The practice of threat hunting is sometimes misunderstood, and we often hear of people confusing it with pen testing. So, what is the difference?
Security methods fall into one of two categories: prevention-based or detection-based. Prevention is keeping out the bad guys: firewalls, architecture, software solutions. Detection is catching the attacker who’s already managed to get in: data monitoring, automatic alerts, putting “eyes on glass.”
Pen testing tells you how an opponent could get into your environment. It emphasizes the potential damage of not hardening the environment by showing how different vulnerabilities might be exploited or identifying insecure IT practices.
Threat hunting tells you who is already in your environment and what they're up to. It deals with the actual state of the environment and shows what threats are targeting the company.
They’re both methods used by defenders to bolster their security, but the former deals with possible scenarios which may lead to a breach, while the latter works in reverse: first looking for a breach, then working backwards to the vulnerability that allowed it.
Popping boxes and cracking hashes
A pen test is a snapshot: how an attacker might find their way in using one (or more) technique. Before a traditional, network-based pen test is conducted, a Scope of Work must be written, detailing what will be done (to prevent scope creep) and defining needs, requirements and timeframe. Testing outside of the SoW is illegal thanks to the Computer Fraud and Abuse Act. Once the SoW is approved by the person in charge of the security budget, testing can begin.
The stages of a traditional network pen test are rather straightforward, and testing uses a consistent methodology:
- Planning and preparation
- Reconnaissance
- Vulnerability identification
- Exploitation
- Post-exploitation
- And finally, report on findings and clean up!
There are myriad ways for attackers to get inside an organization. Pen testing will show some of the routes attackers could take, but it definitely won’t show every possibility. Trying to fix all the identified vulnerabilities is a losing battle, since attackers can always come up with new ways to infiltrate a target if they have enough time and motivation.
Gone hunting
Threat hunting accepts that getting hacked is almost inevitable and focuses on containing and minimizing the damage and finding ways to stop the recurrence of known malicious behavioral patterns, regardless of whether they were the result of a zero-day exploit or a misconfigured server.
Effective hunting is a combination of deep knowledge of your environment and the ability to understand the details of changes that are taking place in your environment in real time.
Security teams need to study their network, understand their users and use tools that give them the insight to discern the good from the bad. The attacker must perform extensive reconnaissance to find weak spots to exploit. The defenders have an asymmetric advantage by knowing what normal looks like in their environment and having deep visibility to see what is going on.
Adversaries are not invisible. They leave behind patterns of behavior. Knowledge is the greatest advantage information security teams have when facing an adversary. Threat hunting is the process of sifting through these behaviors and identifying which ones are suspicious and which ones are malicious. Let’s be honest – lots of weird things happen on our networks. Some of them, like bad user decisions, are explainable, while others are not. Once you have a suspicion based on something you saw in your security tools, you need to run down whether it’s malicious or benign.
Take network scanning as an example. Your system administrators don’t need to scan their environment to figure out which machines do what. They already (hopefully) know that. This means any scanning activity you see in your internal network (aside from what’s done by your security team) is inherently suspicious. Remote administration tools are another great example. Companies select and standardize on a set of administration tools to deploy software consistently. This means that all software deployed in an enterprise environment will arrive in one of two ways: either pushed out by the IT support team, or installed by a user. Any remote administration tools that users have installed themselves should stand out, especially those installed by non-administrators. Any remote access tools that users don’t remember installing could be proof of an intrusion.
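The two hunts described above, internal scanning from hosts other than the security team's scanner and remote administration tools that did not arrive through IT's deployment channel, can be expressed as simple checks over inventory and connection data. This is an added example, not code from the original article; the host names, account names, product names and the allowlist are constructed for illustration.

```python
# Added example, not from the original article: the two hunts described above
# (internal scanning, user-installed remote administration tools) run over a
# constructed data set. Host, account and product names are assumptions.
from collections import defaultdict

# Constructed connection log: (source host, destination host, destination port).
CONNECTIONS = [
    ("ws-17", "srv-db1", 1433), ("ws-17", "srv-db1", 3306), ("ws-17", "srv-db1", 22),
    ("ws-17", "srv-web2", 80), ("ws-17", "srv-web2", 443), ("ws-17", "srv-web2", 8080),
    ("ws-17", "srv-files", 445), ("ws-17", "srv-files", 139), ("ws-17", "srv-files", 135),
    ("ws-17", "srv-print", 9100), ("ws-17", "srv-print", 631), ("ws-17", "srv-print", 515),
    ("sec-scanner", "srv-db1", 1433), ("sec-scanner", "srv-web2", 443),
    ("sec-scanner", "srv-files", 445), ("sec-scanner", "srv-print", 9100),
    ("ws-04", "srv-files", 445), ("ws-04", "srv-web2", 443),
]
# The security team's own scanner is the one host expected to scan (assumption).
SCAN_ALLOWLIST = {"sec-scanner"}

def find_internal_scanners(conns, min_targets=8, allowlist=SCAN_ALLOWLIST):
    """Return internal hosts that touched at least min_targets distinct
    host:port pairs, excluding hosts that are allowed to scan."""
    touched = defaultdict(set)
    for src, dst, port in conns:
        touched[src].add((dst, port))
    return sorted(src for src, targets in touched.items()
                  if src not in allowlist and len(targets) >= min_targets)

# Constructed software inventory: (host, product, installing account, install source).
INVENTORY = [
    ("ws-04", "RemoteToolA", "svc_deploy", "it-deploy"),  # pushed by IT: expected
    ("ws-17", "RemoteToolA", "jdoe", "manual"),           # installed by a regular user
    ("ws-22", "SpreadsheetPro", "kwu", "manual"),         # user install, not a remote tool
    ("ws-31", "RemoteToolB", "admin_tmp", "manual"),      # installed by a local admin
]
REMOTE_ADMIN_TOOLS = {"RemoteToolA", "RemoteToolB"}  # assumed product names
IT_DEPLOY_SOURCES = {"it-deploy"}                    # the sanctioned push channel
LOCAL_ADMINS = {"admin_tmp"}

def find_unsanctioned_remote_tools(inventory, tools=REMOTE_ADMIN_TOOLS,
                                   sources=IT_DEPLOY_SOURCES, admins=LOCAL_ADMINS):
    """Return (host, product, account, priority) for remote administration tools
    not pushed by IT; installs by non-administrators rank 'high'."""
    findings = []
    for host, product, account, source in inventory:
        if product in tools and source not in sources:
            priority = "high" if account not in admins else "medium"
            findings.append((host, product, account, priority))
    return findings
```

Calling `find_internal_scanners(CONNECTIONS)` returns `["ws-17"]`, and `find_unsanctioned_remote_tools(INVENTORY)` returns the two manual installs of remote tools, with the regular user's install ranked first for follow-up.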
Tools of the trade
Both pen testing and threat hunting have their place in a mature security posture. Because malicious actors’ ability to evade traditional detection methods is increasing, security practitioners should emphasize threat hunting. Organizations always have something occurring on their network, but the question is: is it minor stuff, an attack unfolding, or something catastrophic? Pen testing is checking a box and necessary for organizations that must adhere to PCI standards, but supplementing pen testing with active threat hunting is smarter and more proactive. Make sure your posture is balanced, and that you’re doing enough on both ends so you’re set up to react quickly.