Uncovering The “Unknown Unknowns”: Why Threat Hunting is a Security Must-Have

If you’re living off the land, there are a few different methods you can use to survive, such as setting traps or finding edible plants. However, some animals are too smart to get caught and some plants remain hidden. To find what you need, you must hunt.

The same is true of cybersecurity because there are no silver bullets that identify 100 percent of threats, 100 percent of the time. The ability to block advanced threats improves each year, but we face adversaries who are determined and creative, and their techniques evolve just as quickly. This raises a few questions: When prevention fails, what do we have left to protect our organizations? How can we discover gaps as fast as possible? Having techniques in play to detect and respond to ongoing attacks quickly is as important as prevention. Threat hunting is a critical discipline that more organizations are using to disrupt stealthy attacks before they become mega breaches.

Threat hunting is the active search for “unknown unknowns,” which describes new and novel attack behaviors that aren’t detected by current automated methods of prevention and detection. It is, by nature, a “hands-on-keyboard activity,” driven by humans. Just like hunting in nature, anyone can do it, but the right experience and tools can make you much more effective.

Equipping For The Hunt

Initially, threat hunting requires individuals armed with a clear understanding of the threat landscape, and what they’re hunting for. To gain this understanding, you must start with a reliable source of threat intelligence, so your hunters know what to search for, and which leads to follow. Having the latest information on adversary motivation and tradecraft enables threat hunters to cross-reference organizational data with external threat trends and stay ahead of adversaries. This knowledge allows threat hunters to develop sound hypotheses around what sorts of tracks a sophisticated adversary might leave, and with that information, they can begin the hunt.

Fertile Hunting Grounds

Successful threat hunting also requires data and the tools to query that data effectively. The data needs to be accurate, timely and meaningful, and should provide a complete picture of the kinds of behaviors you’ve decided to hunt for. For instance, if your organization is concerned about PowerShell as a threat vector, then you will need to begin with a central repository of PowerShell audit logs. You will also need tools you can use to query the repository in real time. Armed with these resources, it’s simple to begin reviewing PowerShell commands that are suspiciously encoded or executed by users who have never done so before.
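The two PowerShell hunts named above, run over a handful of audit records, as an added example (not code from the original post or from CrowdStrike): the records, the user baseline and the encoded payload are all constructed for illustration, and the `-EncodedCommand` decoding relies on the documented fact that PowerShell expects that argument as base64 of UTF-16LE text.

```python
import base64
import re

# Constructed sample of PowerShell process-creation audit records as
# (user, command line) pairs. Invented for this example, not real telemetry.
SAMPLE_LOG = [
    ("jdoe",   r"powershell.exe -File C:\scripts\backup.ps1"),
    ("svc_bk", r"powershell.exe -NoProfile -File C:\scripts\rotate.ps1"),
    ("jdoe",   r"powershell.exe -nop -w hidden -enc VwByAGkAdABlAC0ASABvAHMAdAAgACcAaABpACcA"),
    ("mwhite", r"powershell.exe Get-Process"),
]

# Constructed baseline: users who are already known to launch PowerShell.
# In practice this comes from the log repository itself (e.g. the last 30 days).
BASELINE_USERS = {"jdoe", "svc_bk"}

# PowerShell accepts -EncodedCommand and its documented abbreviations (-e, -ec, -enc).
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the flag is absent."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        # -EncodedCommand takes base64 of UTF-16LE text, not UTF-8.
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def hunt(records, baseline_users):
    """Flag encoded commands and PowerShell use by users outside the baseline."""
    findings = []
    for user, cmdline in records:
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            # Surface the decoded script so the hunter can triage it directly.
            findings.append((user, "encoded-command", decoded))
        if user not in baseline_users:
            findings.append((user, "first-time-user", cmdline))
    return findings


if __name__ == "__main__":
    for user, reason, detail in hunt(SAMPLE_LOG, BASELINE_USERS):
        print(f"{reason:16} {user:8} {detail}")
```

Once a first-time user is reviewed and found benign, adding them to the baseline turns this hunt into a repeatable automated check, which is the "learn and automate" loop described below.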

Learn and Automate

How do you know if your hunt was successful? In nature, it’s obvious; the hunter comes home with food for the table. Cyber threat hunting is different. Ideally, you find nothing because your organization is secure and there is nothing to find, at least not for today. However, regardless of today’s outcome, each hunt is an opportunity to learn and improve your organization’s security posture. The first time you hunt for a new behavior, you will have put thought and effort into how you identify it. With this experience under your belt, you have all the pieces you need to perform that search more efficiently moving forward, and you are free to move on to other new and novel hunting tactics. Threat hunting doesn’t always surface critical breaches immediately, but done properly, it always drives efficiency and effectiveness.

The Value of a Comprehensive, Integrated Threat Hunting Program

The cybersecurity marketplace is rapidly accumulating tools that claim to help with threat hunting. CrowdStrike® delivers results by providing comprehensive threat hunting as an integrated part of the CrowdStrike Falcon® platform, giving you the option to augment your existing hunting capabilities with the following solutions:

  • CrowdStrike Falcon® Intelligence™ gives your staff the expert-level knowledge they need on the threat landscape, tailored for your organization.
  • CrowdStrike Falcon® Insight™ delivers data and search capabilities by continuously monitoring and recording hundreds of different types of security-related events. Falcon Insight makes this data available to your hunters, on-demand, within seconds.
  • CrowdStrike Falcon® OverWatch™ provides an expert team of threat hunters working on your behalf. The OverWatch hunting team detects intrusions, malicious activities and adversaries that may otherwise go undetected, becoming an extension of your own team’s efforts.

Additional Resources

Learn more about why managed threat hunting capabilities are a must-have in this white paper: Proactive Hunting: The Last Line of Defense Against the “Mega Breach.”

Learn how CrowdStrike Falcon® Intelligence™ can jump start your threat hunting program, through deep knowledge and automation, in this white paper: Threat Intelligence, Cybersecurity’s Best Kept Secret.

Get an in-depth understanding of true “next-gen” endpoint detection and response (EDR) capabilities in this white paper: EDR — Automatic Protection Against Advanced Threats.
