Just like your sock drawer or attic, your network can hide some pretty nasty surprises over time, especially as attackers become more sophisticated and stealthy advanced persistent threats (APTs) proliferate. What better time than spring to start a threat-hunting expedition?
New data from Crowd Research Partners suggests now is a good time to start. More than 80% of cybersecurity professionals said the number of threats against their networks doubled in the past 12 months, with the majority (94%) feeling less than confident in their ability to discover advanced threats. With threat hunting cutting time-to-discovery in half and accelerating investigation times by 42%, it’s no wonder that four-fifths of respondents say threat hunting will be a top security initiative in 2017.
Telltale Indicators of Compromise
With threat hunting, security teams take as a given that a successful attacker is already hiding in the network, and proactively search for telltale indicators of compromise (IoCs) to help them pinpoint and eradicate the threat. Examples of such IoCs include:
- Failed logon attempts: A burst of failed logons is a telltale sign of a brute-force password attack, where attackers combine predictable network logins (first initial and last name) with automated password-cracking tools to guess their way to a working combination.
- Explicit credentials: Kicking off an alert when a user tries to connect to a system or run a program locally with alternate credentials is a good way to uncover attacks that have compromised one system and are attempting to move laterally for more lucrative spoils.
- Privilege changes: While this can happen in the normal course of work for an IT admin, regular users don’t and shouldn’t need to escalate privileges (only attackers do).
- Suspicious site visits: If a handful of endpoints suddenly start visiting a single web site that has never been seen in your traffic before, it could be a sign that they are communicating with an attacker’s command-and-control infrastructure.
- Low and slow connections: Attackers know that siphoning off huge volumes of data at once attracts attention, so many adopt a low and slow strategy to fly under the security radar. Hunting for these connections often uncovers beaconing and other malicious traffic.
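Two of these heuristics, failed-logon bursts and regular-interval "low and slow" connections, written out as a small Python hunt over constructed log events. This is an added example, not code from the original article or from any Fortinet or Resilient product; the event tuple layout, host names, users and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (timestamp_seconds, event_type, user, src_host, dst)
EVENTS = [
    # brute force: a dozen failed logons for one account from one host inside a minute
    *[(1000 + i * 3, "logon_failed", "jsmith", "ws-17", "dc01") for i in range(12)],
    (1040, "logon_success", "jsmith", "ws-17", "dc01"),
    # an ordinary user who mistyped a password once
    (1005, "logon_failed", "amiller", "ws-03", "dc01"),
    # beaconing: ws-17 contacts one external host every 300 seconds
    *[(2000 + i * 300, "conn", "jsmith", "ws-17", "203.0.113.45:443") for i in range(8)],
    # irregular, short-lived browsing from another host
    (2010, "conn", "amiller", "ws-03", "198.51.100.7:443"),
    (2015, "conn", "amiller", "ws-03", "198.51.100.7:443"),
    (2600, "conn", "amiller", "ws-03", "198.51.100.7:443"),
]

def find_bruteforce(events, window=60, threshold=10):
    """Return (user, src) pairs with >= threshold failed logons inside any window of seconds."""
    fails = defaultdict(list)
    for ts, kind, user, src, _ in events:
        if kind == "logon_failed":
            fails[(user, src)].append(ts)
    hits = set()
    for key, times in fails.items():
        times.sort()
        lo = 0  # sliding window over sorted timestamps
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(key)
                break
    return hits

def find_beacons(events, min_conns=6, max_jitter=0.1):
    """Return (src, dst) pairs whose connection intervals are near-constant, i.e. beacon-like."""
    conns = defaultdict(list)
    for ts, kind, _, src, dst in events:
        if kind == "conn":
            conns[(src, dst)].append(ts)
    hits = set()
    for key, times in conns.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # coefficient of variation of the gaps: near zero means a fixed beacon period
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.add(key)
    return hits
```

In a real SIEM the same two queries run over authentication and proxy/firewall logs; the thresholds here are deliberately low so the constructed data trips them.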
Threat Hunting Tools
Collecting logs from across the environment, correlating them and alerting on such anomalies is easier said than done. Smart security teams invest in:
- SIEM: You can’t hunt without the right data. SIEMs are designed to collect disparate logs and data from various network and security tools and correlate the alerts to help surface anomalies and potential threats.
- Threat assessments: It’s tough to pinpoint threats if you don’t first have a good handle on your critical data, vulnerabilities and potential adversaries. A good threat assessment, combined with database-driven actionable intelligence, ensures you focus on what’s important and stay one step ahead of the threats.
Our partner Fortinet can help. Its Cyber Threat Assessment Program can evaluate a distributed network end-to-end, uncover IoCs and provide a blueprint for reducing risks. In addition, Fortinet’s Security Fabric architecture integrates Fortinet’s FortiSIEM and other security tools onto a platform that proactively shares threat intelligence and automatically and collaboratively responds. Together, they ensure you uncover even the stealthiest threats before they wreak havoc on your network.
As a partner of Fortinet, Resilient has the expertise you need to operationalize your threat assessment, create a strong threat-hunting program and effectively sweep away threats from your environment.