The main goal of threat hunting is to find traces attackers have left behind in the organization’s IT environment. These traces can date back to already solved crises or can be the first indicator of an ongoing attack.
In general, threat hunting can be most efficiently implemented by organizations that already have a solid, mature information security operations center (SOC) and computer incident response team (CIRT). While the latter two are holding the fort (so to speak), threat hunters are free to cast a wider net.
Threat hunting starts with the assumption that an incident has happened, but it’s not based on already received alerts. It can be based on findings from previous hunts, or information from outside the organization (provided by other analysts, organizations, etc.).
Effective hunts depend more on the knowledge, skills and instincts of human analysts than on tools. It is generally acknowledged that, while senior SOC analysts and incident responders can have the right foundation for threat hunting, in order to be good threat hunters they also have to be able to think creatively and see the big picture.
Still, there can be no doubt that good tools can help threat hunters channel their capabilities more efficiently.
Threat hunting with Sqrrl
In a recent report on the topic, Gartner identified Sqrrl as the only pure threat hunting-specific platform on the market.
Sqrrl is a great addition to the SOC toolset, as it makes incident investigation a much less time- and effort-consuming affair, but the tool received Gartner’s recognition because it is built from the ground-up to support threat hunting flows, analytics and visualizations.
The platform unifies a wide variety of datasets derived from threat intelligence feeds, SIEM alerts, North-South and East-West IP flows (from proxy logs, firewall logs, netflow data, etc.), DNS query logs, authentication logs from Windows events, process-level telemetry, user records, and so on.
It extracts specific fields from those log files and reorganizes them in (behavior) graph form, and enables analysts to use link analysis to easily traverse the data without having to write a lot of search scripts and queries.
Searching for evidence
Sqrrl simplifies the hunt for signs of lateral movement, data staging, exfiltration, DNS tunneling, command and control activity, to uncover yet undetected evidence of APT and malicious insider activity, data breaches and malware.
Threat hunters will usually start by perusing Sqrrl’s hunting home page:
On it, they can find risk scores by different kill chain activities (top left), top Risk Trigger hits (top right), lists of high risk detections and entities (bottom left and center), and top triggers by entity count (bottom right).
The detections are powered by algorithms.
“For example, Sqrrl’s lateral movement detector first uses an unsupervised machine learning algorithm to look for suspicious login events and then uses a multi-hop graph algorithm to chain those login events into predicted lateral movement pathways. By looking for connected series of anomalies using graph algorithms, Sqrrl is more accurate in its detections because connected series of anomalies are rarer than a single anomaly,” says Sqrrl CEO Mark Terenzoni.
Threat hunters can choose one of the detections as a starting point for a hunt.
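As an added illustration of the two-stage approach Terenzoni describes (this is example code, not Sqrrl's own implementation): the first stage flags rare logon events, using simple frequency rarity as a stand-in for the unsupervised model, and the second chains flagged logins whose destination becomes the source of a later flagged login into multi-hop pathways. The logon events are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed Windows-style logon events (user, source host, destination host).
EVENTS = [
    # routine daytime logins forming the baseline
    *[{"ts": f"2023-03-01T08:{m:02d}:00", "user": "alice", "src": "ws-alice", "dst": "fileserver"}
      for m in range(0, 40, 2)],
    *[{"ts": f"2023-03-01T09:{m:02d}:00", "user": "bob", "src": "ws-bob", "dst": "fileserver"}
      for m in range(0, 40, 2)],
    # rare logins that chain in time: ws-alice -> hr-db -> domain-ctrl -> backup-srv
    {"ts": "2023-03-01T22:05:00", "user": "alice", "src": "ws-alice", "dst": "hr-db"},
    {"ts": "2023-03-01T22:11:00", "user": "svc-backup", "src": "hr-db", "dst": "domain-ctrl"},
    {"ts": "2023-03-01T22:20:00", "user": "svc-backup", "src": "domain-ctrl", "dst": "backup-srv"},
    # a lone rare login with no later hop out of hr-db: a single anomaly, not a pathway
    {"ts": "2023-03-02T03:00:00", "user": "bob", "src": "ws-bob", "dst": "hr-db"},
]

def score_logins(events, rare_max=1):
    """Stage 1: flag (user, src, dst) logins seen at most `rare_max` times.
    Frequency rarity stands in for an unsupervised anomaly model (assumption)."""
    counts = Counter((e["user"], e["src"], e["dst"]) for e in events)
    return [e for e in events if counts[(e["user"], e["src"], e["dst"])] <= rare_max]

def chain_pathways(anomalies, window=timedelta(hours=1), min_hops=2):
    """Stage 2: multi-hop graph chaining. A flagged login into host H, followed
    within `window` by a flagged login *from* H, extends the pathway. Only
    maximal chains of at least `min_hops` hops are reported; a single
    anomaly on its own never becomes a pathway."""
    anomalies = sorted(anomalies, key=lambda e: e["ts"])
    ts = lambda e: datetime.fromisoformat(e["ts"])
    succ = {i: [j for j, f in enumerate(anomalies)
                if f["src"] == anomalies[i]["dst"]
                and ts(anomalies[i]) < ts(f) <= ts(anomalies[i]) + window]
            for i in range(len(anomalies))}
    continued = {j for js in succ.values() for j in js}   # not chain starts
    paths = []
    def walk(path):
        nxt = succ[path[-1]]
        if not nxt:
            if len(path) >= min_hops:
                paths.append([anomalies[path[0]]["src"]] + [anomalies[i]["dst"] for i in path])
            return
        for j in nxt:
            walk(path + [j])
    for i in range(len(anomalies)):
        if i not in continued:
            walk([i])
    return paths

if __name__ == "__main__":
    print(chain_pathways(score_logins(EVENTS)))
```

The routine logins never surface, the isolated rare login is scored but dropped at the chaining stage, and only the connected series of anomalies is reported as a predicted lateral movement pathway.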
One of Sqrrl’s main advantages is the interactive graph representation of the relationships between entities within the organization’s network. Clear and explorable, it allows hunters to drill down into details or to step back and take a wider view of the situation, so they can pivot between data sets and build attack narratives more quickly.
There is no way to clearly but briefly describe how a Sqrrl-powered hunt progresses, so a visual demonstration is definitely in order here:
As you can see, the platform pre-defines actions and hunting pathways, and analysts just need to click through them in search for answers to prove or disprove their hypotheses.
Ultimately, a hunt may or may not turn up evidence of malicious activity, but either way it gives a straight yes or no answer to the posed question or hypothesis. And if the analyst identifies patterns of suspicious behavior they want the solution to look for continuously, they can create Risk Triggers – custom user-built threat hunting analytics.
Risk Triggers can be created to detect threat intelligence matches, identify abnormal user or asset activity, and uncover suspicious connections between entities. Again, the process is easy: the analyst does not have to actually write any code, just fill in a couple of pop-up boxes.
By now, security professionals have internalized the unfortunate reality: it’s only a matter of time until their organization’s defenses are breached, as there are always going to be threats that can bypass them.
Those who have accepted this but are determined to spot threats as soon as possible and minimize their impact should champion threat hunting as a possible solution.
Identifying new security incidents before an alarm has sounded is definitely a plus, but threat hunting with Sqrrl also has the added benefit of improving automated detection, which ultimately allows analysts to focus more on further innovation and attack variations and on keeping pace with attackers.