What is Threat Hunting?

Threat hunting is the process by which specialized security analysts proactively hunt for threat actor behavior and attempt to defend their network before real damage can be done. The word "specialized" is critical to understanding what it takes to stand up a successful threat-hunting strategy, because the skill takes time to learn and is in high demand.

According to a SANS Institute survey, in 2017 only 31% of organizations had dedicated threat hunters. Four years later, the same survey showed that figure had jumped to 93%. The need for threat-hunting specialists has increased over the past half decade, and for good reason. The barrage of attacks against enterprise organizations is growing at an alarming pace, and we can no longer afford to sit and wait.

Indeed, the increase in threat hunting has also been found to improve many organizations' overall threat intelligence capabilities and security posture. SANS has observed that, as threat hunting has increased, security teams have become better at continuous monitoring and produce fewer false positives.

Threat hunting models aren't easy to put into place, and there are several methodologies. It is therefore important to determine the goal of a particular threat hunt. From there, a team can begin to define the techniques needed to action a successful hunt.

Key Elements of Threat Hunting

So what, specifically, are the functions of threat hunting? As noted above, the goals of individual hunts differ, and so will the details of each hunt.

Let's take a look at some of the more common elements a seasoned security pro can expect when engaging in a new hunt.

Data collection and processing: Depending on the hypothesis being tested or the overall goal, data collection will draw on various types of network logs (DNS, firewall, proxy), threat detection from various sources, perimeter telemetry, and/or specific endpoint data.

Collaboration and communication: Several tools like Slack and Microsoft Teams can be automated into threat-hunting workflows, triggering new service tickets, starting new hunts and investigations, and querying individual endpoints or network users when necessary.

Documentation and reporting: Recording the results of a hunt is critical, whether or not the hunt succeeds. Regardless of the outcome, this reference can serve as a baseline for actions to take on future hunts with similar goals and help identify a potential repeat threat actor.

People and technology: Although a fair amount of automation is used in any given threat hunt, it is the people working in a security organization that will calibrate those automations. From endpoint telemetry, to alerts, to network traffic analysis, technology bolsters analysts' ability to seize on insights faster and shut down threats more definitively.

Types of Threat Hunting

As discussed above, knowing the goal of the hunt is critical to conducting a successful threat hunt. Based on the goal that has been identified, the hunt will typically fall into one of the formats discussed below.

Establishing a Hypothesis for a Threat Hunt

This threat-hunting process is typically kicked off by members of a security organization observing an anomalous event, perhaps with increasing frequency over time. From there, the team can begin to form a hypothesis on what might be taking place and whether that hypothesis is actually testable. This will help confirm whether malicious activity is present.

Types of Hypothesis-Driven Threat Hunts

  • Intelligence-based: This leverages indicators of compromise (IOCs) and certain tactics, techniques, and procedures (TTPs) upon which a hypothesis could be formed.
  • Situational-awareness-based: This is based on deep knowledge of internal infrastructure, vulnerabilities, and core network assets. It does not necessarily take threat intelligence into account, but instead asks, "If we take a certain action, would we be vulnerable?"
  • Domain-expertise-based: This comes from the threat hunter's own knowledge of the systems they are assigned to, and assumes the hunter is in tune with the network to the point where they'll know if something is "off" and can form a working hypothesis against which to conduct a hunt.

Key Threat Hunting Tools and Techniques

Let's now take a look at some of the specific tools and processes by which a hunter can test a hypothesis and determine if a threat is indeed real.

Security Information and Event Management (SIEM)

A SIEM platform can detect security issues by centralizing, correlating, and analyzing data from across the network. Core SIEM capabilities include log management and centralization, security event detection and reporting, and search.

Endpoint Detection and Response (EDR)

Analytics correlate endpoint data with sophisticated user analytics and threat intelligence to detect suspicious endpoint activities and whether or not a specific user is even aware of the activity on their system.

Network Traffic Analysis Tools

This group of tools monitors network availability and activity to identify anomalies, including security and operational issues. They allow hunters to collect both a real-time and a historical record of what is occurring on the network.

Threat Intelligence Feeds

By maintaining visibility into real-time threat feeds, hunters become familiar with the potential threats most relevant to their environment and therefore know how to better defend against those threats.

Cloud Security Monitoring and Visibility Tools

Threat hunters would ideally use a cloud security tool to monitor multi- and hybrid-cloud environments that are particularly susceptible to risk. By ingesting data such as user activity, logs, and endpoint data, analysts should be able to gain a clear snapshot of the business' IT footprint and any suspicious activity present.

User and Entity Behavior Analytics (UEBA)

The process of analyzing user behavior consists of gathering insight into the network events that users generate daily. Once collected and analyzed, these events can be used to detect the use of compromised credentials, lateral movement, and other malicious behavior.

Threat Hunting Steps

What are some specific threat-hunting steps to take when leveraging the right tools to test a well-formulated and specific hypothesis?

Collect the right data: It's critical to identify – and ultimately automate the process of – collecting the data that will enable action. If a security team suspects malicious activity, they will want to collect and examine forensic artifacts from across the network. Part of this process is efficiently triaging and analyzing forensic evidence to quickly determine the root cause of the incident.

Customize queries and rules: Several threat-hunting managed services partners or solutions feature built-in queries and rules – which automatically surface alerts based on defined criteria – to quickly aid threat hunters in searching for widely known exploits and/or threat actors. However, it helps for a security team to retain the ability to customize those queries so they're asking the questions that best fit the agreed-upon hypothesis.

Stay on top of tactics, techniques, and procedures: Threat hunting techniques should constantly evolve according to the TTPs currently being used by threat actors. Although adversary behavior is not always easy to discover, ongoing research into it will keep security defenders proactive, sharp, and ready.
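The three steps above (collect the right data, run queries and rules the team can customize) and the UEBA approach described under User and Entity Behavior Analytics can be shown together in one small hunt. What follows is an added example written for this page, not code from the original article or from any Rapid7 product. Everything in it is assumed for illustration: the `host=... user=... src=... result=...` log format, the hostnames, user names and addresses, and the `HuntRule` thresholds. The hypothesis being tested is that a compromised account will successfully authenticate to several hosts it has never used before within a short window, which is what a simple per-user baseline can surface.

```python
"""Hypothesis-driven hunt over constructed authentication logs.

Hypothesis under test: a compromised account is being used to move
laterally, so it will successfully authenticate to several hosts the
account has never used before, inside a short time window, possibly
from a source address the account has never used either.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data (not from any real system). Day 1 is history
# used to build the per-user baseline; day 2 is the window being hunted.
SAMPLE_LOGS = """\
2024-03-01T08:02:11Z host=fs01 user=alice src=10.1.5.20 result=success
2024-03-01T09:15:42Z host=mail01 user=alice src=10.1.5.20 result=success
2024-03-01T09:30:00Z host=db01 user=bob src=10.1.5.31 result=success
2024-03-01T14:10:05Z host=fs01 user=alice src=10.1.5.20 result=success
2024-03-02T02:05:13Z host=fs01 user=alice src=10.1.9.77 result=success
2024-03-02T02:06:40Z host=srv02 user=alice src=10.1.9.77 result=success
2024-03-02T02:07:02Z host=srv03 user=alice src=10.1.9.77 result=failure
2024-03-02T02:07:19Z host=srv03 user=alice src=10.1.9.77 result=success
2024-03-02T02:21:55Z host=srv04 user=alice src=10.1.9.77 result=success
2024-03-02T08:12:00Z host=db01 user=bob src=10.1.5.31 result=success
2024-03-02T08:30:00Z host=srv05 user=bob src=10.1.5.31 result=success
"""
CUTOFF = datetime(2024, 3, 2)  # events before this build the baseline

# Assumed log layout; a real SIEM would hand you parsed fields instead.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    host: str
    user: str
    src: str
    result: str


def parse_logs(text: str) -> list:
    """Step 1, collect the data: turn raw lines into typed, time-ordered events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped; in production, count them
        events.append(AuthEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            host=m["host"], user=m["user"], src=m["src"], result=m["result"]))
    events.sort(key=lambda e: e.ts)
    return events


def build_baseline(events: list, cutoff: datetime):
    """UEBA-style baseline: the hosts and source addresses each user
    successfully used before `cutoff` count as that user's normal."""
    hosts, sources = defaultdict(set), defaultdict(set)
    for e in events:
        if e.ts < cutoff and e.result == "success":
            hosts[e.user].add(e.host)
            sources[e.user].add(e.src)
    return hosts, sources


@dataclass
class HuntRule:
    """Step 2, the customizable rule: how many never-before-seen hosts,
    inside what window, should count as suspicious."""
    new_host_threshold: int = 3
    window: timedelta = timedelta(minutes=30)


def hunt_lateral_movement(events: list, cutoff: datetime,
                          rule: Optional[HuntRule] = None) -> list:
    """Return one finding per user who, after `cutoff`, successfully reached
    at least `new_host_threshold` hosts outside their baseline within `window`."""
    rule = rule or HuntRule()
    base_hosts, base_sources = build_baseline(events, cutoff)
    per_user = defaultdict(list)
    for e in events:  # keep only successful logons to hosts the user never used
        if e.ts >= cutoff and e.result == "success" and e.host not in base_hosts[e.user]:
            per_user[e.user].append(e)
    findings = []
    for user, evs in per_user.items():
        for anchor in evs:  # slide a window anchored on each new-host logon
            in_window = [x for x in evs if anchor.ts <= x.ts <= anchor.ts + rule.window]
            new_hosts = {x.host for x in in_window}
            if len(new_hosts) >= rule.new_host_threshold:
                findings.append({
                    "user": user,
                    "first_seen": anchor.ts.isoformat(),
                    "new_hosts": sorted(new_hosts),
                    "new_sources": sorted({x.src for x in in_window} - base_sources[user]),
                })
                break  # one finding per user is enough to open an investigation
    return findings


if __name__ == "__main__":
    for finding in hunt_lateral_movement(parse_logs(SAMPLE_LOGS), CUTOFF):
        print(finding)
```

Run as a script, the hunt reports `alice` reaching three new hosts (`srv02`, `srv03`, `srv04`) within 30 minutes from an address she had never used, while `bob`, who touched only one new host, is not flagged. Raising `HuntRule(new_host_threshold=4)` silences the finding, which is the kind of tuning step 2 is about: the rule is adjusted to the hypothesis, not the other way round. The failed logon to `srv03` is deliberately ignored by this rule because the hypothesis concerns successful access; a separate rule would cover credential guessing.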

Of course, it's a tall order to constantly stay on top of TTP research and other intelligence sources, which is where a managed threat hunting partner can help accelerate the process and potentially bolster the success of a threat intelligence program.

Threat Hunting Best Practices

  • Operate on diverse data sets: The more data sets that can be analyzed, the more thorough the search for compromise.
  • Automate and orchestrate repeatable tasks: By automating ongoing tasks associated with threat hunting – such as recurring scans – a team will have more time to do what they do best: stopping threat actors.
  • Orchestrate wherever possible: With orchestration, analysts can easily add additional tools to data sets without adding substantial time to the hunt cycle.
  • Notify and respond faster: Create designated response workflows based on threat type. This ensures hunters follow protocol and everyone works from the same data sets.

Read More

Threat Intelligence: Latest Rapid7 Blog Posts