When it comes to cybersecurity, too many enterprises remain on a reactive footing. This ends up being a drag on their efforts because, rather than getting ahead of the threats that target their systems, they spend too much of their time reacting to security alerts and incidents within their environments.
While being able to react to attacks quickly is important for any security team, it’s also important to get out in front of potential risks to identify threats lurking within your systems before they become active.
In this post, we’ll explain how threat hunting within one’s environment can help to break that reactive cycle and improve the effectiveness of any security program.
Threat hunting defined
Before going forward, let’s first take a step back and define what we mean by threat hunting. Essentially, threat hunting is the proactive search for evidence of undetected malicious activity or compromise. These threats can include anything from remote-access tools beaconing to an attacker’s command and control server to malicious actions of an employee or other trusted insider.
Threat hunting is essential for effective security for many reasons. First, defensive security technologies such as intrusion detection/prevention systems and anti-malware software will never successfully identify and block all malware or attacks. Some things are just going to get through. Second, by finding malware and threats that made it past your defenses, you’ll be able to more effectively secure your systems and make your environment much harder for attackers to exploit. Finally, getting adept at finding threats in your environment will improve your organization’s overall ability to respond to threats and, as a result, over time dramatically improve your security posture.
Because threat hunting entails looking for things that have yet to trigger alerts — if they ever would trigger alerts, to begin with — it is important to look deeper for evidence of compromise. Fortunately, you don’t need a large security organization or any special security tools to start to proactively threat hunt; any security team can start threat hunting, and often using the tools they already have.
For instance, many of the data sources used in threat hunting will be found in firewall, proxy and endpoint logs. While these sources of data probably aren’t alerting on anything malicious, they still hold a considerable amount of security data that can point to potential indicators that an environment has been breached under their radar.
Other readily available tools are helpful for threat analysis, such as Bro (https://www.bro.org/), RITA (https://github.com/activecm/rita), or OSQuery (https://osquery.io/). These tools will help provide additional visibility into network and endpoint data that could provide insights into potential compromise. With these tools, teams can monitor internal network activity, such as virus outbreaks and lateral movements of data. Monitoring East-West network traffic in addition to what is moving through the firewall provides critical insights to the overall health of your network.
The investigation capabilities of Code42 Next-Gen Data Loss Protection (DLP) can be extremely helpful for threat hunting, for determining how widespread a file is distributed in the environment, and to give information about file lifecycle, all of which provide context around whether a file is business-related or suspicious. For example, with Code42 Next-Gen DLP, you can search by MD5 hash or SHA-256 to find all instances of a sensitive file in your organization, or determine if known malware has been detected in your organization.
New tools and new ways of thinking may seem overwhelming at first. However, threat hunting doesn’t have to be all-consuming. You can start with committing a modest amount of time to the hunt, and incrementally build your threat hunting capability over weeks and months to find malicious files and unusual activity. Also, as a direct benefit to your security program you will be able to eliminate noise in your environment, better tune your security tools, find areas of vulnerability and harden those areas, and enhance your security posture at your own pace.
Now, get hunting.
Webinar: Policy-Free DLP