Threat hunting is the process of searching for underlying and undetected threats in your network. Malicious actors often breach the network perimeter defenses and stealthily lurk inside your environment before carrying out an attack. Once an attacker is inside your network, it is difficult to identify and combat the Advanced Persistent Threats (APTs) they could pose.
With threat hunting, however, you can search for underlying and undetected threats in your network and mitigate them at an early stage to harden the security of your network.
Threat hunters, a team of cybersecurity professionals, assume that an attacker is already present inside your network and look for the following information:
- Malicious IPs, domains, URLs, and hashes
- Indicators of Compromise (IoCs)
- Indicators of Attack (IoAs)
- Tactics, Techniques, and Procedures (TTPs) of attackers.
What are Indicators of Compromise (IoCs)?
Indicators of Compromise are pieces of forensic evidence that indicate some form of intrusion in a network. Any malicious activity that deviates from normal network behavior could be an IoC. You can monitor your network for known IoCs by sourcing them from threat intelligence feeds.
Why is monitoring your network for IoCs important?
IT admins look out for multiple IoCs in your network, then correlate and analyze them to identify threats and attack patterns. You can also equip your security solutions and IT teams to detect and mitigate threats posed by common IoCs. The IoCs documented in your network should also be shared with the IT community, using standards such as STIX/TAXII, to educate and alert organizations about potential threats.
Are you monitoring your network for these important IoCs?
Privileged user activity monitoring
Privileged user accounts are important targets for attackers. You should monitor these accounts and check for:
- Unnecessary data accumulation
- Any sudden spike in activities
- Login attempts at unusual hours
- Accessing critical files more often than necessary
- Granting unnecessary permissions to other user accounts
- Enabling or disabling user accounts
- Reading and modifying databases
Attackers often accumulate data at certain points in your network and exfiltrate it at unusual hours. If you come across huge volumes of data being archived and stored at certain places in your network, this is an indication that your network has been penetrated by attackers and data exfiltration can be carried out at any moment.
Unusual network traffic pattern
It is important to check for inbound and outbound network traffic pattern changes in your network. You should also check if any network connection attempts have been made from a foreign country that your organization doesn't do business with. This means that an attacker is passively trying to gain access to your network.
Multiple requests for the same file
When you spot a user sending more than 500 requests to access a single file, which on any given day is accessed just 4 or 5 times by the same user, this is a potential IoC. In this case, it is highly likely that the attacker present in your network wants to access a file and is trying to do so in multiple ways.
Monitoring logs effectively
All the anomalies mentioned above, and other such malicious activities, are recorded in your log files. You can mitigate threats by monitoring the logs collected across your network efficiently. Sourcing IoCs from threat analytic feeds, monitoring your network for those IoCs, and alerting the IT admins when an anomaly occurs can all be done easily using an effective log management solution.
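Two of the IoCs described above, logins at unusual hours and a user requesting one file far more often than their usual baseline, can be checked directly against audit logs. The following is an added example (not code from the original article or from EventLog Analyzer) that runs that detection logic over constructed sample log lines in a hypothetical "<ISO time> <user> <action> <object>" format; the business-hours window, the 10x spike factor and the per-user baseline counts are assumptions you would tune to your own environment.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit-log lines (hypothetical format, not any product's):
# alice logs in during business hours and reads a file 4 times (her normal),
# bob logs in at 02:30 and reads the same file 60 times within one hour.
_BASE = datetime(2024, 3, 4, 9, 0)
SAMPLE_LOG = "\n".join(
    ["2024-03-04T08:55:00 alice LOGIN workstation-12",
     "2024-03-05T02:30:00 bob LOGIN workstation-07"]
    + [f"{(_BASE + timedelta(minutes=30 * i)).isoformat()} alice FILE_READ /finance/q1.xlsx"
       for i in range(4)]
    + [f"{(_BASE + timedelta(days=1, minutes=i)).isoformat()} bob FILE_READ /finance/q1.xlsx"
       for i in range(60)]
)

BUSINESS_HOURS = range(8, 19)   # assumption: 08:00-18:59 is normal working time
SPIKE_FACTOR = 10               # assumption: flag a day at >= 10x the user's baseline

# Assumed per-user, per-file typical daily access counts (learned from history).
BASELINE = {("alice", "/finance/q1.xlsx"): 4, ("bob", "/finance/q1.xlsx"): 5}


def parse_log(log_text):
    """Turn each log line into (timestamp, user, action, object)."""
    events = []
    for line in log_text.splitlines():
        ts, user, action, obj = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, obj))
    return events


def off_hours_logins(events):
    """Return (user, time) for every LOGIN outside BUSINESS_HOURS."""
    return sorted({(u, ts.isoformat()) for ts, u, a, _ in events
                   if a == "LOGIN" and ts.hour not in BUSINESS_HOURS})


def file_access_spikes(events, baseline):
    """Return (user, file, day, count) where a day's reads hit SPIKE_FACTOR x baseline."""
    per_day = Counter()
    for ts, u, a, o in events:
        if a == "FILE_READ":
            per_day[(u, o, ts.date())] += 1
    flagged = []
    for (u, o, day), n in per_day.items():
        typical = baseline.get((u, o), 1)   # unknown pairs: any 10+ reads is a spike
        if n >= SPIKE_FACTOR * typical:
            flagged.append((u, o, str(day), n))
    return sorted(flagged)
```

In practice the baseline would come from weeks of historical counts per user and file rather than a hard-coded table, and both checks would feed a correlation rule rather than fire on their own.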
EventLog Analyzer is a log management solution that can help you look for IoCs in your environment, as it incorporates threat analytic feeds from STIX, TAXII, and AlienVault OTX platforms. It uses its powerful correlation engine to spot anomalies across your network and generates comprehensive reports on all network activities. Alerts can be configured for malicious activities to notify IT security admins in real time via SMS and email to prevent threats and attacks. You can also configure incident workflows to respond to threats and mitigate them at an early stage. Learn more about EventLog Analyzer.