Cybersecurity is often seen as a reactive endeavor. We are responding to incidents after the fact. It’s built right into the Incident Response title. Something happens. We see an alert about it. We respond. Or, often, our systems respond for us automatically. But that very concept of being reactive misses out on the chance to be proactive. To actively look into the depths of our environments and try to find problems before they turn into a newsworthy event. That’s where the art of Predictive Threat Hunting comes into play.
The idea is that rather than wait for some kind of event to throw up a flag, someone on the Security Operations team goes digging through the environment looking for signs of trouble. It flips the reactive paradigm on its head in an effort to get ahead of the curve.
Predictive Threat Hunting is not Penetration Testing
While they share some concepts, this isn’t penetration testing where you’re replicating an attack by using the same tools and techniques your adversaries employ. While you are looking for some of the same issues, like system and process vulnerabilities, the goal isn’t to exploit them yourself to make a point. The goal is to see if there is any evidence that someone has exploited them already and is lurking somewhere in your environment. Or, to see what else may be going on when the cybersecurity suite has thrown an alert.
In many cases, Predictive Threat Hunting is actually triggered by an event, rather than being part of a continuous activity. Though with the “assume breach” posture, it’s not unreasonable to start hunting even without a known event putting it in motion. Still, that initial event gives the hunters a starting point. They know there was something going on in some corner of the environment and they can work their way out from there.
What Are You Hunting for Today?
How you position the hunt depends partially on what tools you have and how you want to approach it. For example, there’s the obvious “we know someone has done <insert event here>, let’s see what we find from that starting point.” That’s the initial event described above and is a starting point to work through the environment looking for known IOC (Indicator Of Compromise) and IOA (Indicator Of Attack) signs. This is a good place to loop in the information available in the MITRE ATT&CK framework.
The other common starting point is “oh, look, a new Zero Day and we’re vulnerable” or the related “threat actors have started doing <insert technique here> and that might work on us.” In either case, you’re coming from the perspective of a novel threat that’s been seen in the wild, and you’re hunting for any evidence of the new TTP (Tactics, Techniques, Procedures) in your environment. That’s predictive threat hunting. It is not unlike the approach above, except that you’re looking for something new and novel rather than something you are relatively sure has already happened.
Right Tools for The Job
How you conduct the hunt depends on your tools. If you have a mature cybersecurity stack, you are seeing data from your firewalls, network monitoring, access logs, EDR (Endpoint Detection and Response), etc. It’s a huge amount of data, and the activities you’re hunting for are in there somewhere, waiting to be found.
The challenge in some cases is picking out the indications you’re looking for. Your SIEM has hopefully brought everything into a single interface, rather than making you crawl through all that data in silos, but it’s still a ton of data to sift through.
Hunters Gonna Hunt – With Their AI Hunting Guide
That’s where machine-learning-driven security and risk analytics comes into play. Starting with risk scores, you can already see some of the threats floating up out of the data. By adding in new TTP information and basing your searches on it, security analytics will highlight what you’re looking for and let you find the threats even before they percolate to the top and show up as a high-risk entity.
Basically, you’re leveraging the mass of telemetry in the data lake to isolate and highlight suspicious behaviors. While the analytics platform is going to highlight risks automatically, when you’re predictive threat hunting you’re digging deeper to look at things that may be a threat even before their behavior raises any red flags.
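As an added illustration of the two ideas above (this is example code, not Gurucul’s platform logic): a baseline risk score is computed from signals the automated analytics already weigh, and a hunt hypothesis for one TTP is run over the same telemetry so that a host with a low baseline score is still surfaced. The host names, signal weights, events and the “Office application spawns a shell” hypothesis are all constructed for the example.

```python
from collections import defaultdict

# Constructed EDR-style events: (host, signal, parent_process, child_process).
# "signal" is what the automated analytics already scores; the process
# fields are only populated for process-start events.
EVENTS = [
    ("ws01", "failed_logon", "", ""),
    ("ws01", "failed_logon", "", ""),
    ("ws01", "failed_logon", "", ""),
    ("ws02", "proc_start", "explorer.exe", "chrome.exe"),
    ("ws02", "proc_start", "winword.exe", "powershell.exe"),
    ("ws03", "proc_start", "explorer.exe", "outlook.exe"),
    ("ws03", "proc_start", "outlook.exe", "cmd.exe"),
    ("ws03", "failed_logon", "", ""),
]

# Assumed weights for the automated risk model: process starts alone carry
# no risk, so ws02 would never float up on baseline score by itself.
SIGNAL_WEIGHTS = {"failed_logon": 10, "proc_start": 0}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def baseline_risk(events):
    """Per-host score from the automated signals only (the 'risk score')."""
    scores = defaultdict(int)
    for host, signal, _, _ in events:
        scores[host] += SIGNAL_WEIGHTS.get(signal, 0)
    return dict(scores)


def hunt_office_spawns_shell(events):
    """Hunt hypothesis for one TTP: an Office application launching a shell.
    Returns host -> list of (parent, child) evidence."""
    hits = defaultdict(list)
    for host, signal, parent, child in events:
        if signal == "proc_start" and parent in OFFICE_APPS and child in SHELLS:
            hits[host].append((parent, child))
    return dict(hits)


def prioritize(events, hypothesis, ttp_weight=25):
    """Combine baseline risk with hunt evidence; highest combined score first.
    Hosts that only appear in the hunt results are included as well."""
    base = baseline_risk(events)
    hits = hypothesis(events)
    hosts = set(base) | set(hits)
    ranked = [(h, base.get(h, 0) + ttp_weight * len(hits.get(h, []))) for h in hosts]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))
```

Running `prioritize(EVENTS, hunt_office_spawns_shell)` moves ws03 above ws01 and brings ws02, whose baseline score is zero, onto the list at all.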
Watch the Webinar
If you want to learn more about how Gurucul’s Risk Analytics platform can help the predictive threat hunting program in your organization, check out our webinar presentation.