Threat hunting
Advanced and sophisticated threats can get past traditional and automated cybersecurity defenses, or can be overlooked by tier 1 and 2 analysts. Establishing a successful threat hunting program is based on your environment's data quality and your ability to surface insights generally not found through day-to-day correlation activity. Security teams need to conduct investigations and threat hunting across the entire attack surface and from a single tool. You should have a tool like Splunk Enterprise Security in place, collecting data. When data is easily collected, normalized, accessed and analyzed, this provides valuable clues for your team's threat hunters to chase down threats. In addition, this tool must automatically analyze, enrich, and validate alerts, eliminate false positives, group related events into incidents, and prioritize them by organizational risk to facilitate rapid and effective investigations and threat-hunting activities.
What are the benefits of an effective threat hunting program?
An effective threat hunting program reduces the time from intrusion to discovery, and in most cases limits the amount of damage that can be done by attackers. Sophisticated attacks often lurk for weeks, or even months, before discovery. On average it takes more than 200 days before most organizations discover a data breach has occurred. Attackers wait patiently to siphon off data and uncover enough confidential information or gain privileged credentials to unlock further access, setting the stage for a significant data breach and a place that no organization wants to be part of.
Threat hunting is quickly becoming a vital and favorite role in many organizational cybersecurity programs since it ensures a level of situational awareness that other methods might not reach so quickly. The benefits of enabling a threat hunting program are:
- Proactively uncover threats. Become aware of hidden threats and, using flexible searches, proactively identify advisories that may have found ways to establish a foothold in your organization's network.
- Improve the speed of identifying root causes and searching additional evidence of potential incidents. Ad-hoc investigation can often identify activity or patterns that may already be present in your environment.
- Aid cybersecurity analysts in understanding the organization. Gain a better understanding of your organization's current security state and posture and how you can defend against attacks.
- Help achieve appropriate mitigation of threats through proper defense. Deeper insights into your networks and systems and the threats they may face aids in establishing layered controls.
- Reduce false positives and improves SOC efficiency. Create hypothesis-driven, proactive, and repeatable processes. Applying human investigative techniques alongside the implementation of effective tools means false positives and reduced and efficiency in detection and resolution increased.
- Utilize predictive analytics within Splunk User Behavior Analytics to identify unknown threats with machine learning
- Initiate and optimize hunting activities with integrated threat intelligence (Splunk Threat Intelligence Management)
What are threat hunting best practices?
A threat hunter's job is to find the unknowns. Threat hunters conduct analysis through vast amounts of security data, searching for hidden malware or signs of attackers by looking for patterns of suspicious activity that may not have been uncovered by tools. They also help develop in-depth defense approaches by understanding attacker tactics and techniques so they can help prevent that type of cyberattack. They use common frameworks such as MITRE ATT&CK or Kill-Chain to help adapt them to the local environment.
Types of threat hunting
Hunters begin with a hypothesis based on security data, threat intelligence indicators or event actions. Their hypothesis steers them into a more in-depth investigation of potential risks. These deeper investigations can be structured, unstructured or ad-hoc.
Structured investigation
A structured investigation is based on threat intelligence data such as an indicator of compromise (IoC) or through tactics, techniques, and procedures (TTPs) of an attacker. Threat actors can be identified even before the attacker can cause damage to the environment by understanding the TTPs they employ. MITRE ATT&CK is a popular framework that threat hunters perform structured investigation from.
Unstructured investigation
Unstructured investigation is often started through an action or event occurring where one or more indicators of compromise (IoC) are detected. This type of event leads a threat hunter to focus on pre-event and post-detection patterns. They piece searches together with other connected incidents to build a holistic picture.
Ad-hoc investigation
Ad-hoc investigation can occur for a variety of reasons. Threat trends, active vulnerability analysis, risk assessment, or external leads. Leads can be discovered from crowd-sourced attack data which reveal the latest TTPs of current cyberthreats. A threat hunter uses these tiny clues to then search for these specific behaviors within their environment.
How does Splunk Enterprise Security help with threat hunting?
What threat hunting processes can I put in place?
Splunk recommends following the Prescriptive Adoption Motion: Threat hunting. This guide walks you step-by-step through threat intelligence types, data contextualization, and enrichment.
- Checking for files created on a system
- Find out when and where files have been created on a system, helping you hunt for threats or drive automation.
- Detecting AWS network ACL activity
- These searches help you check for bad configurations and malicious activity in your AWS network access controls.
- Detecting AWS security hub alerts
- These searches help you uncover alerts from AWS Security Hub, which collects and consolidates findings from AWS security services enabled in your environment.
- Detecting AWS suspicious provisioning activities
- These searches allow you to detect adversaries as they begin to probe your AWS environment.
- Detecting a ransomware attack
- How to use Splunk to detect ransomware attacks by investigating programs or binaries that execute on infected systems and look for other hallmarks of attacks.
- Bcdedit boot recovery modifications
- File write spikes
- High file deletion frequency
- High process termination frequency
- Registry key modifications
- Schtasks.exe registering binaries or scripts to run from a public directory
- Schtasks.exe used to force a reboot
- Server Message Block (SMB) traffic connection spikes
- Shadow copies deleted
- TOR traffic
- USN journal deletion
- Wbadmin delete backup files
- Wevtutil.exe abuse
- Windows event log cleared
- Wmic.exe launching processes on a remote system
- Detecting BlackMatter ransomware
- You need to be able to detect and investigate unusual activities that might relate to BlackMatter ransomware.
- Detecting brute force access behavior
- Learn how to detect when brute force attempts at access are taking place.
- Detecting changes to Windows user group
- How to compare Windows security logs against your organization’s incident register to ensure that each user modification has an associated incident record.
- Detecting Clop ransomware
- You need to be able to detect and investigate unusual activities that might relate to the Clop ransomware.
- Detecting DarkSide ransomware
- You need to be able to detect and investigate unusual activities that might relate to DarkSide ransomware, and these searches help you to do that.
- Detecting domain trust discovery attempts
- Identify malicious attempts to gather domain trust information that can be used to identify lateral movement opportunities in Windows environments.
- Detecting FIN7 attacks
- Detect activities that relate to FIN7 JS implant and its JSSLoader, with searches you can run in Splunk to look for FIN7's payload, data collection and script execution.
- Detecting indicators of Remcos RAT malware
- How to use Splunk software to monitor for Remcos exploitation, with processes to help you find file writes associated with its payload, screen capture and more.
- Detecting Log4j remote code execution
- You are a security analyst who needs to look for the presence of Log4j executing remote code in your systems.
- Detecting malicious activities with Sigma rules
- Sigma is a useful tool for sharing threat detection information, focused on detecting anomalies in log data such as computer processes, commands, and operations associated with malware or malicious tools.
- Detecting malicious file obfuscation using certutil.exe
- Detect obfuscation used by attackers to hide files, with searches you can run in Splunk to find evidence of these tactics being used in your environment.
- Detecting masquerading
- Masquerading is quite common with some utilities because the existence of that utility on certain systems may trigger alarms for organizations. Here's how to detect it.
- Detecting Netsh attacks
- You need to be able to detect activities and various techniques associated with the abuse of Netsh.
- Detecting network and port scanning
- How to use Splunk software to see if scanning activity is coming from someone other than an authorized person internally.
- Detecting Office 365 attacks
- These searches help you detect attacks against Microsoft 365.
- Detecting password spraying attacks within Active Directory environments
- How to identify instances where a user, host, or process attempts to authenticate using an unusually high number of unique users in AD environments.
- Detecting print spooler attacks
- How to use Splunk to detect print spooler attacks by examining program and binary executions, connections between infected machines and other devices, and more.
- Detecting ransomware activities within AWS environments
- How to detect when users in your AWS environment are performing activities that are commonly associated with ransomware attacks.
- Detecting recurring malware on a host
- How to use Splunk to search antivirus logs to find systems on your network that are experiencing multiple infiltrations.
- Detecting REvil ransomware infections
- Investigate ransomware by attempting to reconstruct the events that led to the system being infected and learn the full scope of the security breach.
- Detecting software supply chain attacks
- You want to leverage JA3/s hashes as a high fidelity data point to bring anomalous activity close to the forefront.
- Detecting Supernova web shell malware
- You want to look for signs that your systems have been compromised by a zero-day vulnerability that installed a trojanized .NET DLL.
- Detecting the use of randomization in cyberattacks
- You can use Splunk software to calculate the randomness of domains accessed on your network and how closely related they are to legitimate domain names.
- Detecting TOR traffic
- How to use use firewall data to find TOR traffic on your network.
- Detecting Trickbot attacks
- Detect Trickbot attacks with searches you can run in Splunk to identify activities relating to Trickbot's payload, process injection, shellcode execution and data collection.
- Detecting usage of popular Linux post-exploitation tools
- How to use Splunk searches to detect instances where malicious actors have used tools to search for opportunities to exploit Linux hosts.
- Detecting Windows file extension abuse
- Detect Windows file extension abuse with searches you can run in Splunk to identify signatures of the techniques used in these attacks.
- Detecting XMRig CPU or GPU mining
- Detect XMRig CPU/GPU mining, including looking for file writes associated with its payload, process command-line, defense evasion and more.
- Detecting Zerologon attacks
- Detect activities relating to the Zerologon CVE-2020-11472, with Splunk searches you can use to identify attempts to reset the Domain Controller computer account.
- Finding interactive logins from service accounts
- Most service accounts should never interactively log into servers. You want to actively monitor your servers so you can quickly investigate if this happens.
- Finding large web uploads
- You want to protect your organization by finding large file uploads that could point to data exfiltration in your network.
- Investigating Gsuite phishing attacks
- Some employees have recently reported receiving suspicious-looking files delivered over GSuite Drive file-sharing and you need to investigate.
- Monitoring AWS S3 for suspicious activities
- These searches allow you to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors.
- Monitoring a network for DNS exfiltration
- You need to set up monitoring to watch for hackers using DNS to control compromised hosts and exfiltrate data.
- Monitoring command line interface actions
- You can use Splunk to view command line strings, calculate their length, and determine how much time has passed since their related processes ran.
- Monitoring DNS queries
- How to monitor DNS queries to help you hunt for issues and potentially drive automation.
- Monitoring for signs of a Windows privilege escalation attack
- Use these procedures in Splunk to detect and investigate behaviors that attackers may use to elevate their privileges in your Windows environment.
- Monitoring full DNS transaction data
- How to monitor DNS queries to help you hunt for issues and potentially drive automation.
- Monitoring user activity spikes in AWS
- You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.
- Monitoring Windows account access
- How to use Splunk software to monitor authentications and login times, as well as create reports that support compliance reporting.
- Prescriptive Adoption Motion - Threat hunting
- Cyber threat hunting involves using a combination of techniques to identify and analyze suspicious activities or anomalies in network traffic, system, or endpoint logs.
- Protecting a Salesforce cloud deployment
- How to use Splunk software to monitor queries, downloads of records and files, and set up searches to alert you to other high-risk events.
- Visualizing processes and their parent/child relationships
- You want to trace the activity or relationships of processes that have signs of malicious activity.