When we think of modern threat hunting, we think about proactively looking for exceptional situations across the network. Rather than waiting for an incident to occur, threat hunters work proactively: they assume attackers are already inside the network and attempt to track them down. Threat hunters make educated assumptions, such as “PowerShell remoting is used to compromise machines,” then write scripts to detect it, analyze the results and leave sensors in place to alert them to future use of this technique.
Modern data centers are tangled webs, typically consisting of multiple generations of software architectures and leftovers from acquisitions. The lack of documentation, combined with the sheer amount of data available, makes effective threat hunting challenging. This, along with a “the show must go on” mentality where security cannot impact operations, forces us to find scalable methodologies that work within real-world networks.
We start from a baseline, a “known good state,” then detect anomalies and classify them as either part of the environment or security incidents. This process allows defenders to get work done. By starting from a baseline, we detect deviations that might be indicators of attacker activity, while at the same time, we harden existing systems and turn the baseline into a trusted base.
It’s hard to tell what’s really going on in any large network. Analyzing what assets exist and who communicates with whom is an open challenge. But threat hunters should build simple tools to give them partial answers. Free tools such as ss, sysmon and sysdig, combined with graphviz can help defenders build maps that track network activity.
The goal is to construct an accurate map of the network.
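As an added example (not code from the original post), here is how the map-building step can start with the tools named above: parse `ss -tnp` output into process-to-peer edges, diff them against a saved baseline, and emit Graphviz DOT with edges never seen before drawn in red. The `ss` sample, the addresses and the baseline are all constructed for this example.

```python
import re

# Constructed sample of `ss -tnp` output (not captured from a real host).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
ESTAB  0      0      10.0.1.5:44312      10.0.2.9:5985     users:(("pwsh",pid=4120,fd=7))
ESTAB  0      0      10.0.1.5:38200      10.0.3.4:443      users:(("curl",pid=3311,fd=3))
ESTAB  0      0      10.0.1.5:22         10.0.9.1:51422    users:(("sshd",pid=901,fd=4))
"""

PROC_RE = re.compile(r'\("([^"]+)"')  # process name inside users:(("name",pid=...))


def parse_ss(text):
    """Return a set of (local_ip, process, peer_ip, peer_port) edges from `ss -tnp` text."""
    edges = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue  # only established sessions belong on the map
        local_ip, _ = parts[3].rsplit(":", 1)
        peer_ip, peer_port = parts[4].rsplit(":", 1)
        m = PROC_RE.search(line)
        proc = m.group(1) if m else "unknown"
        # Note: for inbound sessions (e.g. sshd) the peer port is ephemeral and
        # will churn; a production baseline would normalise those to the local port.
        edges.add((local_ip, proc, peer_ip, int(peer_port)))
    return edges


def new_edges(current, baseline):
    """Edges present now that were not in the known-good baseline."""
    return current - baseline


def to_dot(edges, baseline=frozenset()):
    """Render edges as Graphviz DOT; edges absent from the baseline are coloured red."""
    lines = ["digraph netmap {", "  rankdir=LR;"]
    for local_ip, proc, peer_ip, port in sorted(edges):
        src = f'"{local_ip}\\n{proc}"'
        colour = "" if (local_ip, proc, peer_ip, port) in baseline else " color=red"
        lines.append(f'  {src} -> "{peer_ip}" [label="{port}"{colour}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed baseline: the curl and sshd sessions are known; the pwsh one is not.
    baseline = {("10.0.1.5", "curl", "10.0.3.4", 443), ("10.0.1.5", "sshd", "10.0.9.1", 51422)}
    print(to_dot(parse_ss(SS_OUTPUT), baseline))  # pipe into `dot -Tpng` to render
```

The same diff logic works on `sysdig` or Sysmon event-3 (network connection) data once it is reduced to the same edge tuple, so one baseline file can cover Linux and Windows hosts.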
(Image taken from GuardiCore Centra)
Using maps, defenders can start analyzing what typical network traffic looks like and set up alerts with different tools
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Daniel Goldberg. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/q75tyV9gTsY/