Thu | Jul 6, 2017 | 1:52 PM PDT

Have you ever played the game “Where’s Waldo”? If you have, you may already understand how this blog relates to threat hunting.

If you haven’t or aren't aware of the books, the object is to locate the Waldo character within a picture filled with many other graphics and people.

Spotting Waldo is difficult, and identifying him from the crowd is downright frustrating in some of the illustrations. It is a game of patience, visual acuity, and methodical review of graphics.

To that end, a modern spoof on the game shows pictures in which nearly every person is Waldo, and the objective is to find everyone who is not Waldo. This is a fitting analogy for the false positives encountered in threat hunting, and it is the reason the analogy matters here.

So, for new readers, what is threat hunting? Threat hunting is the cybersecurity practice of processing information and methodically searching through networks, assets, and infrastructure for advanced threats that are evading existing security solutions and defenses.

Firewalls, Intrusion Prevention Systems, and Log Management are all designed to detect and protect against threats—even if they are zero-day threats and have never been seen before. Threat hunting is the layer below this. What threats are actively running in my network that I am missing, and how can I find them?

The simple solution for most companies is to provide better inspection of the data already being collected. That includes diving deeper into log files, looking at denied logon attempts, and correlating application events from application control solutions that denied execution. But that is not really threat hunting. That is performing security best practices and adhering to the log management and review guidelines found in many regulatory standards, from PCI to NIST.

Threat hunting can be an automated or a manual process to find hidden threats. The process involves processing multiple sources of data simultaneously and correlating information with an inherent knowledge of the systems, mission, and infrastructure producing the information.

While this may sound like a canned answer, it is not. Security Information and Event Management (SIEM) systems are designed to ingest this information, but they only allow limited tagging of data by source and type to apply a business element. They fail, like many technologies, to apply the human element.

To aid with this, and to provide some intuition about the data, the process can be automated using behavioral analytics or machine learning. That raises the bar for identifying repetitive patterns, but that is all it does; it has no knowledge of what those patterns mean.

For threat hunting to succeed, security professionals need to start with a hypothesis. This hypothesis assumes a threat and maps the patterns and manual review of data to the conclusion (that a threat is actively occurring). Common hypotheses include:

  • Analytics Driven: Patterns in analytics automation can be assigned risk ratings and used to determine if a high-risk pattern is occurring
  • Situational: High-value targets—including data, assets, and employees—are analyzed for abnormalities
  • Intelligence: Correlation of threat patterns, intelligence, malware, and vulnerability information to draw a conclusion

Therefore, for threat hunting to succeed, we need to meet the following requirements or our data and hunt will be flawed:

  • Crown Jewels and Sensitive (Privileged) Accounts are properly identified for data modeling.
  • Sources of information can be correlated by CVE, IP address, and host name reliably. Changes due to DHCP and even poor time synchronization (a weak NTP implementation) can distort threat hunting results. We need to trust the data nearly implicitly.
  • Consolidation tools like a SIEM are collecting all applicable data sources for pattern recognition.
  • Threats to the business, like a game-over breach event, are established and used to build a hypothesis.
  • Tools for risk assessments, intrusion detection, and attack prevention are up to date and operating correctly. If these systems are faulty, your first lines of defense are in jeopardy.
  • Documentation: Network maps, descriptions of business processes, asset management, etc. are critical. Threat hunting relies on the human element to correlate information to the business. Without being able to map a transaction to its electronic workflow, a hypothesis is blind as to how the threat occurred and is remaining persistent.
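The correlation requirement above (IP address to host name across DHCP churn and clock skew) and the analytics-driven hypothesis are illustrated by the following added example; it is not code from the original post. All lease records, logon events, host names and the ten-minute sensor skew are constructed sample values.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the original post). One DHCP address is
# handed from an HR laptop to a Finance laptop at noon; the logon sensor
# records only the source IP, so attribution depends on lease history.
DHCP_LEASES = [  # (ip, hostname, lease_start, lease_end)
    ("10.0.0.5", "HR-LAPTOP-01", "2017-07-06T08:00:00", "2017-07-06T12:00:00"),
    ("10.0.0.5", "FIN-LAPTOP-07", "2017-07-06T12:00:00", "2017-07-06T20:00:00"),
]
DENIED_LOGONS = [  # (timestamp as stamped by the sensor, source ip, account)
    ("2017-07-06T11:40:00", "10.0.0.5", "Administrator"),
    ("2017-07-06T12:05:00", "10.0.0.5", "Administrator"),
    ("2017-07-06T13:30:00", "10.0.0.5", "svc_backup"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def naive_host(ip):
    """Resolve by the most recent lease only: mis-attributes every event
    that happened before the address changed hands."""
    hosts = [h for i, h, _, _ in DHCP_LEASES if i == ip]
    return hosts[-1] if hosts else None

def host_at(ip, ts, skew_minutes=0):
    """Resolve ip to the host holding the lease at event time, after
    removing the sensor's clock skew (positive = sensor clock runs fast)."""
    true_time = ts - timedelta(minutes=skew_minutes)
    for lease_ip, host, start, end in DHCP_LEASES:
        if lease_ip == ip and parse(start) <= true_time < parse(end):
            return host
    return None

def attribute(events, skew_minutes=0):
    """Map each (timestamp, ip, account) event to (hostname, account)."""
    return [(host_at(ip, parse(ts), skew_minutes), acct)
            for ts, ip, acct in events]

def hunt(events, skew_minutes=0, threshold=2):
    """Hypothesis: a host with repeated denied privileged logons is staging
    something. Returns the hosts at or above the threshold, so the analyst
    can review them rather than a bare list of IP addresses."""
    counts = Counter(host for host, _ in attribute(events, skew_minutes))
    return sorted(h for h, n in counts.items() if n >= threshold)
```

Note that a ten-minute fast sensor clock moves the 12:05 event across the lease boundary and changes which host the hunt flags, which is exactly why the data must be trusted before the hypothesis is.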

Threat hunting is much like “Where’s Waldo?”. You know he exists, you kind of know what he looks like, but you cannot find him.

While the hunter may not know what the threats actually are, it is a safe assumption that they are doing something wrong or staging to do something malicious in the future. If you can find those hidden threats, you can find Waldo.

Think of the problem, puzzle, and game with clear objectives and leverage the tools you have—not just a correlated black box report or an alert.

Threat hunting requires you to dig in deep, use a magnifying glass, and rely on your senses to help find the threat. Having security best practices to begin with is an absolute requirement for success, since everything you do for threat hunting depends on it.
