What is threat-hunting?

What is threat hunting?
  • Threat hunting is a process for finding the things that are dangerous to an organization.
  • The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions is called threat hunting.
  • With the help of threat hunting we can protect the organization from a cyber-attack in advance and avoid damage.

How can threat hunting help to stop future cyber-attacks?
  • It is necessary for any organization to apply threat hunting.
  • Let us assume that an attacker installs a threat (ransomware) in a network but does not want to encrypt the whole network right now. He will wait for the perfect time, then encrypt the network and ask the admin for a ransom.
  • Now, if that organization uses threat hunting, an expert continuously searches for threats. Suppose the expert finds the ransomware while it is still dormant. The expert can then easily remove it and save the organization from the attack.
  • This is only possible if an organization uses threat hunting.

Types of threat hunting.

  • There are 5 types of threat hunting:
    • Data-Driven Hunting:
      • A natural starting point to drive hunting activities is to generate hypotheses via data observations. In simpler terms, you figure out what you can hunt for by looking at the data you already have. For example:
      • Have proxy logs? Start by looking at things such as uncommon User-Agent fields.
      • Have DNS logs? Look for unusual DNS record lookups.
      • Got NetFlow? Large volumes of transmitted data where there shouldn't be any is a good place to start.
    • Intel-Driven Hunting:
      • Threat data and intelligence can provide organizations with rich opportunities for hunting.
      • Unfortunately, this can be a difficult model on which to build your hunting program.
      • Organizations need to be cognizant both of the varied level of fidelity in commercial intel feeds and the utility but often sparse nature of cultivating internal intel based off things such as incident response activities.
    • Entity-Driven Hunting:
      • Your network is a big, complex landscape. No matter the size of the team, you need to prioritize your hunting activities to maximize your success.
      • It’s entirely possible, and too often the norm, to burn valuable daylight being spread a mile wide and an inch deep.
      • Enter entity-driven hunting: constructing hunts around high-risk / high-value entities such as crucial intellectual property and network resources.
    • TTP-Driven Hunting:
      • The fantastic thing about the security community is the abundance of attacker information at our disposal.
      • Far more important than static indicators (domains/IPs/hashes): if we wish to truly make a dent in an attacker's success rate we must begin to know and understand their Tactics, Techniques and Procedures.
      • What tools do they use, when do they use them, and how do they use them? Where does the attacker start? What are they after? How do they accomplish their mission?
      • These observations are excellent hunting material as they provide contextual starting points that lend themselves more to human analysis than automated resolution.
    • Hybrid Hunting:
      • In reality, any successful hunt will be a blend of any number of the aforementioned battle plans.
      • For example, a hunt could be shaped by threat intel around a certain adversary, which informs the analyst of the types of TTPs the adversary may use and the critical assets that the adversary may target (i.e., a hybrid threat intel/entity/TTP hunt).
      • The greater theme here is to start where you are. If you're strong on intel, we have a plan for that. Lacking actionable intel but have your data feeds on point? We've got a plan for that too. Start where you are; the rest will come with time, planning and dedication.
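A small data-driven hunt over constructed proxy and NetFlow records, added here as an example and not part of the original post: it flags User-Agent strings seen from only one client and sources sending far more data than their peers. The log format, sample values and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample proxy log lines (client_ip, method, url, status, user_agent); not real traffic.
PROXY_LOGS = """\
10.0.0.5 GET http://intranet.example/home 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
10.0.0.6 GET http://intranet.example/home 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
10.0.0.7 GET http://news.example/feed 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
10.0.0.8 GET http://news.example/feed 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
10.0.0.9 POST http://203.0.113.44/upload 200 "python-requests/2.31"
10.0.0.9 POST http://203.0.113.44/upload 200 "python-requests/2.31"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def rare_user_agents(log_text, max_hosts=1):
    """Return {user_agent: [client_ips]} for UAs seen from at most max_hosts distinct clients."""
    ua_hosts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        client, _method, _url, _status, ua = m.groups()
        ua_hosts[ua].add(client)
    return {ua: sorted(h) for ua, h in ua_hosts.items() if len(h) <= max_hosts}

# Constructed NetFlow-style records: (src_ip, dst_ip, bytes_out).
FLOWS = [
    ("10.0.0.5", "198.51.100.10", 120_000),
    ("10.0.0.6", "198.51.100.10", 95_000),
    ("10.0.0.7", "198.51.100.11", 130_000),
    ("10.0.0.8", "198.51.100.11", 110_000),
    ("10.0.0.9", "203.0.113.44", 4_800_000_000),
]

def heavy_senders(flows, factor=10):
    """Sum bytes_out per source; flag sources sending more than factor x the median of the others."""
    totals = Counter()
    for src, _dst, nbytes in flows:
        totals[src] += nbytes
    flagged = {}
    for src, total in totals.items():
        others = sorted(v for s, v in totals.items() if s != src)
        if not others:
            continue
        median = others[len(others) // 2]
        if total > factor * median:
            flagged[src] = total
    return flagged
```

Both functions return the candidates for a hunter to investigate; the same client shows up in each view here, which is the kind of overlap a hybrid hunt looks for.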


Tools used for threat research.

  • There are some tools available which can help you with advanced-level threat hunting. Some of them are mentioned below:
    1. Alexa site 
    2. Maltego CE
    3. Cuckoo sandbox
    4. Automater
    5. YARA
    6. CrowdFMs
    7. Botscout
    8. Machinae
    9. Yeti
    10. Sqrrl, etc.


What is Sqrrl? How to use it?
  • Sqrrl is an advanced threat hunting tool. It is an automated tool with some inbuilt features.

  • Some of the features are as below:
    1. Extensible risk framework:
      • Sqrrl provides a view of risky activity across the organization. Using Risk Triggers, Sqrrl can calculate risk scores on every user, IP address, host, and domain inside the organization by fusing together Sqrrl's analytics with external sources of risk such as SIEM alerts, threat intelligence, and vulnerability scans.
    2. Risk Timeline:
      • Risky activity is now displayed as a timeline on each user, asset, and entity to provide analysts with a view of how risk and security postures are evolving over time.
    3. Streamlined link analysis:
      • The enhanced interface makes it much easier for analysts to pivot through data, build attack narratives more quickly, and enables more junior analysts to take on advanced hunting.
    4. Simplified graph data extraction:
      • Improvements to the backend of Sqrrl's Security Behavior Graph enable security architects to more easily extract the most important fields needed for hunting from incoming data feeds and automatically fuse those fields into hunting data models. This enables organizations to integrate new datasets more quickly and spend more time on hunting and less time on data modeling.
    5. Integration of Threat Intelligence feeds:
      • Threat intelligence data across multiple sources can easily be populated into Sqrrl's Security Behavior Graph, enabling analysts to track the most recent indicator hits and develop risk triggers that translate intel into tailored insights.
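An illustration of the risk-trigger and risk-timeline ideas above in plain Python, added here and not Sqrrl's own code or API: signals from analytics, SIEM alerts, threat intel and vulnerability scans are fused into one score per entity and a per-day timeline. The signals, trigger weights and entity names are constructed.

```python
from collections import defaultdict

# Constructed signals about entities (not Sqrrl data): (day, entity, source, detail).
SIGNALS = [
    (1, "host:ws-042", "vuln_scan",    "critical vulnerability unpatched"),
    (2, "user:alice",  "analytics",    "logon from new country"),
    (2, "host:ws-042", "siem_alert",   "AV quarantined dropper"),
    (3, "host:ws-042", "threat_intel", "connection to listed C2 domain"),
    (3, "user:alice",  "siem_alert",   "5 failed logons then success"),
]

# Risk triggers: how much each source contributes to an entity's score (assumed weights).
TRIGGER_WEIGHTS = {"threat_intel": 40, "siem_alert": 25, "vuln_scan": 15, "analytics": 10}

def risk_scores(signals, weights=TRIGGER_WEIGHTS):
    """Fuse all signals into one score per entity, capped at 100."""
    scores = defaultdict(int)
    for _day, entity, source, _detail in signals:
        scores[entity] = min(100, scores[entity] + weights.get(source, 0))
    return dict(scores)

def risk_timeline(signals, entity, weights=TRIGGER_WEIGHTS):
    """Cumulative score per day for one entity, showing how its risk evolved."""
    by_day = defaultdict(int)
    for day, ent, source, _detail in signals:
        if ent == entity:
            by_day[day] += weights.get(source, 0)
    timeline, running = [], 0
    for day in sorted(by_day):
        running = min(100, running + by_day[day])
        timeline.append((day, running))
    return timeline

def top_risks(signals, n=3):
    """Entities ranked by score, highest first: the hunter's starting queue."""
    return sorted(risk_scores(signals).items(), key=lambda kv: -kv[1])[:n]
```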
 
