Threat Hunting Software

Threat hunting is, quite simply, the pursuit of abnormal activity on servers and endpoints that may be signs of compromise, intrusion, or exfiltration of data. Though the concept of threat hunting isn’t new, for many organizations the very idea of threat hunting is.

The common mindset regarding intrusions is to simply wait until you know they’re there. Typically, though, this approach means that you’ll be waiting an average of 220 days between the intrusion and the first time you hear about it. And even then, it’s typically an external party such as law enforcement or a credit card company that’s telling you.

With threat hunting, you use humans to go “find stuff” versus waiting for technology to alert you. Don’t sit back and wait for a knock on the door. Proactively chase down signs that intruders are present or were present in the recent past. What are you looking for when you’re threat hunting? You look for anomalies things that don’t usually happen.

To do this effectively, you need tools that give you highly granular visibility into the goings‐on in the operating systems of every endpoint and server things like processes that are launched, files that are opened, and network communications that take place.

Tools such as CB Response are tailor made for effective threat hunting across an enterprise.

Threat hunting is systematic. Threat hunters need to be continually looking for anything that could be evidence of intrusion. Threat hunting needs to be instilled as a process that security teams make and schedule time for. The types of threat attributes that are hunted include the following:

1. Processes

Hunters are looking for processes with certain names, file paths, checksums, and network activity. They want to find processes that make changes to registry entries, have specific child processes, access certain software libraries, have specific MD5 hashes, make specific registry key modifications, and include known bad files.

 Width = The MD5 hash, also known as checksum for a file, is a 128‐bit value (like a fingerprint of the file). You can get two identical hashes of two different files. This feature can be useful both for comparing the files and their integrity control.

2. Binaries

Here hunters look for binaries with certain checksums, file names, paths, metadata, specific registry modifications, and many other characteristics.

3. Network activity: This threat attribute includes network activity to specific domain names and IP addresses.
4. Registry key modifications

Hunters can look for specific registry key additions and modifications.

Threat hunting isn’t about just finding “evil” within your systems. Instead, it’s about anything that could be evidence that evildoers leave behind on your systems. With threat hunting, you’re looking for things that indicators of compromise (IOC)‐based detection wouldn’t catch.

Need of Threat Hunting

The definition of insanity is doing the same thing over and over and expecting a different result. Many organizations may work in this insanity pattern because they continue to use passive intrusion detection, which clearly isn’t working (hence the word passive).

Attackers’ initial objectives generally include stealing valid login credentials. These attackers are virtually insiders that seek out “live off the land” activities of organizations’ networks, systems, and applications. But like the personnel whose login credentials they’ve stolen, attackers use these credentials to carry out search‐and‐steal (or search‐and‐destroy) missions, using tools and techniques that end‐users don’t use. These are the anomalies that threat hunters should be actively looking for.

Instead of passive intrusion detection, you need threat hunting for the following reasons:

• Malware stealth: Passive intrusion detection doesn’t work because of the stealthy techniques used by cybercriminal organizations and the malware they produce. Today’s malware is able to easily evade antivirus software through polymorphic techniques that enable it to change its colors like a chameleon.
• Evolving attack vectors: Attackers are innovating at a furious rate, which results in new forms of attack that are developed regularly.
• Dwell time: You can’t afford to wait weeks or months to learn about incidents. From the moment of intrusion, the cost, damage, and impact from a breach grow by the hour and by the day. The average time to detection of 220 days is no longer acceptable.

Your stakeholders will want to know what your organization is doing to seek out and detect the advanced attacks, with a skilled human being on the other side. Threat hunting is the answer.

Threat hunting is becoming a part of infosec table stakes: the essential tools and practices required by all organizations. Threat hunting will soon be a part of the due care for information protection expected by customers, regulators, and the legal system.