In this post, we will expand into the types of analysis required when hunting, keeping it basic and building on the overview explained in part 1 of this series.
One of the common questions SOC teams face when building out a Threat Hunting capability into an organisation or operation is; “Where do I look?”
If we think of a threat as the children’s book character Wally. Then Threat Hunting is essentially a big game of “Where’s Wally?”. You have to know where to look to be more successful.
The Security Operations Centers of today are built on mass amounts of data, logs, security events and even tooling that make the start of hunting campaigns hard to see. and obscure the ability to know where to look. When in reality it can be broken down into 3 key areas of focus:
- Log Analysis – Security Events, System Audits, Alerts and Alarms. Most commonly fed into some form of log aggregation tooling or SIEM.
- Network Analysis – Netflow, Packet Capture (PCAP) and Network Telemetry off the wire that details who went where and by what means.
- Host Analysis – Granular, detailed and contextual data regarding the activities, process and potential violations on endpoints.
Log Analysis, for me, tends to be the best starting point in a hunt campaign. Often the most basic form of an event, however, holds the simple IOCs and context needed to quickly identify if there is any presence of an indicator in your environment. Utilising a SIEM provides teams with the ability to run mass queries across a number of sources in one quick search. Any detection found gives a Hunter a point to pivot from and assess the related logs in-depth, or interrogate utilising the other methods detailed below.
In the most basic form, log analysis is a manual task completed by hunters. However, detections on logs can be automated by a number of free and open-source threat feeds integrated into a SIEM, retrospectively applying these feeds and IOCs to data in the past right up to real-time. This form of Tactical Intelligence provides a “quick win” for SOCs to implement Threat Hunting.
Network Analysis tends to be a little trickier, as often requires specific tooling. However is absolutely key when trying to detect any form of a covert channel, command & control (C2) server or malicious DNS traffic.
A real benefit of network analysis is the ability to see the source, destination and port/service detail. For example, if during your hunt you discover a number of sources communicating with a C2 server from the same network location, e.g. Human Resources Department, a logical pivot point would be to assess for possible malware on the hosts and delivery of the payload to the department employees, i.e Phishing.
Last, but by no means least. Host Analysis. This requires the most manual effort in the majority of cases. Identifying TTPs and Tools used by attackers are reportedly the toughest artefacts to collect and assess (see Pyramid of Pain). Yet provided the greatest context and factual evidence for the presence of a threat.
As a Threat Hunter, looking into system processes, registry changes and file integrity can be challenging. There are a number of host-based tools that can make host analysis easier (check out Redline by FireEye). The reality is that if you are looking into a specific host for the granular detail, after using both log and network analysis, then there is a good chance you have identified the presence of a threat, and thus should be spinning up the CSIRT or other response mechanisms available to you.
The key part of the host-based analysis is collecting the evidence of the threat, then searching your environment wider and ingesting/sharing this evidence into a Threat Intelligence Platform/Service.
When looking to build out a Threat Hunting capability, assess what types of analysis are available to you.
- Do you have sufficient and accurate log data?
- Are you able to assess traffic on the network layer?
- How easy is it to collect evidence from a host?
After that, Threat Hunting will be far more achievable and practical for you and your organisation.
Hopefully, this article helps you understand where you should begin to start looking when Threat Hunting and the capability seems less complex than before.
Thank you for reading, happy hunting!