Threat hunting: Part 1—Why your SOC needs a proactive hunting team

Cybersecurity can often feel like a game of whack-a-mole. As our tools get better at stopping one type of attack, our adversaries innovate new tactics. Sophisticated cybercriminals burrow their way into network caverns, avoiding detection for weeks or even months, as they gather information and escalate privileges. If you wait until these advanced persistent threats (APT) become visible, it can be costly and time-consuming to address. It’s crucial to augment reactive approaches to cybersecurity with proactive ones. Human-led threat hunting, supported by machine-learning-powered tools like Azure Sentinel, can help you root out infiltrators before they access sensitive data.

This threat hunting blog series will dig into all aspects of threat hunting, including how to apply these techniques to your security operations center (SOC). Today’s post delves into what threat hunting is, why it’s important, and how Azure Sentinel can support your defenders. Future posts will examine how you can use other Microsoft solutions for proactive hunting.

Assume breach and be proactive

Traditional cybersecurity is reactive. Endpoint detection tools identify potential incidents, blocking some and handing off others to people to investigate and mitigate. This works for many of the routine, automated, and well-known attacks—of which there are many. However, our most sophisticated adversaries understand how these security solutions work and continuously evolve their tactics to get around them. The goal of the attackers is to remain undetected so they can gain access to your most sensitive information. To stop them, first you must find them.

Threat hunting is a proactive approach to cybersecurity, predicated on an “assume breach” mindset. Just because a breach isn’t visible via traditional security tools and detection mechanisms doesn’t mean it hasn’t occurred. Your threat hunting team doesn’t react to a known attack, but rather tries to uncover indications of attack (IOA) that have yet to be detected. Their job is to outthink the attacker.

Invest in people

Because threat hunting is concerned with emerging threats rather than known attack methods, people take the lead. It’s therefore important that they have the time and authority to research and pursue hypotheses. This isn’t possible if they are bogged down with security alerts. Many SOCs, including those at Microsoft, establish a three-tier model to address known and unknown threats. Tier 1 and Tier 2 analysts respond to alerts. Tier 3 analysts conduct research focused on revealing undiscovered adversaries. You can learn more about how Microsoft organizes its SOC in Lessons learned from the Microsoft SOC—Part 2a: Organizing people.

Figure 1. SOC using a three-tier approach: Tier 1 addresses high speed remediation, Tier 2 performs deeper analysis and remediation, and Tier 3 conducts proactive hunts.

Develop an informed hypothesis

Threat hunting starts with a hypothesis. Threat hunters may generate a hypothesis based on external information, such as threat reports, blogs, and social media. For example, your team may learn about a new form of malware in an industry blog and hypothesize that an adversary has used that malware in an attack against your organization. Internal data and intelligence from past incidents also inform hypothesis development.

Once the team has a hypothesis, they examine various techniques and tactics to uncover artifacts that were left behind. A great tool for helping with hypothesis development and research is the MITRE ATT&CK™ (adversarial tactics, techniques, and common knowledge) framework. These adversary tactics and techniques are grouped within a matrix and include the following categories:

  • Initial access—Techniques used by the adversary to obtain a foothold within a network, such as targeted spear-phishing, exploiting vulnerabilities or configuration weaknesses in public-facing systems.
  • Execution—Techniques that result in an adversary running their code on a target system. For example, an attacker may run a PowerShell script to download additional attacker tools and/or scan other systems.
  • Persistence—Techniques that allow an adversary to maintain access to a target system, even following reboots and credential changes. An example of a persistence technique would be an attacker creating a scheduled task that runs their code at a specific time or on reboot.
  • Privilege escalation—Techniques leveraged by an adversary to gain higher-level privileges on a system, such as local administrator or root.
  • Defense evasion—Techniques used by attackers to avoid detection. Evasion techniques include hiding malicious code within trusted processes and folders, encrypting or obfuscating adversary code, or disabling security software.
  • Credential access—Techniques deployed on systems and networks to steal usernames and credentials for re-use.
  • Discovery—Techniques used by adversaries to obtain information about systems and networks that they are looking to exploit or use for their tactical advantage.
  • Lateral movement—Techniques that allow an attacker to move from one system to another within a network. Common techniques include “Pass-the-Hash” methods of authenticating users and the abuse of the remote desktop protocol.
  • Collection—Techniques used by an adversary to gather and consolidate the information they were targeting as part of their objectives.
  • Command and control—Techniques leveraged by an attacker to communicate with a system under their control. One example is that an attacker may communicate with a system over an uncommon or high-numbered port to evade detection by security appliances or proxies.
  • Exfiltration—Techniques used to move data from the compromised network to a system or network fully under control of the attacker.
  • Impact—Techniques used by an attacker to impact the availability of systems, networks, and data. Methods in this category would include denial of service attacks and disk- or data-wiping software.

Conduct investigation with Azure Sentinel

Although threat hunting starts with a human generated hypothesis, threat protection tools, like Azure Sentinel, make investigation faster and easier. Azure Sentinel is a next-generation, cloud-based SIEM that uses machine learning and artificial intelligence (AI) to help security professionals detect previously unknown incidents, investigate suspicious activity and threats, and respond quickly to an incident. It’s an invaluable tool for threat hunting. Azure Sentinel’s built-in hunting queries help teams ask the right questions to find issues in the data already on your network. Within Azure Sentinel, an analyst can create a new query; modify existing queries; bookmark, annotate, and tag interesting findings; and launch a more detailed investigation.

Figure 2: Azure Sentinel Hunting Dashboard: The dashboard includes menus to create new queries, run all queries, and bookmark data. The dashboard also shows the number of hunting queries that exist and a pane that shows the actual Kusto Query Language for each query.

Azure Sentinel ships with built-in hunting queries that have been written and tested by Microsoft security researchers and engineers. The following 16 hunting queries were provided by Microsoft:

  • Anomalous Azure Active Directory apps based on authentication location
  • Base64-encoded Windows executables in process command lines
  • Process executed from binary hidden in Base64-encoded file
  • Enumeration of users and groups
  • Summary of failed user log-ins by reason of failure
  • Host with new log-ins
  • Malware in recycle bin
  • Masquerading files
  • Azure Active Directory sign-ins from new locations
  • New processes observed in last 24 hours
  • Summary of users created using uncommon and undocumented command line switches
  • Powershell downloads
  • Cscript daily summary breakdown
  • New user agents associated with clientIP for SharePoint uploads and downloads
  • Uncommon processes—bottom 5 percent
  • Summary of user log-ins by log-in type

Threat hunters can also leverage a Github repository of hunting queries provided by Microsoft researchers, internal security teams, and partners. Azure Sentinel also makes it easy for your threat hunters to select a MITRE ATT&CK framework tactic that they want to query. Despite the mountains of data your team must parse in their investigation, Azure Sentinel improves the odds they will pursue the right leads.

Learn more

Effective cybersecurity requires several complementary approaches. You need to be alert to the incidents that your threat detection tools uncover. You also need to proactively hunt for threats that lurk in the shadows. Adding threat hunting capabilities to your SOC can reduce your risk from hidden adversaries. I hope this blog helps you see ways to apply these tactics in your organization. Stay tuned for future posts in this series, where I’ll walk you through practical examples of threat hunting using Azure Sentinel, as well as demonstrate how to use other Microsoft tools for such activities.

In the meantime, learn more about Azure Sentinel. For getting the best use out of Azure Sentinel, see Microsoft Azure Sentinel: Planning and implementing Microsofts cloud-native SIEM solution (IT Best Practices—Microsoft Press).

Bookmark the Security blog to keep up with our expert coverage on security matters and visit our website at https://www.microsoft.com/security/business. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.