8. Threat Hunting – Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations

© Morey J. Haber 2020
M. J. Haber, Privileged Attack Vectors, https://doi.org/10.1007/978-1-4842-5914-6_8

8. Threat Hunting

Morey J. Haber
Heathrow, FL, USA

If you’ve ever played the game “Where’s Waldo?” you may already understand how this section relates to threat hunting. For those who have not heard of the game, the object is to find a picture of Waldo within a picture filled with other graphics and people. Spotting Waldo is difficult, and identifying him in the crowd is downright frustrating in some of the illustrations and illusions intentionally created by the artist. It is a game of patience, visual acuity, and methodical review of graphics. To that end, a modern spoof on the game has graphics in which nearly every person is Waldo, and the objective is to find everyone who is not Waldo. That variant is a fitting analogy for false positives in threat hunting, and it is why the comparison matters here.

So, for new security professionals, what is threat hunting? Threat hunting is the cybersecurity practice of processing information and methodically searching through networks, assets, and infrastructure for advanced threats that are evading existing security solutions and defenses. Firewalls, intrusion prevention solutions, and log management are all designed to detect and protect against threats—even zero-day threats that have never been seen before. Threat hunting is the layer below this: What threats are actively running in my network that I am missing, and how can I find them? It assumes the basic premise that the environment has already been compromised and a threat exists within it. In the universe of privileged access, how can you determine whether a privileged session is being executed by an authorized team member or has been compromised by a threat actor? Figure 8-1 illustrates the typical steps in the threat hunting process.
Figure 8-1. Threat Hunting Process Steps

The simple solution for most companies is to provide better inspection of the data already being collected. That includes diving deeper into log files, looking at denied logon access, and processing application events correlated from application control solutions. But that is not really what threat hunting is. Those steps are merely security best practices and adhering to the guidelines in many regulatory standards from PCI to NIST for log management and review.

Threat hunting can be an automated or manual process to find hidden threats. It assumes the threat is already there; you just need to find it. The process involves processing multiple sources of data simultaneously and correlating the information with inherent knowledge of the systems, mission, and infrastructure producing it. While this may sound like a canned answer, it is not. Security information and event management (SIEM) solutions are designed to ingest this information, but only allow limited tagging of data by source and type to apply a business element. They fail, like many technologies, to apply the human element. To aid with this and provide data intuition, the process can be automated using behavioral analytics or machine learning. That raises the bar for identifying repeating patterns, but that is all it does; it does not know the meaning of the patterns detected. For threat hunting to succeed, security professionals need to start with a hypothesis. The hypothesis assumes a threat and maps the patterns and manual review of data to a conclusion (a threat is actively occurring). To determine whether privileged access is being used by a threat actor or appropriately within an environment, consider these common hypotheses:
  • Analytics-Driven: Patterns in behavior (or outlier events) can be assigned risk ratings and used to determine if a high-risk pattern is occurring.

  • Situational: High-value targets are analyzed, including data, assets, and employees, for abnormalities and unusual requests.

  • Intelligence: Correlation of threat patterns, intelligence, malware, sessions, and vulnerability information to draw a conclusion.

Therefore, for threat hunting to succeed, we need to meet the following requirements, or our data and hunt will be flawed:
  • Crown jewels and sensitive (privileged) accounts are properly identified for data modeling. This includes monitoring of when they are used, who is using them, and what actions are being performed.

  • Sources of information can be reliably correlated by CVE, IP address, and hostname. Address changes due to DHCP, and even poor time synchronization (a weak NTP implementation), can mislead threat hunters. We need to be able to trust the data almost implicitly.

  • Consolidation tools, like an SIEM, are collecting all relevant data sources for pattern recognition. As a general rule of thumb, the more security data, the better. Extra data can always be filtered out, purged, or suppressed.

  • Threats to the business, like a game-over breach event, are established and used to build a hypothesis. If a threat actor did “this,” could my business ever recover, and what would be the cost?

  • Tools for risk assessments, intrusion detection, and attack prevention are up-to-date and operating correctly. If these systems are faulty, your first lines of defense are in jeopardy.

  • Documentation, such as network maps, descriptions of business processes, asset management, and so on, is critical. Threat hunting relies on the human element to correlate information to the business. Without being able to map a transaction to its electronic workflow, a hypothesis is blind as to how the threat occurred and how it is remaining persistent.
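As an added example (not code from the book or its author), the following Python script applies the analytics-driven and situational hypotheses listed earlier to a handful of constructed privileged-session records, and it addresses the correlation caveat from the requirements list by keying sessions on hostname rather than a DHCP-assigned IP address and by normalizing every timestamp to UTC before scoring. The log format, the risk weights, the per-account host baselines, the business-hours window, and the crown-jewel list are all assumptions made for this example; a real hunt would draw them from the documentation and monitoring the list above calls for.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records (not real telemetry): one line per privileged
# session as a SIEM might export it, formatted timestamp|host|ip|account|action.
# Timestamps carry their source's UTC offset. The DHCP lease for 10.0.5.17
# moves from ws-fin-02 to ws-eng-09 on the second day, which is why sessions
# are keyed by hostname below and not by IP address.
SAMPLE_LOG = """\
2024-03-04T09:12:00+00:00|ws-fin-02|10.0.5.17|svc_backup|backup_run
2024-03-04T10:05:00+00:00|db-prod-01|10.0.9.4|dba_admin|query
2024-03-04T14:30:00+00:00|ws-fin-02|10.0.5.17|svc_backup|backup_run
2024-03-05T03:41:00+02:00|ws-eng-09|10.0.5.17|svc_backup|group_add
2024-03-05T02:15:00+00:00|db-prod-01|10.0.9.4|dba_admin|dump_export
2024-03-05T11:00:00+00:00|db-prod-01|10.0.9.4|dba_admin|query
"""

# Hypothesis inputs the hunter supplies (assumed values for this example).
CROWN_JEWELS = {"db-prod-01"}                      # situational: high-value assets
BASELINE_HOSTS = {"svc_backup": {"ws-fin-02"},     # hosts each account normally uses
                  "dba_admin": {"db-prod-01"}}
BUSINESS_HOURS = range(8, 18)                      # 08:00-17:59 UTC
SENSITIVE_ACTIONS = {"group_add", "dump_export"}   # privilege changes or data movement
ALERT_THRESHOLD = 5                                # assumed risk rating that warrants review


@dataclass
class Session:
    ts: datetime      # normalized to UTC
    host: str
    ip: str
    account: str
    action: str


def parse_log(text: str) -> list[Session]:
    """Parse pipe-delimited lines and normalize every timestamp to UTC so
    sources with different clock offsets line up before correlation."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, ip, account, action = line.split("|")
        utc = datetime.fromisoformat(ts).astimezone(timezone.utc)
        sessions.append(Session(utc, host, ip, account, action))
    return sessions


def score_session(s: Session) -> tuple[int, list[str]]:
    """Analytics-driven hypothesis: additive risk rating per session, returned
    together with the reasons that contributed so an analyst can see why."""
    score, reasons = 0, []
    if s.host not in BASELINE_HOSTS.get(s.account, set()):
        score += 3
        reasons.append("account used from a host outside its baseline")
    if s.ts.hour not in BUSINESS_HOURS:
        score += 2
        reasons.append("outside business hours (UTC)")
    if s.action in SENSITIVE_ACTIONS:
        score += 3
        reasons.append(f"sensitive action {s.action}")
    if s.host in CROWN_JEWELS:
        score += 1
        reasons.append("crown-jewel asset")
    return score, reasons


def hunt(text: str, threshold: int = ALERT_THRESHOLD) -> list[dict]:
    """Return the sessions whose rating meets the threshold, keyed by hostname."""
    findings = []
    for s in parse_log(text):
        score, reasons = score_session(s)
        if score >= threshold:
            findings.append({"host": s.host, "account": s.account,
                             "ts": s.ts.isoformat(), "score": score,
                             "reasons": reasons})
    return findings


def hosts_seen_for_ip(text: str) -> dict[str, set[str]]:
    """Show why correlating on IP alone is unsafe: one DHCP address can map
    to more than one hostname over the hunt window."""
    seen = defaultdict(set)
    for s in parse_log(text):
        seen[s.ip].add(s.host)
    return dict(seen)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
    print(hosts_seen_for_ip(SAMPLE_LOG))
```

Two sessions cross the threshold: the backup account running a group change from an unfamiliar host at 01:41 UTC (the 03:41+02:00 record, which only looks like the early hours once normalized), and the DBA account exporting a dump from the crown-jewel database overnight. The low-scoring sessions are the "everyone who is not Waldo" the analogy warns about; the returned reasons are what lets a hunter decide whether a flagged session is an authorized team member or a compromised account.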

Threat hunting is much like “Where’s Waldo?” You know the threat actor exists, and you have a rough idea of what he looks like, but it may be very difficult to find him.

While a threat hunter may not know what the threat actually is, it is a safe assumption that the threat actor(s) exist and are doing something wrong, or are staging to do something malicious in the future. If you can find that hidden threat, you can find Waldo. Think of the problem as a puzzle or game with clear objectives, and leverage the tools you have to go beyond a correlated black-box report or an alert on an unauthorized login. Threat hunting requires you to dig in deep, use a magnifying glass, and rely on your senses to find the threat. Having security best practices in place to begin with is an absolute requirement for success, since everything you do in threat hunting depends on them. Also, skilled threat actors will leverage your existing security tools against you to remain hidden. This is yet another reason why best practices must be rock-solid before you embark on threat hunting. After all, if a threat actor is in your environment and current solutions cannot find them, you need to question which privileges they are executing with in order to remain hidden. Those are definitely the privileges you should be actively monitoring every single day.