Business environments are constantly changing: new tools are introduced, old tools are removed, and the configuration changes made to support them can introduce new vulnerabilities. A recent example is the F5 vulnerability CVE-2020-5902, which impacted the Traffic Management User Interface (TMUI) of F5's BIG-IP. The TMUI management interface should never be publicly accessible; users should have to authenticate securely and connect to the LAN before they can reach it. At Vectra AI, we have seen instances where this was not the case and the TMUI had been accessed and exploited.
2020 brought a huge shift to remote work due to COVID-19, and it had operations teams scrambling to:
Supporting this type of shift, especially for a business not ready for it, introduces a multitude of security headaches.
In a seismic shift like this, the primary focus for the business is ensuring operations are not interrupted, which leaves security teams with less influence over implementation and stuck supporting a solution not designed with security in mind. Without proper oversight, vulnerabilities can be exposed and attackers will take advantage.
There are many examples of why hunting is important, and the two we discuss below underline the need for hunting programs.
Let’s explore how security teams can leverage Vectra Detect and your Network Metadata to hunt for malicious behavior. In addition, while we reference Vectra Recall in this document, the techniques described for Vectra Recall can easily be implemented leveraging your data from Vectra Stream.
Threat hunting is about setting aside time to do in-depth research on the idiosyncrasies of your own network.
The aim of a threat hunt is not only to find malicious actors within your network that Vectra's behavior-driven detections have not necessarily spotted, or to find precursor activity. It is also to find network activity that is not necessarily malicious but breaches your security posture or is needlessly insecure. Above all, threat hunting is a learning exercise that helps you understand what is happening on your network. That understanding simplifies future investigations, because you already know what is going on in the network.
As an organization, you might want to document your findings for knowledge sharing within the company. You might set aside a fixed amount of time each week or month for threat hunting as a team, with a discussion at the end in which the team covers what they spotted and what you now know about your organization that you did not know before. It might be that there is a server which backs up a swathe of files over SMB at 1 am every day, or that some servers in a data center send a lot of data externally on port 46780 for a legitimate business use. These findings save time in the future, because you can quickly discount and exclude known, legitimate use cases and focus on anything novel and concerning.
From an investigator's point of view there are two main sources of evidence during an investigation: endpoint evidence and network evidence. The best way to describe the difference between them is the analogy of grand theft auto. There are multiple stages: the carjacking, the joyride, and eventually the conclusion, which could be a car crash. Being at the scene of the crime is valuable, but it will not build the full picture. How did the thief find the car? Where did they come from? What route did the car take? The only way to see the full picture is to combine all the elements.
While endpoint evidence is best to see the initial site of the breach, network data is best for seeing the full picture and connecting the dots. Imagine being in a helicopter observing the carjacking and watching as the car weaves in and out of traffic, down streets and across town. We’ll see it all, and we’ll see exactly where it ends.
The following is a quick reference to the available metadata and the common attributes for each metadata stream.
Hunting is time consuming, and there is a reason most organizations shy away from it: from a manager's perspective it is difficult to approve analyst time when an output is not guaranteed. In our view, two things usually result from a successful hunt.
Any analyst spending time on a hunt will inevitably learn from the experience, because they need to research and test their theory. Each hunt explores a new topic as the analyst becomes more comfortable with the Vectra AI platform, and that comfort translates directly into faster investigations. They will know Lucene syntax, how to stack data with Visualize, and which metadata fields are available.
Along with this research they’ll also understand their own environment better since every corporate network has a specific set of policies and tools they use. Getting to understand what’s normal will help to identify what’s abnormal. As an analyst spends time hunting, they’ll increase their comprehension which will translate to efficiency.
A tangible outcome is a custom model: the knowledge and environment understanding gained during the hunt can be applied to create a tailored custom model that works for your organization. Enabling that custom model in Vectra Detect folds it into the daily analyst workflow, increasing both attack coverage and efficiency.
In today's dynamic threat environment, proactive threat hunting is not just beneficial; it's essential for maintaining robust cybersecurity defenses. Vectra AI's advanced solutions empower security teams to efficiently uncover and address hidden threats, enhancing your organization's resilience against cyber attacks. Contact us today to learn how we can support your threat hunting initiatives and strengthen your security posture.