5 Threat Hunting Tips from a Seasoned Hunt Team
By Josh Campbell at Cyborg Security
The threat hunting community is quite small. As a result of that, the threat hunting community is also very tight knit. This can make breaking into the field a challenge, especially when you are just starting out and looking for advice. I spoke with our hunt team at Cyborg Security and gathered 5 threat hunting tips that individuals and hunt teams can put into practice today.
Threat Hunting Tips #1 — Know what is normal for your environment; then you’ll be able to spot the abnormal more easily.
Too many organizations have tried to jump off the deep end of the threat hunting pool without first knowing their environment — a recipe for chasing squirrels and rabbits and getting very little accomplished. Threat hunting is ultimately the practice of looking for the unknown in an environment, therefore understanding what is considered “business-as-usual” compared to “suspicious” or even “malicious” is critical.
In order to learn the environment, make sure you have access to as much information as possible, including network diagrams, previous incident reporting, and any other documentation you can get your hands on. Also make sure you have logs at both the network and endpoint level that will support your hunts.
Threat Hunting Tips #2 — When building a hunt, start general and work your way to the specific based on your hypothesis. Doing this creates context and an understanding of what it is you are looking at in your environment.
When threat hunters are first getting their feet wet in structured threat hunting, many of them struggle with building their first hypotheses. The reason many find this process challenging is often because they have tried to be a bit too specific. Instead of jumping straight to the details, first try and be more general in your hypothesis. By doing this, you will better shape your hunt, and add additional context along the way.
Threat Hunting Tips #3 — It is often better to hunt on things you understand and then pivot from there than to hunt on things outside your expertise and try to pivot back to something you know.
One of the most common challenges new hunters encounter is that it is very easy to get out of your depth very quickly. Not every information security professional is an expert in all areas. The same is equally true in threat hunting.
Whether you are starting out or have some time behind the keyboard hunting, the same advice is true: hunt for things you understand, and then dig through that data by pivoting. This ensures that you understand what you are looking at and allows you to make sense of the data and comprehend how you got there.
If you instead try to hunt on data you don’t know, you are more likely to favor data you do understand, and pivot on it, which may or may not actually result in a meaningful and worthwhile hunt.
Threat Hunting Tips #4 — Not every hypothesis will be successful; some will fail. Don’t be discouraged: go back and test again!
Unlike threat protection and threat detection, threat hunting is far from a sure thing. The very nature of threat hunting means that you are looking for the unknown, so not every hypothesis you hunt on will be successful. In fact, most hunters know that while they may spend hours digging into a rabbit hole they uncovered, it is more likely that the hole will lead to a power user using PowerShell to save some time than to an advanced adversary looking to encrypt your domain controller.
Don’t let these moments discourage you! Document your findings, including the negative ones, and keep hunting. It will pay off in the long run!
And finally… #5 — Knowing your toolset and its data capabilities is just as important as executing your hunt. False negatives lurk around every corner if you aren’t validating that the expected data even exists in your tools.
While nearly everyone in the IT space understands that every tool and piece of technology is different and has specific limitations, sometimes security folks — and especially threat hunters — can take that for granted.
One of the most important parts of “knowing your technology” is understanding what it is, and isn’t, capable of, and where its limits are. If you charge ahead without understanding that, you are likely to generate false negatives, giving security teams a false sense of security.
Before building out your hunt too much, it is critical that you test and validate your hunt queries to make sure they return what you expect them to. This can be done by using a lab environment or using tools like the validation packages found in our HUNTER Platform.
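One way to validate a hunt before trusting its results is to check two things up front: that every field the query depends on is actually populated in the data source, and that a known-good control record matches the query logic. The following is an added example written for this post, not code from Cyborg Security or from the HUNTER Platform’s validation packages; the records, field names, hunt logic and the 90% coverage threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Tuple, Dict, List


@dataclass
class HuntQuery:
    name: str
    required_fields: Tuple[str, ...]          # fields the logic cannot work without
    predicate: Callable[[dict], bool]         # True when a record matches the hunt


# Constructed sample records as an endpoint log source might return them.
RECORDS_WITH_CMDLINE = [
    {"host": "ws01", "image": "powershell.exe", "cmdline": "powershell.exe -File backup.ps1"},
    {"host": "ws02", "image": "cmd.exe",        "cmdline": "cmd.exe /c dir"},
    {"host": "ws03", "image": "powershell.exe", "cmdline": "powershell.exe -NoProfile"},
]
# The same source with command-line logging switched off: the field never arrives.
RECORDS_NO_CMDLINE = [
    {"host": "ws01", "image": "powershell.exe"},
    {"host": "ws02", "image": "cmd.exe"},
    {"host": "ws03", "image": "powershell.exe"},
]


def field_coverage(records: List[dict], fields: Tuple[str, ...]) -> Dict[str, float]:
    """Fraction of records in which each required field is present and non-empty."""
    total = len(records) or 1
    return {f: sum(1 for r in records if r.get(f)) / total for f in fields}


def validate_hunt(query: HuntQuery, records: List[dict], control: dict,
                  min_coverage: float = 0.9) -> Tuple[bool, List[str]]:
    """Return (ok, problems).

    ok is False when a required field is missing from (most of) the data,
    or when the positive control record fails to match the query logic.
    Either condition means a zero-hit result would be a false negative,
    not evidence that the behaviour is absent.
    """
    problems = []
    for f, cov in field_coverage(records, query.required_fields).items():
        if cov < min_coverage:
            problems.append(f"field '{f}' populated in {cov:.0%} of records")
    if not query.predicate(control):
        problems.append("positive control record did not match the query logic")
    return (not problems, problems)


def run_hunt(query: HuntQuery, records: List[dict]) -> List[dict]:
    return [r for r in records if query.predicate(r)]


# Hunt: PowerShell launched with a script file argument (constructed, benign example).
HUNT = HuntQuery(
    name="powershell launched with -File",
    required_fields=("image", "cmdline"),
    predicate=lambda r: r.get("image", "").lower() == "powershell.exe"
    and "-file" in r.get("cmdline", "").lower(),
)
# A benign lab record that the hunt must match if the data and logic are sound.
CONTROL = {"host": "lab01", "image": "powershell.exe", "cmdline": "powershell.exe -File test.ps1"}


if __name__ == "__main__":
    for label, data in (("cmdline logged", RECORDS_WITH_CMDLINE), ("cmdline missing", RECORDS_NO_CMDLINE)):
        ok, problems = validate_hunt(HUNT, data, CONTROL)
        print(f"{label}: valid={ok} hits={len(run_hunt(HUNT, data))} problems={problems}")
```

Running the hunt directly against the second data set returns zero hits and looks clean; the validation step is what turns that silent false negative into a visible “field not populated” finding before anyone draws a conclusion from it.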
Threat hunting continues to be a hot topic in the infosec community, but true threat hunting remains very elusive, especially for those just starting out. The important thing to remember is that threat hunting is an iterative process, both in doing it and in learning it. So, practice, practice, practice… And if you are trying to get into threat hunting, why not try out our free threat hunting workshop!