In Part 1 of this two-part series, Cysiv senior threat hunter Corey Milligan introduced you to the art and science of threat hunting. In Part 2, he reveals the specifics of a successful threat hunt, how the Cysiv platform supports threat hunting, and where threat hunting is going in the future.
Q: What are the key elements of a successful threat hunt?
Corey Milligan: For me, every threat hunt is successful because you always learn something new about the environment you are hunting in. Having said that, for a formal, scoped threat hunt, there are elements that you need for it to be successful. You need specific objectives, access to the required data sources, collection and analysis tools, and organizational and threat intelligence. Access to data sources and having appropriate collection and analysis capabilities are more dependencies than keys really. You can’t perform a threat hunt without them. Objectives and intelligence, on the other hand, aren’t strictly required to perform a threat hunt, but they do play an important role in scoping a threat hunt to make it more effective and efficient.
Q: What's an example of a successful threat hunt that you've recently participated in?
Milligan: A couple of years ago, Drupal, a popular open-source content management system for building websites, reported a new high-severity vulnerability that was eventually dubbed Drupalgeddon 2. It was a remote code exploitation vulnerability where an attacker could target a Drupal website, inject code, and then do basically whatever they wanted to the website.
When the vulnerability was announced, the company I was with at that time identified it and began researching it to see how it could potentially be exploited. From that research, I was able to identify specific artifacts that would indicate if a web server was vulnerable and if someone was attempting to exploit it. Armed with that intel and knowledge of our customer’s environments, I performed a threat hunt and was able to confirm that attempts to scan for and, in some cases, exploit the vulnerability were already taking place. With that validation of the threat, we were able to develop a signature and begin protecting our customers weeks before security vendors delivered a signature.
I was also able to identify some malware files that threat actors were attempting to deliver through this vulnerability. We provided these files to our antivirus vendor and were able to get ahead of those campaigns as well. This wasn’t one of my original objectives, but it further illustrates the value that is gained from threat hunting.
Q: How is threat hunting integrated into Cysiv SOC-as-a-Service?
Milligan: Threat hunting is integrated in and supports our SOC-as-a-Service (SOCaaS) offering in multiple ways. The most direct way is as part of our threat detection process. Our SOC analysts are constantly looking at our customers’ logs. When they aren’t investigating a detection generated by our next-gen SIEM platform or collaborating with our customers, they are proactively searching for undetected threats in customer logs. The results of these ad hoc hunts not only provide a measure of proactive protection to our customers, but they also provide valuable feedback to further improve our platform. We also use threat hunting knowledge to analyze new data sources for filter and rule development. Beyond that, we apply threat hunting knowledge to almost every stage of a customer’s onboarding to ensure that, when we reach steady-state operations, the foundational data and knowledge have been collected to enable a threat detection and threat hunting service that will best serve that customer’s expectations.
Q: What role do customers have as active participants in the threat hunting process?
Milligan: Customer buy-in, organizational intel, and timely feedback are absolutely critical to effective threat hunting. Customer buy-in streamlines the processes of getting access to the right data sources and deploying tools to enable collection and analysis. Organizational intelligence provided by the customer helps to identify critical assets, high-priority threats, and the documentation that should establish what is normal for their environment. These pieces of intelligence form a foundation that makes threat hunting effective for that customer. Once threat hunting operations are underway, timely feedback for escalated events further increases the effectiveness of the threat hunting service, enabling the whitelisting of normal or accepted events and allowing the anomalous and malicious events to stand out.
Q: How do you see threat hunting evolving in the next year or two?
Milligan: As a community, threat hunting is always evolving to keep up with new adversary techniques and campaigns. Over the next year or two, I expect that to continue, especially in the form of new cloud-based analytical capabilities that allow threat hunters to effectively process larger volumes and varieties of data. In addition to that, and similar to the growth in the SOC-as-a-Service market, I see threat hunting being increasingly offered as a stand-alone service, as well as being integrated with red team and penetration testing services.
You can see it starting to happen now with events like Black Hat and DEFCON, which have been classically hacker-focused or red team-focused. Now, these events are bringing in more blue team and purple team (red+blue team) elements and having competitions not only to see who's going to be the best at breaking into this piece of software or system, but who's going to be the best at defending it. That's one trend that I see in the community. Even on the offensive side, they're getting more into trying to collaborate and to help out the defensive side, and threat hunters are a big part of that.
Q: You mentioned community twice. Do threat hunters share and if so, how?
Milligan: There is a community of threat hunters. Like other security and developer communities, threat hunters leverage all the tools and venues that you would think of for sharing and collaboration, like GitHub, Slack, Discord, and conferences. Anyone looking to connect with the threat hunting community can do so via SANS, Black Hills Information Security, or SpecterOps.
Q: What final thoughts or advice do you have for an organization thinking about threat hunting?
Milligan: Threat hunting plays an essential role in protecting your organization once you’ve addressed security best practices such as the CIS Top 20. With that in mind, make sure you’ve got someone with the right skills and experience to do a decent job. Remember, there’s art to this science, and a more experienced threat hunter will find things that a less experienced analyst or hunter might miss, as well as help better defend your organization. Also, be very clear about your objectives and expectations for a threat hunting program, and make sure you’re equipped with access to the required data sources, collection and analysis tools, and organizational and threat intelligence. Good hunting!