Cyber threat hunting
Cyber threat hunting is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions."[1] This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), and SIEM Systems, which typically involve an investigation after there has been a warning of a potential threat or an incident has occurred.
Methodologies
Threat hunting can be a manual process, in which a security analyst sifts through various data information using their own knowledge and familiarity with the network to create hypotheses about potential threats, such as, but not limited to, Lateral Movement by Threat Actors. To be even more effective and efficient, however, threat hunting can be partially automated, or machine-assisted, as well. In this case, the analyst utilizes software that leverages machine learning and user and entity behavior analytics (UEBA) to inform the analyst of potential risks. The analyst then investigates these potential risks, tracking suspicious behavior in the network. Thus hunting is an iterative process, meaning that it must be continuously carried out in a loop, beginning with a hypothesis. There are three types of hypotheses:
- Analytics-Driven: "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses"[2]
- Situational-Awareness Driven: "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends"[2]
- Intelligence-Driven: "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans"[2]
The analyst researches their hypothesis by going through vast amounts of data about the network. The results are then stored so that they can be used to improve the automated portion of the detection system and to serve as a foundation for future hypotheses.
The DML (Detection Maturity Level) model [3] expresses threat indicators can be detected at different semantic levels. High semantic indicators such as goal and strategy, or tactics, techniques and procedure (TTP) are more valuable to identify than low semantic indicators such as network artifacts and atomic indicators such as IP addresses. SIEM tools typically only provide indicators at relatively low semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels.[4]
Solution providers
Representative notable vendors of threat hunting software and services include:
- Carbon Black
- CrowdStrike
- Cybereason
- Sqrrl
- ExtraHop Networks
- Endgame, Inc.
- Haystax Technology
The SANS Institute has conducted research and surveys on the effectiveness of threat hunting to track and disrupt cyber adversaries as early in their process as possible. According to a survey released in 2016, "adopters of this model reported positive results, with 74 percent citing reduced attack surfaces, 59 percent experiencing faster speed and accuracy of responses, and 52 percent finding previously undetected threats in their networks."[5]
See also
References
- ↑ "Cyber threat hunting: How this vulnerability detection strategy gives analysts an edge - TechRepublic". TechRepublic. Retrieved 2016-06-07.
- 1 2 3 "Cyber Threat Hunting - Sqrrl". Sqrrl. Retrieved 2016-06-07.
- ↑ Stillions, Ryan (2014). "The DML Model". Ryan Stillions security blog. Ryan Stillions.
- ↑ Bromander, Siri (2016). "Semantic Cyberthreat Modelling" (PDF). Semantic Technology for Intelligence, Defense and Security (STIDS 2016).
- ↑ "Threat hunting technique helps fend off cyber attacks". BetaNews. 2016-04-14. Retrieved 2016-06-07.