Threat Hunting – Better, Faster, Proactively – With Threat Intelligence

Deploying a threat hunting team can be an effective way to reduce cyber risk to your organization. But, if you are starting or expanding your threat hunting operations, the options can be overwhelming. Deciding on the appropriate mix of people and technology (and which technologies) is challenging. Even the SANS Institute says that “implementing and managing threat hunting in an organization can be a daunting task.”

This challenge impacts organizations of all sizes. For example, even the U.S. federal government is working to implement a comprehensive threat hunting approach. It was only with the 2021 National Defense Authorization Act that the Cybersecurity and Infrastructure Security Agency (CISA) was given the authority to “deploy technology, including information collection tools, on federal agency networks and applications and to hunt for threats and vulnerabilities” to reduce risk in the federal sector.

Typically, threat hunting operations combine a set of technology platforms, leveraged by human analysts, to identify non-standard intrusion “markers” or indicators: anything that falls outside of signature-based detections. Much of the effectiveness of a threat hunt team hinges on its ability to find, identify, and address those indicators. According to our 2021 Threat Hunting Report, survey respondents noted that the types of indicators most frequently investigated by threat hunt teams were:

  • Behavioral anomalies
  • Denied/flagged connections
  • Suspicious IP addresses
  • Domain names
  • File names

Image
Snapshot from Threat Hunting Survey that shows the types of indicators most frequently investigated by threat hunt teams

To identify indicators, threat hunt teams need access to network traffic data from a wide variety of assets and, ideally, a platform in which that data can be consolidated and analyzed. The resulting outputs about the network traffic give analysts their hunting targets. The 2021 Threat Hunting Report provides more details on which data sources most threat hunters use for their operations.

BEYOND INTERNAL NETWORK TRAFFIC

Having access to the right data sets is important, but as the most used indicators noted above suggest, internal-only data can be limiting. SANS notes, “threat hunting is detecting attacks missed by other security controls,” and as a process, threat hunting uses “new information on previously collected data to find signs of compromise evading detection” (our emphasis).

The best source of additional information to help threat hunters meet their operational mission is threat intelligence, and survey respondents to our 2021 Threat Hunting Report agreed.

Image
Snapshot from Threat Hunting Survey that shows the best sources of additional information to help threat hunters meet their operational missions

Based on the threat hunting missions we’ve supported, threat intelligence feeds are extremely helpful because of their versatility. Threat intel can act as a “tipper” to initiate a threat hunt, or it can optimize threat hunting operations by prioritizing efforts versus randomly hunting through the deluge of network data and user data to find something meaningful.

What’s even more helpful to threat hunters is having consolidated indicators that are enriched with threat intelligence and overlaid on an external attack surface map of the organization’s networks. This helps threat hunters focus on targets and enables them to respond faster to the threats that are most pressing to their organization. By bringing together internal and external data points, organizations can use external threat intelligence feeds to point their threat hunting operations in the right direction.

ORGANIZING YOUR THREAT INTEL FOR THREAT HUNTING

A significant challenge most threat hunting teams have is combining and collating numerous data inputs and threat intel from multiple sources. Therefore, one of the biggest keys to success is organizing data and threat intel, mapped to your organization’s external attack surface, in a single tool.
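The workflow described in the two sections above (consolidate internal indicators, enrich them with a threat intel feed, overlay the organization’s external attack surface, and let the result prioritize the hunt) can be shown end to end in a few dozen lines. The script below is an added illustration, not LookingGlass code and not a description of how scoutPRIME® scores indicators; the feed, the attack-surface map, the scoring weights and the log lines are all constructed sample data, and the indicator types it extracts (denied connections, suspicious IPs, domain names) are the ones the survey above calls out.

```python
"""
Consolidate hunt indicators from internal logs, enrich them with a threat intel
feed, overlay the organization's external attack surface, and rank the result.
Feed, asset map, weights and log lines are all constructed sample data.
"""
from collections import defaultdict
import re

# Constructed threat intel feed keyed by indicator (IP or domain).
THREAT_INTEL = {
    "203.0.113.45": {"severity": 9, "confidence": 0.9, "tags": ["c2", "ransomware"]},
    "198.51.100.7": {"severity": 4, "confidence": 0.5, "tags": ["scanner"]},
    "bad-update.example": {"severity": 8, "confidence": 0.8, "tags": ["malware-delivery"]},
}

# Constructed external attack-surface map: which org hosts face the internet
# and how critical they are (1-5), keyed by the address that appears in logs.
ATTACK_SURFACE = {
    "192.0.2.10": {"host": "vpn.example.org", "internet_facing": True, "criticality": 5},
    "192.0.2.20": {"host": "build01.example.org", "internet_facing": True, "criticality": 3},
    "10.0.5.8": {"host": "hr-db.example.org", "internet_facing": False, "criticality": 5},
}

# Constructed log lines: firewall denies and DNS queries.
SAMPLE_LOGS = [
    "2021-06-01T10:00:01Z fw DENY src=203.0.113.45 dst=192.0.2.10 dport=443",
    "2021-06-01T10:00:05Z fw DENY src=203.0.113.45 dst=192.0.2.10 dport=22",
    "2021-06-01T10:01:10Z fw DENY src=198.51.100.7 dst=192.0.2.20 dport=8080",
    "2021-06-01T10:02:00Z dns client=10.0.5.8 query=bad-update.example type=A",
    "2021-06-01T10:03:00Z dns client=10.0.5.8 query=cdn.example type=A",
    "2021-06-01T10:04:00Z fw DENY src=192.0.2.99 dst=192.0.2.20 dport=3389",
]

FW_RE = re.compile(r"fw DENY src=(?P<ind>\S+) dst=(?P<asset>\S+)")
DNS_RE = re.compile(r"dns client=(?P<asset>\S+) query=(?P<ind>\S+)")


def parse_events(lines):
    """Extract (indicator, local_asset, source_type) tuples from log lines."""
    events = []
    for line in lines:
        m = FW_RE.search(line)
        if m:
            events.append((m["ind"], m["asset"], "denied_connection"))
            continue
        m = DNS_RE.search(line)
        if m:
            events.append((m["ind"], m["asset"], "dns_query"))
    return events


def score(indicator, sightings, assets):
    """Rank an indicator: intel severity x confidence, weighted by the exposure
    and criticality of the assets it touched, plus a small bonus per extra
    sighting. Indicators absent from the feed keep a low baseline so repeated
    denies still surface instead of disappearing from the hunt list."""
    intel = THREAT_INTEL.get(indicator)
    base = intel["severity"] * intel["confidence"] if intel else 1.0
    exposure = 0.0
    for addr in assets:
        asset = ATTACK_SURFACE.get(addr, {"internet_facing": False, "criticality": 1})
        weight = 1.5 if asset["internet_facing"] else 1.0  # constructed weight
        exposure = max(exposure, asset["criticality"] * weight)
    return round(base * max(exposure, 1.0) + 0.5 * (sightings - 1), 2)


def prioritize(lines):
    """Consolidate events per indicator and return a ranked hunt list."""
    sightings = defaultdict(int)
    assets = defaultdict(set)
    sources = defaultdict(set)
    for ind, asset, src in parse_events(lines):
        sightings[ind] += 1
        assets[ind].add(asset)
        sources[ind].add(src)
    ranked = []
    for ind in sightings:
        intel = THREAT_INTEL.get(ind, {})
        ranked.append({
            "indicator": ind,
            "score": score(ind, sightings[ind], assets[ind]),
            "sightings": sightings[ind],
            "assets": sorted(ATTACK_SURFACE.get(a, {}).get("host", a) for a in assets[ind]),
            "sources": sorted(sources[ind]),
            "tags": intel.get("tags", []),
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in prioritize(SAMPLE_LOGS):
        print(f"{row['score']:7.2f}  {row['indicator']:<22} {row['sightings']}x  "
              f"{','.join(row['assets'])}  {','.join(row['tags']) or '-'}")
```

Run as-is, the ranked list puts the C2 address that was denied twice at the internet-facing VPN host at the top, the malware-delivery domain queried from the internal HR database second, and the unenriched denies and queries at the bottom. The point is the shape of the pipeline rather than the particular weights: every hunt target carries the intel context (tags, confidence) and the asset context (which host, how exposed) that an analyst needs to decide what to pull first.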

LookingGlass provides highly effective tools, including external threat intel feeds that can augment your organization’s threat hunting operations and maximize the efficiency of your analysts as they hunt threats.

Below are some highlights from the LookingGlass Suite, where you can see how our scoutPRIME® solution provides contextualized threat intelligence overlaid on your organization’s external attack surface, while scoutTHREAT™ enables detailed profile development on threat actors relevant to your enterprise.

Image 1
Screenshot from scoutPRIME® of Indicator of Compromise (IOC) with multiple threat intelligence feeds and context 
Image 2
Screenshot from scoutTHREAT® of threat actor profile of the DarkSide ransomware group

With built-in external threat intel feeds, the LookingGlass Suite helps address many of the concerns around large-scale data organization and contextualization, tipping and cueing, risk scoring, and prioritization to help pinpoint the threats that matter to your organization. This can optimize threat hunting efforts and reduce cyber risk faster, versus spending precious resources sifting through mountains of data. If your organization is starting or expanding its threat hunting, feel free to contact LookingGlass for more information.