Spring Cleaning Threat Hunt — What to Weed Out

By 04/03/2017Security, SIEM

spring-cleanNow that the weather is warmer, spring fever has many folks tidying up.

When it comes to cybersecurity, a bit of spring cleaning is always good practice. It’s the perfect time to hone your threat-hunting skills to weed the bad guys who’ve been lurking in the background.

Threat Hunting Tops Security Agendas

The rising number, velocity and evasiveness of threats have motivated security teams to move proactive threat hunting to the top of their agendas.

According to the 2016 Verizon Data Breach Investigations Report (DBIR), 80% of respondents say it takes weeks or longer to discover a breach, with 7% of breaches going undetected for over a year. With DBIR showing that most attacks exploit known vulnerabilities, the wisdom of hunting and eliminating threats becomes clear.

Threat Hunting Benefits

Threat hunting offers numerous benefits from improved threat detection to the rapid identification, containment and analysis of potential problems. Achieving these goals takes a combination of data and human ingenuity and patience. Where do you start?

In a constantly evolving threat landscape, it helps first to perform a cyber threat assessment. This gives you a baseline inventory of network assets, risks and vulnerabilities so teams can focus on the threats that matter.

You’ll also want actionable SIEM (Security Information & Event Management) data. We recommend a SIEM platform that can cross-correlate analytics from diverse information sources such as proxy and anti-virus logs, performance metrics, SNMP Traps, security alerts and configuration changes.

What to Look For On the Hunt

Start with identifying and investigating suspicious-type activities in logs. Pay specific attention to:

  • Low and slow connections: Are there exfiltration patterns in the data?
  • Bytes in and out: Are there network connections with the same number of bytes in and out on a daily basis?
  • Identify DNS outliers: Are just one or two machines out of a thousand visiting the same site?

While there might be other explanations for these occurrences, they provide a good threat-hunting starting point.

Windows Logs offer another great hunting ground. When investigating key Windows events, keep an eye out for failed logon attempts, explicit credentials, and privilege changes.

Note specific log clearing, application crashes and hangs, and Windows Defender errors as well. You’ll also want to mine your AV logs for dropper programs, common backdoors, and password dumping programs to round out the investigation.

Fortinet’s FortiSIEM is Key to a Successful Hunt

When it comes to keeping your network secure, there’s no better time than the present to start hunting down threats.

Organizations must continuously investigate and evaluate their threat environments, adjust inputs and update use cases to ensure they are using threat data effectively.

Our partner Fortinet, offers a free online cyber threat assessment to give you a snapshot of your threat landscape. Fortinet’s industry-leading FortiSIEM offers patented real-time collection and correlation of even the most complex threat data, so you can launch your threat hunt from a position of knowledge.

By bringing together analytics traditionally monitored in separate silos, FortiSIEM provides a more holistic view of the threat intelligence available to your organization.

A partner of Fortinet, Xiologix can help you plan and execute a successful, spring cleaning threat hunt. Contact us.

Leave a Reply