Threat Hunting -How to start and what are the Metrics ?
Introduction : Adversaries are becoming smarter day by day and are bypassing defense mechanisms .Automation tools are not enough to detect and prevent the advanced attacks
Although there is an advancement from the proactive side of things to defend against these attacks but still the dwell time is quite high .Fireeye reports in 2020 it is 24 days
This means an Intruder is in the Network for around a Month .
So more is needed — Threat Hunting is Needed .
What is Threat Hunting(TH) : The aim is to reduce the dwell time which helps to remove/prevent the attacker to be in the network
“TH is a proactive approach done by Humans to search data and discover Cyber Threats” The Hunter detects the threat which the traditional protection mechanisms do not detect . TH is an offensive approach and requires good understanding of Cyber Kill chain , Mitre Framework etc .
And another important point is “the Quality of Data for Hunt”
How to Start Hunting : To start with , we need to collect the Data which is related to the Purpose of our hunt . the data should not contain unwanted logs . The data may come from Hosts and Networks
Other Important Points for Data :
a) How far can we go back and do a search-Old data availability ?
b) Consistency of data from different data sources .
I am not going to go into the details of Data Governance but we have to have solid Baseline to say what is Normal on a Particular host or Network before hunting -like what are normal — connections , services, processes , applications ,users , time when user login , location from where user logs in , All these details should be understood well in advance by the Threat Hunter.
ELK ,SIEM tools like Splunk , Qradar can be used for search operations .
Define the Hypothesis : Hunt begins by defining Hypothesis :
a) What particular behavior we want to Hunt for ?
b) then what is the technique behind it ( Mitre can be used here)
c) which data we need and how old that data should be
A LAB environment : Whatever we have gathered so far , it should be tested or rather replicated in an isolated environment . This is additional cost and requires more time but by doing so ,we observe clearly what data , logs , alerts we get and it will help to make our Defense Mechanisms stronger which we can build by analyzing these results
Learnings from the LAB or Simulation Environment :Once we know the deviations from Baselines ,Deviations from normal processes /connections , Abnormal registry changes We are ready to say that our Hypothesis is correct or incorrect for a Specific Threat Activity .
Now we can extend the Hunt to more systems and increase the scope of Hunt . We have to keep in Mind the duration of the Hunt . It could be 2 weeks -4 weeks depending upon the data size and the Criticality of the Systems under the Hunt Scope .
Metrics : Hunting Metrics are very important . What if we do not find anything ?
Does it mean that our Hunt fails ? Not necessarily . there is a possibility that Network or Host is clean and there is no Anomaly
So Hunting Metrics allow us to track the progress of our hunt . The Important Points in relation to Metrics while reporting them to management are :
a) Frequency of Hunt
b) How much we covered -Network ,Hosts
c) how much old logs we covered or analysed
d) Attack technique and Procedures .
- Threat Hunting is Human-Centric Approach
- Threat Hunter should have knowledge of various types of attacks ,Mitre ATT&CK
- Hunting Hypothesis should be defined
- Metrics to be calculated
We have seen the Basics Requirements to start Threat Hunting and how important it is to have Data Governance . In future posts, we can see more on how to obtain IOCs , how to use Threat Exchange information , creating YARA rules .