Cyber Threat Hunting
For more technical information on threat hunting, see Sqrrl’s Threat Hunting Reference Guide.
Today’s threats demand a more active role in detecting and responding to sophisticated attacks. Traditional security measures like firewalls, IDS, endpoint protection, and SIEMs are only part of the network security puzzle. Cyber Threat Hunting refers to proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools. It includes using both manual and machine-assisted techniques, and aims to find the Tactics, Techniques and Procedures (TTPs) of advanced adversaries.
Hunting goes beyond rule- or signature-based detection and instead uses a hypothesis-driven approach that is often supported by behavioral analytics. From large corporations to SMBs, there are many levels of hunting maturity, but many organizations are already hunting for threats whether they realize it or not: alert assessments, query-based log analysis, and incident investigations all use basic hunting techniques. Finding advanced threats, however, requires moving beyond these simple techniques and demands more sophisticated and powerful hunting approaches.
Hunting is an iterative process that should be carried out in a loop to continuously look for adversaries hidden in vast datasets. Hunting begins with a hypothesis (aka “trailhead”). Sqrrl’s Threat Hunting framework defines three types of hypotheses:
- Intelligence-Driven: Created from threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans
- Situational-Awareness Driven: Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends
- Analytics-Driven: Machine-learning and User and Entity Behavior Analytics, used to develop aggregated risk scores that can also serve as hunting hypotheses
The outcomes of hunting trips, including newly discovered IoCs and TTPs, should be stored and used to enrich automated detection systems and analytics, as well as to form the foundation of future hunts.
Hunting with Linked Data
You need data to hunt, and the more data you have, the more detailed and thorough your hunting trips can be. An enterprise will want to store as much data as possible, such as flow data and proxy logs, host authentication attempts, and even non-security focused information. Making sense of Big Data is no easy task, however, so advanced analytic techniques are critical. Sqrrl can ingest huge quantities of disparate datasets and visualize that data dynamically through a powerful technique called Linked Data Analysis. The Linked Data Analysis capability at its heart makes exploring the data contextual and intuitive.
Hunting consists of spending a lot of time searching for something that is elusive by nature. To locate entrenched threats, your hunt needs to be dynamic and adaptable. You need to be able to easily pivot from one dataset to another in order to evaluate the full context of the attacker’s digital footprints. From their starting point, hunts can follow different paths depending on the questions that the hunter asks at each step.
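The hunting loop described above, from a trailhead through pivots across datasets to outcomes that feed back into automated detection, as an added example that is not Sqrrl's code and no part of Sqrrl Enterprise: a minimal Python hunt over constructed proxy, authentication and flow records. The hypothesis is intelligence-driven (an external IP reported as malicious), the hunter pivots from proxy logs to the host that contacted it, from the host to the users who logged on from it, and from the user to the hosts that user reached, then corroborates with flow data. The IP, host and user names, the log fields, and the threshold of three distinct hosts within five minutes are all assumptions chosen for the illustration.

```python
"""Hypothesis-driven hunt over linked data (added illustrative example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for the illustration (not real logs).
PROXY_LOGS = [
    {"ts": "2018-03-01T09:02:11", "host": "ws-017", "dst_ip": "203.0.113.45"},
    {"ts": "2018-03-01T09:05:40", "host": "ws-022", "dst_ip": "198.51.100.7"},
]
AUTH_LOGS = [
    {"ts": "2018-03-01T09:10:03", "user": "jdoe", "src": "ws-017", "dst": "fs-01", "result": "success"},
    {"ts": "2018-03-01T09:10:09", "user": "jdoe", "src": "ws-017", "dst": "fs-02", "result": "success"},
    {"ts": "2018-03-01T09:10:15", "user": "jdoe", "src": "ws-017", "dst": "db-01", "result": "failure"},
    {"ts": "2018-03-01T09:10:21", "user": "jdoe", "src": "ws-017", "dst": "dc-01", "result": "success"},
    {"ts": "2018-03-01T11:30:00", "user": "asmith", "src": "ws-022", "dst": "fs-01", "result": "success"},
]
FLOW_LOGS = [
    {"ts": "2018-03-01T09:10:04", "src": "ws-017", "dst": "fs-01", "dport": 445, "bytes": 81234},
    {"ts": "2018-03-01T09:10:22", "src": "ws-017", "dst": "dc-01", "dport": 445, "bytes": 4096},
    {"ts": "2018-03-01T11:30:01", "src": "ws-022", "dst": "fs-01", "dport": 445, "bytes": 2048},
]


def build_graph(proxy, auth, flows):
    """Link entities (hosts, users, IPs) with typed edges so a hunter can pivot
    between datasets without re-querying each one by hand."""
    g = defaultdict(set)
    for r in proxy:
        g[("host", r["host"])].add(("contacted", ("ip", r["dst_ip"])))
        g[("ip", r["dst_ip"])].add(("contacted_by", ("host", r["host"])))
    for r in auth:
        if r["result"] != "success":  # failed logons are kept in AUTH_LOGS but not linked
            continue
        g[("host", r["src"])].add(("logon_by", ("user", r["user"])))
        g[("user", r["user"])].add(("logged_on_to", ("host", r["dst"])))
    for r in flows:
        g[("host", r["src"])].add(("connected", ("host", r["dst"])))
    return g


def pivot(g, entity, relation):
    """Follow one edge type from an entity; returns sorted neighbour entities."""
    return sorted(e for rel, e in g.get(entity, ()) if rel == relation)


def lateral_movement(auth, user, src, window=timedelta(minutes=5), min_hosts=3):
    """Return the distinct hosts a user successfully reached from one source host
    inside a short window (assumed threshold), a common lateral-movement TTP;
    empty list if the pattern is not present."""
    events = sorted(
        (datetime.fromisoformat(r["ts"]), r["dst"])
        for r in auth
        if r["user"] == user and r["src"] == src and r["result"] == "success"
    )
    for i, (t0, _) in enumerate(events):
        hosts = {d for t, d in events[i:] if t - t0 <= window}
        if len(hosts) >= min_hosts:
            return sorted(hosts)
    return []


def run_hunt(ioc_ip, proxy=PROXY_LOGS, auth=AUTH_LOGS, flows=FLOW_LOGS):
    """One hunting trip: trailhead -> host -> user -> targets -> corroboration.
    The returned 'new_iocs' are what you would feed back into automated detection."""
    g = build_graph(proxy, auth, flows)
    findings = {"ioc": ioc_ip, "hosts": [], "users": [], "targets": [], "smb_flows": 0}
    # Step 1 (trailhead): which internal hosts contacted the intel-reported IP?
    for host in pivot(g, ("ip", ioc_ip), "contacted_by"):
        findings["hosts"].append(host[1])
        # Step 2: pivot from the host to users with successful logons from it.
        for user in pivot(g, host, "logon_by"):
            targets = lateral_movement(auth, user[1], host[1])
            if not targets:
                continue
            findings["users"].append(user[1])
            findings["targets"].extend(targets)
            # Step 3: corroborate with flow data (SMB from the host to those targets).
            findings["smb_flows"] += sum(
                1 for f in flows
                if f["src"] == host[1] and f["dport"] == 445 and f["dst"] in targets
            )
    findings["new_iocs"] = ([("host", h) for h in findings["hosts"]]
                            + [("user", u) for u in findings["users"]])
    return findings


if __name__ == "__main__":
    print(run_hunt("203.0.113.45"))
```

Each step is a question the hunter asks of the data, and the answer decides the next pivot: a host that contacted the IoC but whose users show no fan-out of logons ends the trail (try `run_hunt("198.51.100.7")`), while a host whose user reached several servers within minutes becomes a finding, and the host and user names in `new_iocs` are the outcome to push into detection and to seed the next hunt.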
An analyst hunts through a case of Lateral Movement found by Sqrrl’s TTP detectors
The Sqrrl Advantage:
Sqrrl Enterprise is built to streamline the hunting experience as a powerful Threat Hunting Platform. Security analysts may have the domain knowledge to hunt, but not the advanced data science skill sets to directly manipulate and filter Big Data. As such, automated algorithms and prioritization are needed to make sense of the power that Big Data affords. As an optimal hunting platform, Sqrrl Enterprise enables a hunter to filter and prioritize Big Data while iteratively asking the data questions and exploring the relationships in it. Sqrrl provides the scalability, visualization, and analytics that help analysts track down advanced threats via more advanced hunting techniques, turning data gatherers into data hunters. Download our eBook on Threat Hunting below to learn the fundamentals of hunting that all security executives and professionals should know:
To learn more about threat hunting, also check out Sqrrl’s other resources, including our: