Security teams in the private and public sectors are increasingly recognizing the need to actively “hunt” for threats targeting their organizations. Larger, well-resourced organizations may have the ability to mount proactive threat-hunting operations of their own, while others are looking to outside providers to fill this need.
As a provider of managed hunting services, CrowdStrike’s Falcon Overwatch team has developed a methodology for aggressively seeking out sophisticated threat behaviors that may elude even the best automated security systems. The following excerpt from the CrowdStrike white paper, “The Role of Proactive Hunting in Stopping the ‘Mega Breach’” provides an overview of this methodology:
According to research firm Gartner, triggers for proactive threat hunting typically fall into three major investigation initiator categories. The first is hypothesis-driven investigation, such as knowledge of a new threat actor’s campaign based on threat intelligence gleaned from a large pool of crowdsourced attack data. In these cases, threat hunters will look into currently unknown attack details and try to find those behaviors within their specific environment. The second category involves investigations that are based on known IOC (Indicator of Compromise) triggers, which spur threat hunters to look deeper into a specific system’s activities to find potential compromise or ongoing malicious activity. Finally, there are analytics-driven investigations where threat hunters pursue potential leads based on advanced analytics and machine learning.
Regardless of how the hunting is initiated, the process typically follows a three-step course of action:
Trigger: Some form of advanced tooling helps focus the threat hunting analyst on a specific system or area of the network to investigate further. Often, a hypothesis about a new detection method can be a trigger for proactive hunting.
Investigation: This step requires technology such as EDR (Endpoint Detection and Response). Using EDR, skilled threat hunters apply analytical frameworks to take a deep dive into potentially malicious behavior and associated activity on a system. The investigation continues until either the behavior is deemed non-malicious or a complete picture of the malicious behavior and/or compromise has been developed.
Resolution: Threat hunters will pass on relevant malicious behavior intelligence to their operations and security counterparts to perform incident response and achieve appropriate mitigation of threats. When done correctly, data gathered by threat hunters about both malicious and non-malicious behavior can be fed back into automated technology to further its effectiveness without human intervention.
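The trigger, investigation and resolution loop described above, reduced to runnable form as an added illustration. This is not CrowdStrike or Falcon OverWatch code: the EDR-style telemetry records, the indicator feed, the Office-spawns-encoded-PowerShell hypothesis, the host-prevalence analytic and the `hunt` / `resolve` functions are all constructed for this example. All three Gartner trigger categories from the excerpt are represented, and the human investigation step is modelled only as a dictionary of analyst verdicts.

```python
"""Constructed demonstration of a trigger -> investigation -> resolution hunting loop.

Added example, not CrowdStrike Falcon OverWatch code. The telemetry schema,
indicator list, hypothesis rule and analytic are assumptions made for this page.
"""
from collections import defaultdict

# Constructed EDR-style process-start records (not real endpoint data).
# sha256 values are short placeholders, not real file hashes.
EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "WINWORD.EXE /n Q3-report.docx", "sha256": "h-winword"},
    {"host": "ws-01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "sha256": "h-powershell"},
    {"host": "ws-02", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "WINWORD.EXE /n minutes.docx", "sha256": "h-winword"},
    {"host": "ws-02", "parent": "explorer.exe", "image": "update.exe",
     "cmdline": "update.exe /silent", "sha256": "h-known-bad"},
    {"host": "ws-03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process", "sha256": "h-powershell"},
    {"host": "ws-01", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "h-svchost"},
    {"host": "ws-02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "h-svchost"},
    {"host": "ws-03", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "h-svchost"},
]

# Assumed threat-intel feed: file hashes already known to be bad (IOC-driven trigger).
IOCS = {"h-known-bad"}

# Assumed hypothesis: an Office application launching PowerShell with an encoded
# command is worth an analyst's time (hypothesis-driven trigger).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def has_encoded_command(cmdline):
    """True if a switch is a prefix of PowerShell's -EncodedCommand (-e, -enc, ...)."""
    for tok in cmdline.split():
        if tok.startswith("-") and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return True
    return False


def fingerprint(ev):
    """Behavioural key for an event: who launched what, with a normalised command line."""
    return (ev["parent"].lower(), ev["image"].lower(), " ".join(ev["cmdline"].lower().split()))


def hunt(events, iocs, confirmed_bad=frozenset(), suppressed=frozenset()):
    """Trigger step: map event index -> list of reasons an analyst should look at it.

    confirmed_bad and suppressed are the feedback from earlier resolutions: the first
    re-fires as an automated detection, the second stops known-benign noise.
    """
    hosts_per_pair = defaultdict(set)          # analytics-driven trigger: fleet prevalence
    for ev in events:
        hosts_per_pair[(ev["parent"], ev["image"])].add(ev["host"])
    fleet_size = len({ev["host"] for ev in events})

    triggers = {}
    for idx, ev in enumerate(events):
        fp = fingerprint(ev)
        if fp in suppressed:
            continue
        reasons = []
        if ev["sha256"] in iocs:
            reasons.append("ioc:sha256")
        if fp in confirmed_bad:
            reasons.append("confirmed:prior-hunt")
        if ev["parent"] in OFFICE_APPS and ev["image"] == "powershell.exe" \
                and has_encoded_command(ev["cmdline"]):
            reasons.append("hypothesis:office-spawns-encoded-powershell")
        # A parent/child pair seen on a single host in a fleet of three or more is an outlier.
        if fleet_size >= 3 and len(hosts_per_pair[(ev["parent"], ev["image"])]) == 1:
            reasons.append("analytics:rare-parent-child")
        if reasons:
            triggers[idx] = reasons
    return triggers


def resolve(events, triggers, verdicts):
    """Resolution step: turn analyst verdicts into IR findings plus feedback for the tooling.

    verdicts maps a triggered event index to "malicious" or "benign" (the outcome of the
    human investigation, which this example does not automate). Returns
    (findings, confirmed_bad, suppressed).
    """
    findings, confirmed_bad, suppressed = [], set(), set()
    for idx, reasons in triggers.items():
        verdict = verdicts.get(idx)
        if verdict is None:
            continue                            # still under investigation: no feedback yet
        fp = fingerprint(events[idx])
        if verdict == "malicious":
            findings.append({"host": events[idx]["host"], "reasons": reasons, "fingerprint": fp})
            confirmed_bad.add(fp)               # behaviour, not the file hash, becomes the detection
        elif verdict == "benign":
            suppressed.add(fp)
        else:
            raise ValueError(f"unknown verdict {verdict!r} for event {idx}")
    return findings, confirmed_bad, suppressed


if __name__ == "__main__":
    first = hunt(EVENTS, IOCS)
    for idx, reasons in first.items():
        print(idx, EVENTS[idx]["host"], EVENTS[idx]["image"], reasons)
    findings, bad, ok = resolve(EVENTS, first, {1: "malicious", 3: "malicious", 4: "benign"})
    print(len(findings), "finding(s) for IR;", len(ok), "benign pattern(s) suppressed")
    print("second pass triggers:", sorted(hunt(EVENTS, IOCS, bad, ok)))
```

The feedback deliberately promotes the behavioural fingerprint rather than the file hash of a confirmed-malicious event: the encoded-PowerShell launch on ws-01 runs the same `powershell.exe` binary as the benign `Get-Process` on ws-03, so adding its hash to the IOC set would flag every PowerShell start in the fleet. The prevalence analytic is only meaningful with a fleet baseline, which is why it is gated on at least three hosts; on a handful of constructed records it is noisy, as the ws-03 trigger shows, and the benign verdict is what removes that noise from the next pass.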