Hunting the Hunters

Identifying Threats Early and Often

Colin Cowie and Michael Salihoglu
| 7/17/2019
Hunting the Hunters: Identifying Threats Early and Often

The recent alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and reports of elevated cyberattack activity have been grave reminders that capable threat actors are a real and present danger to many organizations. The frightening reality is that unknown threats might already be lurking somewhere within your organization’s network. Emerging technologies, interconnected devices, and supply chain risk have expanded digital attack surfaces. Prevention systems alone are no longer adequate to defend, and the mindset of network security is shifting from “if we get compromised” to “when we get compromised.”

It has become increasingly critical that organizations focus on detecting and responding to suspicious activity rather than simply aiming to prevent intrusions, and they should be prepared to investigate breaches and execute well-planned responses to limit damage. Threat hunting is an incident response strategy in which analysts proactively search for adversaries.

Threat hunting prerequisites

The goal of threat hunting is to investigate possible network anomalies and identify undiscovered malware and threats. Successful threat hunting can result in early detection and a significant decrease in breach detection time. However, threat hunting requires a mature security program with finely tuned security controls. The core requirements of building a strong threat hunting strategy include:

  • Network visibility and controls. A clear understanding of what systems are on an organization’s network is essential for threat hunting. Security detection controls should be reviewed to determine what, if any, systems they are failing to monitor. Establishing a baseline of normal network activity can help identify malicious activity and provide better context for identifying an attack. The key phrase here is “Know normal; find evil.”
  • Skilled and dedicated personnel. Threat hunters and security analysts should know how to use security detection tools and understand the mindset of their adversaries. In essence, to catch a hacker you have to think like a hacker. Threat hunters who perform scheduled and structured hunts with clearly defined goals can be more effective and provide more value.
  • Threat intelligence. An understanding of new and increasing threat vectors allows defenders to stay up to date with adversaries’ techniques. Using public indicators of compromise such as malware hashes and IP addresses as well as malware signatures might increase detection of new or polymorphic malware samples.

How and where to hunt

The most effective threat hunting is a continual process involving frequent review and adjustments. Talented threat hunters need to think like their adversaries and build knowledge about where to hunt within the network based on current attacker tactics, techniques, and procedures. They also must anticipate what high-risk targets adversaries intend to breach.

Understanding what adversaries’ activities look like and where threat actors are likely to strike provides the structure needed to threat hunt beyond relying on a hunch or waiting for something to go wrong. Exhibit 1 demonstrates the typical, continual life cycle of threat hunting:

Organizations face different threats, and they have different assets and security detection tools at their disposal. Fortunately, threat hunters have a number of ways to approach their task and a variety of areas to hunt. Some popular hunting areas and artifacts include:

  • Web proxy logs
  • Abnormal network traffic
  • Uncommon dynamic DNS resolution
  • Unique user agent strings
  • Base64 encoded strings
  • PowerShell logs

In addition, Microsoft Windows™ event logs are often overlooked as a useful location for threat hunting. At the most basic level, these event logs record user activities. However, in a comparison of baseline user activity to the activity on a suspected compromised machine, event logs can paint the story of an attack. Some common events to investigate are included in Exhibit 2. For more information, refer to guidance provided by SANS, the Infosec Institute, ICIMP/IARIA, and Microsoft.

After the hunt

The unfortunate reality is that if an organization’s threat hunting is successful, that means it has discovered a potential breach. Any organization that suspects it has been compromised should follow an incident response plan. In addition, in terms of its recent alert, CISA is asking that attacks and breach activity be reported using this email: [email protected].

Please contact Troy La Huis, digital security services leader at Crowe, at +1 616 233 5571 or [email protected] if you have any questions about how your organization can best respond to the CISA statement.

Happy hunting!


Microsoft and Microsoft Windows are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.