Threat Hunting: Don’t Go Hunting Without a Guide
2021-05-25 | 5 min read
The concept of Threat Hunting is relatively new. Historically, we've focused heavily on prevention and on Incident Response (cleaning up the mess that attackers leave behind), but actively searching your network for evidence of an ongoing breach is a much newer discipline. And it's hard. Not just because bad actors are getting increasingly good at covering their tracks – which they are – but because so few of us know what to look for.
So let's think about this hunting analogy. The first time you go hunting, you don't just grab a rifle and head off blindly into the woods hoping you'll stumble across a trophy kill without first getting lost, snakebitten, sunburned, or entangled in a career-limiting patch of poison ivy. You go with someone experienced, someone who knows what to do and what to look for. You go with a guide. Why? Because what looks to you like a clump of leaves may be the hoofprint that an experienced guide will recognize as the track of your quarry. And what you think are Sasquatch prints are the trail of the friendly golden Lab who wandered by 10 minutes before. Knowing what to look for, which clues are important and which to ignore, makes all the difference between spending a day lost in the woods and actually bringing home dinner.
And this is true whether you’re hunting big game or hunting cyber threats.
The reality is, most SecOps teams have seen very few real attacks on their networks. They get a flood of logs, alerts, and notifications in their SIEM all day, but they don't get to correlate those messages with an actual attack until it has already happened. "Oh, so THAT'S what that was" is an uncomfortably common refrain among security teams: only after an attack is the team able to pull the relevant Indicators of Compromise (IOCs) out of the inscrutable mass of SIEM logs and correlate them with the breach, learning to identify the real clues while discarding the irrelevant chaff.
If you find yourself falling victim to enough attacks, sure, you’ll get enough experience to recognize these attacks – but who has the time, patience, and sheer masochism to go through that? Fortunately, there is a better way, and your friends at Keysight are here to help you out. We’re here to be your guide to threat hunting.
We've got a massive library covering thousands of techniques and sub-techniques mapped to the MITRE ATT&CK framework (which categorizes the tactics, techniques, and procedures used by real-world attackers). We let you run all of those – safely – on your network, through your production security tools, so that those tools generate the same messages they would send to your SIEM during a real attack. Would you like to know what it looks like if you're hit by SUNBURST, the backdoor from the SolarWinds supply-chain compromise? What about HAFNIUM, Maze, REvil, or even your old favorite WannaCry? Do you want to learn not only which events those attacks would generate (and which techniques generate nothing at all, because no tool in your stack sees them), but also have a chance to tune up your SIEM ahead of time so that you can build the right alerting for the attacks that matter to you? Wouldn't you like to give your security team the knowledge to hunt and recognize threats before they hit your network, rather than forcing them to learn the hard way?
Let's see what it looks like in action – the quick video below shows how Threat Simulator safely emulates (pick an attack) on your network so that you can learn what to look for and configure your SIEM so that when it happens IRL, you're ready. And if you want to try it for yourself, just check out our no-obligation Free Trial.