Threat Hunter Profile: Jordan Wigley
Organization: Fortune 50 Company
Datasets: Full packet capture, Proxy logs, DNS logs, Endpoint data
Preferred Hunting Techniques: Baselining, Outlier analysis, Behavioral analysis
Tools: NetWitness, Splunk, Wireshark
Who are you?
Hey everyone. My name is Jordan Wigley. For the past 2.5 years, I have been working at a Fortune 50 company where I serve as the team lead for the Threat Hunting and Incident Response team. Prior to this position, I spent over 12 years working in various Information Security roles at a large retailer. My experience mostly consists of threat hunting, incident response, network/endpoint forensics, and network security. Outside of work, I am the husband of an amazing woman, and we have four kids that keep life entertaining!
What is your experience with Threat Hunting and for how long?
I have been a full-time threat hunter for over 5 years. In the 9 years of my InfoSec career prior to being a hunter, I still found myself often using large datasets to find threats in the environment using many of the same techniques that I use in my current role.
Why do you hunt and/or how did you get started?
I have had the opportunity to serve in many different InfoSec roles over the years, and can definitively say that threat hunting is the most interesting and fun role that I’ve ever had. Each day often starts with a clean slate, and you never know what you are going to stumble upon while hunting. It literally never gets old or repetitive, and the challenge of finding malicious activity that other tools miss keeps the pressure on to come up with new and innovative techniques. When I first started hunting, I began by using various methods to analyze proxy log data to look for anomalous behavior. Proxy logs can be a treasure trove for threat hunting, and are a great place to begin for new hunters.
How would you define Threat Hunting?
I define threat hunting as the use of human-based analysis to detect anomalous activity and behaviors that would otherwise go undetected with traditional security tools. Threat hunting can include machine-based analysis, but ultimately requires human logic/analysis in order to be successful.
What hunting techniques, tools, and datasets do you use most frequently?
I absolutely love deep packet inspection (DPI) solutions for network-based threat hunting. NetWitness has been my preferred DPI tool over the years at companies that have it deployed, but other full packet solutions can be just as useful. These types of tools allow for metadata to be parsed/indexed from packets in near real-time, including the ability to write custom parsing logic for specific threat hunting ideas. Network sessions can be tagged using custom rules/logic based on the content and behaviors in those packets. Various combinations of those tags can be used to hunt for network sessions that exhibit suspicious behaviors. For events of interest you can typically download a PCAP file of the traffic and use Wireshark to dive deeper into what actually occurred.
In addition to packet data, I like to utilize Splunk for more advanced correlation and analysis of data sources such as proxy logs, DNS logs, email logs, etc. It’s also a good idea to ingest relevant endpoint data such as event logs, running processes, network connections, PowerShell commands, etc., as storage allows.
From an overall threat hunting approach, you need to have the goal of automating as much of the process as possible to reduce the need for repetitive tasks. You should have something similar to a development lifecycle that is specific to threat hunting. As hunting ideas prove successful, they should be turned into dashboards/reports/alerts/cases that junior level analysts/hunters can use as a starting point for their hunting efforts. This allows the junior hunters to gain experience, while freeing up the senior hunters to focus on more advanced/manual threat hunting activities.
When developing new hunting logic, it is best to start out with an open net and start baselining to understand what “normal” looks like for that particular dataset. You can then start peeling back the normal activity one layer at a time, to allow for anomalous behavior to stand out more easily to the human eye. During this process, you should make notes of what your mindset is when determining if something is “normal” or not. Oftentimes, this provides ideas for how some of the baselining can be partially automated and applied to data at a large scale.
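The workflow described in this answer (tag sessions with custom rules, baseline what “normal” looks like, peel the normal layer away, then combine tags to surface outliers) can be sketched in a few dozen lines against proxy logs. The following is an added example written for this profile; it is not Jordan’s code, nor NetWitness or Splunk logic. The log lines, the `KNOWN_GOOD_HOSTS` allow-list, the “three distinct clients” baseline threshold and the `10 × median` upload threshold are all constructed for illustration.

```python
"""Baselining, peel-back and tag-based outlier analysis over proxy logs.

Added example for this interview page; not the interviewee's code. Every
log line, host name, threshold and allow-list entry below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log: time client method host status bytes_out
PROXY_LOG = """\
2024-03-01T09:00:00 10.1.1.5 GET www.example.com 200 300
2024-03-01T09:00:05 10.1.1.6 GET www.example.com 200 280
2024-03-01T09:00:09 10.1.1.7 GET www.example.com 200 310
2024-03-01T09:01:00 10.1.1.5 GET update.example.org 200 120
2024-03-01T09:01:02 10.1.1.6 GET update.example.org 200 118
2024-03-01T09:01:03 10.1.1.7 GET update.example.org 200 121
2024-03-01T09:02:00 10.1.1.5 GET news.example.net 200 250
2024-03-01T09:03:00 10.1.1.6 GET cdn.example.com 200 200
2024-03-01T09:05:00 10.1.1.7 POST drop.example.xyz 200 48000
2024-03-01T09:10:00 10.1.1.7 POST drop.example.xyz 200 52000
2024-03-01T09:15:00 10.1.1.7 POST drop.example.xyz 200 47000
2024-03-01T09:20:00 10.1.1.7 POST drop.example.xyz 200 50000
"""

# Assumed allow-list of hosts the organisation already knows to be benign.
KNOWN_GOOD_HOSTS = {"update.example.org"}


def parse_proxy_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, status, bytes_out = line.split()
        events.append({"time": datetime.fromisoformat(ts), "client": client,
                       "method": method, "host": host, "status": int(status),
                       "bytes_out": int(bytes_out)})
    return events


def baseline_hosts(events, min_clients=3):
    """Baseline layer: hosts contacted by many distinct clients are 'normal'."""
    clients_per_host = defaultdict(set)
    for e in events:
        clients_per_host[e["host"]].add(e["client"])
    return {h for h, c in clients_per_host.items() if len(c) >= min_clients}


def peel_normal(events, normal_hosts):
    """Remove the baseline and allow-listed traffic so outliers stand out."""
    return [e for e in events
            if e["host"] not in normal_hosts and e["host"] not in KNOWN_GOOD_HOSTS]


def is_regular(evs, min_count=4, tolerance=0.1):
    """True when >= min_count requests are spaced at near-constant intervals."""
    times = sorted(e["time"] for e in evs)
    if len(times) < min_count:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return all(abs(g - mean) <= tolerance * mean for g in gaps)


def tag_sessions(events, normal_hosts):
    """Apply rule-based tags to each (client, host) pair, NetWitness-style."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e)
    med_out = median(e["bytes_out"] for e in events)
    tags = {}
    for (client, host), evs in by_pair.items():
        t = set()
        if host not in normal_hosts and host not in KNOWN_GOOD_HOSTS:
            t.add("rare_host")
        if any(e["bytes_out"] > 10 * med_out for e in evs):
            t.add("large_upload")
        if any(e["method"] == "POST" for e in evs):
            t.add("post")
        if is_regular(evs):
            t.add("regular_interval")
        tags[(client, host)] = t
    return tags


def hunt(text):
    """Combine tags into hunting hypotheses and return pairs worth review."""
    events = parse_proxy_log(text)
    normal = baseline_hosts(events)
    tags = tag_sessions(events, normal)
    suspicious = [{"rare_host", "regular_interval"}, {"rare_host", "large_upload"}]
    return sorted(pair for pair, t in tags.items()
                  if any(combo <= t for combo in suspicious))


if __name__ == "__main__":
    for client, host in hunt(PROXY_LOG):
        print(f"review: {client} -> {host}")
```

Each tag on its own is noisy (a single rare host or a single POST is everyday traffic); the value is in the combination, and in having peeled the high-volume baseline away first so the analyst looks at six events rather than twelve. Note the thresholds are where the analyst’s “mindset notes” from the answer end up: once you can write down why something looked normal, it becomes a rule like `min_clients` or `KNOWN_GOOD_HOSTS`.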
What value do you actively see come out of your hunting activities?
On an ideal day, you will not find any successful intrusions on your network or endpoints. However, there is still value that comes out of hunting activities. It is very common that the anomalous behaviors and events detected via threat hunting efforts will be related to some type of misconfiguration or other various hygiene issues. It is important to partner with the proper teams in your organization, to ensure there is someone ready to accept the information regarding those hygiene issues and remediate them as quickly as possible.
What types of friendly intelligence are most useful for a hunter to have in an investigation? (i.e. not just threat intel feeds, but institutional knowledge and information about your own network)
It is critical to have as many up-to-date data feeds as possible, to ensure smooth operations in a threat hunting program. This includes an accurate asset inventory, IPAM / network inventory, DHCP logs, VPN logs, vulnerability assessment data, critical asset lists, etc. You should also keep track of vulnerability scanners and red team infrastructure, to prevent hunters from over-reacting to suspicious activity originating from those devices. In regard to intelligence feeds, many subscription feeds can be too generic for use in a large organization. Therefore, it is important to have a threat intelligence team that maintains more specific intel data that is relevant to your company, industry, and assets.
What general advice do you have for new Threat Hunters?
Don’t get discouraged when you come up empty-handed. Most organizations have a ton of data, and it is easy to get overwhelmed. Many people equate threat hunting to finding a needle in a haystack. But oftentimes, it’s more like finding a specific needle in a stack of needles. Just dive in and start hunting. If you come up short, tomorrow is a new day!
Learn what “normal” looks like for your organization for a given dataset, and start to peel the “normal” data away from your view. Also, start your hunting efforts with a dataset that you are already somewhat familiar with. For example, if you’ve spent most of your career doing network security, you may find it easiest to start hunting with something like proxy logs or Netflow data. If, on the other hand, you’ve spent your career as a sys admin, you may find it easier to start hunting with Windows event logs or endpoint process tree data. Find your comfort zone and build up your skills from there.
What would you like to see Threat Hunting develop into across the industry in the future?
I want to see Threat Hunting become more of a partnership between red and blue teams (commonly referred to as purple teaming) throughout the InfoSec industry. One of the most beneficial aspects of a good threat hunting program is to partner closely with red teamers, to adequately test new hunting ideas/logic rather than waiting on a real-world threat to find out if the logic is sound or not. This approach has allowed me to quickly identify faulty hunting logic, as well as to fine-tune good logic to more efficiently detect anomalous activity on the network and endpoints. All too often, it seems that red and blue teamers are competing with each other and do not want to share their “trade secrets” with one another. However, that competitive approach to red/blue teaming is not in the best interests of a solid security program.