How threat hunting enhances incident response

Threat hunting is already seen as key way to help determine if attackers have already penetrated an organization’s defenses. In addition to helping company’s figure out if they’re under attack threat hunting can also help incident response teams.

When the incident response team is called in to handle a security incident unearthed during a hunt, they’ll be better equipped to handle the situation since a significant amount of scoping and triaging was completed during the hunt. Your organization’s hunters have analyzed the data they collected. They grasp the problem, know what machines are affected and understand the incident impact. All of this information is passed along to the incident response team. With the some of the preliminary work done, incident response team will have less work to do and can remediate the threat quicker.

How to use threat hunting to detect advanced attacks

A hunt is probably the best approach to deal with attacks that use advanced threats like fileless malware or PowerShell. Fileless techniques are becoming the bad guys’ preferred attack vector since this method uses legitimate programs to mask malicious behavior and evade detection by most security tools.

Let’s say a hunt at a large manufacturing company revealed all kind of suspicious activities. The hunting teams spotted a service named TCP/IP NetBIOS Helper with a command line argument showing PowerShell with bypass hidden calling off regular named ps file, a tactic used to maintain persistence in an environment. There’s data exfiltration using PowerShell where files are uploaded to a remote location through your proxy. The hunt also looked at how PowerShell performed DNS queries by doing data stacking between process execution and DNS requests. This revealed that PowerShell was establishing a network connection to the Internet. The question then became what outside addresses were being talked to; was PowerShell making DNS queries to domains that the company didn’t own.

So what happens after the hunting team identifies these activities? First, they need to be escalated to the level of an incident since there’s proof that malicious activity is occurring in the environment.

Then, the information from the hunt can be used to establish an intelligent prevention program. For example, if the hunting team discovers that 99 percent of PowerShell activity in the company occurs on servers and the remaining one percent is on clients and it’s all malicious, PowerShell could be blocked on end user systems, especially if they’re not being used for administrative purposes.

Or use the application control capabilities in your company’s antivirus software to prevent browsers from spawning PowerShell or Windows Management Instrumentation from spawning PowerShell. If you use PowerShell scripts in your server environment and not in your client environment, anchor those scripts to a specific directory and then sign them so that you only run signed PowerShell scripts from a specific location. This builds resiliency into the environment.

Following this approach allows hunting to strengthen the organization's security posture while slowing down the adversary and decreasing their dwell time. The results of a hunt can be used to build new prevention mechanisms, ensuring that the discovered security incidents do not happen again.