Threat Hunting and Improving Visibility

Threat hunting is critical for any digitally connected organization to promote proper security hygiene, reduce compromise dwell time and exposure, discover gaps, and reduce the exposed attack surface. Today’s sophisticated and targeted threats require active hunting in addition to passive detection to keep an organization safe and secure via investigation and anomaly detection tailored toward organization-specific services and implementations. 

As Alvin Toffler once wrote, “you can use all the quantitative data you can get, but you still have to distrust it and use your own intelligence and judgment.” Effective threat hunting requires organized, comprehensive, correlated, and searchable data pulled from hosts, servers, and network components across the enterprise, among many other sources. Organizations deploy numerous mechanisms to log, track, and pull data and metrics from these sources, most often storing them in SIEMs and databases, which index, store, and correlate data to provide the haystack to search for the anomalous needles.

According to the 2021 Threat Hunting Report, the following are top data collection sources that organizations collect and analyze for threat hunting purposes: 

Top data sources that organizations collect and analyze for threat hunting purposes
Snapshot from Threat Hunting Survey shows the top data sources that organizations collect and analyze for threat hunting purposes

Other notable mentions were: Active directory (53%), DNS traffic (52%), Server traffic (47%), Web proxy logs (45%), User behavior (39%), File monitoring data (36%), and Packet sniff/tcpdump (33%). But is this enough? 

The most common attacks that organizations proactively discover
Snapshot from Threat Hunting Survey shows the most common attacks that organizations proactively discover

With only roughly half of the respondents stating usage of network traffic, threat intelligence, and DNS traffic, we can and should do better. The data and collection capabilities are often already present and readily utilized via supported and available mechanisms.   

Blind spots into visibility data produce blind spots in hunting efforts and across an organization’s ability to track and investigate anomalous activities. 

Based on those surveyed, almost half (46%) cited network intrusion as one of the most common attacks proactively discovered through hunting activities. While endpoint telemetry and metrics may provide some insight into network-based anomalies and communications, there will likely always be devices that cannot install or run endpoint agents, nor will they be able to discover maliciously added hosts to the network. Port scanning, which was the top used activity in threat hunting (73%), is also most effectively detected in the network for aggregation of statistics across targeted hosts and network pathways. 

Similarly, just over half of the respondents (52%) stated that the use of DNS traffic analysis in support of their threat hunting efforts. DNS is often seen as an early warning sign for infections and a common protocol utilized in command-and-control callback communications. Visibility into such data is critical to threat hunting activities, tracing infections to internal compromised hosts, and identifying when the infection likely took hold. 

Organizations need to add and incorporate network-based sources, such as DNS traffic and network traffic analysis, to support their threat hunting programs.  

Once data is collected from an organization’s enterprise, enrichment is paramount to provide the hunter with context and meaning behind suspected entities and attack vectors. This paints a much larger picture into the data collected interacting with external entities. Unfortunately, just over half (54%) selected threat intelligence sources contributing to hunting efforts.  

Network-based threat detection and enrichment solutions can provide this kind of data. These products can augment an organization’s network visibility in the darkest corners of their enterprise empowering threat hunting with trusted comprehensive data, along with the ability to isolate and reduce the spread of infection via stealth inline mitigations. 

Threat hunting is important to detect and respond to today’s threats. Hunting activities rely upon data and logs powering hunters to find the bad guys. With LookingGlass’s data, platforms, and enrichments, your organization will gain access to visibility, telemetry, and enrichment, and ensure that your hunters are more effective in their efforts and more accurate in their findings. Find out more by contacting us today.