Focus on collecting all security data in one place.
A security information and event management (SIEM) solution can help. SIEM solutions are built to collect log and flow data automatically from the devices and applications across your network: firewalls, routers, switches, web proxies, servers, workstations, applications, Active Directory (AD), databases, and more. Most ship with built-in rules for known malicious activity, so they can detect common threats with little custom configuration; tuning those rules to your environment comes later.
The next step is to build a dedicated incident detection and response team. This team, or even a single analyst, works with the SIEM or another security tool to investigate incidents, resolve alerts, and look for potential security threats.
The focus at this stage should be on enriching the collected data, working out how to fine-tune your security solution's configuration, and automating your basic incident detection and response activities.
Data sets are the key to a threat-hunting program, so automate security data collection from your devices, servers, applications, and endpoints, including those hosted in the cloud.
Take slow, but steady steps.
You've laid the foundation; now it's time to step up (Basic)
You have a security tool that automatically detects security incidents in your network, and a team of analysts who can respond to them promptly. At this stage, you are already doing some basic searching and hunting. This is a great start.
To move to the next stage of the hunting model, focus on the points below:
- Improve the scalability of security data log collection. Every source you add widens what a hunt can see: a command run on a workstation can only be found if process logs from workstations are being collected.
- Form a team, or dedicate a single analyst, trained in the next level of hunting: searching specific data sets for key indicators. In a Windows environment, for example, one of the most effective data sets is the record of commands executed on hosts (process-creation logs with the command line recorded). Commands such as those below are used in the reconnaissance stage of an attack to locate confidential information and remote machines within your network.
Some of these tools ship only with Windows Server or the AD administration tools, so finding them executed on a Windows client OS is a serious sign: assume attackers are carrying out reconnaissance to exploit or misuse user accounts. The net commands are built in to every Windows edition, so for those, look at who ran them, from which host, and how many were run in a short period. Common examples:
  - net view: Obtains a list of connectable domain resources
  - net user: Obtains the local and domain accounts
  - net localgroup: Obtains the list of users belonging to local groups
  - net group: Obtains the list of users belonging to specific domain groups
  - net use: Gains access to resources
  - dsquery: Searches for accounts in AD (AD DS tools / RSAT)
  - csvde: Exports account information from AD (AD DS tools / RSAT)
- Develop more hunting procedures, and document the implementation plan for the hunting processes.
- Try to automate the threat hunting procedures you developed by scheduling them to run on a regular basis.
- Think about integrating your security solution or SIEM tool with a threat intelligence platform.
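As an added example (not code from the original article), the following Python script applies the command list above to Windows process-creation events and also covers the automation point: it is written to run unattended on a schedule against an export from the SIEM. It assumes each event carries the field names shown (TimeCreated, Computer, SubjectUserName, NewProcessName, CommandLine) plus an assumed OSType enrichment tag saying whether the host runs a client or server edition; the sample events are constructed for the example.

```python
"""Hunt Windows process-creation logs for reconnaissance commands.

Added example, not from the original article. Assumes Windows Security
event ID 4688 (process creation) is collected with command-line auditing
turned on, and that the SIEM exports each event with the field names used
below. The OSType field (client/server) is an assumed enrichment tag and
the sample events are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Built in to every Windows edition; suspicious in volume or from odd accounts.
NET_RECON = {"view", "user", "localgroup", "group", "use"}
# Shipped with the AD DS tools / RSAT; normally absent from a workstation.
SERVER_TOOLS = {"dsquery.exe", "csvde.exe"}


def classify(event):
    """Return (label, severity) if the event is a recon command, else None."""
    image = event["NewProcessName"].rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    if image in SERVER_TOOLS:
        # The tool itself is the indicator: high on a client, low on a server.
        severity = "high" if event.get("OSType") == "client" else "low"
        return (image, severity)
    if image in ("net.exe", "net1.exe"):  # net.exe hands most work to net1.exe
        m = re.match(r"\s*\S+\s+(\w+)", cmd)  # second token is the subcommand
        if m and m.group(1).lower() in NET_RECON:
            return ("net " + m.group(1).lower(), "medium")
    return None


def hunt(events, window=timedelta(minutes=10), min_distinct=3):
    """Flag server-only tools on clients, and bursts of distinct recon
    commands by one user on one host inside `window`."""
    hits = defaultdict(list)
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        label, severity = hit
        host, user = ev["Computer"], ev["SubjectUserName"]
        if severity == "high":
            findings.append({"host": host, "user": user, "severity": "high",
                             "reason": f"{label} executed on a client OS"})
        hits[(host, user)].append((datetime.fromisoformat(ev["TimeCreated"]), label))
    for (host, user), seq in hits.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            in_window = {lbl for ts, lbl in seq[i:] if ts - start <= window}
            if len(in_window) >= min_distinct:
                findings.append({"host": host, "user": user, "severity": "medium",
                                 "reason": f"{len(in_window)} distinct recon commands "
                                           f"within {window}",
                                 "commands": sorted(in_window)})
                break  # one burst finding per host/user is enough
    return findings


def make_event(ts, host, os_type, user, image, cmd):
    """Build one constructed 4688-style event (field names are assumed)."""
    return {"TimeCreated": ts, "Computer": host, "OSType": os_type,
            "SubjectUserName": user, "NewProcessName": image, "CommandLine": cmd}


SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed sample data
    make_event("2024-03-04T09:12:01", "WS-042", "client", "jdoe", SYS32 + r"\net.exe", "net view /domain"),
    make_event("2024-03-04T09:12:09", "WS-042", "client", "jdoe", SYS32 + r"\net.exe", "net user /domain"),
    make_event("2024-03-04T09:12:40", "WS-042", "client", "jdoe", SYS32 + r"\net.exe", 'net group "Domain Admins" /domain'),
    make_event("2024-03-04T09:13:15", "WS-042", "client", "jdoe", SYS32 + r"\dsquery.exe", "dsquery user -limit 0"),
    make_event("2024-03-04T10:30:00", "WS-017", "client", "asmith", SYS32 + r"\net.exe", r"net use Z: \\fs01\share"),
    make_event("2024-03-04T10:31:00", "WS-017", "client", "asmith", SYS32 + r"\notepad.exe", "notepad.exe notes.txt"),
    make_event("2024-03-04T11:00:00", "DC01", "server", "svc_backup", SYS32 + r"\csvde.exe", "csvde -f export.csv"),
]

if __name__ == "__main__":
    # Schedule this entry point (cron, Task Scheduler) to run the hunt daily.
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the hunt produces two findings for WS-042/jdoe: a high-severity one because dsquery.exe ran on a client, and a medium-severity one because four distinct recon commands ran within ten minutes. The single net use on WS-017 and the csvde export on the domain controller are recorded as hits but raise nothing on their own, which is the point of scoring by host type and by burst rather than on each command in isolation.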
You're an expert!
Stay updated and fight the battle
If you're at this stage, you have a mature threat hunting program. Focus on scaling your team and improving its efficiency, and stay current so the program keeps pace with the evolving security needs of your organization.