This post was originally published here by Danny Akacki.
“How do I hunt?” This is the instinctive first question from anyone seeking to build a threat hunting program. Like any good philosophy, the answer should change over time as you gain new information and new experience. The only sure answer is that there is never a single one. Any threat hunting initiative is a daunting task, and it is not the technical competencies that are hard so much as the logistics of it all. This post endeavors to define a starting point by offering several plans of attack, describing how each influences the success of a hunt team, and explaining how Sqrrl can help with those plans. Let’s begin.
Data-Driven Hunting
A natural starting point for driving hunting activities is to generate hypotheses from data observations. In simpler terms, you figure out what you can hunt for by looking at the data you already have. For example:
- Have proxy logs? Start by looking for things such as uncommon User-Agent strings, for instance a string that only a single client on the network ever sends.
- Got netflow? Large volumes of transmitted data where there shouldn’t be any, such as an internal host sending far more outbound than its peers, are a good place to start.
- DNS data can be used to find “The Weird” in a number of ways. Abnormal or infrequent outbound requests and long or randomized domain names (the usual footprints of DNS tunneling and domain-generation algorithms) are just a couple of easy wins to be found in DNS data.
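The three observations above, turned into a first triage pass. This is an added example written for this post, not Sqrrl code and not from the original article; the proxy, flow and DNS records are constructed inline (RFC 5737 test addresses, invented hostnames), the pipe-delimited layout is an assumption, and the thresholds (one client per User-Agent, ten times the median outbound volume, a 25-character label or 3.5 bits of entropy per character) are starting values to tune against your own baseline.

```python
"""Data-driven hunting: three quick triage passes over proxy, flow and DNS
records. Added example; not Sqrrl's code. All records below are constructed."""
from collections import Counter, defaultdict
from statistics import median
import math

# Constructed proxy records: src|user_agent|host. One host sends an ancient UA.
PROXY_LOG = """\
10.0.1.11|Mozilla/5.0 (Windows NT 10.0) Chrome/70.0|news.example.com
10.0.1.12|Mozilla/5.0 (Windows NT 10.0) Chrome/70.0|mail.example.com
10.0.1.13|Mozilla/5.0 (Windows NT 10.0) Chrome/70.0|news.example.com
10.0.1.14|Mozilla/5.0 (Windows NT 10.0) Chrome/70.0|cdn.example.net
10.0.1.12|Mozilla/5.0 (Windows NT 10.0) Chrome/70.0|cdn.example.net
10.0.1.27|Mozilla/4.0 (compatible; MSIE 6.0)|upd.example.org
"""

# Constructed flow records: src|dst|bytes_out. One host pushes ~4 GB outbound.
FLOW_LOG = """\
10.0.1.11|203.0.113.10|70000
10.0.1.11|203.0.113.10|50000
10.0.1.12|203.0.113.10|90000
10.0.1.13|203.0.113.20|150000
10.0.1.14|203.0.113.20|60000
10.0.1.27|198.51.100.77|4200000000
"""

# Constructed DNS records: src|qname. Two names are DGA-like or tunnel-like.
DNS_LOG = """\
10.0.1.11|news.example.com
10.0.1.14|news.example.com
10.0.1.12|mail.example.com
10.0.1.13|mail.example.com
10.0.1.13|cdn.example.net
10.0.1.11|cdn.example.net
10.0.1.27|q8v3xk2mzp1rt9wd.net
10.0.1.27|a7f3e9c1b2d4f6a8e0c2b4d6f8a0c2e4b6d8f0.tun.example.org
"""


def parse(lines, fields):
    """Split pipe-delimited records into dicts; skip malformed lines
    rather than let one bad record abort the whole hunt."""
    out = []
    for line in lines.strip().splitlines():
        parts = line.split("|")
        if len(parts) == len(fields):
            out.append(dict(zip(fields, parts)))
    return out


def rare_user_agents(proxy_log, max_sources=1):
    """User-Agents sent by at most `max_sources` distinct clients.
    A UA only one machine in the fleet emits is a lead (legacy tooling,
    scripted beacon, spoofed string), not a verdict."""
    sources = defaultdict(set)
    for rec in parse(proxy_log, ("src", "ua", "host")):
        sources[rec["ua"]].add(rec["src"])
    return {ua: sorted(s) for ua, s in sources.items() if len(s) <= max_sources}


def high_volume_sources(flow_log, factor=10):
    """Sources whose outbound byte total exceeds `factor` x the fleet median.
    The median is robust to the outlier itself, so one exfiltrating host
    does not drag the baseline up and hide itself."""
    totals = Counter()
    for rec in parse(flow_log, ("src", "dst", "bytes_out")):
        totals[rec["src"]] += int(rec["bytes_out"])
    if not totals:
        return {}
    baseline = median(totals.values())
    return {src: t for src, t in totals.items() if t > factor * baseline}


def shannon_entropy(text):
    """Bits per character; ~4.0 for a random 16-char [a-z0-9] label."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def suspicious_domains(dns_log, min_len=25, min_entropy=3.5):
    """Names whose longest non-TLD label is very long (tunnels carry data
    in the label) or high-entropy (DGA-style), tagged with who asked.
    Returns {qname: [reasons]}; 'single_client' is only added alongside
    another reason so ordinary one-off lookups do not flood the output."""
    clients = defaultdict(set)
    for rec in parse(dns_log, ("src", "qname")):
        clients[rec["qname"].rstrip(".").lower()].add(rec["src"])
    findings = {}
    for qname, srcs in clients.items():
        labels = qname.split(".")
        label = max(labels[:-1] or labels, key=len)  # ignore the TLD
        reasons = []
        if len(label) >= min_len:
            reasons.append("long_label")
        if shannon_entropy(label) >= min_entropy:
            reasons.append("high_entropy")
        if reasons and len(srcs) == 1:
            reasons.append("single_client")
        if reasons:
            findings[qname] = reasons
    return findings


def hunt_report(proxy_log=PROXY_LOG, flow_log=FLOW_LOG, dns_log=DNS_LOG):
    """Run all three passes; each result is a hypothesis to investigate."""
    return {
        "rare_user_agents": rare_user_agents(proxy_log),
        "high_volume_sources": high_volume_sources(flow_log),
        "suspicious_domains": suspicious_domains(dns_log),
    }


if __name__ == "__main__":
    for section, hits in hunt_report().items():
        print(section)
        for key, value in hits.items():
            print("  ", key, "->", value)
```

On the constructed data all three passes converge on 10.0.1.27, which is exactly the kind of pivot point the hunt wants: the rare User-Agent, the outbound volume and the DNS names each came from a different data source and each is weak on its own. The same script run against real logs will mostly produce benign oddities; the value is in the handful you cannot explain, and in noticing which of the three feeds you do not have at all.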
How can Sqrrl help?
Analysts can use any of the data sources ingested into Sqrrl as the basis for generating hypotheses by creating queries or reports that identify strange or anomalous behavior. These observations can be automated in Sqrrl using dashboards of reports that identify and visualize the behaviors, enabling analysts to review and explore the evidence on a regular basis. In Sqrrl, report visualizations provide a “drill down” capability that serves as an entry point to the Security Behavior Graph which facilitates link analysis of the data observations.
Simply stated, you work with the data you know you have. A natural byproduct will be identifying where you are blind: the questions you cannot answer show which data sources are missing.
Intel-Driven Hunting
Threat data and intelligence can provide organizations with rich opportunities for hunting. Unfortunately, this can be a difficult model on which to build a hunting program. Organizations need to be cognizant both of the varied fidelity of commercial intel feeds and of the fact that internal intel cultivated from sources such as incident response activities is useful but often sparse.
How can Sqrrl help?
Enter the Security Behavior Graph. Sqrrl provides analysts with what so many are lacking: context. Context is king; without it we are shooting blind and often missing our targets completely. The Security Behavior Graph provides integration points and processing and analysis capabilities that let the analyst actually make productive use of threat intel to drive and enrich hunting activities.
We make it easy to integrate threat data from commercial and open sources into the Sqrrl platform where it is fused with other data. This fusion provides the basis for turning threat data into hunting hypotheses, as analysts can search for and match indicators, while retaining all of the features and details from the original source. Most importantly, Sqrrl lets the analyst visualize and explore the relationships of indicators to their enterprise assets. Ultimately, analysts can transform the threat data into actionable intelligence using Sqrrl’s Risk Framework.
Finally, let’s talk about Risk Triggers. Risk Triggers put the power of fidelity in the analyst’s hands. The reason so many intel feeds get a bad reputation is that they lack the context that tells the analyst whether, and how much, to care about the intel being presented. With Sqrrl, analysts can apply risk to implicated enterprise assets that reflects their confidence in the source, the behavior and the data. The applied risk annotations then serve as processed intelligence that can inform the hunts and investigations of all of the organization’s analysts.
Entity-Driven Hunting
Your network is a big, complex landscape. No matter the size of the team, you need to prioritize your hunting activities to maximize your success. It’s entirely possible, and too often the norm, to burn valuable daylight being spread a mile wide and an inch deep. Enter entity-driven hunting: constructing hunts around high-risk and high-value entities such as crucial intellectual property and network resources.
Adversaries will typically target certain high-value or high-risk assets or users in an organization (e.g., a server where R&D data is kept, a domain controller, or a system administrator account). More and more organizations are proactively identifying what these assets are before an adversary does it for them. A well-known example of adversary targeting of high-value assets was the breach of cleared-personnel information at the U.S. Office of Personnel Management (OPM). Sqrrl assists in identifying and remediating threats to those entities.
How can Sqrrl help?
Sqrrl assists hunters in conducting these hunts by creating normalized risk scores for all entities in the Security Behavior Graph. Analysts can quickly see a risk timeline for that entity, create new Risk Triggers for the entity class, and then conduct a hunt around an entity using Sqrrl’s link analysis capabilities.
TTP-Driven Hunting
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” – Sun Tzu.
The fantastic thing about the security community is the abundance of attacker information at our disposal. Far more important than static indicators (domains, IPs, hashes), if we wish to truly make a dent in an attacker’s success rate we must come to know and understand their Tactics, Techniques and Procedures (TTPs). What tools do they use, when do they use them, and how do they use them? Where does the attacker start? What are they after? How do they accomplish their mission? These observations are excellent hunting material because they provide contextual starting points that lend themselves more to human analysis than to automated resolution. To assist in this style of hunting, Sqrrl provides a number of automated analytics that generate TTP-based observations.
How can Sqrrl help?
To complement these analytics, Sqrrl has created playbooks that provide analysts with hunting guidance for each of the TTP observation categories. By using the built-in analytics and their associated playbooks, hunters can begin to move toward the Hunting Maturity Model (HMM) Level 2 hunting capability. Following these pre-built hunt procedures provides novice and experienced hunters with the platform experience that will help them begin to formulate their own individualized TTP-hunting scenarios and heuristics.
Bringing it all together (aka The Hybrid Hunt)
In reality, any successful hunt will be a blend of any number of the aforementioned battle plans. For example, a hunt could be shaped by threat intel around a certain adversary, which informs the analyst of the types of TTPs the adversary may use and the critical assets the adversary may target (i.e., a hybrid threat intel/entity/TTP hunt). The greater theme here is to start where you are. If you’re strong on intel, we have a plan for that. Lacking actionable intel but have your data feeds on point? We’ve got a plan for that too. Start where you are; the rest will come with time, planning and dedication. Through every iteration of your hunt plans, Sqrrl has a solution to assist you.