Threat hunting is an important part of any cybersecurity strategy that should never be overlooked, but rather matured. Developing multiple data sets for threat hunting engagements can further mature the program, which will aid in the discovery of the unknown.
Threat hunting driven by results is quickly becoming a necessity- creating a threat hunting program from the ground up can seem overwhelming at first, especially if an organization’s resources are restricted. To be effective, IT security leaders do not need to use top-tier products. Even on a limited budget, cash-strapped security experts can establish their own threat hunting program using SIEM, logs, and analytics.
Security leaders must have access to some form of log or set of logs to hunt through in addition to having the requisite expertise. Each log source will have a set of behaviors or event types that they should pay attention to.
CISOs should have a central repository for logs that are fed into a Security Information and Event Management (SIEM) or database. They could query each endpoint’s event logs individually, but it would take forever. If security teams have access to security event logs from every device in the environment, they can create a list of event IDs to search for that could signal malicious behavior.
Setting a strategy before diving in will prevent security professionals from browsing through millions of events that may or may not lead to anything. Filtering and sorting will aid in the detection of anomalous events. However, the presence of a specific event ID does not automatically imply that a device is infected. Additional forensics and pivoting around such data may be required to determine the root cause.
It’s worth considering filtering this data from view while hunting as security experts establish a baseline of consistent, normal patterns of end-user activity. This will help focus on the anomalies that occur on their network by removing distractions.
These preliminary measures will assist them in getting their programme off the ground, but it is only the beginning. The purpose of any threat hunting program should be to develop it further and appropriately staff it.
As the program matures, CISOs should examine which tools will provide the best results. Security event logs can only help accomplish so much. The threat hunting engagements can be taken to the next level by collecting registry activity, process execution events, network connections, file movement, and so forth. Using an endpoint detection and response (EDR) tool can provide a wealth of information worth investigating. There are numerous security solutions available today, as well as a number of freeware utilities that will provide the required visibility.
It’s time to think about establishing alarms or detection signatures now that security teams have this information. These will enable firms to respond quickly to high-severity threat activity, allowing for the development of lower-severity events for threat hunting purposes. Lower severity events may result in a large number of false positives, but each of those detections can be fine-tuned.
It’s critical for security leaders to connect these detections with an attack matrix like the MITRE ATT&CK methodology as they develop them. This open-source framework comprises a knowledge base of opponent methods that have been seen in the wild. It is not necessary to establish detection for each and every technique available, but it is critical to do so over time.
It can be beneficial to concentrate initial detection efforts on areas that are likely to result in a high-severity event. Developing detections for Abuse Elevation Control Mechanism, OS Credential Dumping, Remote Service Exploitation, and Masquerading, among other things, will generate events for level 1 analysts to respond to. Creating signatures for the threat hunting team to pivot off of, such as Scheduled Task Jobs, Account Creation, Lateral Movement, Account Discovery, and so on, can be utilized to look for adversary activity.
These detections can be created locally by a tool or server-side within the SIEM. Developing multiple data sets for threat hunting engagements, in either case, will only help the program mature and expose the unknown.
For more such updates follow us on Google News ITsecuritywire News.