Tasks
- To identify nefarious activity that has not triggered a sensor grid alert as well as potential hopping points an attacker might leverage in the future.
- To prioritize threats for relevance to their environment.
- Quickly find indicators that might reveal adversaries that are staying below the radar – either bending Remote Function Call (RFC) protocols or organizational policy thresholds without raising alerts.
Results
- Finding out if APT’xyz target your systems. Open an investigation. Add TTP’s and cross-reference with internal intelligence
- Determine Risk. Automatically deploy indicators to security infrastructure.
- Assign tasks for response and mitigation.
Description
What is threat hunting?
Threat hunting is the practice of proactively and iteratively searching for abnormal activity within networks and systems for signs of compromise.
The challenge:
Analysts use threat hunting to identify nefarious activity that has not triggered a sensor grid alert as well as potential hopping points an attacker might leverage in the future. While great in theory, there are several challenges to threat hunting. Many security teams don’t know where to begin because they lack the ability to prioritize threats for relevance to their environment. Threat hunting also requires specific knowledge and expertise which limits the practice to a few highly skilled analysts. It is also difficult to see the big picture of what is happening across the environment when security teams and tools operate in silos.
When analysts do gain access to what they need, they must quickly find indicators that might reveal adversaries that are staying below the radar – either bending Remote Function Call (RFC) protocols or organizational policy thresholds without raising alerts. They also must be skilled at connecting historical attacks with other open source resources to understand an attacker’s tactics, techniques and procedures (TTPs) and how they might move laterally when inside the environment. It is extremely time consuming to sift through logs manually to determine which are relevant and to correlate logs with massive volumes of external threat intelligence and other internal data to identify malicious activity. Organizations can end up with a few high-value resources spending inordinate amounts of time potentially chasing ghosts.
How ThreatQ meets the threat hunting challenge?
- Is APT’xyz targeting my systems?
- Open an investigation
- Add TTP’s and cross-reference with internal intelligence
- Find related indicators and enrich data
- Add “Courses of Action” to investigation
- Determine Risk
- Automatically deploy indicators to security infrastructure
- Assign tasks for response and mitigation