Threat Hunting I: Let’s Go Hunt Some Threats
How do you think computers are secured nowadays?
You might think with firewalls or anti-virus solutions like Windows Defender. If you want to get fancy perhaps a VPN like [insert name of VPN which keeps coming up every time I want to watch a YouTube video] or something cool like a Yubikey / fingerprint scanner to unlock your computer. If you work for an enterprise you might answer with “DDoS (Distributed Denial of Service) protection”, “a email gateway to filter malicious emails”, or “a really expensive Microsoft product”. Either way, all of these security solutions — and many others like IDS (Intrusion Detection Systems), EDR (Endpoint Detection Response), and WAF (Web Application Firewall) — are passive defences which a security team will put up to stop an attacker gaining access to their systems. You can think of them as walls designed to block entry and protect your precious treasure. In cybersecurity they are means of ensuring the confidentiality, integrity, and availability of data (the fabled CIA triad).
Walls are good. If I was a medieval king and my castle was being besieged then I would want to be behind a few walls. However, I would also want to fight back and defend my castle! This is where threat hunting comes into play. Threat hunting is “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions” (TechRepublic). It’s the blue team’s equivalent of actively defending their castle from an ongoing siege.
The “blue team” is the name given to the people trying to defend an organisation, while the “red team” is the name given to attackers.
A threat hunter will investigate a bad guy’s or girl’s (women can be criminals too) activity before there has been a warning of a potential threat from one of the many systems organisations use to protect themselves. They do this in numerous ways. They could think like an attacker and try to emulate what they would do to breach an organisation, and then search for this activity. They could use analytics with machine learning or UEBA (User and Entity Behaviour Analytics) to calculate risky or uncommon behaviour patterns among users and then investigate these users. They could use threat intelligence derived from OSINT (Open Source Intelligence) or private intelligence feeds to search for a particular threat actor or IOC (Indicator of Compromise) in their environment. Threat hunters merge red and blue team tactics (attack and defence) to better product their organisation from threats that traditional security solutions miss. This is why they are so important to modern security teams in today’s cybersecurity landscape.
That said, not every organisation can afford or may benefit from a threat hunter or cyber threat intelligence (CTI) team. There are people/procedures/processes that an organisation must instantiate before they can even think about investing in a threat intelligence department. An organisation must have a basic IT setup in-place (network infrastructure, an Active Directory environment, etc.) with traditional cybersecurity protections implemented to reach a base level of security (anti-virus, hardened servers, etc.). Next, they need to ensure that they have accurate and timely log sources which cover their entire estate so that they can effectively monitor what is actually happening in their environment. This needs to feed into a platform which can manage all of this data (e.g. a SIEM). Then they need to rollout EDR on all their endpoints to gain greater visibility and so that they have some built-in protection if an attacker decides to attack/disable the organisation’s log sources. Finally, once all that is setup, they need an efficient way of managing their security by either outsourcing it to a managed service provider or creating their own in-house SOC (Security Operations Centre) that uses technologies like SOAR or XDR to efficiently respond to threats. Then, and only then, can the organisation consider bolstering their active defences with a CTI team. Note, this list of pre-requisites is by no means complete, there’s also email security, physical security, and a whole bunch of other passive measures that need to be deployed as well. This is one of the reasons good cybersecurity is so expensive!
Once an organisation reaches a decent level of cybersecurity maturity, they can then look at developing a CTI team to further enhance their resiliency to cyber attacks.
This is where I, and this series, comes in!
In this series I will teach you how to the fundamentals of becoming an effective threat hunter and, hopefully, develop you cybersecurity knowledge enough so that you can perform threat hunts in your own environment (be it a home lab or enterprise). This series will first demonstrate how to create your own environment for threat hunting using the HELK stack (Hunting ELK). Then we will attack this environment using legitimate threat actor TTPs (Tactics/Techniques/Procedures), hunt for these threats using Kibana, and write custom detection rules to mitigate these threats in the future. Once we have covered the basic threat hunting process, we will shift our focus to how threat hunting can be done at scale to protect an entire enterprise environment by looking at adversary emulation, automation, and, everyone’s favourite, documentation. We will then expand our threat hunting repertoire to hunt for other things like suspicious network activity, hunting with data analytics, and so on.
Hope you’re ready to enjoy the ride!