Threat Hunting Tip #1 – Know what is normal for your environment, and you will be able to spot the abnormal easily.
Many organizations have attempted to jump into the deep end of threat hunting without first knowing their environment – a recipe for chasing squirrels and rabbits and getting very little done. Threat hunting is ultimately the practice of searching for the unknown in an environment, so understanding what counts as “business as usual” versus “suspicious” or even “malicious” is critical.
To get familiar with the environment, make sure you have access to as much information as possible, including network diagrams, past incident reports, and any other documentation you can get hold of, and make sure you have the network- and endpoint-level logs that will support your hunts.
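One concrete way to put “know what is normal” into practice is to build a baseline from a historical window of endpoint telemetry and then score new events by how rare they are against it. The example below is added here for illustration; it is not code from the original post or from Cyborg Security. The process-creation events are constructed sample data, and the parent/child pairing and the host-count threshold are assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Constructed sample endpoint process-creation events from a "known good" window.
# In practice these would come from your EDR or Sysmon event ID 1 logs.
BASELINE_EVENTS = [
    {"host": "ws01", "user": "alice", "process": "outlook.exe", "parent": "explorer.exe"},
    {"host": "ws02", "user": "bob", "process": "outlook.exe", "parent": "explorer.exe"},
    {"host": "ws03", "user": "carol", "process": "outlook.exe", "parent": "explorer.exe"},
    {"host": "ws01", "user": "alice", "process": "excel.exe", "parent": "explorer.exe"},
    {"host": "ws02", "user": "bob", "process": "excel.exe", "parent": "explorer.exe"},
    {"host": "ws01", "user": "alice", "process": "powershell.exe", "parent": "explorer.exe"},
    {"host": "adm01", "user": "itadmin", "process": "powershell.exe", "parent": "cmd.exe"},
    {"host": "adm01", "user": "itadmin", "process": "powershell.exe", "parent": "cmd.exe"},
]

# Constructed events from the window being hunted.
NEW_EVENTS = [
    {"host": "ws03", "user": "carol", "process": "excel.exe", "parent": "explorer.exe"},
    {"host": "ws03", "user": "carol", "process": "powershell.exe", "parent": "winword.exe"},
    {"host": "adm01", "user": "itadmin", "process": "powershell.exe", "parent": "cmd.exe"},
    {"host": "ws02", "user": "bob", "process": "certutil.exe", "parent": "powershell.exe"},
]


def build_baseline(events):
    """Map each (parent, process) pair to the set of hosts it was seen on."""
    baseline = defaultdict(set)
    for e in events:
        baseline[(e["parent"], e["process"])].add(e["host"])
    return baseline


def score_events(events, baseline, common_threshold=2):
    """Return (event, reason) pairs for events whose parent/child pair is unseen
    or rare in the baseline. The reason string tells the analyst why it surfaced,
    which is what lets a hunter separate a power user from something worth chasing."""
    findings = []
    for e in events:
        hosts = baseline.get((e["parent"], e["process"]), set())
        if not hosts:
            findings.append((e, "never seen in baseline"))
        elif len(hosts) < common_threshold:
            findings.append((e, f"seen on only {len(hosts)} host(s) in baseline"))
    return findings


if __name__ == "__main__":
    for event, reason in score_events(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"{event['host']}: {event['parent']} -> {event['process']} ({reason})")
```

With this data the Excel launch on ws03 is not reported because the pair is common, the admin host's cmd-to-PowerShell chain is reported only as rare (the “power user” case the post warns about), and the two never-before-seen parent/child pairs are the ones a hunter would look at first. The threshold is deliberately a parameter: a thin baseline window will flag benign activity, which is exactly why the post stresses knowing the environment before hunting in it.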
Threat Hunting Tip #2 – When building a hunt, start general and work your way toward a specific hypothesis. Doing so creates context and an understanding of what you are looking for in your environment.
When threat hunters start to get their feet wet in organized threat hunting, many struggle with building their first hypotheses. Often the reason they find this process difficult is that they have tried to be too specific. Instead of jumping straight to the details, first try to be more general in your hypothesis. By doing this, you will better shape your hunt, adding context along the way.
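The general-to-specific approach can be expressed as a funnel of filters, where each stage narrows the previous stage's results and the count at each stage is the context the post is talking about (how much PowerShell activity is normal before you ask about the unusual kind). The code below is an added example, not from the original post or Cyborg Security; the events are constructed, and the hypothesis stages (all PowerShell, then PowerShell with a non-interactive parent, then PowerShell with an encoded or download-capable command line) are one assumed hunt, not the only way to stage it.

```python
import re

# Constructed sample process events; <base64-placeholder> stands in for an encoded blob
# and example.invalid is a reserved, non-routable placeholder domain.
EVENTS = [
    {"host": "ws01", "process": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe"},
    {"host": "adm01", "process": "powershell.exe", "parent": "cmd.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws02", "process": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"host": "ws03", "process": "powershell.exe", "parent": "wscript.exe",
     "cmdline": "powershell.exe -c \"Invoke-WebRequest http://example.invalid/a.txt\""},
    {"host": "srv01", "process": "powershell.exe", "parent": "svchost.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\agent\\health.ps1"},
    {"host": "ws01", "process": "chrome.exe", "parent": "explorer.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
]

INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}
# Matches -e, -enc and -EncodedCommand as whitespace-delimited switches (case-insensitive).
ENCODED_RE = re.compile(r"(?i)\s-e(nc(odedcommand)?)?\s")
# Common download-capable PowerShell cmdlets and .NET types.
DOWNLOAD_RE = re.compile(r"(?i)invoke-webrequest|downloadstring|downloadfile|net\.webclient|start-bitstransfer")

# Each stage is (label, predicate); later stages are assumed to be applied to the survivors of earlier ones.
STAGES = [
    ("all PowerShell executions",
     lambda e: e["process"].lower() == "powershell.exe"),
    ("...launched by a non-interactive parent",
     lambda e: e["parent"].lower() not in INTERACTIVE_PARENTS),
    ("...with an encoded or download-capable command line",
     lambda e: bool(ENCODED_RE.search(e["cmdline"]) or DOWNLOAD_RE.search(e["cmdline"]))),
]


def run_funnel(events, stages):
    """Apply each stage to the survivors of the previous one.
    Returns a list of (label, count, surviving_events) so the hunter can see
    how the population shrinks as the hypothesis becomes more specific."""
    results = []
    survivors = list(events)
    for label, predicate in stages:
        survivors = [e for e in survivors if predicate(e)]
        results.append((label, len(survivors), survivors))
    return results


if __name__ == "__main__":
    for label, count, _ in run_funnel(EVENTS, STAGES):
        print(f"{count:>4}  {label}")
```

Reading the funnel from the top tells you that five of six events are PowerShell, three of those have parents that are not a user's shell, and two of those carry the specific traits the hypothesis cares about. Had the hunt started at the last stage alone, the two hits would have had no surrounding context to judge them against.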
Threat Hunting Tip #3 – Sometimes it’s best to hunt for things you understand and know first, then pivot to things outside your expertise and turn them into something you know.
One of the most common challenges new hunters face is that it is very easy to get out of your depth very quickly. Not every information security professional is an expert in all areas, and the same is true of threat hunters.
Whether you’re just starting out or have some time behind the keyboard hunting, the same advice holds true: hunt for things you understand, then explore that data by pivoting. This ensures that you understand what you are looking for, that you understand the data, and that you understand how you got there.
If you instead try to hunt through data you don’t know, you are more likely to gravitate toward the parts of that data you do understand and focus only on those, which may or may not lead to a meaningful and worthwhile hunt.
Threat Hunting Tip #4 – Not every hypothesis will work, and some will fail. Don’t get discouraged; go back and test again!
Unlike threat prevention and threat detection, threat hunting is far from a sure thing. In fact, the nature of threat hunting means that you are looking for the unknown. For this reason, not every hypothesis you pursue will pan out. Most hunters know that although they may spend hours digging into a rabbit hole they’ve discovered, that hole is more likely to turn out to be a power user using PowerShell to save some time than an advanced adversary looking to encrypt your domain.
Don’t let these moments discourage you! Trust your results and keep hunting. It will pay off in the long run!
And finally… Threat Hunting Tip #5 – Knowing your toolkit and what it can do with your data is just as important as doing your research. There are false negatives around every corner if you are not validating what your tools actually return.
While nearly everyone in the IT field understands that every tool and piece of technology is different and has certain limitations, sometimes security personnel—especially threat hunters—can take this for granted.
One of the most important parts of “knowing your technology” is understanding what it is capable of, what it is not capable of, and what its limitations are. If you forge ahead without realizing this, you are likely to generate false negatives, giving security teams a false sense of security.
Before you start hunting in earnest, it is critical that you test and validate your hunt queries to ensure that they return what you expect of them. This can be done in a lab environment or using tools like the validation packages found in our HUNTER platform.
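The validation the post recommends amounts to running a query against a set of samples whose correct answer you already know and counting what it misses. The example below is added here and is not code from the original post, from Cyborg Security, or from the HUNTER platform's validation packages. The validation set is constructed (the base64 content is a placeholder), and the two query drafts are assumptions written to show how a first draft that looks reasonable can still produce false negatives that only a labelled test set will reveal.

```python
# Constructed validation set: each entry is a command line plus the label the hunter
# already knows to be correct, e.g. from a lab run or a past incident report.
VALIDATION_SET = [
    ("powershell.exe -nop -w hidden -enc <base64-placeholder>", True),
    ("POWERSHELL.EXE -NoP -W Hidden -EnC <base64-placeholder>", True),   # casing varies in the wild
    ("powershell.exe -EncodedCommand <base64-placeholder>", True),        # full parameter name
    ("powershell.exe -ec <base64-placeholder>", True),                    # documented short form
    ("powershell.exe -File C:\\scripts\\backup.ps1", False),
    ("powershell.exe -Command Get-Service", False),
    ("powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\agent\\health.ps1", False),
]

# PowerShell accepts -EncodedCommand, the short forms -ec and -e, and any unambiguous
# prefix such as -enc. Build the accepted token set once rather than hand-listing it.
FULL_FLAG = "-encodedcommand"
ENCODED_FLAGS = {FULL_FLAG[:n] for n in range(2, len(FULL_FLAG) + 1)} | {"-ec"}


def query_v1(cmdline):
    """Naive first draft: exact, case-sensitive substring match on the one spelling
    the hunter happened to see first."""
    return " -enc " in cmdline


def query_v2(cmdline):
    """Revised draft: tokenize on whitespace, normalize case, and accept every
    spelling of the parameter that PowerShell itself accepts."""
    return any(token.lower() in ENCODED_FLAGS for token in cmdline.split())


def validate(query, samples):
    """Run a query over labelled samples and report what it got wrong.
    False negatives are the dangerous ones: known-bad samples the query missed."""
    false_negatives = [cmd for cmd, is_bad in samples if is_bad and not query(cmd)]
    false_positives = [cmd for cmd, is_bad in samples if not is_bad and query(cmd)]
    return {"false_negatives": false_negatives, "false_positives": false_positives}


if __name__ == "__main__":
    for name, query in (("v1", query_v1), ("v2", query_v2)):
        report = validate(query, VALIDATION_SET)
        print(f"{name}: {len(report['false_negatives'])} false negative(s), "
              f"{len(report['false_positives'])} false positive(s)")
        for cmd in report["false_negatives"]:
            print(f"    missed: {cmd}")
```

The first draft produces no false positives, which is exactly why it would feel trustworthy without validation; it is the three missed known-bad samples that the labelled set exposes. The harness is only as good as the cases in it, so every new spelling or evasion you learn about belongs in the validation set before it belongs in the query.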
Threat hunting is still a hot topic in the information security community, but hunting down real threats remains elusive, especially for those who are just starting out. The important thing to remember is that threat hunting is an iterative process, both in the hunting and in the learning. So, practice, practice, practice… And if you are trying to get into threat hunting, why not try our free Threat Hunting Workshop!
The post 5 Threat Hunting Tips from a Seasoned Hunt Team appeared first on Cyborg Security.
*** This is a syndicated blog post from the Cyborg Security blog network, written by Josh Campbell. Read the original post at: https://www.cyborgsecurity.com/blog/5-threat-hunting-tips-from-a-seasoned-hunt-team/