Skip to main content

Hunting for threats on a budget

HP Wolf Security
(Image credit: HP)

Threat hunting programs are now a must-have for any organization concerned by advanced cyberattacks that constantly grow more sophisticated, targeted and difficult to detect. Discovering and containing such attacks can take weeks, months - even years to - by which time the damage is already done. 

Establishing a threat hunting program may initially seem like a huge and extremely costly task - but it doesn’t have to be. Indeed, security professionals can undertake several paths to start their very own threat hunting program, and can do so even on a very limited budget. How? They can start by using logs, Security Information and Event Management (SIEM) and analytics. Let’s take a look at what you should consider when starting your own threat hunting program.

Building your program

Any viable threat hunting program contains three key components: visibility, analysis and conducting research.

Visibility: you need access to some type of log or set of logs to hunt through. Each log source brings with it a set of behaviors or event types that you will want to focus on. 

Analysis: you need a centralized repository of logs that get fed into a Security Information and Event Management (SIEM) system or some type of database. You can query each endpoint’s event logs individually, but that would be highly inefficient. Instead, have a central lake of information to work with - that avoids spreading your effort across a number of scattered puddles.

If you’re intimidated by the potential expense of a SIEM, there are options. When I first launched my own threat hunting program years ago at a previous company, we didn’t have a SIEM, so I used a spare Linux server with some storage to aggregate the data.

For organizations on a budget, there are myriad great open-source tools available for log capture and analysis, host and memory forensics, reverse engineering malware, etc. You can set up an alternative and cost-effective SIEM alternative using an “ELK” (Elastic Search, Logstash and Kibana) stack, all wrapped into one. 

Conducting research: If you have access to security event logs from all devices in your environment, you have the foundation you need to conduct adequate threat hunting research. First you’ll want to construct a list of event IDs to look for; each of these may indicate malicious activity. 

Before you get underway, be sure to establish a plan of action. This will help you avoid wasting time scrolling through millions of events that may lead nowhere. Filtering and sorting are invaluable aids in helping to identify anomalous events. Remember: The existence of a particular event ID doesn’t always mean there's a threat lurking on a device. So determining the root cause may require additional forensics and pivoting around that data. 

Once you have established a baseline of normal, consistent patterns of end-user activity, you should filter this data from view when threat hunting so you can focus on anomalies occurring on your network.

Tools that provide the best ROI

With your threat hunting program up and running, you will want to develop it to become part of the normal rhythm of your working week - not just something you do when you have the time. 

As the program matures, start researching the types of tools that can provide the most return for your organization. Security event logs are effective, but truly up-leveling your threat hunting requires you to collect inputs such as process execution events, registry activity, file movement, and network connections. Incorporating an endpoint detection and response (EDR) tool can provide you with a treasure trove of data worth exploring. You have a wide number of security solutions to choose from, along with a range of freeware utilities that provide the necessary visibility, such as Microsoft’s Sysmon.

Once you have expanded your data sources, start building alarms or detection signatures. This will help you respond immediately to high severity threat activity, as well as to generate lower severity events for threat hunting purposes. Lower severity events may generate a number of false positives, but each of those detections can be tuned to make them more effective. 

As you develop these detections, you need to align them with an attack matrix such as the publicly available MITRE ATT&CK framework, which contains a knowledge base of adversary tactics and techniques observed out in the real world. The matrix is divided into 14 areas including Reconnaissance, Execution, Credential Access and Exfiltration, which are further broken down into sub-techniques you can focus on. You don’t need to create a detection for every available technique, but it’s important to build them out over time. 

It is probably most effective to focus your initial detection on areas that generate a high severity event. Developing detections for OS Credential Dumping, Abuse Elevation Control Mechanism, Masquerading, Exploitation of Remote Services, etc. will lead to events that require response from level 1 analysts. After that, you can develop signatures for the threat hunting team to work from such as Creation of Accounts, Scheduled Task Jobs, Account Discovery, Lateral Movement, etc., which can all be used to seek out nefarious activity. 

These detections can be developed server-side within your SIEM, or locally using a tool such as Sysmon. By developing various data sets for threat hunting engagements, you can enhance your program and help uncover the unknown. 

Getting a better view

Frequency analysis provides another solid threat hunting technique to consider when searching through command line activity or network connections. You can make it even more effective by pairing it with additional meta-data attributes. If you’re looking at outbound connections by process, for example, name and pair it with an executable’s current signature status, such as unsigned. You can quickly develop a listing of infrequent connections being made by potentially suspicious processes. 

Tools like Sysmon may only give you a view into what’s occurring across the environment in the present. Why might a historical view prove useful? Because the past can be just as critical as the present when attempting to uncover attack activity. Once you are confident in detections for your endpoint logs, you should consider more proactive techniques to collect existing data from each device in your enterprise, such as specific registry keys. 

Analyze targeted scans with utilities such as YARA, an open-source, multi-platform tool that can be downloaded for free on GitHub. This will provide the historical view to deliver insight into attacks that have occurred already and may have been missed. YARA is used by malware hunters, incident responders, etc., to detect malware that’s based on certain characteristics or rules.

In conclusion, threat hunting is a critical component of your cybersecurity program. The more threats you can identify, the more opportunity you may have to expand the program with an additional budget. The good news is that you can make a quick and inexpensive start to a threat hunting program with open source, multi-platform tools and utilities, and provide a strong foundation to your cybersecurity defenses moving forward.

Tim Bandos, CISO and VP Managed Security Services, Digital Guardian