The Human Aspect of Threat Hunting

By Keith Chew

We all have access to a plethora of network and endpoint security tools.

Many of these tools are designed to automate the security and defenses of our networks and devices by identifying signatures, processes, and methods of compromise that have been witnessed and discovered over time. We have our history documented, and these tools are effective at applying that knowledge towards protecting against similar events; but what about our future as attackers continue to innovate?

The question should be asked: “How did we discover these things that security software is designed to detect?”

I believe there are two answers to this question: 1) purely by accident, which in most cases is much too late… or 2) by actively threat hunting the network, leading to the discovery of the unknown. Barring the ability to mind read or otherwise predict the actions of those who would violate our spaces for profit, going forward, our mission should be to equally defend, actively seek, and eliminate as many network threats as we can.

This requires taking charge and implementing active human threat hunting. The most effective and holistic threat hunting starts with having a complete picture of the network and all the data. This entails collecting all network communication data arriving to and departing from the external perimeter of the network. Collecting all communications at the perimeter eliminates any potential blind spots created by internal network configurations, software, devices, switches, and/or routers. This provides you with records of all communications entering and leaving your network, without exception, from every device that can communicate between your network and the internet.

At a basic level, any compromised device (regardless of how it was initially compromised) needs to communicate to the outside world, either to receive instructions from the attacker or to exfiltrate data. It is through these communications and patterns we are attempting to identify threats that may have evaded security software detection by manual or automated means.

So, what are you looking for? As an analyst, there are many indicators of compromise to be mindful of and search for, but if it had to be boiled down to one thing, you are looking for anything out of the ordinary. An efficient threat hunter is one who is familiar with normal network activities that transpire on a daily basis, knowing what is ordinary and how to recognize anomalies. Examples of this could be, “Should the workstation used by Frank in HR be querying 2000+ unique subdomains of a root domain each day?” or “Should the postage meter used by the accounting department be establishing repeated short connections to an unknown host located in a hostile foreign country every 30-50 seconds?” Probably not. If you cannot justify a legitimate business need for these connections, why is it happening?
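The two anomalies described above (a workstation resolving thousands of unique subdomains under one root domain, and a device making short, evenly spaced connections to one external host) can both be scored directly from connection and DNS records. The following is an added example written for this article, not code from the author or from RITA or AC-Hunter; the log records are constructed inline, and the thresholds (2000 subdomains, 20 connections, a coefficient of variation of 0.1 on the interval) are assumptions chosen to match the figures in the text, not tool defaults.

```python
"""Flag two anomaly types over constructed DNS and connection records:
1) one source querying an unusual number of unique subdomains of a root domain
2) one source/destination pair with regular, short, repeated connections (beaconing)
Hypothetical example; thresholds are assumptions, not RITA or AC-Hunter defaults."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS queries: (source_ip, queried_name)
DNS_QUERIES = [("10.0.5.23", f"h{i:04d}.updates.example.net") for i in range(2500)]
DNS_QUERIES += [("10.0.5.24", n) for n in
                ("www.example.com", "mail.example.com", "cdn.example.com")]

# Constructed sample connection records: (timestamp_s, source_ip, dest_ip, duration_s)
CONNS = []
_t = 0.0
for _i in range(40):
    # a printer-like host talking to one external address every ~40 s for 0.3 s
    CONNS.append((_t, "10.0.9.7", "203.0.113.44", 0.3))
    _t += 40.0 + (_i % 3)  # slight jitter: 40, 41, 42 s between connections
# a normal host: two long sessions to an external address, hours apart
CONNS += [(100.0, "10.0.5.24", "198.51.100.10", 120.0),
          (3000.0, "10.0.5.24", "198.51.100.10", 95.0)]


def root_domain(name):
    """Naive root-domain extraction: last two labels (assumption; a real
    implementation would consult the public suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def unique_subdomains_per_root(queries):
    """Map (source_ip, root_domain) to the set of distinct names queried below it."""
    seen = defaultdict(set)
    for src, name in queries:
        root = root_domain(name)
        if name.lower() != root:  # only count names strictly below the root
            seen[(src, root)].add(name.lower())
    return seen


def subdomain_alerts(queries, threshold=2000):
    """Return (source_ip, root_domain, count) for sources above the threshold."""
    return sorted((src, root, len(names))
                  for (src, root), names in unique_subdomains_per_root(queries).items()
                  if len(names) >= threshold)


def beacon_candidates(conns, min_conns=20, max_cv=0.1, max_duration=5.0):
    """Score each (src, dst) pair by the regularity of its connection intervals.

    A low coefficient of variation (pstdev / mean) on the gaps between
    consecutive connections, combined with short durations, is the
    "repeated short connections every N seconds" pattern to investigate."""
    by_pair = defaultdict(list)
    for ts, src, dst, dur in conns:
        by_pair[(src, dst)].append((ts, dur))
    results = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_conns:
            continue
        recs.sort()
        intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        m = mean(intervals)
        cv = pstdev(intervals) / m if m else float("inf")
        avg_dur = mean([d for _, d in recs])
        if cv <= max_cv and avg_dur <= max_duration:
            results.append({"src": src, "dst": dst, "count": len(recs),
                            "mean_interval": round(m, 1), "cv": round(cv, 3)})
    return results


if __name__ == "__main__":
    for src, root, n in subdomain_alerts(DNS_QUERIES):
        print(f"[subdomains] {src} queried {n} unique names under {root}")
    for hit in beacon_candidates(CONNS):
        print(f"[beacon] {hit['src']} -> {hit['dst']}: {hit['count']} conns, "
              f"every {hit['mean_interval']}s (cv={hit['cv']})")
```

Both functions return the flagged pairs rather than verdicts: the analyst still has to answer the question the text poses, whether there is a legitimate business reason for that host to behave this way. Note that the interval check deliberately tolerates small jitter, since a fixed sleep with a few seconds of variation is still highly regular compared with human-driven traffic.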

But… wow, a complete rolling network traffic capture generates mountains of data. How are you supposed to sift through all of this data to find potential threats? Surely none of us have the time to analyze network logs line-by-line. Fortunately, we all also have access to software tools such as RITA and AC-Hunter. These tools analyze, correlate, and categorize raw network communications to continuously identify potentially malicious and anomalous communication behaviors, and they bring those communication pairs to the top for a human analyst to investigate and verify, or escalate as a further threat.

There are many valuable network security tools available to us. Wouldn’t it be wonderful to implement these tools on our networks and then just sit back, waiting for a red light to start spinning if there’s an issue, calling us to action? As much as we all want that, we are not there yet. We may never be.

A strong security posture requires engagement and is accomplished through a combination of effective security tools, automation, and active threat hunting by trained human eyes. This is the methodology we follow at Black Hills Information Security in our Active SOC and Hunt Team Operations Center.

Technology and tools are valuable assets, but the human analyst is invaluable.

HAPPY HUNTING!
