Advanced and sophisticated threats can get past traditional and automated cybersecurity defenses, or can be overlooked by tier 1 and tier 2 analysts. A successful threat hunting program depends on the quality of your environment's data and on your ability to surface insights that day-to-day correlation activity does not. Security teams need to conduct investigations and threat hunting across the entire attack surface from a single tool. You should have a tool like Splunk Enterprise Security in place and collecting data. When data is easily collected, normalized, accessed, and analyzed, it provides valuable clues for your team's threat hunters to chase down threats. In addition, this tool must automatically analyze, enrich, and validate alerts, eliminate false positives, group related events into incidents, and prioritize them by organizational risk, so that investigations and threat hunting activities are rapid and effective.
What are the benefits of an effective threat hunting program?
An effective threat hunting program reduces the time from intrusion to discovery, and in most cases limits the amount of damage that attackers can do. Sophisticated attacks often lurk for weeks, or even months, before discovery. On average it takes more than 200 days before most organizations discover that a data breach has occurred. Attackers wait patiently to siphon off data, uncover enough confidential information, or gain privileged credentials that unlock further access, setting the stage for a significant data breach, a position that no organization wants to be in.
Threat hunting is quickly becoming a vital and favorite role in many organizational cybersecurity programs since it ensures a level of situational awareness that other methods might not reach so quickly. The benefits of enabling a threat hunting program are:
- Proactively uncover threats. Become aware of hidden threats and, using flexible searches, proactively identify adversaries that may have found ways to establish a foothold in your organization's network.
- Improve the speed of identifying root causes and searching for additional evidence of potential incidents. Ad-hoc investigation can often identify activity or patterns that may already be present in your environment.
- Aid cybersecurity analysts in understanding the organization. Gain a better understanding of your organization's current security state and posture and how you can defend against attacks.
- Help achieve appropriate mitigation of threats through proper defense. Deeper insights into your networks and systems and the threats they may face aids in establishing layered controls.
- Reduce false positives and improve SOC efficiency. Create hypothesis-driven, proactive, and repeatable processes. Applying human investigative techniques alongside effective tools means false positives are reduced and efficiency in detection and resolution is increased.
- Utilize predictive analytics within Splunk User Behavior Analytics to identify unknown threats with machine learning.
- Initiate and optimize hunting activities with integrated threat intelligence (Splunk Threat Intelligence Management).
What are threat hunting best practices?
A threat hunter's job is to find the unknowns. Threat hunters analyze vast amounts of security data, searching for hidden malware or signs of attackers by looking for patterns of suspicious activity that tools may not have uncovered. They also help develop defense-in-depth approaches by understanding attacker tactics and techniques so they can help prevent that type of cyberattack. They use common frameworks such as MITRE ATT&CK or the Cyber Kill Chain, adapting them to the local environment.
Types of threat hunting
Hunters begin with a hypothesis based on security data, threat intelligence indicators or event actions. Their hypothesis steers them into a more in-depth investigation of potential risks. These deeper investigations can be structured, unstructured or ad-hoc.
A structured investigation is based on threat intelligence data, such as an indicator of compromise (IoC) or the tactics, techniques, and procedures (TTPs) of an attacker. By understanding the TTPs that threat actors employ, they can be identified even before they cause damage to the environment. MITRE ATT&CK is a popular framework from which threat hunters perform structured investigations.
An unstructured investigation is often started by an action or event in which one or more indicators of compromise (IoC) are detected. This type of event leads a threat hunter to focus on pre-event and post-detection patterns. They piece searches together with other connected incidents to build a holistic picture.
An ad-hoc investigation can occur for a variety of reasons: threat trends, active vulnerability analysis, risk assessment, or external leads. Leads can be discovered from crowd-sourced attack data, which reveals the latest TTPs of current cyberthreats. A threat hunter uses these small clues to search for those specific behaviors within their environment.
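The three investigation styles described above, worked through in code as an added example (this is not Splunk code and not one of the page's searches): a structured hunt that starts from an IoC list and a TTP predicate, an unstructured hunt that pivots from one detection to the pre-event and post-detection activity on the same host, and an ad-hoc hunt that turns an external lead into a behavioural search and measures how widespread the behaviour is. The endpoint events, the indicator address, the TTP predicate, the lead pattern and the time windows are all constructed for illustration.

```python
"""Hypothesis-driven hunting over constructed endpoint telemetry.

Added example, not Splunk code. It walks the three investigation styles from the
text over the same small event set:
  structured   - match events against an IoC list and a TTP predicate
  unstructured - pivot from one detection to pre-event and post-detection activity
  ad-hoc       - turn an external lead into a behavioural search and measure prevalence
Events, the IoC address, the TTP predicate and the time windows are all constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed process-start telemetry: timestamp, host, user, process, command line, destination IP.
EVENTS = [
    {"ts": "2024-05-01T09:58:00", "host": "ws-07", "user": "alice", "proc": "outlook.exe",
     "cmd": "outlook.exe", "dest_ip": "10.0.0.5"},
    {"ts": "2024-05-01T10:00:00", "host": "ws-07", "user": "alice", "proc": "winword.exe",
     "cmd": "winword.exe invoice.docm", "dest_ip": None},
    {"ts": "2024-05-01T10:01:10", "host": "ws-07", "user": "alice", "proc": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc QUFBQUFB", "dest_ip": "203.0.113.10"},  # placeholder blob
    {"ts": "2024-05-01T10:03:00", "host": "ws-07", "user": "alice", "proc": "rundll32.exe",
     "cmd": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\stage.dll,Run", "dest_ip": "203.0.113.10"},
    {"ts": "2024-05-01T10:40:00", "host": "ws-07", "user": "alice", "proc": "chrome.exe",
     "cmd": "chrome.exe", "dest_ip": "93.184.216.34"},
    {"ts": "2024-05-01T10:02:00", "host": "ws-12", "user": "bob", "proc": "powershell.exe",
     "cmd": "powershell.exe Get-Service", "dest_ip": None},
]

IOC_IPS = {"203.0.113.10"}  # constructed threat-intel indicator (documentation-range address)


def ttp_encoded_powershell(event):
    """Constructed TTP predicate: PowerShell launched with an encoded command line."""
    return event["proc"] == "powershell.exe" and " -enc " in event["cmd"].lower()


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def structured_hunt(events, ioc_ips=IOC_IPS, ttps=(ttp_encoded_powershell,)):
    """Structured: start from intelligence (IoCs, TTPs) and return every event that matches."""
    return [e for e in events if e["dest_ip"] in ioc_ips or any(ttp(e) for ttp in ttps)]


def unstructured_hunt(events, detection, before=timedelta(minutes=5), after=timedelta(minutes=10)):
    """Unstructured: start from one detected event and collect what the same host did
    shortly before it (how did this start?) and shortly after it (what followed?)."""
    t0 = parse_ts(detection["ts"])
    same_host = [e for e in events if e["host"] == detection["host"]]
    pre = [e for e in same_host if t0 - before <= parse_ts(e["ts"]) < t0]
    post = [e for e in same_host if t0 < parse_ts(e["ts"]) <= t0 + after]
    return pre, post


def adhoc_hunt(events, lead_pattern):
    """Ad-hoc: an external lead (here a command-line regex describing a reported
    technique) is searched across all hosts; the per-host count tells the hunter
    whether the behaviour is isolated or widespread."""
    rx = re.compile(lead_pattern, re.IGNORECASE)
    hits = [e for e in events if rx.search(e["cmd"])]
    prevalence = {h: sum(1 for e in hits if e["host"] == h) for h in {e["host"] for e in hits}}
    return hits, prevalence


if __name__ == "__main__":
    hits = structured_hunt(EVENTS)
    print("structured:", [(e["host"], e["proc"]) for e in hits])
    pre, post = unstructured_hunt(EVENTS, hits[0])
    print("pre-event:", [e["proc"] for e in pre], "post-detection:", [e["proc"] for e in post])
    lead_hits, prevalence = adhoc_hunt(EVENTS, r"rundll32\.exe\s+.*\\temp\\.*\.dll,")
    print("ad-hoc:", [(e["host"], e["proc"]) for e in lead_hits], prevalence)
```

In a real Splunk environment each of the three functions would be a search over normalized data (the IoC set would be a threat intelligence lookup, the pivot a time-bounded search on the same host), but the shape of the reasoning is the same: structured hunts start from what intelligence says to look for, unstructured hunts start from what a detection already found, and ad-hoc hunts start from a lead and end with a prevalence count that decides whether the hypothesis deserves a deeper investigation.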
How does Splunk Enterprise Security help with threat hunting?
Would the ability to proactively find growing threats in one place simplify your threat hunting processes? Would flexible threat data usage for open source, commercial, and internal indicators of compromise close your visibility gaps? Would threat data coverage for short and long term analysis lower the time a malicious actor has access to your systems?
Splunk Enterprise Security offers all of this, plus customization options that enable your organization to grow and mature in your threat hunting efforts. Key features include:
- An incident review dashboard that shows notables you can drill into to quickly decide what you need to investigate
- Audit dashboards that give visibility into the retrieval, normalization, persistence, and analysis of threat data
- Multiple options for getting threat intelligence data into the environment, including a wide range of apps on Splunkbase for new threat and source visibility
- Multiple options for optimizing threat hunting performance, such as data modeling to accelerate searches and store results
What threat hunting processes can I put in place?
Splunk recommends following the Prescriptive Adoption Motion: Threat hunting. This guide walks you step-by-step through threat intelligence types, data contextualization, and enrichment.
- Detecting AWS Security Hub alerts
  - These searches help you uncover alerts from AWS Security Hub, which collects and consolidates findings from the AWS security services enabled in your environment.
- Detecting BlackMatter ransomware
  - You need to be able to detect and investigate unusual activities that might relate to BlackMatter ransomware.
- Detecting Clop ransomware
  - You need to be able to detect and investigate unusual activities that might relate to Clop ransomware.
- Detecting DarkSide ransomware
  - You need to be able to detect and investigate unusual activities that might relate to DarkSide ransomware, and these searches help you do that.
- Detecting data exfiltration activities
  - Detect data exfiltration activities with searches that help you identify the data identification, collection, and staging tactics used by attackers.
- Detecting domain trust discovery attempts
  - Identify malicious attempts to gather domain trust information that can be used to identify lateral movement opportunities in Windows environments.
- Detecting FIN7 attacks
  - Detect activities that relate to the FIN7 JS implant and its JSSLoader, with searches you can run in Splunk to look for FIN7's payload, data collection, and script execution.
- Detecting IcedID attacks
  - Find evidence of IcedID attacks with searches you can use in Splunk to identify common IcedID attack signatures.
- Detecting indicators of Remcos RAT malware
  - How to use Splunk software to monitor for Remcos exploitation, with processes to help you find file writes associated with its payload, screen capture, and more.
- Detecting Log4j remote code execution
  - You are a security analyst who needs to look for the presence of Log4j executing remote code in your systems.
- Detecting malicious file obfuscation using certutil.exe
  - Detect obfuscation used by attackers to hide files, with searches you can run in Splunk to find evidence of these tactics being used in your environment.
- Detecting Netsh attacks
  - You need to be able to detect activities and various techniques associated with the abuse of Netsh.
- Detecting Office 365 attacks
  - These searches help you detect attacks against Microsoft 365.
- Detecting password spraying attacks within Active Directory environments
  - How to identify instances where a user, host, or process attempts to authenticate using an unusually high number of unique users in AD environments.
- Detecting print spooler attacks
  - How to use Splunk to detect print spooler attacks by examining program and binary executions, connections between infected machines and other devices, and more.
- Detecting ransomware activities within AWS environments
  - How to detect when users in your AWS environment are performing activities that are commonly associated with ransomware attacks.
- Detecting REvil ransomware infections
  - Investigate ransomware by attempting to reconstruct the events that led to the system being infected, and learn the full scope of the security breach.
- Detecting the disabling of security tools
  - Detect the disabling of security tools by attackers with searches you can run in Splunk to identify malicious attempts to prevent them from running properly.
- Detecting Trickbot attacks
  - Detect Trickbot attacks with searches you can run in Splunk to identify activities relating to Trickbot's payload, process injection, shellcode execution, and data collection.
- Detecting usage of popular Linux post-exploitation tools
  - How to use Splunk searches to detect instances where malicious actors have used tools to search for opportunities to exploit Linux hosts.
- Detecting WhisperGate malware
  - Detect WhisperGate malware, including looking for suspicious process execution, command-line activity, downloads, DNS queries, and more.
- Detecting Windows BITS abuse
  - Detect BITS abuse with searches you can run in Splunk, helping you find evidence of attackers abusing BITS to download, execute, and clean up after running malicious code.
- Detecting Windows file extension abuse
  - Detect Windows file extension abuse with searches you can run in Splunk to identify signatures of the techniques used in these attacks.
- Detecting XMRig CPU or GPU mining
  - Detect XMRig CPU/GPU mining, including looking for file writes associated with its payload, process command lines, defense evasion, and more.
- Detecting Zerologon attacks
  - Detect activities relating to Zerologon (CVE-2020-1472), with Splunk searches you can use to identify attempts to reset the Domain Controller computer account.
- Monitoring AWS S3 for suspicious activities
  - These searches allow you to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors.
- Monitoring command line interface actions
  - You can use Splunk to view command line strings, calculate their length, and determine how much time has passed since their related processes ran.
- Monitoring for signs of a Windows privilege escalation attack
  - Use these procedures in Splunk to detect and investigate behaviors that attackers may use to elevate their privileges in your Windows environment.
- Monitoring use of Git repositories
  - You can use Splunk software for statistical analyses such as frequency, patterns of access, and time-of-day information.
- Prescriptive Adoption Motion - Threat hunting
  - Cyber threat hunting involves using a combination of techniques to identify and analyze suspicious activities or anomalies in network traffic, system logs, or endpoint logs.
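Two of the hunts in the list above, "Detecting password spraying attacks within Active Directory environments" (one source failing to authenticate as an unusually high number of distinct users) and "Monitoring command line interface actions" (command-line length and time since the process ran), implemented as an added example over constructed events. This is not Splunk's code and not the page's searches; the authentication and process events, the hourly bucketing, the distinct-user and command-line-length thresholds, and the reference time are all constructed for illustration.

```python
"""Two catalogue hunts implemented over constructed events.

Added example, not Splunk's searches.
(1) Password spraying: flag a source that fails to authenticate as an unusually
    high number of distinct users inside one time bucket, and note whether the
    same source also succeeded (a spray that landed).
(2) Command-line monitoring: record each command line's length and how long ago
    its process ran, flagging unusually long ones for a closer look.
Events, thresholds and the reference time are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed authentication events: (timestamp, source host, target user, outcome).
AUTH_EVENTS = [
    ("2024-05-01T08:00:01", "10.1.1.50", "alice", "failure"),
    ("2024-05-01T08:00:03", "10.1.1.50", "bob", "failure"),
    ("2024-05-01T08:00:05", "10.1.1.50", "carol", "failure"),
    ("2024-05-01T08:00:07", "10.1.1.50", "dave", "failure"),
    ("2024-05-01T08:00:09", "10.1.1.50", "erin", "failure"),
    ("2024-05-01T08:00:11", "10.1.1.50", "frank", "success"),  # the one guess that worked
    ("2024-05-01T08:15:00", "10.1.1.20", "bob", "failure"),    # ordinary mistyped password
    ("2024-05-01T08:15:10", "10.1.1.20", "bob", "failure"),
    ("2024-05-01T08:15:20", "10.1.1.20", "bob", "success"),
    ("2024-05-01T09:30:00", "10.1.1.50", "grace", "failure"),  # same source, later hour bucket
]

# Constructed process-start events: (timestamp, host, command line).
PROC_EVENTS = [
    ("2024-05-01T09:59:00", "ws-07", "powershell.exe -nop -w hidden -enc " + "A" * 60),  # placeholder blob
    ("2024-05-01T09:30:00", "ws-12", "cmd.exe /c whoami"),
    ("2024-05-01T07:00:00", "ws-12", "notepad.exe"),
]


def detect_password_spraying(events, min_distinct_users=5, bucket_chars=13):
    """Group failures by (source, time bucket) and report buckets where one source
    failed against at least min_distinct_users different accounts. bucket_chars=13
    keeps 'YYYY-MM-DDTHH' of the ISO timestamp, i.e. an hourly bucket. The report
    also lists any account the same source did log in as, which upgrades a lead
    to an incident."""
    failed_users = defaultdict(set)
    successes = defaultdict(set)
    for ts, src, user, outcome in events:
        if outcome == "failure":
            failed_users[(src, ts[:bucket_chars])].add(user)
        else:
            successes[src].add(user)
    return [
        {"src": src, "bucket": bucket, "distinct_users": len(users),
         "succeeded_as": sorted(successes[src])}
        for (src, bucket), users in sorted(failed_users.items())
        if len(users) >= min_distinct_users
    ]


def command_line_stats(events, now_iso, long_threshold=80):
    """Per process: command-line length and seconds since it ran, longest first.
    Long, encoded or heavily quoted command lines are a common place to start reading."""
    now = datetime.fromisoformat(now_iso)
    rows = []
    for ts, host, cmd in events:
        age_s = int((now - datetime.fromisoformat(ts)).total_seconds())
        rows.append({"host": host, "cmd_len": len(cmd), "age_s": age_s,
                     "long": len(cmd) >= long_threshold, "cmd": cmd})
    return sorted(rows, key=lambda r: r["cmd_len"], reverse=True)


if __name__ == "__main__":
    for hit in detect_password_spraying(AUTH_EVENTS):
        print("possible spray:", hit)
    for row in command_line_stats(PROC_EVENTS, now_iso="2024-05-01T10:00:00"):
        print(row["host"], row["cmd_len"], row["age_s"], "LONG" if row["long"] else "", row["cmd"][:40])
```

The spraying check keys on distinct target users per source rather than on raw failure counts, which is what separates a spray (many users, few attempts each) from a single user mistyping a password several times; the time bucket stops a source's failures from accumulating across a whole day and tripping the threshold. For the command-line hunt the length and age columns are the sort keys a hunter pages through first; the threshold only marks candidates, it does not decide anything on its own.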