The semi-subversive leisure activity of expert cyber analysts has evolved, over the last two years, into a hot trend in the cybersecurity world – organizations have started 'hunting' their attackers. The foundation for this hunting activity is the assumption that the organization has already been hacked and the attackers are currently doing things inside the organizational network that leave behind "digital footprints". An experienced threat hunter knows how to spot and track these footprints, understand the activity taking place according to these footprints, spot the breach and patch the security loophole.
The term "threat hunting" was probably coined by security analyst Richard Bejtlich, who wrote in 2011: "To best counter targeted attacks, one must conduct counter-threat operations (CTOps). In other words, defenders must actively hunt intruders in their enterprise." The SANS Institute defines threat hunting as follows: "Threat hunting is a focused and iterative approach to searching out, identifying and understanding adversaries that have entered the defender's networks." Even the analyst firm Gartner Inc. covers this activity.
Over the last two years, with the increasing sophistication of cyberattacks and the relative failure of information security systems in dealing with these attacks, a need arose for a proactive approach. The "threat hunter" is an expert analyst to whom severe security incidents are escalated for investigation, analysis and remediation.
That experienced analyst, mostly at Tier 3, searches for threats on a daily basis so he/she must possess extensive skills and profound understanding of the information security world. Among other things, he/she should command the management and operation of information security systems and possess understanding and practical knowledge of hacking, be the recipient of qualification certificates from the security world (GCFE, GCFA, GCIH, GCIA, CISSP and so forth), possess experience in reverse engineering and pentresting, and a few years' experience as analyst in the Security Operations Center (SOC) of a major organization.
The Objective: Outgoing Communication
Threat hunting can be executed through a large number of information sources that exist within the organization: logs of IT systems and security systems, the data regarding the Internet communication between the organization and the outside world, analysis of files stored in end units and analysis of user behavior patterns. Threat hunting can also utilize external threat intelligence data in order to enrich the information available and "incriminate" specific activities by regarding them as suspicious activities.
One source of information that is critical to threat hunting is the proxy server located between the internal network and the Internet. This information is critical as the overwhelming majority of sophisticated attacks require communication with the outside world in order to download malware, receive orders from a command and control server or leak sensitive information out of the organization being attacked. The proxy server records the entire communication, so it contains all of the indicators of the malicious activity.
Any suspicious operation (for example, accessing malicious IP addresses or attempts to access TOR networks) will be promptly blocked or marked. Hackers are aware of that, so they disguise their outgoing communication using a "standard" operation, by accessing normal IP addresses and websites, so that traditional security systems will not normally regard this activity as suspicious.
One of the ways to effectively identify such an attack is by using an algorithm capable of searching for indicators in the communication coming out of the organization (which involves many terabytes of data) and grouping the data into different "clusters", based on activity/incident characteristics such as IP address, host name, time and so forth.
Once the system has (automatically) identified some suspicious activity, the analyst will receive the entire information associated with the "incident" – the infected stations, the external IP addresses, the traffic characteristics and so forth, so that he may easily understand the scope of the breach and its implications and so prepare and respond accordingly.
This is of particular significance in an era of information security and privacy regulations (like GDPR in Europe and even the information security standard issued by the Israel Cyber Authority), which compel organizations to notify the parties affected by a cyberattack within the shortest possible time. The threat hunter plays an important role in the organization's ability to understand what was attacked, what information was leaked and to whom it is critical, through his/her comprehensive understanding of the attack – unlike a SIEM analyst who only handles individual alerts.
Is Threat Hunting Appropriate for all Organizations?
Threat hunting is an activity that requires specialized knowledge, tools, time and input elements. Most organizations deal with the basics of information security with very limited success, while some organizations suffer from a shortage of skilled, experienced personnel.
However, advanced organizations that possess sensitive information (defense, business or personal) have realized that the traditional information security activity is insufficient. Evidently, the global average time to detect a cyberattack against an organization is about 100 days. This is a very long period of time which enables the attacker to accomplish all of his objectives, and it leaves the organization exposed and vulnerable.
The Israel Cyber Authority should be noted for having recently published the "Organizational Cybersecurity Doctrine" document, which includes recommendations for threat hunting. The section of that document dealing with proactive cybersecurity states: "This document recommends that threat hunting be implemented by setting forth a structured, cyclic program of monitoring the organizational activity longitudinally (organization – world) and laterally (inside the organization), along with such other sources as external intelligence, hunting of potential threats by analyzing and correlating information, and responding to the threats, whether they were actually spotted in the context of the threat hunting activity or as a preparatory measure for blocking even before they occurred.
Gilad Peleg is the CEO of the SecBi Company, which develops a threat hunting support system