How threat hunting reduces business risks by uncovering hidden attacks

In a previous article, we covered threat intelligence: the collection and analysis of data to understand the threat actors that pose cybersecurity risks to your organization. On an operational level, this involves detecting threats by matching Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) with data sourced from SIEM (Security Information and Event Management) platforms and XDR products.

Configuring a fully automated system that strikes a fine balance between detection rate and false positives is a formidable challenge. For instance, it’s well known that certain malware is downloaded and installed on workstations using trusted, pre-installed system tools to spread malware (so-called LOLBins or Living Off The Land Binaries), like Curl or Certutil. However, given that these tools have many legitimate uses, such as in update mechanisms, detecting all downloads with these tools and flagging them for scrutiny by our SOC analysts would overload them with false positives. 

That’s why, on a tactical level, the Cegeka Modern SOC also performs recurring threat hunting. A senior CSIRT analysts then manually examines relevant, advanced and/or novel TTPs to uncover hidden attacks. So, how does this process work at Cegeka?

From threat intelligence to hands-on hunting 

Our CSIRT analysts closely follow cybersecurity trends and understand their clients’ risk profiles, including the relevant threat actors they may face. Threat modeling, the process of identifying potential attackers, their goals, and the techniques they might use to compromise systems, helps analysts prioritize which threats to focus on. For example, an analyst might notice a trend involving the use of LOLBins like Curl to download malware, or the rise of Eastern European ransomware groups. This modeling informs the hypotheses they explore during threat hunting. 

Drawing on this threat intelligence, the CSIRT analyst formulates several hypotheses, such as “Eastern European ransomware groups may be downloading attacker tools onto compromised machines using LOLBins.” This hypothesis is then translated into specific threat hunts, such as “The use of Curl for downloading from servers without a fully qualified domain name.” 

Each hunt is then converted into precise hunting queries for EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), and SIEM (Security Information and Event Management) products. These queries are executed across the systems of all our clients. We also run queries on network monitoring tools, for instance, in relation to data transfers to servers without a fully qualified domain name. 

What threat hunting reveals  

Every hunt leads to one of three scenarios: we uncover something suspicious, we lack sufficient data, or we find no noteworthy results. 

• Suspicious findings 
  We identify something suspicious that indicates a security incident. Of course, we address this issue with urgency.
  
• Missing data 
  We are unable to execute a hunting query due to the absence of a specific data source, such as network data, on the client’s end. We inform the client that we couldn’t perform our threat hunt and kindly ask them to implement the necessary data source if they want to benefit from these threat hunts in the future. 
• No findings 
  Upon completing our hunting query across all required data sources, nothing suspicious is found. This scenario (luckily) accounts for the majority of cases. 

Turning threat hunting results into actionable insights 

The results of our hunts provide insights that we compile into a report for our clients: 

• Context of the hunt 
  We explain what was hunted and the rationale behind it: the threat intelligence that informed our hypothesis and the precise threat hunts it was translated into. For example, we might explain that our client’s profile is frequently targeted by ransomware groups using LOLBins for malicious tool transfers, hence our focus on these specific TTPs. 
• Information about the hunt 
  We provide comprehensive details regarding the hunt, including the TTPs we queried for (referenced by their MITRE ATT&CK Technique ID). Any detected vulnerabilities are accompanied by their CVE (Common Vulnerabilities and Exposures) identifiers for additional reference. 
• Results of the hunt 
  We outline the hunt’s findings for each technology we used (EDR, XDR, SIEM). 

Our SOC clients can also access these insights via the Cegeka Security Observability dashboard. This allows them to assess their risks and make informed decisions to improve their security posture based on concrete data from our threat hunts. For example, if our reports indicate they lack certain data sources, they may choose to invest in deploying these data sources to get the full benefit of our threat hunts. 

Reducing business risks through threat hunting 

By actively performing threat hunting and combining it with threat intelligence, newsletters, and ongoing threat research, organizations gain the insights needed to uncover hidden attacks and respond effectively to the latest cyber threats. It is this proactive approach that helps stay one step ahead in an ever-evolving threat landscape. 

Threat Hunting is a part of our Cegeka Modern SOC services by default. On one hand, it allows us to detect advanced techniques for which continuous monitoring rules would overload SOC analysts with false-positives, and on the other hand it truly is a compensating control for attacks that might have slipped through the mazes of the net, because they are so novel or advanced.