Threat Hunting – a relatively new discipline in Cyber defense

IBM Resilient SOAR, QRadar, Carbon Black Response, A10 Proxy

By Rukhsar Khan on Thursday, February 28, 2019

We have identified a shift in how forensic investigations are conducted today compared with a few years ago. Currently, a full-blown deep-dive forensic analysis is performed only on specific confirmed compromised systems in order to gather additional intelligence. Because this does not scale across thousands or tens of thousands of endpoints, the Endpoint Detection and Response (EDR) market has evolved over the last couple of years. Key players like Tanium, CrowdStrike and Carbon Black Response provide real-time sensors on endpoints in order to quickly gather forensic artifacts and conduct live response. In our solution draft we leverage Carbon Black Response for endpoint sensing and for applying many of the Threat Hunting techniques.

The idea behind Threat Hunting is to shift from a reactive IR model to a proactive approach. In Security Operations, a detection team hands off an alert to an Incident Response team, which validates the incident and responds to it if it is a true incident. The goal of Threat Hunting is to proactively engage a team that hunts for known adversaries, including their applied TTPs, in an organization's networked computing environment. There are multiple different approaches to Threat Hunting; this paper is not intended to introduce the various forms.

In our solution draft the hunt engagement starts by consuming the high-quality initial triage results generated by the IR team as part of the Level-1 analysis. These results will already be augmented with sophisticated CTI, which the Threat Hunting team further leverages in order to remain focused. We will apply different Threat Hunting techniques and support the IR team in scoping the attack.
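As an added illustration (not code from the original post or from any of the products named in it), the following Python sketch shows the step from the Stage 1 indicator pivot to a TTP-based hunt over constructed Sysmon-style process events; the host names, hashes and the "Office application spawns a shell" pattern are all assumed sample values.

```python
"""Added example (not from the original post): a minimal TTP-based hunt.

Stage 1 hands the hunter one triaged Sysmon process event (host, parent,
image, hash).  Searching only for that hash finds hosts where the exact
same binary ran; generalising the hit to a TTP (the same parent/child
execution pattern, whatever the hash) scopes the attack further.
All records below are constructed sample data, not real telemetry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str   # parent image name (Sysmon Event ID 1 ParentImage)
    image: str    # child image name (Sysmon Event ID 1 Image)
    sha256: str   # constructed placeholder hash


# Constructed Sysmon-style process-creation records as a SIEM would hold them
EVENTS = [
    ProcessEvent("ws-017", "winword.exe", "powershell.exe", "aaa111"),  # Stage 1 triage hit
    ProcessEvent("ws-017", "explorer.exe", "chrome.exe", "ccc333"),
    ProcessEvent("ws-042", "winword.exe", "powershell.exe", "bbb222"),  # same TTP, new hash
    ProcessEvent("ws-042", "services.exe", "svchost.exe", "ddd444"),
    ProcessEvent("srv-03", "cmd.exe", "powershell.exe", "aaa111"),      # same hash, other parent
    ProcessEvent("ws-099", "explorer.exe", "powershell.exe", "eee555"),  # routine admin use
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")  # assumed TTP scope


def hunt_by_ioc(events, sha256):
    """Stage 1 style pivot: every host on which the triaged hash executed."""
    return sorted({e.host for e in events if e.sha256 == sha256})


def hunt_by_ttp(events, triage_hit, parents=OFFICE_PARENTS):
    """Stage 2 hunt: generalise the hit to 'Office app spawns <child image>'
    and return every host showing that pattern regardless of hash."""
    return sorted({e.host for e in events
                   if e.parent in parents and e.image == triage_hit.image})


def scope_attack(events, triage_hit):
    """Combine both pivots and call out hosts that only the TTP hunt revealed."""
    ioc_hosts = set(hunt_by_ioc(events, triage_hit.sha256))
    ttp_hosts = set(hunt_by_ttp(events, triage_hit))
    return {"ioc_only": sorted(ioc_hosts - ttp_hosts),
            "ttp_only": sorted(ttp_hosts - ioc_hosts),
            "both": sorted(ioc_hosts & ttp_hosts)}


if __name__ == "__main__":
    print(scope_attack(EVENTS, EVENTS[0]))
```

Host ws-042 appears only through the TTP pivot, which is the kind of additional scoping the hunting stage is meant to give back to the IR team.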

Figure 1.5 summarizes the general advantages of Threat Hunting.

  • A full-blown (deep-dive) forensic analysis is very time consuming and doesn’t scale across thousands of endpoints. It should only be considered for confirmed compromised systems in order to gather additional intelligence!
  • Threat Hunting is a new discipline that has evolved in IR over the last couple of years
  • It concentrates on the TTPs of potential threat actors and helps develop security intelligence for the detection and response team
  • It’s highly recommended to consume CTI before starting Threat Hunting in order to stay focused during the hunting engagement
  • It’s based on live forensics with an EDR in order to provide quick results

Figure 1.5: Intelligence based IR – TTP based Threat Hunting

In order to converge Security Operations, Threat Hunting and DFIR in this single platform, we have defined three stages: Stage 1 Analysis, Stage 2 Analysis and Stage 3 Analysis. Stage 1 Analysis corresponds to a SecOps Level-1 IR team, Stage 2 Analysis to a Threat Hunting team and Stage 3 Analysis to a DFIR team.

In contrast to the blog post Implementation – Overview – steps 0-6, we have extended the number of phases from 2 to 3 in order to incorporate Threat Hunting. DFIR has been moved from the Stage 2 to the Stage 3 Analysis phase. We also added an A10 SSL interception proxy to support the Stage 1 Analysis. To support the Stage 2 Analysis (Threat Hunting) phase we integrated with Carbon Black Response. See the illustration below.

Stage 1 Analysis - L1 (SecOps):
  • Recorded Future Threat Intelligence (steps 0.2, 5)
  • QRadar SIEM events - WinCollect - Sysmon (steps 2-6)
  • QRadar Network Insights (QNI) flows (steps 7-10)
  • A10 SSL interception proxy
Stage 2 Analysis - L2 (Threat Hunting):
  • CB Response
Stage 3 Analysis - L3 (DFIR):
  • Volatility
  • Plaso, log2timeline, etc.
  • QRadar Incident Forensics, PCAP
  • Google Rekall Agent Server
  • Cuckoo Sandbox

Figure 1.15: Solution draft continued