Figuring out where to start can be challenging when establishing threat hunting exercises within your organization. Utilizing the five “W’s,” often used in journalism, can be a good way to begin planning out the process.
The up-front investment in proactive threat detection can strengthen an organization’s security posture significantly. The fact is, organized, skilled, and well-funded attackers exist. If you become a target of one of these groups, they will work diligently looking for a weakness to get in. Sadly, you can’t possibly uncover everything with even the best security tools. This is where threat hunting comes in: its primary mandate is to find just these types of attackers. An added bonus of threat hunting is that carrying out such exercises breeds familiarity with the tools and techniques that are so important when an outbreak or breach occurs. Your threat hunting team will likely overlap with your incident response team, and threat hunting sharpens their skills and response times when faced with a real incident. It can be looked at as practice for when things go wrong.
Building that threat hunting team may seem as daunting as assembling a team of superheroes to work towards defeating a common enemy. Part of assembling that team is pulling folks together with different skill sets and backgrounds. If you’re a large organization, then the first step may be as simple as setting aside a block of time during the month for a group, or tiger team, to plan, perform, and report on a threat hunting campaign.
However, if you’re a small organization with only a couple (perhaps only one!) dedicated IT people, this may not be so easy. Given this, you may want to bring in third-party, external expertise to help.
This carries advantages and disadvantages. On the plus side, you’ll likely get access to people who fulfill the skills requirements of threat hunting. However, an external threat hunting team will not be as familiar with the ins and outs of your specific network as internal personnel will be. Regardless, there is a mix of core skills needed in a team in order to carry out a threat hunting campaign:
One bonus of threat hunting, from the perspective of a security professional, is that it’s fun. Threat hunting gives folks in your SOC or IT department a break from the day-to-day reactive nature of their roles and a chance to go on the offense. Such active, fulfilling tasks can often lead to higher retention rates for SOC employees, keeping them in a field where highly qualified people can be hard to come by and often move around.
Ultimately, the most successful hunts are those that are planned. You need to set a scope for the hunt, identify clear goals, and set aside a block of time to perform the hunt. When you’re done, you need to assess steps to improve your security posture, establishing security playbooks to address the results moving forward. At other times you may also wish to undertake a threat hunting exercise when you suspect risky behavior may have occurred.
Many of these behaviors could indicate the actions of a malicious actor who has compromised a device, and they are a fairly straightforward place to begin a threat hunt.
Finally, there are times when a threat hunt may crop up unexpectedly. Has a cybersecurity news story that caught your CIO’s attention ever led to an email or phone call inquiring whether the company is vulnerable? This is a perfectly valid question, and having a process in place to field inquiries like this can save a significant amount of time and resources.
Ultimately, data is key to any threat hunt. Before you can do anything threat-hunting related, you’ll need to ensure you have adequate logging enabled to carry out the hunt. The fact is, if you can’t see what’s happening on your systems, then you can’t respond to it. Choosing which systems to pull from will often depend on the scope of the hunt: one hunt could cover endpoints in the Finance department, another could focus on web servers. In some cases, you may even want to install tools within the environment to monitor particular types of traffic. The logs pulled by these temporary systems will then be utilized in the hunt.
Of course, enabling logging can quickly fill up storage assets and gathering logs can easily eat into your team’s time. This may require setting aside physical resources to store logs and setting up basic automation to send them there. In the short term you may have to be selective about how extensively you configure the systems to log. Utilizing tools such as security information and event management (SIEM) software can go a long way towards making the analysis of logs faster and easier.
In the first few threat hunting exercises, the result may include a list of questions that couldn’t be answered based on the logs available. In time it will become clearer which systems need to have logging enabled, and at what level, in order to get the desired results.
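The following script is an added example, not part of the original article, of how a hunt plan can be checked against the logging that is actually enabled, so that the "questions we couldn't answer" list is produced up front rather than discovered mid-hunt. The hunt questions, the log sources they need, the enabled-source inventory for the in-scope Finance endpoints, and the key=value log lines are all constructed for illustration; the two hunt queries (off-hours successful logins and child processes spawned by Office applications) stand in for the kind of searches a SIEM would run over the collected data.

```python
"""Hunt-plan coverage check and two simple hunts over constructed log lines."""
from datetime import datetime

# Hypothetical hunt plan: each question mapped to the log source it requires.
HUNT_PLAN = {
    "Which accounts authenticated outside business hours?": "auth",
    "Which processes were spawned by Office applications?": "process",
    "Which endpoints resolved domains never seen before?": "dns",
}

# Constructed inventory of what is currently logged on the in-scope hosts
# (Finance endpoints). Note that DNS logging is not enabled.
ENABLED_SOURCES = {"auth", "process"}

# Constructed sample log lines: ISO timestamp followed by key=value fields.
SAMPLE_LOGS = """\
2024-05-01T02:13:00 host=fin-ws-07 source=auth user=jsmith result=success
2024-05-01T09:45:10 host=fin-ws-03 source=auth user=mlee result=success
2024-05-01T22:30:05 host=fin-ws-07 source=auth user=jsmith result=failure
2024-05-01T10:02:44 host=fin-ws-03 source=process parent=WINWORD.EXE child=cmd.exe
2024-05-01T10:02:45 host=fin-ws-03 source=process parent=explorer.exe child=notepad.exe
""".splitlines()

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime ts."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_logs(lines):
    return [parse_line(line) for line in lines if line.strip()]


def open_questions(plan, enabled):
    """Hunt questions that cannot be answered because their source isn't logged."""
    return [question for question, source in plan.items() if source not in enabled]


def off_hours_logins(events, start_hour=8, end_hour=18):
    """Successful authentications outside the business-hours window."""
    hits = {
        (event["user"], event["host"])
        for event in events
        if event.get("source") == "auth"
        and event.get("result") == "success"
        and not (start_hour <= event["ts"].hour < end_hour)
    }
    return sorted(hits)


def office_child_processes(events):
    """Child processes whose parent is an Office application."""
    return [
        (event["host"], event["parent"], event["child"])
        for event in events
        if event.get("source") == "process"
        and event.get("parent", "").upper() in OFFICE_APPS
    ]


def run_hunt(plan, enabled, lines):
    """Run the hunts the data supports and report the questions it cannot answer."""
    events = parse_logs(lines)
    return {
        "off_hours_logins": off_hours_logins(events),
        "office_spawned": office_child_processes(events),
        "open_questions": open_questions(plan, enabled),
    }


if __name__ == "__main__":
    report = run_hunt(HUNT_PLAN, ENABLED_SOURCES, SAMPLE_LOGS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `open_questions` output is the item to carry into the next planning cycle: it tells you which log source (here DNS) needs to be enabled, and on which hosts, before the corresponding question can be hunted at all.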