Six Steps To Successful and Efficient: Threat Hunting
38% of advanced, emerging threats are missed by traditional security tools, according to a report published by Cybersecurity Insider.
Threat hunting can help combat these challenges. Rather than waiting for an alert, threat hunters proactively assume that an advanced adversary is already operating inside the network and work to find evidence of that presence. This paper explains what threat hunting is, why it is essential, and how you can enable your team to adopt efficient hunting strategies with the SentinelOne Platform.
Threat hunting has been defined as “computer security incident response before there is an incident declared.” Others define it as “threat detection using the tools from incident response,” or even “security hypothesis testing on a live IT environment.”
Unlike Security Operations Center (SOC) and Incident Response (IR) teams, threat hunters do not only respond to threats; they actively search for them. The process involves forming hypotheses about potential threats, which are then confirmed or disproven on the basis of collected data and analysis. Threat hunting is also a different activity from incident response or digital forensics. DF/IR methodologies aim to determine what happened after a breach has been discovered. When a team engages in threat hunting, by contrast, the aim is to find attacks that have already slipped through the defensive layers but have not yet been detected. Threat hunting also differs from penetration testing and vulnerability assessment. Those activities simulate an attack and ask what could happen if someone compromised your security. Threat hunters work from the premise that an attacker is already in the network and look for indicators of compromise, lateral movement, and other tell-tale artifacts that provide evidence of the attacker.
On average, cybercriminals spend 191 days inside a network before being discovered, which is more than enough time to cause serious damage.
Simply stated, if you are not looking for threat actors inside your network, you may never know they are there. What if the attackers lock you out of your systems before you notice that you are under attack? An efficient threat hunting program shortens that window and reduces the chance of such surprises.
Just having the raw data is not enough; you also need to ensure that you have context sur-
rounding the data. Knowing which data to combine, correlate, or extend is critical. Ideally, you
want tools that allow a clear overview of all the above data with powerful capabilities to auto-
matically contextualize and correlate different events into unified detections that minimize the
amount of manual sifting through raw logs.
3. Develop a hypothesis
Many hunts start from an intelligence source: Indicators of Compromise (IoCs) such as hash values, IP addresses, domain names, and network or host artifacts, provided by third-party sources such as an Information Sharing and Analysis Center (ISAC) or the FBI. Hunts can also be incident driven; given any incident, you need to answer how and when it happened. However, not all threats are known. In fact, a large number of threats are unknown, so hunting cannot rely solely on known indicators and methodologies.
• Penetration testing: attackers tend to use tools similar to those applied by experienced pen testers. Therefore, studying pen-testing practices creates a treasure trove of knowledge for generating threat hunting hypotheses.
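The intel-driven hunt described above, as an added example that is not part of this paper and not SentinelOne code: a third-party indicator list (hashes, IP ranges, domains) is normalised once and then matched against endpoint telemetry. The indicator feed, the telemetry lines and their field names are constructed for illustration. The domain check is label-aligned so that a lookalike such as notevil-update.example does not match an indicator for evil-update.example, which a plain suffix check would.

```python
"""IoC-driven hunt over endpoint telemetry.

Added example (not SentinelOne code): INDICATORS and TELEMETRY are constructed
for illustration; the field names are assumptions, not any product's schema.
"""
import ipaddress
import json
from collections import Counter

# Constructed indicator list in the shape a third-party feed (ISAC, FBI flash) delivers.
INDICATORS = {
    "sha256": {"3A7BD3E2360A3D29EEA436FCFB7E44C735D117C42D1C1835420B6B9942DD4F1B"},
    "ip": {"203.0.113.0/24", "198.51.100.7"},
    "domain": {"evil-update.example", "c2.badcorp.example"},
}

# Constructed endpoint events, one JSON object per line (process, DNS, network).
TELEMETRY = """
{"host":"ws01","type":"process","image":"svchost.exe","sha256":"3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b","parent":"winword.exe"}
{"host":"ws01","type":"dns","image":"svchost.exe","query":"cdn.evil-update.example."}
{"host":"ws02","type":"netconn","image":"powershell.exe","dst_ip":"203.0.113.45","dst_port":443}
{"host":"ws03","type":"netconn","image":"chrome.exe","dst_ip":"192.0.2.10","dst_port":443}
{"host":"ws03","type":"dns","image":"chrome.exe","query":"notevil-update.example"}
"""


def compile_indicators(indicators):
    """Normalise the feed once: lower-case hashes, parse CIDRs, strip trailing dots."""
    return {
        "sha256": {h.lower() for h in indicators["sha256"]},
        "ip": [ipaddress.ip_network(n, strict=False) for n in indicators["ip"]],
        "domain": {d.lower().rstrip(".") for d in indicators["domain"]},
    }


def domain_match(query, domains):
    """Label-aligned suffix match: cdn.evil-update.example hits evil-update.example,
    but notevil-update.example does not (a plain endswith() check would match it)."""
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def hunt(telemetry, indicators):
    """Return (host, indicator_type, matched_indicator, image) for every IoC hit."""
    c = compile_indicators(indicators)
    hits = []
    for line in telemetry.strip().splitlines():
        ev = json.loads(line)
        if ev.get("sha256", "").lower() in c["sha256"]:
            hits.append((ev["host"], "sha256", ev["sha256"].lower(), ev["image"]))
        if "dst_ip" in ev:
            addr = ipaddress.ip_address(ev["dst_ip"])
            net = next((n for n in c["ip"] if addr in n), None)
            if net is not None:
                hits.append((ev["host"], "ip", str(net), ev["image"]))
        if "query" in ev:
            d = domain_match(ev["query"], c["domain"])
            if d is not None:
                hits.append((ev["host"], "domain", d, ev["image"]))
    return hits


def hosts_by_hit_count(hits):
    """Pivot: hosts with the most independent indicator hits are triaged first."""
    return [h for h, _ in Counter(hit[0] for hit in hits).most_common()]


if __name__ == "__main__":
    for hit in hunt(TELEMETRY, INDICATORS):
        print(hit)
    print("triage order:", hosts_by_hit_count(hunt(TELEMETRY, INDICATORS)))
```

On the constructed data, ws01 produces two independent hits (a known-bad hash running under winword.exe and a DNS query for a subdomain of a listed C2 domain), ws02 one (a connection into a listed range), and ws03 none, so the host pivot puts ws01 first.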
SentinelOne’s patented Deep Visibility™ lets you quickly and iteratively query and pivot across telemetry captured from endpoint devices to validate hypotheses. SentinelOne automatically correlates all related objects (processes, files, threads, events, and more) of a threat. For example, suppose a process modifies a different process by injecting code. When you run a query, all interaction between the source process, the target process, and the parent process shows clearly in the cross-process details. This lets you quickly understand the data relationships: the root cause behind a threat with all of its context, relationships, and activities. Analysts can also use historical data to map advanced threat campaigns across time, which supports efficient hypothesis generation.
You can create powerful hunting queries with easy-to-use shortcuts. If you are a threat hunter, the MITRE ATT&CK framework has likely become one of your go-to tools, and SentinelOne makes hunting for MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) fast and painless: enter the MITRE technique ID and use it to perform a hunt.
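The two ideas in the preceding paragraphs, a hunt keyed on an ATT&CK technique ID and cross-process correlation back to the parent chain, as one added example. This is illustrative code written for this page, not SentinelOne's Deep Visibility query language or its Storyline implementation; the telemetry, the event field names and the small technique-to-predicate table are all constructed. A match on T1055 (Process Injection) returns the acting process's ancestry and the injected target, which is the "source, target, parent" view the text describes.

```python
"""Technique-ID hunt with cross-process correlation.

Added example (not SentinelOne code, not Deep Visibility query syntax): the
telemetry, the field names and the technique-to-predicate table are constructed
to illustrate how a hunt keyed on an ATT&CK technique ID can return the
source process, target process and parent chain for each match.
"""
import json

# Constructed endpoint telemetry: process creations plus cross-process events.
TELEMETRY = """
{"t":1,"type":"process","pid":100,"ppid":1,"image":"explorer.exe","cmd":"explorer.exe"}
{"t":2,"type":"process","pid":200,"ppid":100,"image":"winword.exe","cmd":"winword.exe invoice.docm"}
{"t":3,"type":"process","pid":300,"ppid":200,"image":"powershell.exe","cmd":"powershell.exe -w hidden -e SQBFAFgA"}
{"t":4,"type":"process","pid":400,"ppid":1,"image":"notepad.exe","cmd":"notepad.exe"}
{"t":5,"type":"cross_process","src_pid":300,"tgt_pid":400,"action":"inject"}
{"t":6,"type":"process","pid":500,"ppid":100,"image":"chrome.exe","cmd":"chrome.exe"}
{"t":7,"type":"cross_process","src_pid":500,"tgt_pid":500,"action":"open"}
"""


def has_encoded_command(cmd):
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    so match on prefix rather than on the literal switch name; -ep/-ex do not match."""
    for tok in cmd.split():
        if tok.startswith("-") and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return True
    return False


# ATT&CK technique ID -> predicate over a single event. Only two entries here;
# a real table would be far larger.
TECHNIQUES = {
    # Process Injection: one process writes into a different one.
    "T1055": lambda e: e["type"] == "cross_process"
    and e["action"] == "inject"
    and e["src_pid"] != e["tgt_pid"],
    # PowerShell with an encoded command line.
    "T1059.001": lambda e: e["type"] == "process"
    and e["image"].lower() == "powershell.exe"
    and has_encoded_command(e["cmd"]),
}


def process_table(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(procs, pid):
    """Walk ppid links to the root; returns images root-first. The seen-set guards
    against PID reuse creating a cycle in the recorded tree."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain[::-1]


def hunt(technique_id, telemetry):
    """Return one storyline per matching event: technique, time, parent chain of the
    acting process and, for cross-process events, the target image."""
    events = [json.loads(line) for line in telemetry.strip().splitlines()]
    procs = process_table(events)
    match = TECHNIQUES[technique_id]
    stories = []
    for e in events:
        if not match(e):
            continue
        actor = e["src_pid"] if e["type"] == "cross_process" else e["pid"]
        story = {"technique": technique_id, "t": e["t"], "chain": ancestry(procs, actor)}
        if e["type"] == "cross_process":
            story["target"] = procs[e["tgt_pid"]]["image"]
        stories.append(story)
    return stories


if __name__ == "__main__":
    for tid in TECHNIQUES:
        for s in hunt(tid, TELEMETRY):
            print(tid, " -> ".join(s["chain"]), "target:", s.get("target", "-"))
```

Both hunts on the constructed data resolve to the same root cause, explorer.exe -> winword.exe -> powershell.exe, which is the point of correlating a hit back to its parent chain: the injection into notepad.exe and the encoded PowerShell are one story, a macro document, not two unrelated alerts. The t=7 event, a process opening a handle to itself, is correctly ignored by the T1055 predicate.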
A threat can be added to Exclusions or marked as resolved, and notes can be added to record the rationale behind the decision. SentinelOne also offers full Remote Shell capabilities, giving your security team a quick way to investigate attacks, collect forensic data, and remediate breaches no matter where the compromised endpoints are located, which reduces uncertainty and the downtime that results from an attack.
SentinelOne can also detect threats before an analyst goes looking for them, using machine learning and intelligent automation to inspect files, documents, emails, credentials, browsers, payloads, and memory. It can automatically disconnect a device from the network when it identifies a likely security threat or attack.
SentinelOne is designed to lighten the load on your team in every way, and that in-
cludes giving you the tools to set up and run custom threat hunting searches.
With Storyline Auto-Response (STAR) custom detection rules, you can turn Deep Visibility queries into automated hunting rules that trigger alerts and responses whenever a rule matches. STAR gives you the flexibility to create custom alerts specific to your environment that enhance the alerting and triage of events.
SentinelOne can also automatically mitigate detections based on the policy for suspicious threats or the policy for malicious threats, or can put endpoints in Network Quarantine. Alerts are triggered in near-real-time and appear in the Activity log in the Management Console. You can also enable alerts in Syslog for triage and SIEM integration.
After running the query in Deep Visibility and investigating the results, you can select an Auto-Response for the rule so that its detections are mitigated automatically. With that, you have configured your SentinelOne solution to protect your environment according to your needs, around the clock.
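The query-to-rule-to-response flow described in the preceding paragraphs, as an added example written for this page. It is not SentinelOne's STAR engine: the rule and policy structures, the exclusion list, the event fields and the syslog line format are assumptions made for illustration, and the events are constructed. A hunt predicate becomes a rule with a severity; the severity selects the response (alert only for suspicious, alert plus kill and network quarantine for malicious); an exclusion recorded after investigation stops a known-benign match (here an AV engine opening lsass.exe) from firing again; each detection is also rendered as an RFC 5424 syslog line for SIEM intake.

```python
"""Turning a hunt query into an automated rule with a policy-driven response.

Added example (not SentinelOne's STAR implementation): rule, policy and
exclusion structures, the event fields and the syslog line format are
assumptions made for illustration.
"""
import json
from dataclasses import dataclass
from typing import Callable

# Constructed events to stream through the rules.
TELEMETRY = """
{"ts":"2021-01-07T10:00:01Z","host":"ws01","type":"process","image":"powershell.exe","parent":"winword.exe"}
{"ts":"2021-01-07T10:00:02Z","host":"dc01","type":"cross_process","image":"MsMpEng.exe","target":"lsass.exe","action":"open"}
{"ts":"2021-01-07T10:00:03Z","host":"ws02","type":"cross_process","image":"procdump.exe","target":"lsass.exe","action":"open"}
{"ts":"2021-01-07T10:00:04Z","host":"ws03","type":"process","image":"chrome.exe","parent":"explorer.exe"}
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    severity: str                  # "suspicious" or "malicious"
    query: Callable[[dict], bool]  # the hunt predicate, now run on every new event


RULES = [
    Rule("office-spawns-shell", "T1204.002", "malicious",
         lambda e: e["type"] == "process" and e["parent"] in OFFICE and e["image"] in SHELLS),
    Rule("lsass-handle-open", "T1003.001", "suspicious",
         lambda e: e["type"] == "cross_process" and e["target"] == "lsass.exe"),
]

# Response policy per severity (alert only vs. alert + kill + network quarantine).
POLICY = {
    "suspicious": ("alert",),
    "malicious": ("alert", "kill_process", "network_quarantine"),
}

# (rule, image) pairs an analyst has investigated and documented as benign.
EXCLUSIONS = {("lsass-handle-open", "MsMpEng.exe")}

# syslog PRI = facility*8 + severity (RFC 5424); facility local4 = 20.
SYSLOG_SEVERITY = {"suspicious": 4, "malicious": 1}   # warning / alert


def syslog_line(ev, rule, actions):
    pri = 20 * 8 + SYSLOG_SEVERITY[rule.severity]
    return (f"<{pri}>1 {ev['ts']} {ev['host']} star - - - "
            f"rule={rule.name} technique={rule.technique} severity={rule.severity} "
            f"image={ev['image']} actions={','.join(actions)}")


def evaluate(telemetry, rules=RULES, policy=POLICY, exclusions=EXCLUSIONS):
    """Return one detection per (event, rule) match that is not excluded."""
    detections = []
    for line in telemetry.strip().splitlines():
        ev = json.loads(line)
        for rule in rules:
            if not rule.query(ev) or (rule.name, ev["image"]) in exclusions:
                continue
            actions = policy[rule.severity]
            detections.append({
                "host": ev["host"], "rule": rule.name, "actions": actions,
                "syslog": syslog_line(ev, rule, actions),
            })
    return detections


def quarantined_hosts(detections):
    return sorted({d["host"] for d in detections if "network_quarantine" in d["actions"]})


if __name__ == "__main__":
    dets = evaluate(TELEMETRY)
    for d in dets:
        print(d["syslog"])
    print("quarantined:", quarantined_hosts(dets))
```

Note the asymmetry the policy encodes: the lsass rule is kept at "suspicious" because legitimate software does open lsass.exe handles, so it alerts for triage rather than isolating a domain controller on its own, while an Office process spawning a shell is rare enough in most environments to justify an automatic kill and quarantine. Which side of that line each rule sits on is an environment-specific decision that the investigation step before enabling Auto-Response is meant to settle.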
Modern adversaries are automating their techniques, tactics, and procedures to evade preventative defenses, so it makes sense that enterprise security teams can better keep up with attacks by automating their own manual workloads.
Please contact us or request a demo to see how SentinelOne can help you develop an
efficient hunting program.
Additional Resources
Deep Dive - Hunting with MITRE ATT&CK
Visit SentinelOne Platform page
Learn more about Rapid Threat Hunting with Storyline
Visit SANS Threat Hunting Report - Automating Hunt
Read Gartner Report - Threat Hunting for Proactive Threat Detection
97% customer satisfaction (CSAT) and 97% would recommend SentinelOne, according to Gartner Peer Insights™ ‘Voice of the Customer’ reviewers (August 2020).
About SentinelOne
More Capability. Less Complexity. SentinelOne is pioneering the future of cybersecurity
with autonomous, distributed endpoint intelligence aimed at simplifying the security stack
without forgoing enterprise capabilities. Our technology is designed to scale people with
automation and frictionless threat resolution. Are you ready?
sentinelone.com
© SentinelOne 2021
SENTINELONE WHITEPAPER