Threat Hunting – Finding and Thwarting Mr. Robot

The concepts of threat hunting and threat intelligence went mainstream in 2016, bringing with them a whole new paradigm for threat mitigation and cybersecurity. But what is threat hunting, and what use cases does it serve?

As cyber-attacks become more sophisticated, today’s security teams need to adopt a more proactive role in detecting and responding to them. Firewalls, SIEMs, intrusion detection, and endpoint protection are only part of the pie. Alert-oriented data generated by rule-based detection systems is not only difficult to prioritize; it provides little context about the alert, the object it’s alerting on, and even what that object relates to.

Instead, threat hunting, according to DLT partner Sqrrl, refers to the act of:

“…proactively and iteratively searching through networks or datasets to detect and respond to threats that evade traditional rule- or signature-based security solutions. It includes using both manual and machine-assisted techniques, and aims to find the Tactics, Techniques and Procedures (TTPs) of advanced adversaries.”

If you’re looking to thwart Mr. Robot – whether he’s probing your network, already inside, or in the process of exfiltrating data – threat hunting can help.

Because it builds a more comprehensive narrative of an attack than other contemporary solutions, threat hunting optimizes not only your ability to find advanced threats but to enhance incident response efforts too.

Every organization is likely already undertaking some form of threat hunting, whether it’s alert assessments, query-based log analysis, or incident investigations. But moving beyond these simple techniques, threat hunting can address some of the following use cases, explains Sqrrl.

Advanced Persistent Threats (APTs) – Detecting APTs involves finding adversaries that avoid traditional detection systems. By detecting adversarial TTPs along the kill chain, threat hunting can help analysts find threat actors and put measures in place to prevent APTs.

Data Breach Detection – Using tools such as Sqrrl’s anomaly detection, TTP-oriented detectors, and Behavior Graph, analysts can easily pinpoint an outward flow of data from their network.

Malware Detection – Using advanced analytics (e.g. machine learning), analysts can baseline entity activity and calculate risk to identify security anomalies (aligned to behaviors such as lateral movement and malware command and control that indicate host machine compromise). Anomalies such as these went undetected at OPM, leading to the biggest government data breach in history.

Insider Threat Detection – No matter whether the threat is from an internal or external source, TTP detectors, such as data staging and exfiltration detection, can detect anything suspicious on the inside.

From here, your incident response and investigation processes and workflows kick in. Alert triage tools provide analysts with all the information they need to determine the scope of an alert, including risk scores and related anomaly detection, while Sqrrl’s Behavior Graph and risk scoring empower analysts to investigate the full context of an alert or IOC quickly and effectively.
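As an added illustration of the baseline-and-risk-score approach described in the Malware Detection and Data Breach Detection use cases above (this is example code written for this post, not Sqrrl’s own analytics; the flow records, hosts, destinations and score weights are constructed), the following Python sketch baselines each host’s daily outbound volume, flags a day whose total is a statistical outlier, adds a simple data-staging/exfiltration indicator (a destination the host has never contacted before), and combines both into a triage risk score:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily outbound flow summaries: (day, host, dst_ip, bytes_out).
# Seven days of history per host serve as the behavioral baseline.
BASELINE = [
    (d, "ws-01", "52.0.0.10", 40_000_000 + d * 1_000_000) for d in range(1, 8)
] + [
    (d, "ws-02", "52.0.0.10", 35_000_000 + (d % 3) * 2_000_000) for d in range(1, 8)
]
# Day 8: ws-01 behaves normally; ws-02 pushes ~900 MB to a never-seen address.
TODAY = [
    (8, "ws-01", "52.0.0.10", 44_000_000),
    (8, "ws-02", "52.0.0.10", 36_000_000),
    (8, "ws-02", "203.0.113.77", 900_000_000),
]

def daily_totals(records):
    """host -> {day: total bytes out}"""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in records:
        totals[host][day] += nbytes
    return totals

def known_destinations(records):
    """host -> set of destination IPs seen in the records"""
    seen = defaultdict(set)
    for _day, host, dst, _nbytes in records:
        seen[host].add(dst)
    return seen

def score_hosts(baseline, today, z_threshold=3.0):
    """Return host -> (risk 0..100, list of human-readable reasons)."""
    hist, seen = daily_totals(baseline), known_destinations(baseline)
    cur, cur_dst = daily_totals(today), known_destinations(today)
    results = {}
    for host, days in cur.items():
        risk, reasons = 0, []
        total = sum(days.values())
        history = list(hist.get(host, {}).values())
        if len(history) >= 2:  # volume anomaly: z-score against the host's own history
            mu, sigma = mean(history), max(pstdev(history), 1.0)  # avoid /0 on a flat baseline
            z = (total - mu) / sigma
            if z > z_threshold:
                risk += 60
                reasons.append(f"outbound volume z-score {z:.1f}")
        new_dsts = cur_dst[host] - seen.get(host, set())  # staging/exfil indicator
        if new_dsts:
            risk += 30
            reasons.append("new external destination(s): " + ", ".join(sorted(new_dsts)))
        results[host] = (min(risk, 100), reasons)
    return results
```

Running `score_hosts(BASELINE, TODAY)` leaves ws-01 at risk 0 and gives ws-02 a risk of 90 with both reasons attached, which is the kind of ranked, context-bearing output an analyst would triage first.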

These are just some of the use cases that threat hunting brings to an organization. Check them all out here.