7 Effective Threat Hunting Tips For Security Teams


The rising rate of cybercrime and attacks has prompted most security operations centers to adopt threat hunting programs. People are concerned about their safety and security in cyberspace, and worse, advanced cyber threats can circumvent an organization’s high-end cyber security controls. Antivirus, firewalls and similar tools are fine, but alongside them a threat-hunting campaign is essential to understand the threats that evade the traditional tools.

Adopting the right threat hunting methodologies helps detect new threats and stop them from wreaking havoc. Here are some effective threat hunting tips to help you navigate cyberspace safely:

1) Tunneled communications are problematic: Are attackers imitating regular traffic? You find out by detecting tunneled communications. For instance, if your company firewall permits outbound DNS traffic, chances are that threat actors will conveniently embed their communications in that DNS traffic.

2) Understand the characteristics of the threat: Once you have detected a threat, work out its key attributes, such as the URLs it uses. Extract as many unique characteristics as possible, because they make sorting the dataset easier later. If your company deploys a penetration testing team, they can derive forensic artifacts from those unique factors, which makes segregating the attributes convenient.

3) Scoping of the data: As long as you place parameters around the volume of data you will examine, you can draw on many data sources for effective threat hunting. Apart from network logs and data logs, SIEMs are a valuable source. Experts recommend using a dataset covering one week to one month, but no more than that. Selecting the right data points is imperative here: they must reflect the kind of activity you are looking for.

4) Don’t probe before you take a thorough pass at the data: Make it a habit to take a high-level pass to filter the data first and only then carry on the investigation. Resist the urge to scrutinize in detail everything you notice immediately. Use the first pass to bookmark what seems crucial, then prioritize and analyze those items once the first pass is complete.

5) Sorting the data sets can ease the job: Sorting is a handy tool for deciding which datasets to examine for possible threats, and there are several strategies for it. One is to sort by file size: once the files are ordered by size, the larger ones can be checked first for any sign of a threat. Another is to sort on HTTP method. The HTTP ‘PUT’ method is commonly used in web traffic, and sorting on this method can help identify probable threats.

6) Reverse exclusion is a good idea: We generally associate exclusion with excluding bad things, but when hunting for bad things we can exclude the known good instead. This narrows the search. In web traffic, communication between sources and destinations that is generally regarded as acceptable is known-good traffic. There is a fine line to watch here: make no assumptions about the traffic, and always verify it twice before ruling it out. Some traffic will need a closer look before it can be excluded.

7) Abnormal is not good; watch for service oddities: Network anomalies in web traffic are described as service oddities, meaning the general flow of things is not being observed. They occur when a particular port or protocol is used abnormally. For example, TLS/SSL traffic uses port 443, but any HTTP traffic on that port is a service oddity that requires careful threat evaluation.
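As an added illustration of tips 5 to 7 (example code written for this page, not part of the original article), the script below applies reverse exclusion, sorts the remaining records by HTTP method and size, and flags plaintext HTTP on port 443. The record fields and the known-good allowlist are assumptions, and the sample records are constructed.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample proxy/flow records; not taken from any real environment.
RECORDS: List[Dict] = [
    {"src": "10.0.0.5", "dst": "cdn.example", "dport": 443, "proto": "tls", "method": "GET", "bytes": 1200},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "proto": "http", "method": "PUT", "bytes": 48000},
    {"src": "10.0.0.7", "dst": "intranet.example", "dport": 80, "proto": "http", "method": "POST", "bytes": 300},
    {"src": "10.0.0.9", "dst": "203.0.113.10", "dport": 443, "proto": "tls", "method": "GET", "bytes": 98000},
    {"src": "10.0.0.7", "dst": "203.0.113.11", "dport": 8443, "proto": "http", "method": "GET", "bytes": 500},
]

# Assumed allowlist of (source, destination) pairs already verified as good.
KNOWN_GOOD: Set[Tuple[str, str]] = {
    ("10.0.0.5", "cdn.example"),
    ("10.0.0.7", "intranet.example"),
}


def reverse_exclude(records: List[Dict], known_good: Set[Tuple[str, str]]) -> List[Dict]:
    """Tip 6: remove traffic already verified as good; what remains is the hunt set."""
    return [r for r in records if (r["src"], r["dst"]) not in known_good]


def sort_for_review(records: List[Dict]) -> List[Dict]:
    """Tip 5: PUT requests first, then the largest transfers first."""
    return sorted(records, key=lambda r: (r["method"] != "PUT", -r["bytes"]))


def service_oddities(records: List[Dict]) -> List[Dict]:
    """Tip 7: flag non-TLS traffic on port 443, where TLS is expected."""
    return [r for r in records if r["dport"] == 443 and r["proto"] != "tls"]


def hunt(records: List[Dict], known_good: Set[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run the three passes and return destinations in review order plus flagged oddities."""
    remaining = reverse_exclude(records, known_good)
    return {
        "review_order": [r["dst"] for r in sort_for_review(remaining)],
        "oddities": [r["dst"] for r in service_oddities(remaining)],
    }


if __name__ == "__main__":
    print(hunt(RECORDS, KNOWN_GOOD))
```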

Threat hunting is an effective way to understand the overall robustness of your IT infrastructure, and it surfaces network misconfigurations and weaknesses along the way. It makes you more knowledgeable about your IT systems and their condition, so you can rectify any issues and make them more robust.
