Six Steps to Successful and Efficient Threat Hunting

SentinelOne White Paper

Six Steps to Successful and Efficient Threat Hunting

SENTINELONE WHITEPAPER January 2021


Table of Contents

Introduction
What is Threat Hunting?
Why do you need to incorporate threat hunting?
Six steps to creating an efficient hunting program
Closing thoughts

SENTINELONE WHITEPAPER SIX STEPS TO SUCCESSFUL AND EFFICIENT THREAT HUNTING 2


01 Introduction

38% of advanced, emerging threats are missed by traditional security tools, according to a report published by Cybersecurity Insider.

Cybersecurity often feels like a game of cat and mouse. As our solutions get better at stopping an attack, adversaries have often already developed and started using new tactics and techniques. According to the Verizon DBIR, advanced threats lurk in our environments undetected, often for months, while they stealthily look for valuable information to steal or data to compromise. If you wait until these threats become visible or an alert is generated by traditional SOC monitoring tools, it can be too late.

Threat hunting can help combat these challenges. Rather than waiting for an alert, threat hunters proactively assume that an advanced adversary is already operating inside the network and work to find evidence of that presence. This paper talks about threat hunting, why it is essential, and how you can enable your team to adopt efficient hunting strategies with the SentinelOne Platform.



02 What is Threat Hunting?
Threat hunting is the process of searching across networks and
endpoints to identify threats that evade security controls before they
can execute an attack or fulfill their goals. Rather than simply relying
on security solutions to detect threats, threat hunting is a proactive
approach to finding threats hidden in your network.


Some define threat hunting as “computer security incident response before there is an incident declared,” others as “threat detection using the tools from incident response,” or even as “security hypothesis testing on a live IT environment.”

Unlike Security Operations Center (SOC) and Incident Response (IR) teams, threat hunters do not only respond to threats; they actively search for them. This process involves forming hypotheses about the existence of potential threats, which are then either confirmed or disproven on the basis of collected data and analysis. Threat hunting is also a quite different activity from incident response or digital forensics. The purpose of DF/IR methodologies is to determine what happened after a breach has been discovered. In contrast, when a team engages in threat hunting, the aim is to search for attacks that may have already slipped through your defensive layers but have not yet been detected. Threat hunting also differs from penetration testing and vulnerability assessment. These attempt to simulate an attack and ask what ‘could’ happen if someone compromised my security. Threat hunters instead work from the premise that an attacker is already in the network and look for indicators of compromise, lateral movement, and other tell-tale artifacts that may provide evidence of the attacker.



03 Why do you need to incorporate threat hunting?

191 days: on average, cybercriminals spend 191 days inside a network before being discovered, and that is more than enough time to cause some damage.

Simply stated, if you aren’t looking for threat actors inside your
network, you may never know they are there. What if the attackers
lock you out of the systems before you notice that you are under
attack? With an efficient threat hunting program, you don’t have to
stress over such possibilities.

Threat hunting is human-driven, iterative, adaptive, and systematic. Hence, it effectively reduces damage and overall risk to an organization, as its proactive nature enables security professionals to respond to incidents more rapidly than would otherwise be possible. It reduces the probability of an attacker being able to cause damage to an organization, its systems, and its data. Threat hunting also reduces your reliance on external vendors that may not know your network or normal employee behavior as well as your own threat hunting team does. Finally, threat hunting will force you to learn your networks, systems, applications, and users. Understanding all of these components is a critical element of a robust security framework.



04 Six steps to creating an efficient hunting program
So how do you create a perfect and efficient hunting program?
Well! In reality, the perfect hunting program rarely exists! You need
your hunting program to be an iterative combination of processes,
tools, and techniques continually evolving and adaptive to suit your
organization. Here are six steps that will help you create an efficient
threat hunting program in your organization.

1. Ensure you have the right data.

No data, no hunt! Period! All successful threat hunting begins with having the right data to answer the right questions. Without the right data, you will not be able to conduct a successful and meaningful hunt. You need to ensure you have telemetry that captures a wide range of activity and behaviors across multiple operating systems; that serves as the base for all your threat hunting efforts. Device telemetry should include data like network traffic patterns, file hashes, processes, user activity, network activity, file operations, persistence activity, system and event logs, denied connections, and peripheral device activity.

Just having the raw data is not enough; you also need to ensure that you have context surrounding the data. Knowing which data to combine, correlate, or extend is critical. Ideally, you want tools that allow a clear overview of all the above data with powerful capabilities to automatically contextualize and correlate different events into unified detections that minimize the amount of manual sifting through raw logs.

SentinelOne’s patented StorylineTM technology provides analysts with real-time actionable correlation and context and lets security analysts understand the full story of what happened in your environment. Each autonomous SentinelOne Agent builds a model of its endpoint infrastructure and real-time running behavior. Every element of a story shares the same Storyline ID. This gives you the full picture of what happened on a device and what caused it to happen. SentinelOne automatically correlates related activity into unified alerts that provide Campaign Level Insight. This reduces the amount of manual effort needed, helps with alert fatigue, and significantly lowers the skillset barrier to responding to alerts.



2. Baseline to understand what’s normal in your environment
Threat hunters need a solid understanding of the organization’s profile and of business activities that could attract threat actors, such as hiring new staff or acquiring new assets or companies. A critical component of threat hunting is having the data to baseline ‘normal’ and find outliers (outlier analysis). Attackers will often want to blend in with ordinary users, for instance by acquiring user credentials through phishing campaigns, so understanding a user’s typical behavior is a useful baseline for investigating anomalous file access or login events. Combining that with an understanding of what company data is of value to attackers and where it is located can lead to hypotheses such as “Is an attacker trying to steal data located at a specific location?” This, in turn, could prompt data collection that answers questions like: “Which users have accessed that location for the first time in the last n days?”
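That last question is a concrete hunting query, and answering it needs exactly the baselining described above. The following is an added example, not code from the whitepaper or the SentinelOne product: it takes file-share access events in an assumed (timestamp, user, location) layout, builds the baseline from everything older than the lookback window, reports the users who touched the location inside the window but never before it, and applies a second lens that keeps only hits outside business hours. The sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-share access events: (timestamp, user, location).
# The tuple layout is an assumption for this example, not a SentinelOne schema.
SAMPLE_ACCESS_EVENTS = [
    ("2021-01-02T09:15:00", "alice", r"\\fs01\finance"),
    ("2021-01-05T10:02:00", "alice", r"\\fs01\finance"),
    ("2021-01-06T11:40:00", "bob", r"\\fs01\engineering"),
    ("2021-01-20T08:55:00", "alice", r"\\fs01\finance"),
    ("2021-01-21T23:12:00", "bob", r"\\fs01\finance"),         # bob's first finance access, late at night
    ("2021-01-22T02:30:00", "svc-backup", r"\\fs01\finance"),  # account never seen on this share before
]


def _ts(value):
    return datetime.fromisoformat(value)


def build_baseline(events, location, before):
    """Users seen accessing `location` strictly before `before`: the 'normal' population."""
    return {user for ts, user, loc in events if loc == location and _ts(ts) < before}


def first_time_accessors(events, location, now, window_days=7):
    """Answer: which users accessed `location` for the first time in the last `window_days`?

    The baseline is everything older than the window; a user is a hit when they appear
    inside the window but not in the baseline. Returns {user: [timestamps]} for pivoting.
    """
    now = _ts(now) if isinstance(now, str) else now
    window_start = now - timedelta(days=window_days)
    baseline = build_baseline(events, location, window_start)
    hits = defaultdict(list)
    for ts, user, loc in events:
        if loc == location and window_start <= _ts(ts) <= now and user not in baseline:
            hits[user].append(ts)
    return dict(hits)


def off_hours(hits, start_hour=7, end_hour=19):
    """Second lens on the same hits: keep users with at least one access outside business hours."""
    return {
        user: stamps
        for user, stamps in hits.items()
        if any(not (start_hour <= _ts(t).hour < end_hour) for t in stamps)
    }


if __name__ == "__main__":
    hits = first_time_accessors(SAMPLE_ACCESS_EVENTS, r"\\fs01\finance", "2021-01-23T00:00:00", window_days=7)
    for user, stamps in hits.items():
        print(f"{user}: first seen on share at {stamps[0]}")
    print("off-hours:", sorted(off_hours(hits)))
```

The window length is the "n days" of the hypothesis; widening it changes who counts as baseline, so it is worth re-running a hit against a longer baseline (a 30-day baseline would clear a user who simply had not needed the share for a few weeks) before escalating.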

3. Develop a hypothesis
Many hunts start from an intel source that provides Indicators of Compromise (IoCs): hash values, IP addresses, domain names, or network or host artifacts supplied by third-party sources such as an Information Sharing and Analysis Center (ISAC) or the FBI. Hunts can also be incident driven; given any incident, you need to answer how and when it happened. However, not all threats are known. In fact, a large number of threats are unknown, so hunting cannot rely solely on known indicators and methodologies.

In a hypothesis-driven workflow, a hunt starts with creating a hypothesis, or an educated guess, about some type of activity that might be going on in your environment. Using open-source intelligence (OSINT) tools and frameworks like MITRE ATT&CK works effectively if you know what you are looking for. That brings us to one of the essential components of threat hunting: hypothesis formation and testing. Hypotheses are typically formulated by hunters based on tools and frameworks, social intelligence, threat intelligence, and past experience. Generalized questions could include: “If I were to attack this environment, how would I do it? What would I attempt to gain access to? What would be my targets?” Other examples could include questions like “Why do I see encrypted HTTPS or FTP traffic to countries in the East in my environment?” or “Why do I see an abnormal volume of DNS queries from a single machine?” Ideas can be derived from the following sources:

• MITRE ATT&CK framework: a vast knowledge base of attack tactics, techniques, and procedures. Studying the MITRE techniques and their simulation in test environments can serve as a foundation for developing hypotheses.

• Threat Intelligence reports: contain useful information about attack techniques and procedures based on real incidents. Systematic analysis of such reports should spark some thought and give rise to many threat hunting ideas.

• Blogs, Twitter, and conference talks: information about new attack techniques often appears for the first time via research blogs and conferences, even before attackers start actively using it. The timely study of such information allows threat hunters to be proactive and prepare before the new attack technique becomes widespread.

• Penetration testing: attackers tend to use tools similar to those applied by experienced pen testers. Therefore, studying pen-testing practices creates a treasure trove of knowledge for generating threat hunting hypotheses.
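One of the hypotheses above, “an abnormal volume of DNS queries from a single machine,” can be tested directly against telemetry. The following added example is not from the whitepaper or the SentinelOne product; it assumes DNS logs reduced to (source host, queried name) pairs and constructs its own sample. It scores each host’s query count with a median/MAD modified z-score rather than a mean-based one, so the outlier cannot inflate the baseline it is measured against, and separately flags hosts whose lookups are almost all distinct names, the shape DNS tunnelling leaves behind.

```python
import statistics
from collections import Counter, defaultdict


def build_sample_dns():
    """Constructed DNS telemetry as (source_host, queried_name) pairs; not real traffic.

    Ten workstations each make 20 to 29 lookups of three ordinary names. One host,
    ws99, makes 300 lookups of never-repeating subdomains of a single domain, the
    shape that DNS tunnelling or a beacon with per-request labels produces.
    """
    names = ["intranet.corp.example", "updates.example.com", "mail.example.com"]
    events = []
    for i in range(10):
        host = f"ws{i:02d}"
        events += [(host, names[n % 3]) for n in range(20 + i)]
    events += [("ws99", f"{n:08x}.cdn-sync.example.net") for n in range(300)]
    return events


def robust_z(counts):
    """Modified z-score (median / MAD) so one outlier cannot drag the baseline with it."""
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    return {host: (c - med) / (1.4826 * mad) for host, c in counts.items()}


def hunt_dns_volume(events, z_threshold=3.5, unique_ratio=0.8, min_queries=50):
    """Test the hypothesis 'one machine is making an abnormal volume of DNS queries'.

    A host is a hit when its query count is a robust outlier against its peers, or when
    nearly every name it asks for is distinct (high unique-name ratio). The ratio test only
    applies above `min_queries`, since a handful of lookups is trivially all-distinct.
    Returns {host: evidence} so the hunter can pivot on each hit.
    """
    counts = Counter(host for host, _ in events)
    distinct = defaultdict(set)
    for host, qname in events:
        distinct[host].add(qname)
    z = robust_z(counts)
    findings = {}
    for host, total in counts.items():
        ratio = len(distinct[host]) / total
        if z[host] > z_threshold or (total >= min_queries and ratio >= unique_ratio):
            findings[host] = {"queries": total, "robust_z": round(z[host], 1), "unique_ratio": round(ratio, 2)}
    return findings


if __name__ == "__main__":
    for host, evidence in hunt_dns_volume(build_sample_dns()).items():
        print(host, evidence)
```

The 3.5 cut-off is the usual threshold for the modified z-score; in a real environment, group hosts by role before scoring (a resolver or a mail gateway will always be an outlier against workstations), otherwise the peer population is the wrong one.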

SentinelOne’s patented Deep VisibilityTM lets you quickly and iteratively query and pivot across endpoint telemetry captured from endpoint devices to validate hypotheses. SentinelOne automatically correlates all related objects (processes, files, threads, events, and more) of a threat. For example, a process modifies a different process by injecting code. When you run a query, all interaction between the source process, target process, and parent process shows clearly in the cross-process details. This lets you quickly understand the data relationships: the root cause behind a threat with all of its context, relationships, and activities. Analysts can also leverage historical data to map advanced threat campaigns across time to enable efficient hypothesis generation.

You can create powerful hunting queries with easy-to-use shortcuts. As a threat
hunter, the MITRE ATT&CK framework has likely become one of your go-to tools.
SentinelOne makes hunting for MITRE ATT&CK Tactics, Techniques, and Procedures
(TTPs) fast and painless. It’s as easy as entering the MITRE technique ID and using
this to perform a hunt.



SentinelOne provides a query library of hunts using data from various open, commercial, and bespoke sources curated by SentinelOne research. These hunts are the output of hypotheses that have been proven across research data and are generic. For example, the use of unmanaged, unsigned PowerShell is likely abnormal in most environments and would commonly require additional investigation. Such activity is not malicious in and of itself but fits in a hunting workflow, because it is descriptive of an anomaly.
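“Unmanaged PowerShell” means the PowerShell runtime (System.Management.Automation) hosted by a process other than powershell.exe or pwsh.exe, which is how several post-exploitation frameworks run PowerShell without ever starting the PowerShell binary. The following added example, not SentinelOne’s query or code, shows one way to hunt for it over module-load telemetry; the record fields and the sample events are constructed assumptions.

```python
# Constructed module-load telemetry, one record per DLL loaded into a process.
# Field names are assumptions for this example, not a SentinelOne schema.
SAMPLE_MODULE_LOADS = [
    {"host": "ws01", "pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "signed": True, "module": "System.Management.Automation.ni.dll"},
    {"host": "ws01", "pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "signed": True, "module": "kernel32.dll"},
    {"host": "ws02", "pid": 5532, "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "signed": True, "module": "System.Management.Automation.dll"},
    # Runtime hosted by an unsigned binary dropped in Temp: the 'unmanaged PowerShell' pattern.
    {"host": "ws03", "pid": 7788, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "signed": False, "module": "System.Management.Automation.dll"},
    # Signed system binary that is not a PowerShell host but loads the runtime anyway.
    {"host": "ws04", "pid": 1200, "image": r"C:\Windows\System32\svchost.exe",
     "signed": True, "module": "System.Management.Automation.dll"},
]

# Processes expected to host the PowerShell runtime. Anything else loading the
# automation assembly deserves a look; add your own legitimate hosts here.
KNOWN_POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
AUTOMATION_PREFIX = "system.management.automation"   # matches the .dll and the .ni.dll native image


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_unmanaged_powershell(loads, known_hosts=KNOWN_POWERSHELL_HOSTS):
    """Return one finding per automation-runtime load by an unexpected or unsigned host."""
    findings = []
    for ev in loads:
        if not ev["module"].lower().startswith(AUTOMATION_PREFIX):
            continue
        reasons = []
        if basename(ev["image"]) not in known_hosts:
            reasons.append("runtime loaded by non-PowerShell host")
        if not ev["signed"]:
            reasons.append("host image unsigned")
        if reasons:
            findings.append({"host": ev["host"], "pid": ev["pid"], "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_unmanaged_powershell(SAMPLE_MODULE_LOADS):
        print(f"{f['host']} pid {f['pid']} {f['image']}: {'; '.join(f['reasons'])}")
```

The two reasons are deliberately separate: an unsigned host is the strongest signal, but a signed, legitimate-looking host loading the runtime (management agents and some installers do) is exactly the kind of hit that needs a baseline of known hosts per environment rather than a global verdict.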

4. Investigate & analyze potential threats

After generating the hypothesis, the next step is to follow up on it by using various tools and techniques to discover new malicious patterns in the data and uncover the attacker’s TTPs. If the hypothesis is correct and evidence of malicious activity is found, the threat hunter should immediately establish the nature, extent, impact, and scope of the finding.

Although threat hunting starts with a human-generated hypothesis, threat protection tools like SentinelOne make the investigation more efficient. SentinelOne’s Deep Visibility empowers rapid threat hunting thanks to Storyline. Each autonomous SentinelOne Agent monitors endpoint activity and real-time running behavior. A Storyline ID is an ID given to a group of related events in this model. When you find an abnormal event that seems relevant, use the Storyline ID to quickly find all related processes, files, threads, events, and other data with a single query. With Storyline, Deep Visibility returns full, contextualized data that lets you swiftly understand the root cause behind a threat, with all of its context, relationships, and activities revealed from one search. Storyline allows threat hunters to understand the full story of what happened on an endpoint, see the complete chain of events, and save time for your security teams.
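To make the pivot concrete, the following added example (not SentinelOne’s Storyline implementation or schema) works over constructed endpoint events that carry an assumed storyline_id field: from one anomalous event it collects the whole story, finds the process at the top of the chain, walks the process tree root-to-leaf, and lists the file and registry side effects attributed to the story.

```python
from collections import defaultdict

# Constructed endpoint telemetry tagged with a story identifier. The field names
# (storyline_id, pid, ppid, image, action, target) are assumptions for this example,
# not SentinelOne's Deep Visibility schema.
SAMPLE_EVENTS = [
    {"storyline_id": "S-1", "pid": 200, "ppid": 100, "image": "WINWORD.EXE", "action": "process_start", "target": ""},
    {"storyline_id": "S-1", "pid": 300, "ppid": 200, "image": "cmd.exe", "action": "process_start", "target": ""},
    {"storyline_id": "S-1", "pid": 400, "ppid": 300, "image": "powershell.exe", "action": "process_start", "target": ""},
    {"storyline_id": "S-1", "pid": 400, "ppid": 300, "image": "powershell.exe", "action": "file_write",
     "target": r"C:\Users\bob\AppData\Roaming\svc.exe"},
    {"storyline_id": "S-1", "pid": 400, "ppid": 300, "image": "powershell.exe", "action": "reg_write",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"storyline_id": "S-2", "pid": 500, "ppid": 1, "image": "svchost.exe", "action": "process_start", "target": ""},
    {"storyline_id": "S-2", "pid": 600, "ppid": 500, "image": "powershell.exe", "action": "process_start", "target": ""},
]


def story(events, storyline_id):
    """The single pivot: every event that shares the anomalous event's story id."""
    return [e for e in events if e["storyline_id"] == storyline_id]


def root_processes(story_events):
    """Processes in the story whose parent is outside it: the top of the chain."""
    pids = {e["pid"] for e in story_events}
    return {e["pid"]: e["image"] for e in story_events
            if e["action"] == "process_start" and e["ppid"] not in pids}


def process_chains(story_events):
    """Every root-to-leaf path of images in the story's process tree."""
    starts = {e["pid"]: e for e in story_events if e["action"] == "process_start"}
    children = defaultdict(list)
    for pid, e in starts.items():
        if e["ppid"] in starts:
            children[e["ppid"]].append(pid)
    paths = []

    def walk(pid, path):
        path = path + [starts[pid]["image"]]
        if not children.get(pid):
            paths.append(path)
        for child in children.get(pid, []):
            walk(child, path)

    for root in root_processes(story_events):
        walk(root, [])
    return paths


def side_effects(story_events):
    """Non-process events (files written, registry keys set, ...) attributed to the story."""
    return [(e["image"], e["action"], e["target"]) for e in story_events if e["action"] != "process_start"]


def explain(events, anomalous_event):
    """Go from one interesting event to the whole story: roots, chain(s), and side effects."""
    s = story(events, anomalous_event["storyline_id"])
    return {"storyline_id": anomalous_event["storyline_id"],
            "roots": root_processes(s), "chains": process_chains(s), "side_effects": side_effects(s)}


if __name__ == "__main__":
    hit = next(e for e in SAMPLE_EVENTS if e["action"] == "reg_write")  # a Run-key write caught by a hunt
    for key, value in explain(SAMPLE_EVENTS, hit).items():
        print(key, value)
```

Starting from the registry write alone, the hunter would see only powershell.exe; the story pivot is what surfaces the Word document as the origin and the dropped svc.exe as the persistence payload, which is the scope information step 4 asks for.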

5. Rapidly respond to remediate threats

Once you uncover a new TTP, you need to make sure you can effectively respond to and remediate the threat. The response should clearly define both short-term and long-term measures that will be used to neutralize the attack. The main goal of the response is to immediately put an end to the ongoing attack and prevent further damage to the system. But it is also essential to understand the cause of the threat in order to improve security and prevent similar attacks in the future. All necessary steps must be taken to ensure that similar attacks are not likely to happen again.



SentinelOne enables analysts to take all the required actions needed to respond to and remediate the threat with a single click. With one click, the analyst can roll back the threat or perform any other available mitigation actions. Rollback functionality automatically restores files deleted or corrupted by ransomware activity to their pre-infected state without needing to reimage the machine.

The threat can be added to Exclusions, marked as resolved, and notes can be added to explain the rationale behind the decisions taken. SentinelOne also offers full Remote Shell capabilities to give your security team a quick way to investigate attacks, collect forensic data, and remediate breaches no matter where the compromised endpoints are located, eliminating uncertainty and significantly reducing any downtime that results from an attack.

SentinelOne also can detect threats in advance through the aid of its machine learn-
ing and intelligent automation. It can anticipate threats and attacks by deeply in-
specting files, documents, emails, credentials, browsers, payloads, and memory
storage. It can automatically disconnect a device from a network when it identifies a
possible security threat or attack.



6. Enrich and automate for future events
Finally, successful hunts form the basis for informing and enriching automated analytics. The final step in the threat hunting practice is to use the knowledge generated during the threat hunting process to enrich and improve EDR systems. This way, the organization’s overall security is enhanced thanks to the discoveries made during the investigation.

SentinelOne is designed to lighten the load on your team in every way, and that includes giving you the tools to set up and run custom threat hunting searches. With Storyline Auto-Response (STAR) custom detection rules, you can turn Deep Visibility queries into automated hunting rules that trigger alerts and responses when rules detect matches. STAR gives you the flexibility to create custom alerts specific to your environment that can enhance alerting and triaging of events.

SentinelOne can also automatically mitigate detections based on the policy for sus-
picious threats or the policy for malicious threats or can put endpoints in Network
Quarantine. Alerts are triggered in near-real-time and show in the Activity log in the
Management Console. You can enable alerts in Syslog that can be used for triage and
SIEM integration.

After running the query in Deep Visibility and investigating, you can select an Auto-Response for the rule to automatically mitigate the rule detections. With that, you have set your SentinelOne solution to automatically protect your environment, according to your needs, from every threat, every second of every day. Modern adversaries are automating their techniques, tactics, and procedures to evade preventative defenses, so it makes sense that enterprise security teams can better keep up with attacks by automating their manual workloads.
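The following added example (not STAR’s rule syntax or SentinelOne code) shows the shape of turning validated hunts into automated rules: each rule is a predicate over one event with a severity and an ATT&CK technique id, the severity selects the response actions from a policy that separates suspicious from malicious detections, alerts are de-duplicated per (rule, host, process), and each one is rendered as a key=value line for a syslog/SIEM pipeline. The rules, action names, and sample process events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Severity tiers and the response each tier triggers. The action names are illustrative
# assumptions; map them to whatever your EDR actually exposes.
SUSPICIOUS, MALICIOUS = "suspicious", "malicious"
RESPONSE_POLICY = {
    SUSPICIOUS: ["alert"],
    MALICIOUS: ["alert", "kill_process", "network_quarantine"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    technique: str                   # ATT&CK technique id, carried into the alert for triage
    match: Callable[[dict], bool]    # the hunt query, reduced to a predicate over one event


def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")

RULES = [
    Rule("Office app spawned a script/command host", MALICIOUS, "T1204.002",
         lambda ev: _base(ev["parent"]) in OFFICE and _base(ev["image"]) in SHELLS),
    Rule("PowerShell launched with an encoded command", SUSPICIOUS, "T1059.001",
         lambda ev: _base(ev["image"]) in {"powershell.exe", "pwsh.exe"} and bool(ENCODED.search(ev["cmdline"]))),
]


def evaluate(rules, events):
    """Run every rule over the stream; one alert per (rule, host, pid), with the policy's actions attached."""
    alerts, seen = [], set()
    for ev in events:
        for rule in rules:
            if not rule.match(ev):
                continue
            key = (rule.name, ev["host"], ev["pid"])
            if key in seen:                      # duplicate delivery of the same event: do not re-fire
                continue
            seen.add(key)
            alerts.append({"rule": rule.name, "severity": rule.severity, "technique": rule.technique,
                           "host": ev["host"], "pid": ev["pid"], "actions": RESPONSE_POLICY[rule.severity]})
    return alerts


def to_syslog(alert):
    """Key=value line for SIEM ingestion."""
    return (f'hunt_rule="{alert["rule"]}" severity={alert["severity"]} technique={alert["technique"]} '
            f'host={alert["host"]} pid={alert["pid"]} actions={",".join(alert["actions"])}')


# Constructed process-start events; field names are assumptions for this example.
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "pid": 3001, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"host": "ws02", "pid": 3002, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ws03", "pid": 3003, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"host": "ws03", "pid": 3003, "parent": r"C:\Windows\System32\cmd.exe",   # same event delivered twice
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
]

if __name__ == "__main__":
    for alert in evaluate(RULES, SAMPLE_PROCESS_EVENTS):
        print(to_syslog(alert))
```

Keeping the severity-to-action mapping in one policy table, rather than inside each rule, is what makes it safe to promote a hunt to an automated rule: a new rule starts as suspicious (alert only) and is moved to the malicious tier once its false-positive rate in your environment is known.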



05 Closing thoughts
Implementing a threat hunting program can bring many benefits to the organization, including proactively uncovering security incidents, faster incident response times, and a more robust security posture. Effective threat hunting needs to result in less work for your busy analysts while at the same time future-proofing your SOC against a variety of known and unknown adversaries. SentinelOne gives you visibility, ease of use, speed, and context to make threat hunting more effective than ever before.

Please contact us or request a demo to see how SentinelOne can help you develop an
efficient hunting program.

Additional Resources
Deep Dive - Hunting with MITRE ATT&CK
Visit SentinelOne Platform page
Learn more about Rapid Threat Hunting with Storyline
Visit Sans Threat Hunting Report - Automating Hunt
Read Gartner Report - Threat Hunting for Proactive Threat Detection



2020 MITRE ATT&CK: Fewest Misses, Most Correlations, Best Data Enrichment Coverage
2020 Forrester Wave™ EDR: “Strong Performer”
2020 KuppingerCole Market Compass: Featured EPDR Innovator

SentinelOne is a Customer First Company

Continual measurement and improvement drives us to exceed customer expectations.

97% of Gartner Peer Insights™ ‘Voice of the Customer’ reviewers recommend SentinelOne; 97% customer satisfaction (CSAT).

PCI DSS Attestation. HIPAA Attestation.

About SentinelOne
More Capability. Less Complexity. SentinelOne is pioneering the future of cybersecurity
with autonomous, distributed endpoint intelligence aimed at simplifying the security stack
without forgoing enterprise capabilities. Our technology is designed to scale people with
automation and frictionless threat resolution. Are you ready?



Contact us
[email protected]
+1-855-868-3733

sentinelone.com

Threat_Hunting_Guide_01072021

© SentinelOne 2021