Insider knowledge: A defender’s greatest advantage against attackers

One of the most critical skills an information security team can have is the ability to proactively find threats in its environment, a process known as threat hunting. Great hunting combines deep knowledge of your environment with the ability to understand, in real time, the details of the changes taking place in it. Knowledge is the greatest advantage information security teams have when facing an adversary. Think about it this way: the attacker must perform extensive reconnaissance to find weak spots to exploit. You, as the defender, have an asymmetric advantage: you know what normal looks like in your environment, and you have the visibility to see what is going on.

Look at the activity patterns in your typical office. People tend to come in at the same time every day and consistently use the same resources and tools. Deviations from these patterns aren't always nefarious, but they're worth investigating. For instance, if the interns in your finance department don't normally install system administration tools, such as a remote screen viewer like VNC, that activity should raise some eyebrows. This is the crux of hunting: combining knowledge about your environment with observations of current activity to tip you off when something is wrong.

Take network scanning as an example. Your system administrators don’t need to scan their environment to figure out which machines do what. They already (hopefully) know that. This means any scanning activity you see in your internal network (aside from what’s done by your security team) is inherently suspicious.

Remote administration tools are another great example. Companies select and standardize on a set of administration tools in order to deploy software consistently. This means that all software deployed in an enterprise environment will arrive in one of two ways: either pushed out by the IT support team, or installed by a user. Any remote administration tools that users have installed themselves should stand out, especially those installed by non-administrators. Any remote access tools that users don't remember installing could be proof of an intrusion.
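Both of the preceding examples (internal scanning and self-installed remote administration tools) are instances of the same hunting pattern: encode what "normal" looks like for your environment, then flag activity that deviates from it. The following is an added example, not code from the original post or from Cybereason, showing how a hunter might script these two checks over constructed sample logs. The allowlisted scanner address, the `svc-deploy` deployment account, the tool-name list and the thresholds are all assumptions that would be replaced with values from your own environment.

```python
"""Baseline-versus-deviation hunting checks over constructed sample logs (added example)."""
from collections import defaultdict

# Assumption: the security team's authorised scanning host(s). Scans from these are expected.
AUTHORISED_SCANNERS = {"10.0.5.20"}

# Assumption: the service account used by IT's deployment system for pushed installs.
DEPLOYMENT_ACCOUNT = "svc-deploy"

# Lower-case substrings identifying remote-administration tools worth a look (assumed list).
REMOTE_ADMIN_TOOLS = ("vnc", "teamviewer", "anydesk", "psexec")

# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.0.1.15", "10.0.2.10", 445),   # ordinary user traffic to a file server
    ("10.0.1.15", "10.0.2.10", 443),
    ("10.0.1.16", "10.0.2.11", 443),
]
# The authorised scanner sweeps 12 hosts on three ports (expected).
FLOWS += [("10.0.5.20", f"10.0.2.{i}", p) for i in range(1, 13) for p in (22, 445, 3389)]
# An ordinary workstation does the same sweep (not expected).
FLOWS += [("10.0.3.77", f"10.0.2.{i}", p) for i in range(1, 13) for p in (22, 445, 3389)]

# Constructed software-install events from endpoint telemetry.
INSTALL_EVENTS = [
    {"host": "FIN-LT-07", "user": "intern.jdoe", "package": "TightVNC", "is_admin": False},
    {"host": "IT-WS-02", "user": "svc-deploy", "package": "TightVNC", "is_admin": True},
    {"host": "FIN-LT-03", "user": "alice", "package": "Microsoft Excel", "is_admin": False},
    {"host": "ENG-WS-11", "user": "bob.admin", "package": "TeamViewer", "is_admin": True},
]


def find_scanners(flows, min_distinct_hosts=10):
    """Return {src_ip: distinct_host_count} for sources that touched many distinct
    internal hosts, excluding the authorised security-team scanners.

    The baseline: only the security team has a reason to enumerate the network."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        targets[src].add((dst, port))
    hits = {}
    for src, pairs in targets.items():
        hosts = {dst for dst, _ in pairs}
        if len(hosts) >= min_distinct_hosts and src not in AUTHORISED_SCANNERS:
            hits[src] = len(hosts)
    return hits


def find_user_installed_remote_tools(events):
    """Return findings for remote-administration tools that were not pushed by the
    deployment account. Installs by non-administrators are rated higher, since the
    post singles those out as the most anomalous."""
    findings = []
    for ev in events:
        name = ev["package"].lower()
        if not any(tool in name for tool in REMOTE_ADMIN_TOOLS):
            continue
        if ev["user"] == DEPLOYMENT_ACCOUNT:
            continue  # pushed by IT: matches the baseline
        severity = "medium" if ev["is_admin"] else "high"
        findings.append({"host": ev["host"], "user": ev["user"],
                         "package": ev["package"], "severity": severity})
    return findings


def hunt_report(flows=FLOWS, events=INSTALL_EVENTS):
    """Combine both checks into one summary a hunter would triage."""
    return {"scanners": find_scanners(flows),
            "remote_tools": find_user_installed_remote_tools(events)}


if __name__ == "__main__":
    for section, items in hunt_report().items():
        print(f"== {section} ==")
        print(items)
```

On the constructed data, the workstation `10.0.3.77` is flagged for touching 12 distinct hosts while the allowlisted scanner is not, and the intern's VNC install is rated `high` while the administrator's TeamViewer install is rated `medium`; the deployment-account install and the Excel install produce nothing. The thresholds are deliberately simple so that the baseline is visible in the code; in practice they come from what your own environment's traffic and deployment records show as normal.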

Hunting is the process of sifting through these behaviors and identifying which ones are merely suspicious and which ones are malicious. Let's be honest - lots of strange things happen on our networks. Some of them, like poor user decisions, are explainable, while others are not. Once you have a suspicion based on something you saw in your security tools, you need to run down whether it's malicious or benign.

To your adversaries, the perfect attack would look like this: they would quickly establish a foothold in your environment, find what they're looking for, whether it's competitive data, intellectual property, or the CFO's MacBook, and exfiltrate it. They'd be in and out before you could detect them, with your crown jewels in their clutches.

In reality, attackers make mistakes. They chase dead ends, wander around the network, and waste time scouring systems for files that aren't there. They're noisy because they don't have time to blend in by studying your company's users, systems and activity patterns. The longer they're active in your environment, the more likely they are to get caught. Their actions stand out from normal user activity because they can't know the location of what they're looking for before they access your network. Knowing your environment is your strongest ally as a hunter.

Security teams need to study their network, understand their users and use tools that give them the insight to discern the good from the bad. Use this insider knowledge to its full potential.

Will Lefevers is a senior security researcher at Cybereason.
