Cyber Threat Hunting

For more technical information on threat hunting, see Sqrrl’s Threat Hunting Reference Guide.

Today’s threats demand a more active role in detecting and responding to sophisticated attacks. Traditional security measures like firewalls, IDS, endpoint protection, and SIEMs are only part of the network security puzzle. Cyber Threat Hunting refers to proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools. It includes using both manual and machine-assisted techniques, and aims to find the Tactics, Techniques and Procedures (TTPs) of advanced adversaries.

Hunting goes beyond rule- or signature-based detection and instead uses a hypothesis-driven approach that is often supported by behavioral analytics. From large corporations to SMBs, there are many levels of hunting maturity, but many organizations are already hunting for threats whether they realize it or not: alert triage, query-based log analysis, and incident investigations all use basic hunting techniques. Finding advanced threats, however, requires moving beyond these simple techniques to more sophisticated and powerful hunting approaches.

Hunting is an iterative process that should be carried out in a loop to continuously look for adversaries hidden in vast datasets. Hunting begins with a hypothesis and should be carried out based on questions that the analyst wants to answer. Sqrrl’s Threat Hunting framework defines three types of hypotheses:

  • Intelligence-Driven: Created from threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans
  • Situational-Awareness Driven: Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends
  • Analytics-Driven: Machine-learning and User and Entity Behavior Analytics, used to develop aggregated risk scores that can also serve as hunting hypotheses

The outcomes of hunting trips, including newly discovered IoCs and TTPs, should be stored and used to enrich automated detection systems and analytics. Strengthening your automated detection systems is the ultimate goal of hunting.

The Linked Data Advantage

You need data to hunt, and the more data you have, the more detailed and thorough your hunting missions can be. An enterprise will want to retain as much data as possible, but variety matters as well: flow, proxy, authentication, and DNS records each answer different questions about an intrusion. Making sense of Big Data is no easy task, however, so an analyst should be able to leverage various kinds of automated analytics to parse through it. Sqrrl can ingest huge quantities of disparate datasets, fuse them together into a unified model, and visualize that data dynamically through a technique called Linked Data Analysis. These linked models make exploring data contextual and intuitive.

Hunting consists of spending a lot of time searching for something that is elusive by nature. To locate entrenched threats, your hunt needs to be dynamic and adaptable. You need to be able to easily pivot from one dataset to another in order to evaluate the full context of the attacker’s digital footprints. From their starting point, hunts can follow different paths depending on the questions that the hunter asks at each step.
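The hypothesis-driven loop described above and the cross-dataset pivoting described in this section can be made concrete with a small worked example. The Python below is an added illustration, not Sqrrl's code: it fuses constructed DNS, proxy, authentication and flow records into one linked-data graph, starts an intelligence-driven hunt from a known-bad domain (a hypothetical one, `update-cdn.example-bad.net`), pivots domain -> host -> user -> lateral logons, and emits the resulting IoCs and TTP as enrichment for automated detection. Hostnames, usernames and the domain are all constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample telemetry (hypothetical hostnames, users and domains).
DNS = [  # (host, queried_domain)
    ("ws-017", "update-cdn.example-bad.net"),
    ("ws-017", "www.example.com"),
    ("ws-042", "www.example.com"),
]
PROXY = [  # (host, user, destination_domain, bytes_out)
    ("ws-017", "jdoe", "update-cdn.example-bad.net", 512000),
    ("ws-042", "asmith", "www.example.com", 2048),
]
AUTH = [  # (src_host, dst_host, user) network logons
    ("ws-017", "fs-01", "jdoe"),
    ("fs-01", "dc-01", "svc_backup"),
    ("ws-042", "fs-01", "asmith"),
]
FLOW = [  # (src_host, dst_host, dst_port)
    ("ws-017", "fs-01", 445),
    ("fs-01", "dc-01", 445),
    ("ws-042", "fs-01", 445),
]


def build_graph():
    """Fuse the four datasets into one directed graph. Nodes are (type, value)
    tuples; each edge carries a label naming the dataset (and detail) that
    supports it, so every pivot is traceable back to evidence."""
    g = defaultdict(set)

    def link(src, dst, label):
        g[src].add((dst, label))

    for host, domain in DNS:
        link(("host", host), ("domain", domain), "dns")
        link(("domain", domain), ("host", host), "dns")
    for host, user, domain, _ in PROXY:
        link(("host", host), ("domain", domain), "proxy")
        link(("domain", domain), ("host", host), "proxy")
        link(("host", host), ("user", user), "proxy")
    for src, dst, user in AUTH:
        link(("host", src), ("host", dst), f"auth:{user}")
    for src, dst, port in FLOW:
        link(("host", src), ("host", dst), f"flow:{port}")
    return g


def pivot(g, node, kind, label_prefix=""):
    """Neighbours of `node` of the given kind, reached over edges whose label
    starts with label_prefix (empty prefix = any dataset)."""
    return {n for n, lbl in g.get(node, ()) if n[0] == kind and lbl.startswith(label_prefix)}


def lateral_hops(g, start):
    """Follow authentication edges outward from `start` (breadth-first),
    keeping only hops that a flow record to the same host corroborates.
    Each hop is (src, dst, user, port)."""
    hops, seen, queue = [], {start}, deque([start])
    while queue:
        src = queue.popleft()
        edges = g.get(src, ())
        flows = {(dst, int(lbl.split(":")[1])) for dst, lbl in edges if lbl.startswith("flow:")}
        for dst, lbl in sorted(edges):
            if not lbl.startswith("auth:"):
                continue
            for fdst, port in sorted(flows):
                if fdst == dst:
                    hops.append((src[1], dst[1], lbl.split(":", 1)[1], port))
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return hops


def hunt(g, bad_domain):
    """Intelligence-driven hunt. Hypothesis: a host contacted `bad_domain`
    from a threat report; if so, who was logged on and where did they go next?
    Returns the findings plus the enrichment to feed back into detection."""
    ioc = ("domain", bad_domain)
    beachheads = sorted(pivot(g, ioc, "host"))  # DNS or proxy evidence
    users = sorted({u for h in beachheads for u in pivot(g, h, "user", "proxy")})
    hops = [hop for h in beachheads for hop in lateral_hops(g, h)]
    compromised = sorted({h[1] for h in beachheads} | {hop[1] for hop in hops})
    return {
        "beachheads": [h[1] for h in beachheads],
        "users": [u[1] for u in users],
        "lateral": hops,
        "enrichment": {
            "watchlist_domains": [bad_domain],
            "watchlist_hosts": compromised,
            "ttp": sorted({f"network logon + flow to tcp/{p}" for *_, p in hops}),
        },
    }


if __name__ == "__main__":
    print(hunt(build_graph(), "update-cdn.example-bad.net"))
```

The hunt only walks forward from the beachhead, so `ws-042`'s routine logon to `fs-01` is not pulled into the chain, while the onward `fs-01 -> dc-01` hop by `svc_backup` is surfaced even though it may turn out to be legitimate: the analyst still has to confirm each hop. The `enrichment` dictionary is the loop closing: the watchlisted domain and hosts become IoCs, and the observed pattern (a watchlisted host making a network logon corroborated by an SMB flow) becomes a candidate for an automated detection.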

Figure: Lateral Movement. An analyst hunts through a case of lateral movement found by one of Sqrrl's TTP detectors.

Hunting with Sqrrl

Sqrrl Enterprise is built to streamline the hunting experience as a Threat Hunting Platform. Security analysts may have the domain knowledge to hunt, but not the data science skills needed to directly manipulate and filter Big Data. Automated algorithms and prioritization are therefore needed to make sense of what big data affords. Sqrrl Enterprise enables a hunter to filter and prioritize Big Data while iteratively asking the data questions and exploring the relationships in it. Sqrrl provides the scalability, visualization, and analytics that help analysts track down advanced threats with more advanced hunting techniques, turning data gatherers into data hunters. Download our eBook on Threat Hunting to learn the fundamentals of hunting that all security executives and professionals should know:


To learn more about threat hunting, also check out Sqrrl’s other resources, including our: