What is Cybersecurity Threat Hunting and Incident Investigation & Why Do You Need It?
—excerpts from a presentation by Splunk at the #AZShowcase via cStor
The chances are very high that hidden cyber-threats are already in your organization’s networks. Cyber-threat prevention systems and tools help reduce opportunities for adversaries and enable analysts to operate more effectively.
The key, however, is to constantly look for attacks that get past security systems and to catch intrusions in progress, and early, rather than after attackers have completed their objectives and done the worst damage to the business. This process is referred to as “cyber threat hunting,” or “the collective name for any manual or machine-assisted techniques used to detect security incidents.”
Many will say, “we have been doing this for years,” so what is new? Meanwhile, IT spending on threat hunting is on the rise.
Some 62% of the respondents are planning to increase their spending on threat hunting in the coming year, with over 42% increasing it by 25% or more, and less than 5% reducing their expenditures. —Open Season on the Adversary, SANS April 2016.
There are four key differences between Threat Hunting and Incident Investigation/IR:
1. Threat hunting is proactive but covers both the detect and response phases
2. Threat hunting uses hypotheses to detect and respond to security incidents
3. Threat hunting is often standalone as a function (not ops focused)
4. Basic techniques in threat hunting are already in use by incident investigation teams (log analysis, alert assessments, IR)
The recent focus on threat hunting is not about rebranding what many defenders have endeavored to do over the years; it is about placing an appropriate, dedicated focus on the effort by analysts who purposely set out to identify and counteract adversaries that may already be in the environment. Threat hunting requires some special analytic skills, such as familiarity with the enterprise and the ability to generate and investigate hypotheses. Hunting benefits from analysts using automation to make these hunts faster, easier, more frequent and more accurate.
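As an added illustration (not code from the presentation, Splunk or cStor), here is one hunt hypothesis turned into a machine-assisted check: "a host already compromised is beaconing to its command-and-control server on a fixed interval." The proxy log lines, host names and domains are constructed for the example.

```python
"""Hypothesis-driven hunt: regular-interval outbound connections (beaconing).
Hypothetical example; the log data below is constructed, not real."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp, source host, destination domain.
PROXY_LOG = """\
2016-04-01T10:00:00 ws-17 cdn.example-news.test
2016-04-01T10:00:05 ws-17 updates.example-vendor.test
2016-04-01T10:10:00 ws-17 cdn.example-news.test
2016-04-01T10:20:01 ws-17 cdn.example-news.test
2016-04-01T10:29:59 ws-17 cdn.example-news.test
2016-04-01T10:40:00 ws-17 cdn.example-news.test
2016-04-01T10:03:12 ws-22 mail.example-corp.test
2016-04-01T10:41:50 ws-22 mail.example-corp.test
2016-04-01T11:05:07 ws-22 mail.example-corp.test
2016-04-01T11:07:30 ws-22 mail.example-corp.test
"""


def parse(log):
    """Group connection timestamps by (host, destination) pair."""
    pairs = defaultdict(list)
    for line in log.splitlines():
        ts, host, dst = line.split()
        pairs[(host, dst)].append(datetime.fromisoformat(ts))
    return pairs


def hunt_beacons(log, min_events=4, max_jitter=0.05):
    """Return (host, dst, mean_interval_s) for pairs whose gaps between
    connections are nearly constant. Jitter is stdev/mean of the gaps;
    human browsing is bursty (high jitter), a timer-driven beacon is not."""
    hits = []
    for (host, dst), times in parse(log).items():
        if len(times) < min_events:      # too few events to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            hits.append((host, dst, round(mean)))
    return hits


if __name__ == "__main__":
    for host, dst, interval in hunt_beacons(PROXY_LOG):
        print(f"candidate beacon: {host} -> {dst} every ~{interval}s")
```

A hit is a lead to investigate, not a verdict: the hunter pivots into the host's process and DNS data to confirm or refute the hypothesis before any response.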
Threat hunting is aptly focused on the human behind the threats. To be a threat, an adversary must have three things: the intent, capability and opportunity to do harm. Threat hunters focus the search on adversaries who have those three characteristics and who are already within the networks and systems of the threat hunters’ organization, where they have authority to collect data and deploy countermeasures.
The majority of organizations report an average time of 1-8 hours to detect and respond to a threat. (Note that this is massively optimistic, as many have very immature threat hunting programs; dwell time can extend out to 6 months to a year for an APT.) (Open Season on the Adversary, SANS April 2016).
Benefits of threat hunting are many. The key indicators that organizations are gaining value from threat hunting focus on reducing the attack surface (74%), reducing exposure (63%) and increasing the speed of containing and controlling damage (59%). These are also very useful metrics you can use to sell threat hunting to your executives and show a positive ROI for their investment in threat hunting. (Open Season on the Adversary, SANS April 2016).
NB: Models Used in TH:
Especially skilled hunters (of the more mature organizations) will be familiar with security models that can be applied to the active defense and intelligence categories of the Sliding Scale of Security Maturity. Expert hunters know when and how to use these models as they apply to their organizations, but they do not rely solely upon them. While models are meant to help analysts structure data and their responses, they should never be allowed to limit a defender’s options or creativity in an exceptional situation. Nonetheless, models can serve as a great catalyst for even the most senior analysts.
Two cyber threat intelligence models that have been widely used in the industry tie directly into the Hunting Maturity Model. These models, the Cyber Kill Chain and the Diamond Model of Intrusion Analysis, help to identify intrusions and look past the idea of a single intrusion and toward an identification and understanding of adversaries’ campaigns. Both of these feed into the Active Cyber Defense Cycle.
The Cyber Kill Chain is an adaptation of the U.S. military’s kill chain process, which attempts to identify the phases of action adversaries take to achieve their goals. The Kill Chain has been used in a variety of ways. One of its most important uses is in detailing the phases of individual intrusions, extracting indicators for each phase and identifying patterns across multiple intrusions. Defenders can combine key indicators, such as the human aspect of intrusions, and related intrusions into a grouping representing an adversary’s campaign.
The Diamond Model of Intrusion Analysis directly complements this kill chain analysis. It is often used for generating intelligence, as opposed to the consumption of it, so it exists outside the scope of this paper but is worthy of study for those interested in the topic. The Diamond Model helps analysts structure indicators observed in the Cyber Kill Chain to define and understand adversary campaigns. This ability to group intrusions into campaigns allows threat hunters to counter adversaries’ efforts over long periods of time instead of countering single intrusions.
The Active Cyber Defense Cycle takes the threat intelligence generated from the use of the first two models and puts it into the context of an active defense. This model is used to ingest threat intelligence and identify and respond to threats while taking advantage of defender strengths. The model consists of four phases that are meant to act as a continual process: threat intelligence consumption, asset identification and network security monitoring, incident response, and threat and environment manipulation. The cycle’s strong suit is that defenders can evolve through interactions with adversaries while leveraging their knowledge of the environment.
These interactions with adversaries feed back into the Cyber Kill Chain and the Diamond Model, creating a back-and-forth process that allows for the generation and consumption of threat intelligence. It is in this process that effective hunting models can be realized and utilized.
These three models come together for generating and consuming intelligence to support the threat hunting process.
Threat hunting is experiencing an evolution. Many organizations still conduct threat hunting in an ad hoc manner without a defined, repeatable process, yet some are now looking at new machine-learning-driven approaches to accelerate their maturity and success. Contact a cStor expert who will review current approaches to threat hunting and explain how Splunk can support and accelerate your threat hunting maturity.