Getting a start on cyber threat hunting

In this age of advanced persistent threats, waiting for traditional threat management solutions like IDS and SIEM to flag incidents and threats is simply not enough anymore.

cyber threat hunting

“We live in a world where the adversaries will persist in getting into an organizations environment, and they only have to be successful once. And, on average, companies are breached for more than 200 days before they realize they are compromised,” notes Mark Terenzoni, CEO at Sqrrl, a company dedicated to simplifying effective cyber threat hunting.

Its threat hunting platform, Sqrrl Enterprise, has made the company a prominent name in the cybersecurity field. Threat hunting is steadily receiving more and more attention now that everyone wants to move away from a reactive posture and towards a proactive hunting methodology.

“Most experienced teams we talk to have the same challenges. They lack the ability to bring the full spectrum of enterprise data to bear, and they lack context and unification of their environment. They spend most of their time wrangling data to gain a level of situational awareness,” Terenzoni explains.

This is where Sqrrl’s threat hunting platform comes in: it performs the heavy lifting by unifying network, endpoint, identity, web and threat intelligence into a single connected view via Sqrrl’s unique Security Behavior Graph.

cyber threat hunting

Get a clear view of all the events that transpired

“Our machine learning algorithms, combined with link analysis and advanced visualizations, help analysts detect anomalous behaviors and prioritize them before the incident becomes a significant breach,” he says. “In short, we target adversarial behavior and proactively hunt threats with advanced tools and disrupt their ability to do significant damage.”

The building blocks of threat hunting

Most cyber adversaries today are continually changing their techniques, and that’s why threat hunting is an important part of a modern security operation.

In order to hunt there are three important prerequisites that should be in place:

  • Log collection infrastructure to collect network and endpoint data
  • Analysts that have interest in hunting
  • Analytic, search, and visualization tools to assist the hunters.

“CISOs that are looking into setting up a new threat hunting team would do well to start immediately”, Terenzoni advises. The company has created a hunting maturity model that shows how organizations can gain value by hunting at any maturity level their SOC team is currently at.

cyber threat hunting

The Hunting Maturity Model (HMM)

And, of course, selecting the right tools that will grow with their organization’s maturity is crucial.

“Point products that just provide data are not the answer,” he notes. “Yes, threat hunting is all about drawing conclusions from evidence, and evidence means data. But having all the data in the world won’t help you if it’s buried across disconnected silos and doesn’t allow you to see the covert connections that indicate a hidden threat.”

Sqrrl Enterprise can change the way incident response teams work for the better.

“Incident response is an ongoing activity, and at every SOC there are many incident investigations going on at the same time. Some take a day and some several months to complete. The result in 90 percent of cases is an analyst bringing their findings to a CISO in the form of the root cause identified in a set of logs,” Terenzoni points out.

“Naturally, the CISO asks the analyst: ‘We had the information, so why didn’t we identify it before it was too late?’ This is where Sqrrl excels: we can identify those details in logs before they become incidents. But it also helps with incident response, shaving IR times by an order of magnitude.”

The right tools

Sqrrl Enterprise can be integrated with all the major SIEMs and can complement them.

Instead of a flat data model that allows only searches across a single dataset at a time, threat hunters and security analysts will then get a linked data model in the form of a Behavior Graph, showing a complete and explorable picture of the entities within the organization’s network and the relationships between them.

Sqrrl’s Hadoop and Spark-based architecture is designed to support heavy duty machine learning algorithms that can crunch through petabytes of data and detect subtle anomalies and kill chain behaviors that SIEMs miss. Not only that: its graph algorithms can look for connected series of anomalies.

“For example, Sqrrl’s lateral movement detector first uses an unsupervised machine learning algorithm to look for suspicious login events and then uses a multi-hop graph algorithm to chain those login events into predicted lateral movement pathways. By looking for connected series of anomalies using graph algorithms, Sqrrl is more accurate in its detections because connected series of anomalies are rarer than a single anomaly,” Terenzoni explains.

cyber threat hunting

Find answers faster with all of your data in one place

Sqrrl also supports user-generated analytics via its Risk Trigger framework. After a successful hunt, analysts identify patterns of behavior they want the solution to look for continuously. They can create Risk Triggers, which use Sqrrl’s graph query syntax to automatically find patterns, and then they can embed advanced anomaly detection capabilities into the triggers – without actually having to write any code.

Another plus is Sqrrl’s capability to automatically record every step that an analyst takes during a hunt or investigation, allowing other analysts to learn from it or to quickly get up to speed if they are tasked with continuing the hunt or investigation.

Finally, Sqrrl is designed to simplify various types of hunts even for the most inexperienced analysts. For analysts who not sure how to choose a hunting starting point or how to pivot through the various datasets, Sqrrl provides clear indication and guidance, and offers a comprehensive list of predefined search pathways and hunt playbooks.