Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
The Foundations of Threat Hunting

You're reading from   The Foundations of Threat Hunting Organize and design effective cyber threat hunts to meet business needs

Arrow left icon
Product type Paperback
Published in Jun 2022
Publisher Packt
ISBN-13 9781803242996
Length 246 pages
Edition 1st Edition
Arrow right icon
Authors (3):
Arrow left icon
William Copeland William Copeland
Author Profile Icon William Copeland
William Copeland
Chad Maurice Chad Maurice
Author Profile Icon Chad Maurice
Chad Maurice
Jeremiah Ginn Jeremiah Ginn
Author Profile Icon Jeremiah Ginn
Jeremiah Ginn
Arrow right icon
View More author details
Toc

Table of Contents (19) Chapters Close

Preface 1. Part 1: Preparation – Why and How to Start the Hunting Process
2. Chapter 1: An Introduction to Threat Hunting FREE CHAPTER 3. Chapter 2: Requirements and Motivations 4. Chapter 3: Team Construct 5. Chapter 4: Communication Breakdown 6. Chapter 5: Methodologies 7. Chapter 6: Threat Intelligence 8. Chapter 7: Planning 9. Part 2: Execution – Conducting a Hunt
10. Chapter 8: Defending the Defenders 11. Chapter 9: Hardware and Toolsets 12. Chapter 10: Data Analysis 13. Chapter 11: Documentation 14. Part 3: Recovery – Post-Hunt Activity
15. Chapter 12: Deliverables 16. Chapter 13: Post-Hunt Activity and Maturing a Team 17. Other Books You May Enjoy Appendix

Why is threat hunting important?

Reactive detection methods, such as utilizing signatures of known malicious files (hashes) or monitoring for behaviors synonymous with an attack (heuristics), can fail for a number of reasons. Detection based on known hashes can easily fail as it is simple to change a known malicious file just enough to bypass standard and even advanced antivirus solutions. Any free hex editor can be used to modify a file with a single bit and bypass this defense. Heuristics can also fail as they rely on known bad behaviors while attempting to account for expected administration behavior on the network. This does little for the unknown bad behaviors that are evolving in the threat actors' environments.

Taking the opposite approach and whitelisting known good behavior and applications is a method that an enterprise can take to create a zero-trust environment. The truth behind this concept is that very few organizations can and should fully implement this type of construct. This method is extremely resource-intensive to deploy across an enterprise while keeping services up to date as software and people change. Even then, someone who is masquerading as a legit user following that user's normal behavior could operate under the defense's thresholds.

A proactive detection method such as threat hunting doesn't wait for an alert and doesn't require the administrative overhead to whitelist all approved actions. Threat hunting takes into account the current vulnerabilities, environment, and processes to apply human expertise against the evidence. Threat hunting allows an organization to apply a force multiplier to their cybersecurity processes by augmenting the automated and administrated defenses.

Another reason why threat hunting is important is that it provides a focus for cybersecurity that is from an entirely different point of view (POV) than is normally found in a Security Operations Center (SOC). This different POV eschews the alarms and tools associated with them. Threat hunting wants to look directly at the evidence on the endpoints to determine whether there was some activity that was missed or the SOC tools haven't been updated to detect.

While there are many different methods of detecting adversarial behavior on a network, they can all be put into one of two categories – reactive or proactive. Think of reactive detection like a building alarm that is triggered when a window is opened. Once triggered, security will go and investigate what happened and why that window was opened. Proactive detection, of which threat hunting is one method of detection, does not wait for an alarm to go off. Using the same analogy, this would be a security guard who patrols the building looking for unlocked windows even though no alarms have gone off.

The following is a real-world example:

  • Location: High-security facility.
  • Reaction detection methods: Alarms on doors and windows; each door is automatically secured with a locking mechanism; entry is protected by a radio frequency identification (RFID) badging in/out system; motion detectors for after business hours or in restricted/unoccupied spaces.
  • Behavior (heuristics) tracking methods: Each individual is issued an RFID picture badge to scan into the facility and enter restricted spaces. Members have unique accounts to log in to systems that track what system or resource was accessed at a specific time.
  • Proactive detection methods: Security guards will patrol the building and review access/personnel for abnormal or malicious activity and stop random individuals for security checks of bags and accesses. If anything appears out of the ordinary, the security guards have the authority to intervene and review the facts around the particular event before allowing it to continue further.

Without this proactive detection method employed across the building, any activity that mimics an insider or unknown threat would be almost impossible to detect.

Definition

True positive: An alert that is triggered by reactive defenses that is valid, in that it meets the intent of the signature or heuristics for which it triggered, for example, an antivirus signature alert of a trojan that was downloaded.

True negative: The lack of a trigger by reactive defenses during the analysis of normal and expected system behavior or communications.

False positive: An alert that is triggered by reactive defenses that is invalid, meaning that it does not meet the intent of the signature or heuristics for which it triggered, for example, an intrusion prevention system firing on someone searching the internet for testmyids.com.

False negative: The lack of a trigger by reactive defenses on abnormal or malicious system behavior or communications during analysis, for example, an adversary emulating an administrator in order to successfully exfiltrate data from the network.

You have been reading a chapter from
The Foundations of Threat Hunting
Published in: Jun 2022
Publisher: Packt
ISBN-13: 9781803242996
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime