Somebody asked me for best resources on THREAT HUNTING, and that reminded me that I wanted to write a linklist blog post on this very topic. Below are some of Anton’s favorite threat hunting links, in no particular order:
- Incident Response Hunting Tools (by @sroberts) has a whole bunch of tools.
- Incident Response is Dead…Long Live Incident Response (by @sroberts) has hunting contrasted to IR
- Hunting, and Knowing What To Hunt For (by Harlan Carvey) has some lateral wisdom.
- Cyber Hunting: 5 Tips To Bag Your Prey (by David Bianco) reminds us to PIVOT.
- A Simple Hunting Maturity Model (by David Bianco) [I think he also wrote this guide to hunting] has fun stuff on maturity
- The Who, What, Where, When, Why and How of Effective Threat Hunting (by SANS) is a longer guide with more …ahem…basics. Not basic basics, mind you – more like advanced basics :–)
Please share your favorite threat hunting links and I will update the post.
P.S. Don’t believe the marketing hype! Effective threat hunting remains the domain of the well-resourced, super-security-mature, extra-skilled security 1%-ers… If you want an extra-cynical version, essentially ~5 people on the planet know how to do it well and can explain to others ….
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed
I can’t argue with the idea that hunting is a kind of elite activity right now, but it doesn’t have to be! There’s a perceived barrier that “it’s hard”, which holds some people off. More importantly, though, I think most teams are still playing catchup with detection/response basics.
I feel strongly that it needs to not be just a 1% capability!
Sorry for delayed response. I agree that it needs to expand beyond that and (IMHO) any and all tools that can help such expansion would be great to have on the market….
As Richard Bejtlich in The Practice of Network Security Monitoring says on Analysis:
“Analysis is the process of identifying and validating normal, suspicious, and malicious activity. IOCs expedite this process. Formally, IOCs are manifestations of observable or discernible adversary actions. Informally, IOCs are ways to codify adversary activity so that technical systems can find intruders in digital evidence. For example, the Mandiant APT1 report (http://www.mandiant.com/apt1/) released in February 2013 listed more than 3,000 IOCs, including IP addresses, domain names, and MD5 hashes of tools used by Unit 61398 of the People’s Liberation Army. (Mandiant identifies certain threat groups with the prefix APT, followed by a number, such as APT1, APT2, and so on.)
I refer to relying on IOCs to find intruders as IOC-centric analysis, or matching. Analysts match IOCs to evidence to identify suspicious or malicious activity, and then validate their findings.
Matching is not the only way to find intruders. More advanced NSM operations also pursue IOC-free analysis, or hunting.
In the mid-2000s, the US Air Force popularized the term hunter-killer in the digital world. Security experts performed friendly force projection on their networks, examining data and sometimes occupying the systems themselves in order to find advanced threats. Today, NSM professionals like David Bianco (http://detect-respond.blogspot.com/) and Aaron Wade (http://forensicir.blogspot.com/) promote network “hunting trips,” during which a senior investigator with a novel way to detect intruders guides junior analysts through data and systems looking for signs of the adversary. Upon validating the technique (and responding to any enemy actions), the hunters incorporate the new detection method into a CIRT’s IOC-centric operations. (Chapter 10 and Chapter 11 contrast the matching and hunting methodologies to demonstrate the strengths and weaknesses of each.)
Hunting is not special. It’s just an analysis technique. It doesn’t need these complicated guides. You take a few network or memory capture assessments, gather and/or categorize the artifacts, and analyze them.
The tools and techniques for analysis are what is interesting. When I compare something like Stamus Networks SELKS to SO, I contend there is further value there. Same between Rekall and Volatility, but perhaps less defined. The tools get better, but the techniques are really where the power is.
Take NetSA (or FlowBAT) and compare it to Cloudera OpenNetworkInsight. Take any SIEM, even MozDef, and compare it to Apache Eagle. Once you integrate modern querying techniques against Big Data, it contrasts the old-school way of doing things pretty heavily.
FIR and CRITs have nothing on MISP. Moloch is a sad technique compared to OpenNetworkInsight. There are nice things to say about the NoSQL in Elastic, but the ELK stack itself is having components such as LogStash all-but replaced by Heka, or at least supplanted with Kafka (or both). It’s not about using GRR or MIG, but how you use them against adversaries (and the OPSEC and CI HUMINT involved — way more strategic than commercial EDR).
The big picture for cyber operations, defense, and investigations is in the lifecycle and frameworks, but with a consistent platform. These piecemeal components don’t add up to a singular view. Leverage streaming to Flume and Hadoop… the automation can inquiry the analysts to do the rest. But do build the domain knowledge into your bespoke platform — don’t assume it will do it for you!
I don’t recommend hunting to anyone until they can secure their own world. I’ve seen too many instances where organizations are doing great intelligence work but could not secure a paper bag.
Yes, of course, this will create way too much work since you will always find an attacker [or a dozen!] on a poorly secured network 🙂