7 Rules of Cybersecurity Threat Hunting

Threat hunting can and should be a part of your cybersecurity efforts, but the idea of starting a threat hunting and monitoring program can be intimidating. Building a portfolio of threats to watch and determining how to manage the risks they pose to your organization is usually confusing, often misleading and just as often stressful.

With so many different attack methods and so many cybercriminals with varying motivations, how do you know whom to pay attention to as you put together your risk management plan? Add to this the constant drumbeat of frenzied media coverage, and it can be hard to develop a realistic plan that is truly effective in building an adequate defense. The good news is that it doesn’t have to be overwhelming. Here are a few rules to keep in mind as you’re building your threat hunting and monitoring plan and deciding which security measures to implement.

  1. Focus on the Basics Before the Complexities
    In short, think simple before going complex. Most breaches and attacks start with the fundamentals: attackers typically go after easy opportunities and simple methods first. Evaluate routine activities and check for anomalies in predictable places and tasks. One hundred brute-force attempts against an IP address in your network can just as easily be a scripted, misconfigured API call as an attack out of China, and the log itself (which accounts, how regular the timing, whether the source is internal) usually tells you which before any threat intelligence does. News stories and security updates often emphasize the scary activity before the basics. A complicated, hard-to-perform or highly selective, targeted attack is thrilling to read about, but rarely relevant. Attacks start with the basics.
  2. Aim for Good Overall Security, Not Attack-Specific Security
    One group is as big a threat as another: any attack that gets past your security gets past your security, whoever launched it. To borrow a common mantra from martial arts, “never fight your foe where they are strong.” The point is not to engage your opponent where they are strongest, but to play to your own strengths. That does not mean ignoring them; a team of cyber-trained attackers with nation-state backing is a more menacing picture than a lone attacker in their mother’s basement. What it does mean is understanding that strong security hygiene thwarts both, whether they are highly skilled and numerous or new to the job. A skilled adversary steps up in sophistication when your security presents hurdles, a numerous adversary overwhelms with quantity, and an unskilled one fades out; they separate naturally into observable groups, no special sauce needed. YOU are the common denominator in every attack. Only when the hurdles are raised high enough to force adversary groups to separate can tailored responses to specific threats become a functional part of the process.
  3. Defend Against the Actual Threats, Not the Conceivable Threats
    A conceivable threat isn’t the same as an actual threat. As humans, we love the drama, and the news, especially news about events we identify with, turns up the spin. Less than a year ago, a wave of stories arrived about Intel chip vulnerabilities said to allow remote code execution; the recommended response was to patch or replace the affected chips. The premise was that an attacker could exploit the vulnerability to take over the machine, and that patching or replacing the chips would resolve the issue.
  • Vulnerabilities should ALWAYS be evaluated. An attacker with the skill and capability could certainly take over a computer through this gap, but several things make that highly unlikely in practice. Among them: the attacker would need to locate a vulnerable machine and already have full access to it, administrator access in almost every case, at which point it hardly matters which vulnerability they exploit, because they already hold complete administrative rights.
  • Attacks can be unlikely for other reasons, too. Some widely reported vulnerabilities are too complicated to be practical. This particular one had two routes to exploitation: the attacker needed domain admin access to the network, or existing local access to the machine in order to gain local system privileges. In the first case it does not matter what they do afterwards, because they already have total access; in the second, they must already have a foothold on the machine (in an advisory, “local access” means the ability to run code on the host as some user, not necessarily physical presence), so the flaw is a privilege-escalation step rather than an entry point.
  • Be cognizant of relevant threats. If your resources are scarce, focus on threats that apply to you, but always be aware of what may become relevant.
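
    The scenario in rule 1, a hundred failed logins from one source, is a good place to show what “check the basics first” looks like on real data. The following is an added example, not code from the original post: it parses OpenSSH-style “Failed password” lines, groups them by source IP, and uses the number of distinct usernames and the regularity of the retry cadence to separate a misconfigured internal job from credential guessing. The log lines are constructed for the example, the hostnames, IP addresses and usernames are made up, and the thresholds (`min_attempts`, `spray_users`, `max_cv`) are assumptions to tune against your own baseline.

```python
"""Triage failed-login bursts from sshd-style auth log lines.

Added example for rule 1 (not code from the original post). A hundred failed
logins from one source can be a scheduled job retrying a rotated password just
as easily as a credential-guessing attack; the parser and heuristics below
separate the two from the log itself. The log lines are constructed for the
example and the thresholds are assumptions to tune against your own baseline.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Matches both "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP" (OpenSSH wording).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

SPRAY = "credential guessing across many usernames"
MISCONFIG = "probable misconfigured client: one account, fixed cadence"
TARGETED = "password guessing against one account: irregular rapid retries"


def parse_failures(lines, year=2019):
    """Yield (timestamp, user, source_ip) for each failed-login line.

    Syslog timestamps carry no year, so one is supplied (2019 for the
    constructed sample); anything that is not a failed password is skipped.
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def triage(lines, min_attempts=10, spray_users=5, max_cv=0.2):
    """Classify every source IP with at least `min_attempts` failures.

    Heuristics (assumptions, not a standard):
      * many distinct usernames             -> username spraying / guessing
      * one account, near-constant interval  -> scheduled job or service with
                                               a stale credential
      * one account, irregular fast retries  -> someone guessing that account
    Returns {ip: {"attempts", "users", "mean_gap_s", "verdict"}}.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))

    report = {}
    for ip, events in by_ip.items():
        if len(events) < min_attempts:
            continue  # a couple of typos is not a hunt lead
        events.sort()
        users = sorted({u for _, u in events})
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        # Coefficient of variation: ~0 for a cron-like cadence, >>0 for bursts.
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if len(users) >= spray_users:
            verdict = SPRAY
        elif cv <= max_cv:
            verdict = MISCONFIG
        else:
            verdict = TARGETED
        report[ip] = {"attempts": len(events), "users": users,
                      "mean_gap_s": mean_gap, "verdict": verdict}
    return report


# --- constructed sample log (not real traffic) ------------------------------
_BASE = datetime(2019, 10, 10, 12, 0, 0)


def _line(offset_s, user, ip, invalid=False):
    ts = _BASE + timedelta(seconds=offset_s)
    who = f"invalid user {user}" if invalid else user
    return (f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} bastion sshd[{4000 + offset_s % 1000}]: "
            f"Failed password for {who} from {ip} port {40000 + offset_s % 1000} ssh2")


def sample_log():
    lines = []
    # 10.0.0.5: internal backup job retrying a rotated password every 60 s.
    lines += [_line(60 * i, "backup", "10.0.0.5") for i in range(12)]
    # 203.0.113.7: external host walking a username list in a quick burst.
    names = ["admin", "root", "test", "oracle", "guest", "ubuntu",
             "pi", "postgres", "git", "deploy", "ftp", "user"]
    lines += [_line(300 + i, n, "203.0.113.7", invalid=(n != "root"))
              for i, n in enumerate(names)]
    # 198.51.100.9: one real account hammered at irregular intervals.
    for o in [0, 1, 1, 3, 4, 9, 9, 10, 15, 16, 16, 22]:
        lines.append(_line(900 + o, "jsmith", "198.51.100.9"))
    # 10.0.0.20: two typos from a real user, then a successful key login.
    lines += [_line(1200, "mlee", "10.0.0.20"), _line(1207, "mlee", "10.0.0.20")]
    lines.append("Oct 10 12:21:00 bastion sshd[4444]: Accepted publickey for "
                 "mlee from 10.0.0.20 port 40123 ssh2")
    return lines


if __name__ == "__main__":
    for ip, info in triage(sample_log()).items():
        print(f"{ip:>14}  {info['attempts']:3d} failures  {info['verdict']}")
```

    Run it and the internal backup host comes out as a fixed 60-second cadence against a single account (a stale credential in a job, the “misconfigured API call” of rule 1), the external address comes out as a username walk, and the single real account under irregular hammering is the one that earns a closer look. The point of the cadence check is the one the rule makes: before reaching for attribution, the timing and the account list already separate the routine from the hostile.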
  4. Get the Facts Before You React
    The word “breach” has more than one meaning. A database exposed online without a password, so that its contents leaked inadvertently, is hardly good, but it is not what most people picture when they hear the word “breach”. A list leaked by a cybercriminal can be genuine, and just as often it is invalid or fraudulent. “No honor among thieves” is a true saying; these lists are as often stuffed with fake records as they are with genuinely stolen data.
  • Get the information. Not necessarily the stolen data, which has its own tangled issues, but clarification on what actually happened.
  • Clarify the system involved. Companies often separate systems with different purposes into different networks. In power plants and factories, that means putting the business computers on a different network than the industrial ones. Don’t be surprised if an attack on a power plant turns out to be a breach of the business systems: not good, but not as bad as sabotage.
  5. Remember the End Isn’t Near; Don’t Overreact
    Declaring current events an apocalypse seems to be the universal human pastime, especially in the news. Attackers cannot execute a Hollywood plot and simultaneously take down phones, power, banks, traffic lights, and so on. That kind of blitz, coordinated across multiple industries and thousands of networks, is both technologically and strategically unlikely.
    While fearmongering tries to convince us otherwise, the technology isn’t there to perform this much-talked-about catastrophic, nationwide operation. That does not mean smaller-grade attacks are inconsequential. Smaller-scale incidents have real consequences, but they are not signaling Ragnarok.
  6. Don’t Tilt at Windmills When You Don’t Have a Lance or Horse. Take Care of the Fundamentals First
    Chasing after threats (APT, organized crime, nation-state, and whatever name-du-jour is in the news) when you don’t have basic security hygiene handled is pointless. Having a sophisticated security assessment done when basic security isn’t addressed is equally pointless and expensive.
  7. Don’t Look for a Silver Bullet in Technology or Risk
    A lot of folks look for the “silver bullet” or gravitate toward emerging technologies. Realistically, once you get past the hype and examine the facts, the way to truly differentiate, and to truly manage risk, is to focus on the fundamentals. The processes and controls involved are not particularly exciting: a stringent patch management process, a well-oiled machine, so to speak. Yet these are the steps that identify vulnerabilities on a continuous basis and tell you which application each one ties to and where it sits in your infrastructure.


For more on using AlienVault to assist in Threat Hunting click here.

You can also find our Incident Response Guide and Planning Template along with exercises and more on our website.

Or contact us via this page for more information on how we can help you: https://cyberdefenses.com/contact-us/

About the author

Monty St John

Monty is a security professional with more than two decades of experience in threat intelligence, digital forensics, malware analytics, quality services, software engineering, development, IT/informatics, project management and training. He is an ISO 17025 laboratory auditor and assessor, reviewing and auditing 40+ laboratories. Monty is also a game designer and publisher who has authored more than 24 products and 35 editorial works.