In part 1 of this series, we outlined the current state of cyber threat hunting as it was profiled in SANS’s recent survey of 464 companies on the handling of proactive cyber threat detection. In this section, we’ll discuss specifically what types of hunting practices these companies use to track and remove threats in their systems, and we will take a look ahead to see how threat hunting will continue to grow in the future.
In addition to the process of data collection, automation is used to speed up certain parts of the hunting process so that analysts can focus on what's really valuable, as opposed to having to spend time gathering and parsing large, disparate data sets. When SANS asked the survey participants what percentage of their threat hunting capacity is automated, the responses were fairly evenly split: each option (1-10%, 11-25%, 26-50%, 51-75%, 76-99%) received about 20%. Each stage in the Threat Hunting Loop provides opportunities for automation that can make the hunting process much more efficient. When forming a hypothesis, automated risk scoring and heat mapping can highlight where to start looking; when investigating, automated visualizations with predetermined pathways and prescribed hunting techniques help you reach your target sooner; automated TTP detection analytics allow you to uncover and identify threats more easily; and feeding what you learn back into automated tools to enrich your analytics makes the process quicker and more powerful for the next hunt.
The top three triggers that companies specified for starting a hunt (anomalies in the environment, items or events communicated in groups or media, and new vulnerabilities found in the environment) are all areas where automation can assist the human effort of finding them. Once hunting tools surface anomalies and weaknesses quickly and reliably, analysts can interpret them to verify or discount a hypothesis.
When it comes to the types of data that companies want to leverage in their threat hunting, the instinct seems to be that more data is always better, and everybody wants access to everything. Given a choice of 13 distinct data feeds, and asked to indicate which feeds are necessary to conduct a hunt, the polled companies' responses indicated that no one feed stands out as being wildly more or less important than the others. The most valued feed was IDS/IPS information, with 75% of companies reporting a need for it, and the least valued was DHCP information, with 43% of companies wanting it. Something important to note about data, though, is that its quality matters much more than its quantity. A large volume of data to weed through without some sort of program to help you is ultimately going to waste your time.
Tools like Sqrrl are available to help solve the data problem by fusing disparate data sets together and highlighting the connections between them via comprehensive visualizations, including a linked data graph. Visualizations and User and Entity Behavior Analytics (UEBA) can turn terabytes of otherwise confusing data into easy-to-understand information that can generate hypotheses and speed up a hunt, saving you huge amounts of time and energy.
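To make the data-fusion idea above concrete, here is a small, added example (not Sqrrl's code and not from the SANS survey) that joins two of the feeds the survey asked about, DHCP leases and IDS alerts, into a linked entity graph and produces a ranked list of hosts to start a hunt from. The lease records, alert records, hostnames, addresses and signature names are all constructed for the example. The join is done on the lease window, not just the IP address, because a DHCP address is reassigned over the course of a day and an alert matched to the wrong machine sends the hunt after the wrong user; sources with no lease are kept as raw IP entities rather than dropped. The risk score is deliberately simple: summed alert severity plus a point for each external destination that other entities also contacted, since shared infrastructure is a common pivot when hunting for a campaign.

```python
"""Fuse DHCP leases with IDS alerts into an entity graph and rank hunt leads.

Added example; the data below is constructed and does not describe any real
environment, product output or survey result.
"""
from collections import defaultdict
from datetime import datetime


def ts(s):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed DHCP leases: (lease_start, lease_end, ip, mac, hostname).
# 10.0.0.5 is handed to two different laptops on the same day.
DHCP_LEASES = [
    ("2017-03-01T08:00:00", "2017-03-01T12:00:00", "10.0.0.5", "aa:bb:cc:00:00:01", "lt-alice"),
    ("2017-03-01T12:30:00", "2017-03-01T18:00:00", "10.0.0.5", "aa:bb:cc:00:00:02", "lt-bob"),
    ("2017-03-01T08:00:00", "2017-03-01T18:00:00", "10.0.0.9", "aa:bb:cc:00:00:03", "srv-build"),
]

# Constructed IDS alerts: (timestamp, src_ip, dst_ip, signature, severity 1-3).
IDS_ALERTS = [
    ("2017-03-01T09:15:00", "10.0.0.5", "203.0.113.7", "Possible C2 Beacon", 3),
    ("2017-03-01T13:05:00", "10.0.0.5", "203.0.113.7", "Possible C2 Beacon", 3),
    ("2017-03-01T13:06:00", "10.0.0.5", "198.51.100.2", "Tor Exit Node Contact", 2),
    ("2017-03-01T10:00:00", "10.0.0.9", "10.0.0.5", "Internal Port Scan", 1),
    ("2017-03-01T17:00:00", "10.0.0.77", "203.0.113.7", "Possible C2 Beacon", 3),
]


def resolve_host(ip, when, leases=DHCP_LEASES):
    """Return the hostname holding `ip` at time `when`, or None.

    The lease window is checked as well as the address, so an alert is
    attributed to the machine that actually held the IP when it fired.
    """
    t = ts(when)
    for start, end, lease_ip, _mac, host in leases:
        if lease_ip == ip and ts(start) <= t < ts(end):
            return host
    return None


def build_graph(alerts=IDS_ALERTS, leases=DHCP_LEASES):
    """Fuse alerts and leases into a linked entity graph.

    Returns (edges, by_dest):
      edges:   entity -> list of (dst_ip, signature, severity)
      by_dest: dst_ip -> set of entities that contacted it
    An entity is a hostname when the lease lookup succeeds, otherwise the
    raw 'ip:<addr>' so that unresolved sources are kept, not silently lost.
    """
    edges = defaultdict(list)
    by_dest = defaultdict(set)
    for when, src, dst, sig, sev in alerts:
        entity = resolve_host(src, when, leases) or f"ip:{src}"
        edges[entity].append((dst, sig, sev))
        by_dest[dst].add(entity)
    return dict(edges), dict(by_dest)


def score_entities(edges, by_dest):
    """Risk score per entity: summed alert severity, plus one point for each
    destination that at least one other entity also contacted."""
    scores = {}
    for entity, hits in edges.items():
        base = sum(sev for _dst, _sig, sev in hits)
        shared = sum(1 for dst in {d for d, _s, _v in hits} if len(by_dest[dst]) > 1)
        scores[entity] = base + shared
    return scores


def hunt_leads(alerts=IDS_ALERTS, leases=DHCP_LEASES):
    """Entities ranked by score, highest first; ties broken by name."""
    edges, by_dest = build_graph(alerts, leases)
    scores = score_entities(edges, by_dest)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for entity, score in hunt_leads():
        print(f"{score:2d}  {entity}")
```

Run as-is, the ranking puts lt-bob first (a beacon plus a Tor contact, both during its lease), not lt-alice, even though both alerts came from 10.0.0.5; the unresolved 10.0.0.77 stays in the list as a lead the DHCP feed could not explain, which is itself worth a look.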
With regard to tools, 85% of companies surveyed reported using existing infrastructure tools like SIEM feeds for their hunting, while slightly more than half reported using configurable, customizable tools, and fewer than 40% use third-party or open-source tools. This is indicative of what large-scale threat hunting looks like today. As the SANS survey puts it, "based on the current immaturity of the threat hunting market, the data . . . aligns with exactly what we would expect to see." At this point, most organizations are still trying to figure out their own threat hunting environment and are not yet investing in tools that can rapidly scale their maturity and hunting capabilities.
As companies become more accustomed to the needs of threat hunting, they will discover that, with the right tools, the learning curve for hunting can actually be lowered. Though manipulating data with tools like Sqrrl’s can seem daunting at first, the quality of information it provides and the contextual way it presents that information simplifies the entire search process.
With all of these factors considered, the final question to ask is: what's next? What steps will companies take to fix the problems that exist in threat hunting? Participants in the SANS survey said they were focused on improving three hunt-related areas in the future: better threat detection, more automated tools to connect the dots between data points, and more staff to conduct hunts. Sqrrl can serve as a powerful resource for improving detection. While Sqrrl can't hire staff for an organization, it can lower the barrier to entry for hunting, so that less experienced staff members can undertake hunts as well. Because it presents data to the user in a visual, graph-based format, Sqrrl reveals links between entities and allows for efficient detection of threats by providing information that is both understandable and interactive. The advent of advanced threat hunting tools will help organizations involved in threat hunting push forward and seriously increase their own hunting capabilities. This will benefit the hunting maturity of the overall industry as well, because when the threat hunting data of many organizations is combined and shared, everybody seeking to protect their information benefits.