On June 26, Kyle Link, Architect of Cyber Research & Response at Difenda, gave a demonstration and presentation of Difenda’s live cybersecurity threat-hunting approach. In this webinar, Kyle started at the surface before delving into the deep layers of how Difenda combines intelligence, automation, and incident response to mitigate cyber threats every day.

Kyle breaks everything down in an easily understandable way, but here are some of the key takeaway highlights that underline the critical parts of the process.

Threat Hunting Introduction

Difenda uses a proactive process called threat hunting to search for active signs of suspicious or malicious activity in a protected system or network.

Unlike real-time response, the goal of a threat hunt is to actively search, detect, and mitigate cyber threats before they become something bigger. Like any good hunt, it requires information about the target, the terrain, and the right tools for the job. This means that every tool and technology brought on the hunt only functions as well as the data that can be gathered.

Threat hunters utilize a variety of techniques, including:

  • Searching: This technique is one of the simplest and most straightforward. As the name implies, it prioritizes searching through the data with clearly defined criteria. It is most useful when a threat hunter already has an idea in mind since searching too broadly will produce unhelpful results that make it harder to gain clues for the investigation.
  • Least Frequent of Occurrence: Threat hunters look for occurrences in network or system data that happen rarely. Because this method readily surfaces outliers, bringing the least frequent occurrences to the front of the queue can be an efficient way to hunt.
  • Stacking: By utilizing a technique known as stack counting, each artifact of a given type is tallied and the resulting counts are compared. This technique has limited use on large data sets but is most effective for hunts with a limited result set, where suspicious artifacts can be more easily counted.
  • Grouping: When hunting with the help of a grouping technique, multiple artifacts are combined with an emphasis on identifying them based on their shared characteristics. By comparing the status of an identifiable group with a baseline, it is possible to hunt for multiple threat signs at once.
  • Clustering: A threat hunter employing a clustering technique deals with statistics, percentages, and likelihoods to separate suspicious activity from groups in the data. Machine learning and automation play a key role in clustering, as it is critical to nail down data tendencies of large groups of data points to spot when uncommon behavior could be a result of a suspicious occurrence.
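The searching, stacking, least-frequent-occurrence and grouping techniques above, shown as an added example (not code from Difenda or the webinar) over a constructed set of endpoint process-creation events; the hostnames, process names and the baseline are all made up for illustration:

```python
from collections import Counter, defaultdict

# Constructed sample of endpoint process-creation events (not real telemetry):
# (host, parent_process, child_process)
EVENTS = [
    ("ws01", "explorer.exe", "outlook.exe"),
    ("ws01", "explorer.exe", "chrome.exe"),
    ("ws02", "explorer.exe", "outlook.exe"),
    ("ws02", "explorer.exe", "chrome.exe"),
    ("ws03", "explorer.exe", "outlook.exe"),
    ("ws03", "explorer.exe", "chrome.exe"),
    ("ws03", "outlook.exe", "powershell.exe"),   # mail client spawning a shell: unusual
    ("ws04", "explorer.exe", "outlook.exe"),
    ("ws04", "services.exe", "svchost.exe"),     # rare in this sample, but benign
    ("ws04", "winword.exe", "cmd.exe"),          # office app spawning a shell: unusual
]

# Constructed known-good parent->child pairs for this environment (grouping baseline).
BASELINE = {
    ("explorer.exe", "outlook.exe"),
    ("explorer.exe", "chrome.exe"),
    ("services.exe", "svchost.exe"),
}

def search(events, predicate):
    """Searching: return events that match clearly defined criteria."""
    return [e for e in events if predicate(e)]

def stack_count(events, key):
    """Stacking: count how often each value of `key` (e.g. child process) occurs."""
    return Counter(key(e) for e in events)

def least_frequent(events, key, max_hosts=1):
    """Least-frequent-occurrence: values of `key` seen on at most `max_hosts` hosts."""
    hosts = defaultdict(set)
    for e in events:
        hosts[key(e)].add(e[0])
    return sorted(v for v, h in hosts.items() if len(h) <= max_hosts)

def group_vs_baseline(events, baseline):
    """Grouping: per-host set of parent->child pairs, reporting only pairs absent from baseline.
    Unlike least_frequent, this does not flag rare-but-baselined pairs such as services->svchost."""
    per_host = defaultdict(set)
    for host, parent, child in events:
        per_host[host].add((parent, child))
    return {h: sorted(p - baseline) for h, p in per_host.items() if p - baseline}

if __name__ == "__main__":
    print(search(EVENTS, lambda e: e[2] in ("powershell.exe", "cmd.exe")))
    print(stack_count(EVENTS, lambda e: e[2]).most_common())
    print(least_frequent(EVENTS, lambda e: (e[1], e[2])))
    print(group_vs_baseline(EVENTS, BASELINE))
```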

Importance of Threat Hunting

If someone already has 24/7 threat protection and response services, they might wonder just how important a proactive process like threat hunting is.

The answer to this question lies in the limitations of defensive security solutions, which threat actors are becoming increasingly proficient at defeating.

“As threat actors discover limitations of security solutions, they become adept at evading and leveraging techniques that historically would be classified as benign,” said Kyle. “Establishing a scheduled cadence of threat hunts or implementing procedural hunts… will reduce the impact of [poor practices or weaknesses in protections.]”

Having a results-driven hunting methodology is important, and Difenda uses tools that strengthen the ability of humans and automation to work together, through analytic rules and alerting that can catch mistakes across all groups.

Difenda’s Threat Hunting Methodology

Difenda utilizes a three-phased approach of planning, hunting, and then reporting with its threat intelligence analysts, where hypotheses are researched and understood as more hunts are executed within the same system.

Phase One: Planning – The first phase is known as the planning phase. During this early stage, teams meet internally to figure out which intelligence to prioritize. Using the North American Industry Classification System (NAICS), customers are split into different pools based on industry. This allows customer intelligence to be sorted by relevance ahead of the hunt. It is also during this phase that the hunt type is determined, which sets the sophistication of the hunt according to where the customer sits in the threat hunting maturity model.

Phase Two: Hunting – After the groundwork is laid, the next step is to execute the hunt by crafting a hunting query based on the number of available data sets. Threat-hunting teams use various tools, including Microsoft Defender for Endpoint, to set up advanced hunts where the goal is to narrow down false positives through a six-cycle process of execution, review, baseline, and repeat. Hunts come in different forms whose complexity will vary based on the output type.

Phase Three: Reporting – In the final reporting phase, hunt teams will compile an overview report of the intelligence information. The data will contain information that is easily filtered and flagged for notable hits by the threat hunter.

Types of Hunts

There are three types of hunts typically executed, which get more sophisticated as they go.

  • Lightning Hunts: With a lightning hunt, the goal is to search for key compromise indicators on a weekly cadence in a short amount of time, usually less than a day. The impetus for a lightning hunt can vary, but they are typically started by security alerts to hunters that prompt a deeper investigation.
  • Customer-Requested: As the name suggests, these hunts are requested by a customer or representative analyst, typically requiring a medium effort of more than three days of investigation. These are more conventional hunts that use multiple industry-standard hunting techniques and can be opened by customers and their internal team members.
  • Structured: A structured hunt is a fully planned, researched, and targeted procedural hunt that involves a high level of data collection before the hunt can be executed. These hunts typically take over 30 days of investigation before producing a Threat Hunt Assessment Report.

Threat Hunting Maturity Model

One critical step in the hunt planning process is determining a customer’s hunting maturity level through a model, to decide which hunt outputs are appropriate. Organizations need to be built up systematically so that more sophisticated threat detection becomes possible and hunters can expand their capabilities.

“Each maturity level is a guide to sort of confirm the level of sophisticated threats you can identify,” said Kyle. “Each environment has its own quirks and personalities. Customers have different reporting needs, different tech stacks, different tools, and tons of similarities and differences.”

Difenda does this through a progressive model, with each level enabling deeper capabilities for the effectiveness of threat hunts.

Difenda’s Approach to Copilot for Security

A new, important piece of Difenda’s cyber threat-hunting approach is the integration of Microsoft’s Copilot for Security.

In October last year, Difenda joined the partner preview program for Microsoft Copilot for Security, giving it a head start on integrating the technology into its services.

The demonstration showed how prompting with just a single input into a provided prompt book hooked into Microsoft Defender Threat Intelligence can quickly generate an executive profile summary, description, and threat analytics for devices associated with the profile.

Using Microsoft Copilot for Security, Difenda can largely automate the starting steps in preparation for a threat hunt. The process also provides a list of recommendations and mitigations that organizations can use to protect against threats.

With Copilot for Security, a majority of the successful data analysis procedures in a threat hunt can now be automated. This automation requires a high or very high level of routine data collection.

On the topic of Copilot, Kyle relayed to the webinar audience the potential for time being saved, a critical element in dealing with cybersecurity threats.

“So as you can see, something that normally might have taken a few days from intelligence collection to aggregation, making it actionable, can be automated to a certain extent by Copilot for Security. We’re looking at 2 days producing it down to about 15 minutes.”

Goals for Copilot for Security

Kyle dreams of a “universe that includes hunters identifying malicious activity with each hunt that is run.” However, according to Kyle, this universe is not yet a reality.

“More often than not, as threats are executed, findings that are uncovered are less than glorious, which is good for our customers but maybe disappointing for the hunter,” said Kyle.

In the future, Kyle hopes that Copilot can stand next to his cybersecurity coworkers in terms of the quality of content they can produce but emphasizes that humans must always be kept in the loop.

“Of course, the content that’s being created is not nearly as sophisticated as what my coworkers would present, but it’s getting there. So as time progresses, we’ll get better here,” said Kyle. “Anything that’s generated by Copilot for Security will require review. You have to confirm accuracy. Don’t ask questions and then blindly trust it.”

Be sure to check out Difenda’s Threat Hunting as a Service (HaaS)!