When you think threat hunting, what comes to mind?
For most enterprise security staff, the answer is “Hmmm, not sure if that’s for me”. It’s true that threat hunting is a bit daunting:
- What goals am I going to achieve?
- What will I do if I actually find an adversary?
- Do I have the skills needed? Isn’t this just going to generate more work and “issues” to track down?
A recommended approach is to start with limited, clear objectives – ones that you really can’t ignore.
Our first example: Post-compromise.
Here’s the scenario: you identify the endpoints that have malware on them and you remediate them. But you have no idea if the adversary has established additional footholds within your network.
Since “Hope is not a strategy”, you should initiate an active response to try to find him.
Now it’s time for a bit of threat hunting.
Hunting boils down to two steps:
- Defining a hypothesis
- Testing that hypothesis (as effectively and cheaply as possible)
Defining and Testing a Hypothesis
In our particular case, the hypothesis is “The adversary has compromised additional endpoints using tactics similar to what we saw with the one we found.” To test this theory, we can use Deception to deploy assets that are likely to trick the adversary into trying those same tactics on the fake assets. If he does, we’ll have exposed him.
An Acalvio customer did exactly this in early 2020. They identified and mitigated an infected endpoint, which they determined was compromised via SMBv1. They then deployed a number of fake decoys with SMBv1 enabled (which was a rare configuration in this network). Sure enough: multiple compromised endpoints took the bait and attempted to compromise the decoys, revealing their positions. This made it easy to isolate and mitigate them.
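The payoff of this approach is that the decoys have no legitimate business traffic, so the test of the hypothesis reduces to one question: which internal hosts touched a decoy over SMB? The script below is an added example (not Acalvio or ShadowPlex code) that runs that check over a constructed, space-separated connection log; the decoy addresses, the log format and the timestamps are all assumptions made for the illustration.

```python
"""Rank internal hosts that contacted SMB decoys, from a constructed connection log."""
from dataclasses import dataclass, field

# Assumed: addresses of the decoys deployed with SMBv1 enabled (hypothetical values).
DECOY_HOSTS = {"10.0.50.11", "10.0.50.12", "10.0.50.13"}
SMB_PORT = 445

# Constructed sample log, one connection per line:
#   timestamp src_ip dst_ip dst_port action
# 10.0.20.9 talks to a real file server (not a decoy) and 10.0.40.2 touches a
# decoy on port 80, so both exercise the filters; the last line is deliberately malformed.
SAMPLE_LOG = """\
2020-02-03T08:12:01Z 10.0.20.17 10.0.50.11 445 ACCEPT
2020-02-03T08:12:05Z 10.0.20.17 10.0.50.12 445 ACCEPT
2020-02-03T08:13:40Z 10.0.30.5 10.0.50.13 445 ACCEPT
2020-02-03T08:14:02Z 10.0.20.9 10.0.10.4 445 ACCEPT
2020-02-03T08:15:11Z 10.0.30.5 10.0.50.11 445 ACCEPT
2020-02-03T08:16:00Z 10.0.40.2 10.0.50.12 80 ACCEPT
this line is malformed
"""


@dataclass
class DecoyHit:
    """Everything we know about one source host that reached a decoy."""
    src: str
    first_seen: str
    decoys: set = field(default_factory=set)  # distinct decoys touched
    count: int = 0                            # total connections to decoys


def parse_line(line):
    """Return a dict for a well-formed log line, or None so bad lines are skipped, not fatal."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        port = int(port)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "port": port, "action": action}


def find_decoy_hits(log_text, decoys=DECOY_HOSTS, port=SMB_PORT):
    """Collect per-source hits against decoys. port=None counts any contact with a decoy,
    which is the stricter view: nothing legitimate should ever talk to one."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in decoys:
            continue
        if port is not None and rec["port"] != port:
            continue
        hit = hits.setdefault(rec["src"], DecoyHit(src=rec["src"], first_seen=rec["ts"]))
        hit.decoys.add(rec["dst"])
        hit.count += 1
    return hits


def rank_suspects(hits):
    """Hosts that swept several decoys come first: that pattern looks like lateral-movement
    scanning rather than a single stray probe. Ties break on volume, then earliest contact."""
    return sorted(hits.values(), key=lambda h: (-len(h.decoys), -h.count, h.first_seen))


if __name__ == "__main__":
    for hit in rank_suspects(find_decoy_hits(SAMPLE_LOG)):
        print(f"{hit.src}: {len(hit.decoys)} decoys, {hit.count} connections, first {hit.first_seen}")
```

The ranked list is the hunt's output: each source host is a candidate for the same isolation and remediation the original endpoint received. Running with `port=None` is worth doing as a second pass, since a decoy that receives any unexpected traffic is still telling you something, even when it is not the SMBv1 attempt the hypothesis predicted.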
We should note that this is a much better approach than traditional threat hunting, which uses passive techniques such as log analysis and correlation to test the hypothesis. It’s faster, easier, and more effective.
The obvious recent example of this situation is the SolarWinds SUNBURST fiasco. If you have SolarWinds Orion, you need to research how this attack works (no shortage of that info on the Web), and use that to inform your threat hunting tactics.
Threat Intelligence and Deception working together can also be used for this class of threat hunting: if you have threat intel that’s relevant to you (e.g. for your type of target organization), you can use the TTPs of that threat actor as the blueprint for your threat hunting, with ShadowPlex’s automated capabilities to help you roll out your deception assets at scale.
Note that we haven’t gotten into the more advanced threat hunting scenarios, such as when you try to engage an adversary, rather than just trying to wipe him from your environment – we’ll save that for another blog. In the meantime, consider the example above as potentially your first foray into the world of Threat Hunting – a situation that’s inevitable in virtually all networks.