The Myth of Part-time Threat Hunting, Part 2: Leveraging the Power of Human Ingenuity

The race between hunter and hunted is defined as much by stealth as it is by speed. In Part 2 of this two-part blog series, we dive into why having hunters immersed full time in the threat hunting mission is critical to building out a hunting program capable of detecting stealthy and novel tradecraft before adversaries achieve their objectives. If you missed it, check out The Myth of Part-time Hunting, Part 1: The Race Against Ever-diminishing Breakout Times, where we explore why shrinking adversary breakout times mean that threat hunting must be performed around the clock.

The Power of Human Ingenuity

Adversaries are constantly striving to identify new techniques to blend into their target environment and evade technology-based detections. To be truly effective, threat hunters need to be a step ahead. This is why it is so crucial that threat hunting is a full-time job. Defenders performing ad hoc hunts as one of their multiple competing responsibilities will struggle to dedicate the time or develop the deep expertise required to produce effective hypothesis-driven hunting leads. Through constant immersion in intrusion telemetry, human analysts develop and hone their capability to derive malicious human intent from machine telemetry and begin to recognize aberrant patterns of behavior. 

CrowdStrike’s Falcon OverWatch™ team combines human ingenuity with the power of technology to operate at scale to form, test and refine hypotheses about how to catch the next adversary. Successful hypotheses are added to an extensive collection of hunting leads developed over years to provide human analysts with timely cues of potential adversary activity. OverWatch is highly specialized — focused exclusively on threat hunting — which ensures that our relentless pursuit of stealthy adversaries is not diluted by other functions.

Beware the Unknown Unknowns

In today’s rapidly evolving threat landscape, it’s not enough to have a threat hunting team that’s capable of detecting only known threats, no matter how fast they hunt. To be truly effective, threat hunters must be able to find the unknown unknowns — that is, novel tools or techniques that represent changes in adversary tradecraft. With the OverWatch team’s hundreds of years of collective hunting experience, it is not unusual for “a hunch” about where these unknowns might be found to turn into a highly tailored and effective hunting lead.

Human-led hunting offers unparalleled flexibility — it facilitates proactive and experimental approaches to understanding and uncovering adversary activity. In one such case, an OverWatch hunter suspected that investigating rare scheduled tasks may reveal otherwise undetected malicious activity. Querying across our extensive customer dataset, the hunter zeroed in on scheduled tasks that were globally rare based on a range of features including file naming. In analyzing the results, the hunter found a rare scheduled task that leveraged regsvr32.exe to register a suspicious DLL file. Further analysis of that DLL file, and the associated scheduled task, found that they were part of a temporary persistence mechanism used by a previously unseen first-stage implant. The CrowdStrike Intelligence team attributed the implant to a new targeted intrusion adversary that was using it for focused political espionage purposes. The implant had been developed by highly skilled software engineers who used several measures to avoid detection, such as strong in-memory discipline and avoidance of privilege escalation beyond user mode. Had this first-stage implant remained undetected, the adversary would have likely used a second-stage component to perform actions on objectives. Based on what OverWatch knows of targeted intrusion campaigns, it is likely that the adversary had tested the novel first-stage implant against all endpoint security products to ensure it would not be flagged, leaving OverWatch threat hunting as the critical last line of defense.
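The rarity hunt described above can be sketched as a small stacking exercise over scheduled-task telemetry. The code below is an added example, not OverWatch's hunting technology or CrowdStrike code: it normalizes the volatile parts of task names and arguments (SIDs, hex suffixes, per-user paths) so that the same software installed on many hosts collapses to one feature key, counts distinct hosts per key, and surfaces keys seen on very few hosts. A second, independent check flags regsvr32.exe registering a DLL from outside the Windows directory, so a hunter can see why a lead was raised. The event fields, task names, hostnames and the DLL path are all constructed for illustration.

```python
"""Rarity-based hunting over scheduled-task creation telemetry.

Added example; not CrowdStrike/OverWatch code. The event shape and every
record below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed telemetry: one record per scheduled task observed per host.
EVENTS = [
    {"host": "h01", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "image": "defrag.exe", "args": "-c -h -o -$"},
    {"host": "h02", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "image": "defrag.exe", "args": "-c -h -o -$"},
    {"host": "h03", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "image": "defrag.exe", "args": "-c -h -o -$"},
    {"host": "h01", "task": r"\GoogleUpdateTaskMachineUA1d3f", "image": "GoogleUpdate.exe", "args": "/ua /installsource scheduler"},
    {"host": "h02", "task": r"\GoogleUpdateTaskMachineUA9a2c", "image": "GoogleUpdate.exe", "args": "/ua /installsource scheduler"},
    {"host": "h03", "task": r"\GoogleUpdateTaskMachineUA77b0", "image": "GoogleUpdate.exe", "args": "/ua /installsource scheduler"},
    {"host": "h02", "task": r"\OneDrive Standalone Update Task-S-1-5-21-1-2-3-1001", "image": "OneDriveStandaloneUpdater.exe", "args": ""},
    {"host": "h03", "task": r"\OneDrive Standalone Update Task-S-1-5-21-4-5-6-1002", "image": "OneDriveStandaloneUpdater.exe", "args": ""},
    # Constructed suspicious record: a one-off task registering a DLL via regsvr32.
    {"host": "h02", "task": r"\SysHelper", "image": "regsvr32.exe", "args": r"/s C:\Users\Public\Libraries\syshlp.dll"},
]

SID_RE = re.compile(r"S-1-5-21(?:-\d+)+")            # domain/local account SIDs
HEXNUM_RE = re.compile(r"[0-9a-fA-F]*\d[0-9a-fA-F]*")  # hex/decimal runs containing a digit
USERDIR_RE = re.compile(r"(?i)\\users\\[^\\]+\\")      # per-user profile directories


def normalize(text):
    """Collapse the parts of a string that vary per host or per install."""
    text = SID_RE.sub("<sid>", text)
    text = USERDIR_RE.sub(r"\\Users\\<user>\\", text)
    text = HEXNUM_RE.sub("<n>", text)
    return text.lower()


def feature_key(ev):
    """Features used for stacking: normalized task name, image, normalized args."""
    return (normalize(ev["task"]), ev["image"].lower(), normalize(ev["args"]))


def rare_tasks(events, max_hosts=1):
    """Return (key, sorted hosts, sample event) for keys seen on <= max_hosts hosts."""
    hosts_by_key = defaultdict(set)
    sample = {}
    for ev in events:
        k = feature_key(ev)
        hosts_by_key[k].add(ev["host"])
        sample.setdefault(k, ev)
    return [(k, sorted(h), sample[k]) for k, h in hosts_by_key.items() if len(h) <= max_hosts]


def registers_dll_outside_windows(ev):
    """Heuristic: regsvr32.exe loading a .dll that does not live under C:\\Windows."""
    if ev["image"].lower() != "regsvr32.exe":
        return False
    m = re.search(r"(?i)([a-z]:\\[^\s\"]+\.dll)", ev["args"])
    return bool(m) and not m.group(1).lower().startswith("c:\\windows\\")


def hunt(events, max_hosts=1):
    """Combine global rarity with the regsvr32 heuristic into reviewable leads."""
    leads = []
    for key, hosts, ev in rare_tasks(events, max_hosts):
        reasons = [f"seen on {len(hosts)} host(s)"]
        if registers_dll_outside_windows(ev):
            reasons.append("regsvr32 registers DLL outside Windows directory")
        leads.append({"task": ev["task"], "image": ev["image"], "hosts": hosts, "reasons": reasons})
    return leads


if __name__ == "__main__":
    for lead in hunt(EVENTS):
        print(lead)
```

Rarity alone is noisy in a large estate (every bespoke admin script is "rare"), which is why the example attaches a second reason to each lead; in practice a hunter tunes `max_hosts` against the fleet size and reviews the remaining handful of leads by hand, exactly the human overlay the post describes.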

There is no autopilot in cybersecurity, and artificial intelligence and machine learning have their strengths but also their limitations. To hunt with speed and at scale, human-led hunting needs to seamlessly integrate with technology, as illustrated by two examples: one where human analysis built on OverWatch’s existing hunting patterns detected a novel adversary tool, and the second showing how human insights were used to enhance OverWatch’s technology-based hunting capabilities to systematically speed the identification of malicious activity. The symbiosis between human hunter and technology acts as a significant force multiplier to help defenders against even the trickiest adversaries. 

OverWatch’s patented hunting technology enables the rapid evaluation of streaming endpoint telemetry against OverWatch’s curated collection of hunting leads, each finely tuned to enable the identification of potentially malicious behaviors. Hunters take the output of this analysis and overlay it with context and expert insights that enable them to discern what is malicious and what is just noise. This overlay of human ingenuity takes the process to the next level by looking for “patterns among patterns.” 

For example, an OverWatch hunter hypothesized that we could find potentially malicious behavior by identifying occurrences where multiple hunting patterns hit in the context of the same individual process (e.g., psexec.exe) over a certain period of time. Through testing this hypothesis, the hunter uncovered a newly observed remote access tool (RAT) that was targeting cryptocurrency exchanges. CrowdStrike Intelligence assessed that a targeted intrusion adversary not only developed the RAT, but did so in a way that was designed and tested to evade automated defenses. The RAT is read from an encrypted file, decrypted, then manually loaded into memory before being executed. Human-led hunting again provided an essential layer of defense to detect and disrupt this threat.

Other times, hunting hypotheses streamline the hunting process by honing ways of more quickly identifying known malicious activity. For example, OverWatch took action after recognizing a growing trend of ransomware affiliates gaining initial access by abusing remote desktop protocol (RDP) connections in conjunction with previously acquired valid accounts. Striving to uncover these types of attacks as quickly as possible, hunters closely analyzed them and found that these actors used recurring clusters of related filenames for their tools. The names themselves weren’t unique or predictable enough to be used as individual hunting leads; however, the hunters hypothesized that looking for a rapid burst of executable file writes with these name components would provide an effective hunting lead. After testing and tuning this approach, OverWatch was able to hone the technology to help more rapidly uncover these attacks, enabling even more timely and effective responses to potential ransomware threats.
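Both of the preceding hunting leads are time-windowed correlations: several distinct hunting patterns firing on one process within a short period, and a rapid burst of executable writes whose names share recurring components. The code below is an added example, not OverWatch's hunting technology, and shows the two leads built on one shared sliding-window helper. The pattern identifiers, filename components, timestamps and hostnames are constructed placeholders standing in for whatever a hunt team actually observes.

```python
"""Time-windowed correlation of hunting-pattern hits and executable writes.

Added example; not CrowdStrike/OverWatch code. All pattern IDs, filename
components and telemetry records are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime


def _ts(s):
    """ISO-8601 timestamp -> seconds (all samples share one timezone)."""
    return datetime.fromisoformat(s).timestamp()


# Constructed pattern-hit telemetry: (timestamp, host, pid, image, pattern_id).
PATTERN_HITS = [
    ("2021-06-01T10:00:00", "h01", 4120, "psexec.exe", "P-REMOTE-SVC-INSTALL"),
    ("2021-06-01T10:00:20", "h01", 4120, "psexec.exe", "P-ADMIN-SHARE-WRITE"),
    ("2021-06-01T10:01:05", "h01", 4120, "psexec.exe", "P-LATERAL-EXEC"),
    ("2021-06-01T09:00:00", "h02", 880, "psexec.exe", "P-REMOTE-SVC-INSTALL"),  # lone hit
    ("2021-06-01T14:00:00", "h03", 2210, "psexec.exe", "P-ADMIN-SHARE-WRITE"),   # hits 90 min apart
    ("2021-06-01T15:30:00", "h03", 2210, "psexec.exe", "P-LATERAL-EXEC"),
]

# Constructed file-write telemetry: (timestamp, host, path).
FILE_WRITES = [
    ("2021-06-02T02:10:00", "h05", r"C:\Users\Public\toolkit_a.exe"),
    ("2021-06-02T02:10:30", "h05", r"C:\Users\Public\toolkit_b.exe"),
    ("2021-06-02T02:10:40", "h05", r"C:\Users\Public\notes.txt"),
    ("2021-06-02T02:11:15", "h05", r"C:\Users\Public\toolkit_c.exe"),
    ("2021-06-02T03:00:00", "h06", r"C:\Users\Public\toolkit_a.exe"),  # single write
    ("2021-06-02T04:00:00", "h07", r"C:\Users\Public\toolkit_a.txt"),  # not executables
    ("2021-06-02T04:00:10", "h07", r"C:\Users\Public\toolkit_b.txt"),
    ("2021-06-02T04:00:20", "h07", r"C:\Users\Public\toolkit_c.txt"),
]

# Constructed name components standing in for the recurring clusters a hunt observes.
COMPONENTS = ["toolkit_a", "toolkit_b", "toolkit_c"]


def dense_window(items, window_s, min_distinct):
    """items: iterable of (seconds, key). Return the sorted distinct keys of the
    first window of width window_s that holds >= min_distinct distinct keys, else None."""
    items = sorted(items)
    lo = 0
    for hi in range(len(items)):
        while items[hi][0] - items[lo][0] > window_s:
            lo += 1
        keys = {k for _, k in items[lo:hi + 1]}
        if len(keys) >= min_distinct:
            return sorted(keys)
    return None


def multi_pattern_processes(hits, window_s=300, min_distinct=3):
    """Lead 1: several different hunting patterns on one process within window_s."""
    by_proc = defaultdict(list)
    for ts, host, pid, image, pattern in hits:
        by_proc[(host, pid, image)].append((_ts(ts), pattern))
    leads = []
    for (host, pid, image), items in by_proc.items():
        found = dense_window(items, window_s, min_distinct)
        if found:
            leads.append({"host": host, "pid": pid, "image": image, "patterns": found})
    return leads


def exe_write_bursts(writes, components, window_s=120, min_count=3):
    """Lead 2: a burst of distinct .exe writes whose names contain known components."""
    by_host = defaultdict(list)
    for ts, host, path in writes:
        name = path.rsplit("\\", 1)[-1].lower()
        if name.endswith(".exe") and any(c in name for c in components):
            by_host[host].append((_ts(ts), name))
    leads = []
    for host, items in by_host.items():
        found = dense_window(items, window_s, min_count)
        if found:
            leads.append({"host": host, "files": found})
    return leads


if __name__ == "__main__":
    print(multi_pattern_processes(PATTERN_HITS))
    print(exe_write_bursts(FILE_WRITES, COMPONENTS))
```

The window width and the minimum count are the tuning knobs the post alludes to: too narrow and a slow operator slips through, too wide and routine administration (h03 above, with two pattern hits ninety minutes apart) floods the queue. Keying the burst detector on distinct filenames rather than raw write count also keeps a single tool being rewritten in a loop from registering as a cluster.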

Let the Human Element Give You the Edge

In the race between hunter and hunted, adversaries are quick to abuse the power of human ingenuity to find gaps in automated security controls. Human-led threat hunting shifts the balance back in favor of defenders, employing this same ingenuity to find adversaries where they hide. Effective threat hunting also needs to be grounded in systematic and repeatable processes, such as the OverWatch SEARCH threat hunting methodology, which ensures that findings are continuously fed back into the hunt. Hunters themselves should be immersed in finding and disrupting adversary activity wherever it occurs — they should not be operating on a part-time basis, torn between competing responsibilities. 

OverWatch is composed of elite threat hunters, with breadth and depth of experience from every corner of public and private industry. These hunters perform continuous analysis on an unmatched quantity of forensic-level intrusion telemetry from the CrowdStrike Threat Graph® database. OverWatch regularly develops and tests hypotheses that enhance the hunt and curtail adversary attempts to evade technology-based defenses. The combined power of human ingenuity and technology enables OverWatch to uncover and disrupt adversaries with greater speed and accuracy each and every day. 

Human-led threat hunting complements and augments technology to protect customers against both known and unknown threats. In today’s rapidly evolving security landscape, the human element is not simply a “nice to have” — it’s a must.
