Organizations often don’t realize they’ve been breached, giving malicious actors the freedom to dwell in their network undetected for weeks or months at a time, collecting data and other confidential information.
Threat hunting is a proactive incident response service that offers a way to seek out cyber threats that may be lurking in your organization’s network and reduce attacker dwell time.
Threat Hunting Speeds Up Cyber Incident Investigations
Threat hunting reduces investigation time as security teams dig deep to find malicious content or compromised hosts by actively collecting packet captures, logs, and more – all of which can speed up investigations after an incident is found.
Threat hunters seek out known attack vectors to see if they have been leveraged against an organization and provide insight as to whether the organization might fall victim to that particular method if they haven’t already.
We use machine learning and artificial intelligence (AI) technology to identify malicious code without relying on signature-based detection, and we provide memory protection. Our SOC uses the endpoint detection and response (EDR) functionality to proactively isolate machines and prevent lateral movement of malicious activity without having to physically touch the machine.
How Does Threat Hunting Work?
Threat hunting works by:
- Monitoring the network for indicators of compromise and anomalous activity
- Identifying malicious activity observed on the network
- Isolating endpoints to prevent lateral movement and malicious communications
- Advising on the removal of damaging materials left by attacks/attackers
We start with a multi-phased, detailed assessment to understand your risks and identify a clear path to proactively strengthening your security posture.
Design & Scoping
The first step of our threat hunting assessment process is to gather intelligence, starting with a scoping call. This allows us to identify users on the network, points of escalation, and the management of systems and defines the endpoint monitoring strategy and scope of services.
The implementation phase consists of several steps. Our cybersecurity experts first set up cloud-hosted servers for EDR and the next-generation EPP tool.
Then we create user accounts in a Single Sign-on (SSO) platform using two-factor authentication for an added layer of security. Next, we define users, notification schedules, and escalation paths.
During deployment, our team hosts a call with your SOC team to provide installation scripts and validate your access to our SSO solution. We educate and train your users on our MDR tools, tactics, and procedures.
And as various cybersecurity tools are deployed in your organization’s environment, you’ll receive events and alerts in ZTAP (our zero-trust analytics platform) as they go live.
Environment Baselining and Tuning
All security events are funneled through our ZTAP zero-trust engine. This step uses human-supervised machine learning and applies global filters based on events identified as “known good.”
During the second part of the tuning process, events that do not meet the known-good criteria will appear in the incident queue for the SOC to triage, investigate, and/or escalate.
We then identify internal applications that are triggering security alerts, apply advanced filtering, and remove the authorized activity from the incident queue. This enables internal applications to be used while still monitoring and investigating unauthorized and/or unknown activity from these applications.
Malware Detection and Threat Hunting
Leveraging next-gen EDR and EPP tools, we evaluate malicious executables to prevent sophisticated malware attacks. These include:
We also evaluate scripts and memory exploits identified as malicious by our EDR/EPP tools. This can include:
- Encrypted PowerShell
- Client-authorized scripts in the environment
- Attempted memory exploits on endpoints
- Other scripts in various languages run in the customer environment
Our SOC analysts begin investigating once suspicious or malicious activity is identified by EDR. Investigation identifies malicious or suspicious files based on unique indicators of compromise and/or MD5 hashes.
One thing our investigations look for is suspicious communications behavior with devices outside of the customer network, such as botnet activity, command and control, and remote access. This includes communication with known malicious IP addresses and domains.
We also investigate suspicious behavior by both known and unknown applications within the environment. This includes command execution, system calls, and the location of the application and any child processes involved.
Our security team looks for unique behaviors from known parent processes such as Acrobat, Java, Word, Chrome, and the command line. Additionally, we identify unique child processes and use of PowerShell along with unique file persistence in Windows Services and Tasks.
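As an added illustration of the parent/child-process, encoded-PowerShell, banned-hash and Services/Tasks persistence checks described above (example code written for this page, not CRITICALSTART's own tooling), this Python triage routine runs those heuristics over a few constructed process-creation events; the parent and script-host lists, event field names and hash values are assumptions, and the "encrypted PowerShell" from the list above is treated as PowerShell's -EncodedCommand switch.

```python
"""Triage heuristics over constructed endpoint process-creation events: unusual
children of the parents the page names (Acrobat, Java, Word, Chrome, cmd), encoded
PowerShell, a banned-hash match, and persistence via Windows Services/Tasks."""
import base64

WATCHED_PARENTS = {"acrord32.exe", "java.exe", "winword.exe", "chrome.exe", "cmd.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BANNED_MD5 = {"0" * 32}  # constructed placeholder for the SOC's banned-hash list

def decode_encoded_powershell(cmdline):
    """Return the script behind -EncodedCommand (or any prefix such as -enc), else None."""
    args = cmdline.split()
    for i, arg in enumerate(args[:-1]):
        flag = arg.lower().lstrip("-/")
        if flag and "encodedcommand".startswith(flag):
            try:  # PowerShell encodes the script as base64 of UTF-16LE text
                return base64.b64decode(args[i + 1]).decode("utf-16-le")
            except ValueError:  # malformed payload: nothing to show the analyst
                return None
    return None

def triage(event):
    """Return the reasons an analyst should escalate this event (empty list = no hit)."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    child = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event.get("cmdline", "")
    low = cmd.lower()
    reasons = []
    if event.get("md5", "").lower() in BANNED_MD5:
        reasons.append("banned hash")
    if parent in WATCHED_PARENTS and child in SCRIPT_HOSTS and child != parent:
        reasons.append(f"{parent} spawned {child}")
    decoded = decode_encoded_powershell(cmd) if child == "powershell.exe" else None
    if decoded is not None:
        reasons.append(f"encoded PowerShell: {decoded[:60]}")
    if (child == "schtasks.exe" and "/create" in low) or (child == "sc.exe" and " create " in low):
        reasons.append("persistence via Windows Task/Service creation")
    return reasons

# Constructed sample telemetry, not real events or indicators
ENCODED = base64.b64encode("Get-Process | Out-Null".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -w hidden -enc {ENCODED}", "md5": "a" * 32},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "md5": "b" * 32},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\Public\u.exe", "md5": "0" * 32},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"].rsplit("\\", 1)[-1], "->", triage(ev) or "no findings")
```

Benign Word-to-PowerShell usage in a given environment would be handled by the known-good filtering the tuning phase describes, rather than by loosening the rule itself.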
Proactive Prevention & Response
After investigation, our team isolates endpoint machines showing malicious behavior that could result in lateral movement, propagation of malware, and/or data exfiltration.
We then ban hashes associated with malicious executables and set policies to auto-quarantine threats identified by EPP technology.
At the conclusion of the threat hunting engagement, our team provides you with a report detailing events and incidents observed during the threat hunting period.
The report includes data such as event and incident counts, their types, sources of detection, and additional findings made during the threat hunting process.
We also provide an outline of significant threat findings, their levels of risk, actions taken by our SOC team, and actionable recommendations for each finding.
The goal of this report is to provide the customer with everything needed to make informed decisions moving forward. The information in the report may also be provided to other teams and company leadership to gain needed buy-in or investment for executing necessary changes.
Contact CRITICALSTART to Get Started
CRITICALSTART’s TEAMARES provides threat hunting services with the same effectiveness and transparency as an in-house SOC, making it the ideal option to replace or augment your SOC with an in-house, 24×7 SOC experience.
Contact us with questions or to get started.