What Is It? The very thought of “threat hunting” often suggests the dramatized scenes from movies and TV shows of a group of people perfectly coordinated in an area with the latest technology, dimly lit but for glowing screens, and able to electronically see and hear everything while deploying the heroes anywhere globally in minutes. Those of us that work in this industry usually sit back as these scenes play out with a sarcastic smile, coffee in hand, and resist the urge to tear the flaws apart so our partners and friends can believe that what we do is, in fact, “that cool”.
I digress. Threat Hunting is a very proactive defence technique that seeks out what could happen rather than what has already happened. It’s a highly-specialised discipline that I have found only very few practice, and those that do think unconventionally, are incredibly skilled at what they do, and are nearly impossible to find through the existing employment methods. Place an ad on a job board like Seek for someone to perform Threat Hunting and you are far more likely to get someone that almost exclusively deals with incidents that have already happened. Again, think proactive rather than reactive.
Threat intelligence is gold and the ability to understand what is happening, how it could happen and more importantly, how it could impact you, is critical. A great example provided by the Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) in this regard involved them providing an organisation with intel about a specific threat likely to send spear phishing emails to employees to obtain information about a certain topic. The organisation, in turn, used this information to identify who had access to the information in question to verify mitigation strategies were in place. This included email filtering, logging, and log analysis for these employees. Obviously, there is a lot more to the story, but you get the point.
So really, we’re trying to seek out the information that helps you act to mitigate the threats before they even occur. Think of it in a way where you try to understand your adversaries nearly to the point you know what they’re going to do before they do. What’s the old expression? An ounce of prevention is worth a pound of cure?
How about another example. Let’s say the police issue a non-specific report that they believe break-ins may increase because of a downturn in the economy driving people to commit more crimes. Because of reading or hearing this, you check and service the locks on your doors and windows, install some simple security around your home like motion sensor lights, and keep valuables hidden out of view and secured.
As part of its Microsoft Defender Advanced Threat Protection (ATP) offering, Microsoft provides the “Advanced Hunting” tool. Advanced hunting is query-based and allows you to explore up to 30 days of raw data. While it may be nice to have more data, at least 30 days is current and doesn’t smash your valuable storage resources trying to keep everything. You proactively inspect events in your environment to locate “interesting” indicators and entities. This allows unrestricted hunting for both known and potential threats. Better still, you can leverage these queries to build custom detection rules to check for and respond to events reflective of breach activity and erroneously configured systems.
Where Do I Start? I don’t believe this proactive mitigation strategy comes in a shiny box despite what some vendors may tell you, but there are a ton of products you can use to obtain the intelligence you need as part of this strategy, and those do come from vendors who have access to the most skilled professionals, the large threat networks, and the content delivery means to get this data to you…. for a price. This is a case where you really do need to get the right people involved. If you have the skills and knowledge to take the threat and incident information and put it to work correctly, you’re in a minority of organisations. Fortunately, if you have an existing investment in Microsoft and already pay for the right subscriptions, you probably already have access to Advanced Hunting without even knowing it!
Critically, some questions need to be asked about this intelligence and its value such as:
· Has the organisation already implemented strategies that may be more effective such as Incident Detection and Response which leverages existing intel such as logs and threat feeds?
· Does the organisation have sufficiently skilled and resourced staff with a capable infrastructure that can consume and act on the threat intelligence?
· Is the threat intelligence more comprehensive than simply domains, IP addresses, and other Indicators of Compromise (which resemble reactive signatures and have little to no relevance if rotated regularly or changed per target)?
· Does the threat intelligence have context, ideally tailored to the specific organisation (or at least industry vertical) which reduces false positives and other “noise”? Separating the wheat from the chaff, as it were.
· Is the threat intelligence actionable, assisting the organisation to make informed decisions and take definitive action such as choosing and implementing relevant mitigation strategies? Ideally, this is to identify and prevent incidents based on awareness of the attacker’s objectives, strategies, tactics, methods, chosen compromise procedures, and even the tools they could or do use.
Rather than being a mitigation strategy in and of itself, this is a combination of tactical advantage towards a long-term strategy. Proper planning and execution are crucial for success and you may find that you are already engaging in some form of Threat Hunting without realising it. Get the right people involved and ask the right questions…. In some cases, the right people know what questions to ask you and help you ask the right ones to others.
I’ve often sat with a client during a strategy session with an external service provider only to discover their strategy is more akin to simply using another layer of reactive technology. Equally, I’ve often found customers have an existing investment they’re not using to its full potential (and the majority of the time, it’s been Microsoft Defender ATP). You’ve paid for it; use it.
How Do I Make It Work? As much as I’d like to say that you simply design a system, then install and configure it, then maintain it, it’s not that easy. The first thing I recommend is bringing in specialised cyber security specialists to help you on your journey with Threat Hunting if you choose this as a mitigation strategy. Ask around, get referrals, and go beyond the fancy websites and flashy brochures.
Once you have the right people involved, sort out what you have, what you don’t, and what you need. You will have specific business goals, data and systems specific to those goals, and may be susceptible to unique and clandestine hacking methods. The intel that works for a competitor or a similar industry may not be enough for you, so it’s imperative to understand the threats and threat actors out there that may be interested in what you have. The first step to filling these gaps is to identify them.
By this point, you should have some sort of plan, and now you can look at products and services, including those developed specifically for you, to leverage Incident Hunting as a mitigation strategy. Perhaps it’s a subscription to a threat feed for your security strategies. Maybe it’s managed security services that specialise in this area. It can be nearly anything that helps you accomplish your goals and those are too numerous to list here. Just keep front of mind that this is a mainly proactive strategy rather than a reactive one, which is what most available solutions are.
Using Microsoft Defender ATP Advanced Hunting takes a bit of learning but it’s well worth it. You first learn the language (based on the Kusto query language) and it’s not as intimidating as learning programming from scratch. That’s followed by understanding the schema (tables and their respective columns) so you know where to look and how to create queries. Thankfully, you can start with pre-defined queries and learn by example. Once you get the knack of it, you can create custom queries and spin these into automating detections and responses.
The queries tend to be the most intimidating part, so that’s where I’d recommend getting some help to either run them or at least learn how to do them. I’ve found the Auto-suggest feature very helpful as well as the Schema Reference where you can simply mouse-over an item for information then double-click it to drop it into the query. When you get your results, you can easily drill-down into them by clicking on the identifier which takes you into Defender Security Centre where a wealth of information can be found.
It takes a few tries when you start to get used to how Advanced Hunting works, but at least from the results you can refine the information by tweaking the search with explicit criteria (the double-equals ‘==’) and exclusions (exclamation equals ‘!=’) and intuitive operations such as “begins with”, “ends with”, and “contains”. Filters are also available and quite helpful in further refining the data. Still, the best way to learn is by doing.
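To make those operators concrete, here is an added example query (mine for illustration, not one of Microsoft's pre-defined queries) that hunts for an Office application starting a script or command interpreter, a common sign that a spear-phishing attachment was opened. The account name `svc-docgen` and the `fin-` device prefix are placeholder assumptions to replace with your own values; the table and column names come from the Advanced Hunting schema.

```kusto
// Added example, not from the original post.
// Hunt: Office application launching a script or command interpreter.
// Placeholders (assumptions): "svc-docgen" account, "fin-" device name prefix.
let OfficeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let Interpreters = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(30d)                        // use the full 30-day window
| where ActionType == "ProcessCreated"              // explicit match (==)
| where InitiatingProcessFileName in~ (OfficeApps)  // parent process is an Office app
| where FileName in~ (Interpreters)                 // child process is an interpreter
| where AccountName != "svc-docgen"                 // exclusion (!=) for a known automation account
| where DeviceName startswith "fin-"                // "begins with": scope to the devices you care about
| where ProcessCommandLine contains "http"          // "contains": command line references a URL
    or ProcessCommandLine endswith ".ps1"           // "ends with": command line ends in a script file
| summarize Launches = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleCommandLine = take_any(ProcessCommandLine)
    by DeviceName, AccountName, InitiatingProcessFileName, FileName
| order by LastSeen desc
```

Remove the `summarize` and `order by` lines to see the individual events, then tighten or relax each `where` line as the results guide you.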
Pitfalls? It’s easy to think this mitigation strategy should be rated higher, but the reality is that it’s not an easy strategy to implement and, in many cases, is cost prohibitive… especially for smaller businesses. That said, if you already have an existing Microsoft subscription that gives access to Microsoft Defender ATP and the Advanced Hunting Tool, you have a huge advantage. Please understand your current posture and tools at hand before you spend another cent on a solution you may already own.
The ASD / ACSC is correct when they indicate this may have low user resistance but can have high up-front costs and high ongoing costs. With an evolving threat landscape and highly dynamic threat actors, it’s a fight you can begin but may never end.
Ghosts in the Machine? The ghosts in this machine may be in your own machine as a malicious insider. You cannot simply assume that Threat Hunting is external only and the domain of hacking groups or foreign enemies. Keep an eye out for insiders that may be underperforming, about to be dismissed, or planning to resign because these may be the ghosts you are looking for. Also keep track of any tools that could be used against you from the inside and any data that could be exfiltrated such as intellectual property that represents your competitive advantage. Even something like a client contact list can be valuable.
We’re not advocating wholesale distrust; we’re all supposed to be on the same side, but any of us that have been around a while know things can and do happen. We’re just promoting awareness in this regard.
Anything Missing? A deep understanding of what the threats are, where they may come from, and what to do about them when they’re so dynamic isn’t just a skill, but an art. Getting the right people involved and reading between the lines when finding those people is tricky, but they are out there. Take your time and do it right if you choose to adopt this strategy lest you find yourself jumping at shadows and seeing threats where they don’t exist. I just think that if you have the ability to leverage Microsoft Defender ATP and Advanced Hunting, you’re well equipped to implement this strategy.