USE CASE:
Threat Hunting

What is threat hunting?

Threat hunting is the practice of proactively and iteratively searching for abnormal activity within networks and systems for signs of compromise.

The challenge:

Analysts use threat hunting to identify nefarious activity that has not triggered a sensor grid alert as well as  potential hopping points an attacker might leverage in the future. While great in theory, there are several challenges to threat hunting. Many security teams don’t know where to begin because they lack the ability to prioritize threats for relevance to their environment. Threat hunting also requires specific knowledge and expertise which limits the practice to a few highly skilled analysts. It is also difficult to see the big picture of what is happening across the environment when security teams and tools operate in silos.

When analysts do gain access to what they need, they must quickly find indicators that might reveal adversaries that are staying below the radar – either bending Remote Function Call (RFC) protocols or organizational policy thresholds without raising alerts. They also must be skilled at connecting historical attacks with other open source resources to understand an attacker’s tactics, techniques and procedures (TTPs) and how they might move laterally when inside the environment. It is extremely time consuming to sift through logs manually to determine which are relevant and to correlate logs with massive volumes of external threat intelligence and other internal data to identify malicious activity. Organizations can end up with a few high-value resources spending inordinate amounts of time potentially chasing ghosts.

Learn how to use ThreatQ

for threat hunting

Take a quick look at a threat hunting investigation of a file ingested into the ThreatQ DataLinq Engine. If you like what you see, schedule a demo for a deeper dive.

How ThreatQ meets the threat hunting challenge

1 Is APT’xyz targeting my systems?
2 Open an investigation
3 Add TTP’s and cross-reference with internal intelligence
4 Find related indicators and enrich data
5 Add “Courses of Action” to investigation
6 Determine Risk
7 Automatically deploy indicators to security infrastructure
8 Assign tasks for response and mitigation
Threat Hunting | Is APT’xyz targeting my systems? Threat Hunting | Open an investigation Threat Hunting | Add TTP’s and cross-reference with internal intelligence Threat Hunting | Find related indicators and enrich data Threat Hunting | Add “Courses of Action” to investigation Threat Hunting |Determine Risk Threat Hunting | Automatically deploy indicators to security infrastructure Threat Hunting | Assign tasks for response and mitigation
Threat Library Store global and local threat data in a central repository to provide relevant and contextual intelligence that is customized and prioritized for your unique environment.
Learn more >
Customer-defined Scoring Prioritize threat data automatically, understand why it is relevant and take action faster and with greater confidence.
Learn more >
Related Data Create relationships that can be used to build a holistic picture of an adversary, campaign, TTP, etc.
Operations Enrich threat intelligence data by adding attributes, as well as related indicators, from third party security services and security tools running in your environment, both commercial and open source.
Exports Output indicators and other intelligence objects from the Threat Library into security tools, allowing them to leverage curated threat intelligence for improved defenses.

The ThreatQuotient approach to threat hunting

The goal of threat hunting is to mitigate the risk once an adversary infiltrates the network. To be effective, threat hunting must start with the threat. The ThreatQ Threat Library includes the ability to centralize and prioritize vast amounts of threat data from external and internal sources so that analysts can automatically determine the highly important items to hunt for within the environment.

ThreatQ Investigations allows analysts to conduct investigations collaboratively to search for and compare indicators across infrastructure and find matches between high-risk IOCs and internal log data that indicate possible connections.

Once a match is discovered, analysts can slowly cast the net wider and identify second-tier indicators and attributes (i.e., malware associations, adversary relationships, similar event indicators, etc.).

These capabilities enable analysts to engage in threat hunting and follow the prescribed lifecycle, similar to that of any scientific experiment.

Outcomes:

  • Proactively block similar attacks in the future by developing a signature, or identifying new IOCs to detect and block depending on confidence rating.
  • Adjust corporate policy to align with new defense rules/signatures.
  • Achieve true fusion analysis, leveraging the intelligence and understanding of teams and tools across the organization.
  • Develop better intelligence collection methodologies.
  • Develop better intelligence practices.
  • Find and stop evil before the attack.
  • Mitigate risk when an adversary infiltrates infrastructure.
  • Orchestrated and synchronized threat intelligence management across all teams and tools so they can work in concert and increase effectiveness, efficiency and productivity.

LET’S GET STARTED!

Join the ThreatQ Community, a private community with hundreds of experienced cyber security pros sharing intel to level-up threat detection and response. Partner with ThreatQuotient to learn how we can help you focus on the threat.