Threat hunting has become an important cybersecurity practice. Building on the presumption that sophisticated attackers have already successfully penetrated many enterprise networks, threat hunting seeks to uncover evidence of these compromises, enabling a rapid response.
While few of the organizations I work with are conducting threat hunting activities, many of them are talking about it. Security leaders often view threat hunting as an aspirational goal that requires a significant investment of time and money to achieve. But I believe that most organizations already have in place the technology they need to perform threat hunting and would benefit from simply changing how they use those products.
Let’s take a look at five ways you can leverage your existing security infrastructure to take a proactive approach to defending your network.
Use Your Next-Generation Firewall
Almost all organizations now deploy NGFW capabilities. The advanced intrusion detection and prevention features of these systems are useful only if they are carefully monitored by security teams. Make sure your security analysts follow up on events flagged by the firewall as they seek signs of a potential intrusion. You can get even more value out of your NGFW by enabling SSL decryption features that allow you to extend your protection across both encrypted and unencrypted network traffic.
Keep an Eye on the Sandbox
Modern malware protection solutions incorporate sandboxing technology that allows them to discern the intentions of unknown executables. If your malware protection system starts flagging potentially malicious software on your network, that’s a good sign that something questionable is taking place. Investigate where that traffic originated and keep an eye out for other signs of intrusion.
Ratchet Up Email Protection
Email protection isn’t the most glamorous realm of cybersecurity, but email is consistently the most common vector used by attackers to gain initial access to a targeted network. Make sure that your email filtering software is working effectively and pay particular attention to messages containing embedded links and executable content. A sudden surge in these messages often marks the beginning of an intrusion attempt.
Treat Endpoint Alerts as the Starting Point of an Investigation
You have many lines of defense in front of your endpoints. Malware that reaches an endpoint likely had to pass through a firewall, content filters, intrusion prevention systems and other defenses. When your endpoint protection solution triggers an alert, pay careful attention. In addition to cleaning the infected system, try to trace the path of the infection to identify other threats lurking on your network.
Correlate Patterns with Your SIEM
Modern attacks are sophisticated, using a series of small steps to gain significant access on a network. A security information and event management solution serves as the central point of aggregation and correlation for security alerts. When you engage in threat hunting, pay particular attention to the use of administrative accounts logged by the SIEM. SIEM correlation can help you identify, say, if an account that was targeted by spear phishing yesterday was suddenly used to make a remote connection to a web server and then connected to several other systems before elevating to administrative privileges. Without the centralized aggregation of those logs, such activity might go unnoticed.
The modern threat environment is challenging. Attackers have tremendous resources and the patience to engage in slow, coordinated attacks. Threat hunting assumes that these attackers will occasionally gain access to your systems and helps you seek out signs of those intrusions to eradicate them as quickly as possible. You can begin threat hunting today with the equipment and information that you already have on hand. Don’t wait!
This blog post brought to you by: