July 5, 2017 • Amanda McKeon
Sharing insights on the tools, technologies, and processes that underpin threat intelligence is one of the primary aims of this podcast. One of the processes that’s getting a lot of attention these days is threat hunting.
In this episode, we’ll talk about what exactly threat hunting is, how it’s done, and its value to organizations looking to strengthen their security posture, gain situational awareness, and of course, enhance their threat intelligence.
To get past the buzzwords and down to business, we have as our guide Keith Gilbert, a security technologist at Sqrrl, a firm that specializes in the art and science of threat hunting.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and thanks for joining us for episode 13 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire. Our focus on this podcast is, of course, threat intelligence. There are other methods and tools that can combine with threat intelligence to help strengthen your security posture. One of those is threat hunting. It’s popular enough these days to have reached buzzword status. To help us get a better understanding, we’ve got Keith Gilbert, security technologist at threat hunting specialists Sqrrl, to be our guide. Stay with us.
If you look back historically, you see there was a lot of focus on prevention. Then, obviously that has shifted to detection and response. I think it’s a natural continuation of that shift. People are realizing that … and have been for some time, that the products that they are using are not infallible. They’re not going to catch 100% of malicious actors, or malware samples, or what have you. It’s useful to be able to explore your network and determine what those products have missed, to the best of your ability. Then, the idea and goal is to use the information that you collect to … feedback and make it possible to implement methods for detecting those in the future. It’s really all about continuous improvement.
Let’s go through a definition. What are we talking about when we’re talking about threat hunting?
Threat hunting, similar to threat intelligence, is a term that seems to be subject of common debate within the industry. Depending on the maturity level of an organization, a definition may differ based on what their capabilities are. From our perspective, a true hunting capability is the ability to essentially form a hypothesis, collect the information you need, analyze that information, and determine whether or not your hypothesis was correct. A negative result in a hunt is not a failed result. It’s still a positive outcome.
The key factor here is, you have to know, or have some idea of what you’re looking for, rather than just a free for all. That tends to really not be super productive, also not repeatable. You have to be able to collect the information that you need to answer that question. Then, ideally, whoever is conducting the hunt has the expertise required to analyze the data collected and make a determination. If it’s a positive outcome and there’s a new action or compromise on the network that is discovered, the ideal scenario is to then take that information and be able to develop a proactive measure of detection, or potentially prevention, that the organization can use going forward.
Take me through a real-world example of someone setting up a typical hunting scenario.
One that we often start out with is one that we try to use to meld people’s familiarity with indicators of compromise and discrete data, such as IPs and domains, and one with a more freeform hunting aspect. When you combine those two, there are a lot of orgs that will match or block based on lists of data or information. That is definitely a valid approach and useful for detecting known things. Part of the purpose of hunting is finding unknown things. Combine those two, you may come up with a theory that there are compromised hosts on your network communicating with a domain that the majority of other hosts are not.
In that case, it’s network-based data that you’re collecting and going to be analyzing. The first thing you might do is use a frequency analysis to determine whether or not there are any domains that only a few hosts on your network are reaching out to. When you do that frequency analysis, if you find that every domain observed on the network is widely observed, then you may end up stopping there with that particular hypothesis. On the flip side, if you find that there are, in fact, some domains you’ve found that may be two or three hosts throughout a network, or a network segment they’re communicating with, then you start down the road of investigating those domains.
Are they known? Are there any indications that they are malicious? If they are not known and there’s no indications, do we have any supporting information that can help me make that determination regarding these hosts? In that case, you may start to bring in additional support data. If you have host-based data, you can determine what processes are reaching out and making those calls. It may be simple enough, depending on the size of the organization, to call the users and see if it’s anything that they are aware of on those hosts. They also depend upon function of the systems in question.
Based on the data available, you can piece together as complete a scenario as you need and/or are able to. From there, make a decision of whether or not the activity is worth a deeper investigation or if you are able to explain it in some way. Depending on the outcome, it may be positive or negative for maliciousness, but you are at least able to go from start to finish for a defined question. That would complete your hunt for that period of time.
In terms of the size of a company, is there a size at which threat hunting becomes a practical thing? If I’m a small business owner, how do I know if threat hunting is for me?
In general, when you mention small business owner, that’s probably not the general type of organization that’s going to be carrying out the activity. In fact, I mean a small business owner, quite frankly, is often not going to have any IT staff or security staff on hand at all. It’ll much more often be contracted out, maybe not a full-time function depending on how small. When you start to get to medium or large organizations, what we find a lot of times is that folks don’t think they have time to do something like this.
What we often suggest: you don’t need a dedicated team in all instances doing just hunting. For instance, if you have an incident response team and they are not fully utilized 40 hours a week or, in many cases, 40 plus hours a week, it can be a very useful task for them to engage in while they’re not responding to an active incident. In a lot of cases, it can help feed active incidents or it can discover other areas that may be valuable to enact some detective mechanisms that were not identified prior.
Now, if you’re a larger organization and there’s good funding and that sort of thing, you may very well have a dedicated threat hunting team. In that case, the eventual goal should be to help support the other functions to bolster defenses across the organization.
One of the things I’ve talked to folks at Recorded Future about is how sometimes it’s hard to define things. When something becomes a buzzword, when something achieves buzzword status in the industry, and I think threat intelligence has had that and certainly threat hunting had that, you go to a trade show and suddenly it’s something that everyone has to be offering, because it’s the hot thing. As a supplier of that sort of thing, how do you cut through that noise?
I think we find the best way is to really demonstrate what we’re talking about, and simply ask customers or potential customers to compare that versus what they’re seeing elsewhere. It’s not a flashy task, and it doesn’t need to be. The goal is not to look good while you’re doing it. It’s to improve your defenses.
How can threat hunting integrate with a threat intelligence strategy?
Absolutely. This is one area that we find both a good input and output use for. I always like to start these types of discussions with the differences or overview from what actually threat intelligence is versus what a lot of folks refer to it as. I always use the comparison of threat data, threat information, and then threat intelligence. That follows a more traditional intelligence-type funnel.
Oftentimes, I mentioned very early on that the blocking of domains or IPs or detection using those lists is a valid approach for some threats. However, I would not consider that actual threat intelligence. Those lists may be threat data if they are simply lists. If they have a little bit of context, they may be threat information. Without a strategic application, they do not become threat intelligence. One of the primary areas, given that there’s a hypothesis generation aspect for threat hunting, actual threat intelligence should include more than static indicators of compromise.
Oftentimes, they will include types of behaviors or actions that are higher on the Pyramid of Pain, which some of the listeners may be familiar with. In those cases, those are the types of data points that we want to use to generate our hypothesis to conduct a hunt. As an input, threat intelligence can provide the necessary supporting information to help produce the relevant hypotheses for hunts, particularly if that intelligence is catered to my organization or my industry or that sort of thing.
As an output, on the end of the … I guess there’s not really an end of a circle, but as one of the final steps in the cycle for hunting is the feedback mechanism. Developing the potential detective measures, but then also using the confirmation or perhaps denial of the hypothesis can help inform the threat intelligence function within the organization of whether or not they were vulnerable, whether or not it was something that was, in fact, observed, used against them. If we can continue to improve the sharing between those two cycles or the overlap, there should be measurable gain.
If someone’s on the fence, and threat hunting is something that they’re considering adding to their spectrum of ways to defend themselves, what are the take homes for you? What do you say to that person who is trying to decide if this is something worth investing in?
The best way to go about it is to start small, and start with something that you can currently do. Determine if you feel that that’s going to start producing an impact. Once you determine whether or not your current sources allow you to conduct any measurable improvement, you can make an informed decision of what sources you need to eventually add to improve that.
You may find that currently you do not have enough log collection sources or perhaps not the staffing level needed, so it may very well inform a gap analysis as well. If it’s something that you’re interested in, you know you want to work towards, you can use that to begin to make changes with your current infrastructure, current collection mechanisms. Use that to improve or work down a path to get to that level.
Now, if you have just network data currently, for instance, you can do a lot with just that, with hunting. You’ll want to form your hypotheses such that they cater to that data. Once you feel like you’ve exhausted that, you can start to move into maybe the host side or a combination of the two. Eventually, you’re probably going to determine that you did, in fact, see a positive benefit. The assessment at that point becomes whether or not your current tools can handle your activities.
If there are efficiencies to be had, particularly if you’re on the fence with the staffing decision, one of the possible methods for moving down that route is to try to cut down the amount of time it takes to both conduct a hunt, as well as implement potential detective measures as a result afterwards.
Our thanks to Keith Gilbert for joining us.
You can learn more about Sqrrl and threat hunting on their website at sqrrl.com.
While you’re online, don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
You can also find more intelligence analysis at recordedfuture.com/blog.
We hope you’ve enjoyed the show, and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.