Threat-Hunting Mastery Guide - Chapter 1

Getting started

Focus on collecting all security data in one place.

A security information and event management (SIEM) solution can help you. SIEM solutions are built to automatically collect the log and flow data from all devices and applications across your network, including firewalls, routers, switches, web proxies to servers, workstations, applications, Active Directory (AD), databases, and more. These solutions collect the data as well as detect known malicious threats without performing any complex configuration.

The next step is to build an exclusive incident detection and response team. This team, or a single analyst, can work with the SIEM solution or a security tool to conduct incident investigation, resolve alerts, and look for potential security threats.

The focus should be to enrich data, develop options to fine-tune your security solution's configuration, and automate your basic incident detection and response activities.

Data sets are the key to a threat-hunting program. Therefore, you must automate security data collection from your devices, servers applications, and endpoints even if the data sets are in the cloud.

Take slow, but steady steps.

Good job!

You've laid the foundation now it's time to step up (Basic)

You have a security tool that can automatically detect the security incidents in your network, and a team of analysts who can respond to the incidents instantly. At this stage, you are already doing some basic searching and hunting. This is a great start.

To move to the next stage of the hunting model, focus on the points below:

Improve the scalability of security data log collection. If you include more security data as input, your hunting results will be better.
Form a team, or dedicate a single analyst, that is trained on the next level of hunting, such as searching for key indicators to find threats in specific data sets. For example, in the Windows environment, one of the best ways to detect threats is to look into the commands executed. Commands, such as those below, are used in the reconnaissance stage of the attack to search for confidential information, and remote machines within your network.
1. net view: Obtains a list of connectable domain resources
2. net user: Obtains the local and domain accounts
3. net localgroup: Obtains the list of users belonging to local groups
4. net group: Obtains the list of users belonging to specific domain groups
5. net use: Gains access to resources
Some commands are executed only in the Windows server OSes. When you find these commands executed on a Windows client OS, it's a serious threat. In such cases, you can assume that attackers are carrying out reconnaissance to exploit or misuse the user accounts. Here are two common examples of these commands:
1. dsquery: Search for accounts in AD
2. csvde: Obtain account information in AD
Develop more hunting procedures, and document the implementation plan for the hunting processes.
Try to automate the threat hunting procedures you developed by scheduling them to run on a regular basis.
Think about integrating your security solution or SIEM tool with a threat intelligence platform.

Almost there!

Just some fine-tuning remains

At this stage, you're already following some threat hunting procedures which helped secure your network.

Now, your focus should be to:

Create an exclusive hunt team including analysts who have security and data analysis expertise to understand and apply different types of data analysis, and hunting techniques to fine-tune your threat hunting program.
Focus on expanding your hunting procedures based on your security concerns, and the type of threats that you're seeing in your organization.
Create a process for fully automating the hunting procedures that you develop. This will help save you time by automating repeating hunts, and finding new things to hunt for.
Try expanding the threat intelligence base of your SIEM solution, or any other security tool.

You're an expert!

Stay updated and fight the battle

If you're at this stage, you have a cutting-edge threat hunting program. All you need is to focus on scaling your team and enhancing efficiency. Stay updated to exceed the evolving security concerns and needs of your organization.

Threat hunting fundamentals

Let's be honest.

Prerequisites for setting up a threat hunting program

Tell us what do you do now, and we will tell you how to devise your threat hunting program.