For as long as we have had a cybersecurity industry, the market’s attention has been solidly focused on improvements in threat detection. Each new generation of technology brings the ability to detect an ever increasing number of advanced threats. Techniques such as stateful inspection, heuristics, behavioral detection and machine learning have all rightfully earned their places in the technology stacks used to defend our networks and endpoints from adversaries. All of this focus on new technologies, however, neglects the most versatile, evasion-resistant detection engine that exists – the human brain.
Any automated detection technique is, by definition, predictable. Today’s attackers understand this well and are skilled at inventing techniques to bypass, evade or hide from these automated defensive measures. In response, more enterprises are turning their attention inward and using human analysts as threat hunters, the last line of defense. These “human detection engines” actively seek out subtle signs of threats that may have slipped past the organization’s carefully arranged layers of defense, in an effort to stop incidents before they become a full-blown breach.
CrowdStrike® employs the world’s largest and most advanced team of threat hunters — they are spread between the CrowdStrike Professional Services team and the Falcon OverWatch™ managed threat hunting team. These cyber professionals engage in hand-to-hand combat with a wide range of adversaries every day, and have the battle scars to prove it. Beginning in late 2017, CrowdStrike began a threat hunting workshop program to share best practices and experiences, and to help organizations of all sizes build their own threat hunting capabilities. In these workshops, attendees spend a day hearing from CrowdStrike’s top threat hunting experts and learning how they approach their goal of finding the faintest signals in an ocean of noisy data.
Dispelling the Myths
The workshop begins with an open discussion of what threat hunting is and is not, and throughout the day there is a focus on hunting’s value and feasibility as part of an organization’s comprehensive security approach. One way this is achieved is by dispelling some of the myths surrounding threat hunting — fallacies that may be keeping organizations from incorporating it into their security strategies. The workshop focuses on four myths that are particularly prevalent:
Myth #1: Threat hunting is an ad-hoc process that can’t be managed
Successful threat hunting teams are the ones that can operationalize their efforts into a repeatable process. It starts as a thought experiment: Given what you know about your environment, how might a successful attack occur? What signs would such a hypothetical attack leave behind, and how would you go about searching for those bits of evidence? This is how a hunt begins. The activity generates detections and investigations, and its results are ultimately used to build better automated detection techniques. A closed-loop process ensures that similar future threats are identified automatically, driving continuous improvement in security operations.
Myth #2: Threat hunting requires a highly sophisticated staff
It’s certainly true that hunters who are knowledgeable about the tactics, techniques and procedures (TTPs) of their adversaries find more threats, and find them faster. That said, everyone has to start somewhere, and there is a wide range of threat hunting styles to choose from. Even a relatively unskilled analyst can hunt successfully with some proper coaching and basic tools. Regardless of skill level, attendees at a CrowdStrike Threat Hunting Workshop will return to their “day jobs” armed with some winning techniques to help them find signs of threats in PowerShell activity, user account activity, process activity and more.
Myth #3: Threat hunting requires specialized tools and a vast amount of data
Workshop attendees see how even relatively sophisticated and stealthy attacks can be spotted by an analyst equipped with some simple tools and datasets, most of which are already in place in the typical enterprise. Instructors show attendees concrete examples of how they can track tricky threats, armed with just the following: (a) access to endpoint and network telemetry; (b) an asset management system that provides context on enterprise users and assets; and (c) some basic threat intelligence. Several real-world use cases of this process are covered, including:
Many of the examples demonstrated in the workshop leverage free, open tools and data sets that most organizations have at their fingertips.
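As an added illustration that is not part of the original post or any CrowdStrike tool, the following Python turns the hypothesis-to-detection loop from Myth #1 into code using the three inputs listed above: endpoint telemetry, asset context and a small piece of intelligence about how attackers abuse PowerShell. The events, asset roles and rule names are constructed sample data; the PowerShell switches `-enc` and `-EncodedCommand` are real.

```python
# Constructed sample endpoint telemetry (not real data): one process-start event per dict.
EVENTS = [
    {"host": "WS-0142", "user": "jdoe", "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "ADMIN-01", "user": "svc_patch", "parent": "cmd.exe",
     "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"host": "WS-0077", "user": "asmith", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile"},
    {"host": "WS-0091", "user": "bnguyen", "parent": "OUTLOOK.EXE",
     "cmdline": "powershell.exe -w hidden -EncodedCommand ZQBjAGgAbwA="},
]

# Constructed asset-management context: host -> role. A real hunt pulls this from the CMDB.
ASSETS = {"WS-0142": "workstation", "WS-0077": "workstation",
          "WS-0091": "workstation", "ADMIN-01": "admin-jumpbox"}

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "POWERPNT.EXE"}
ENCODED_FLAGS = {"-enc", "-encodedcommand"}  # real PowerShell switches for base64 payloads


def is_encoded_powershell(cmdline):
    """True when the command line starts PowerShell with an encoded payload."""
    parts = cmdline.lower().split()
    return bool(parts) and parts[0].endswith("powershell.exe") and \
        any(p in ENCODED_FLAGS for p in parts[1:])


def hunt_office_spawned_powershell(events, assets):
    """Hypothesis: on an ordinary workstation an Office application has no
    business spawning PowerShell with an encoded command. Asset context
    removes admin hosts where scripted automation is expected."""
    findings = []
    for ev in events:
        if ev["parent"].upper() not in OFFICE_APPS:
            continue
        if assets.get(ev["host"]) != "workstation":
            continue
        if is_encoded_powershell(ev["cmdline"]):
            findings.append((ev["host"], ev["user"], ev["parent"]))
    return findings


def promote_to_detection(rule_name, findings):
    """Closing the loop: once the hunt has confirmed hits, record the
    hypothesis as a rule an automated engine can apply to every new event."""
    return {"rule": rule_name, "confirmed_hits": len(findings),
            "parent_in": sorted(OFFICE_APPS), "asset_role": "workstation",
            "predicate": "is_encoded_powershell"}


if __name__ == "__main__":
    hits = hunt_office_spawned_powershell(EVENTS, ASSETS)
    print(promote_to_detection("office-spawns-encoded-powershell", hits))
```

The same structure (filter on telemetry, narrow by asset context, codify the confirmed hypothesis) carries over to the user-account and process-activity hunts mentioned under Myth #2.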
Myth #4: Threat hunting results can’t be measured
Any effort worth making is worth measuring, and threat hunting is no exception. The easiest metric to consider is the number of malicious activities that threat hunting has uncovered, together with the decrease in dwell time that early detection produces. However, finding a new critical threat is not an everyday occurrence, and it’s not the only outcome that matters. Successful threat hunting programs produce new patterns and behavior descriptions that later become automated detections. Measuring the long-term improvement in the overall effectiveness of your enterprise security program is just as important as tracking the individual threats uncovered on a week-by-week basis.
At the end of the day, workshop participants go home armed with the essential skills and knowledge needed to get their own threat hunting efforts off the ground. The feedback CrowdStrike receives shows that it has been time well invested. The following are some of the comments we’ve received from participants in threat hunting workshops:
- “Thank you. I learned a great deal through demonstrations and lectures from real-world experts.”
- “This was a fantastic, comprehensive and relevant run-through of hunting best practices.”
- “I’ve got some great ideas on how to better leverage the tools I already own.”
- “Today I learned about the theories and processes of hunting I can take home and apply to my own job.”
Learn More and Register For a CrowdStrike Threat Hunting Workshop
Attending a CrowdStrike Threat Hunting Workshop can help you begin to fill the gaps in your organization’s technical defenses by incorporating human intelligence, experience and intuition. Here are some links to get you started:
- To find a CrowdStrike Threat Hunting Workshop in your area, check the schedule on our registration page.
- If you can’t attend one of these events locally, you can get a head start by watching this on-demand webcast: “Let’s Go Threat Hunting: Expert Tips for Enhancing Hunting in Your Organization.”