Cyber Threat Hunting

Oct 25, 2016


Cyber Threat Hunting (CTH) is not a new concept, yet many companies every day become victims of hacking or ransomware attacks, despite deployment of highly sophisticated security technologies.

In Cyber, it is important to realise that nothing is absolute and whilst the vast majority of threats will be identified and mitigated by the security products available today, it only takes one unknown variant or attack technique to successfully compromise any company network.

Organisations are now considering giving themselves a Cyber Threat Health Check either by use of internal services or external services by use of a reputable security company. 

A point to remember is this, in order to reap the rewards of Cyber Threat Hunting, you should be both patient and diligent. It takes time and energy which can be a difficult ‘ask’ in today’s competitive market, but it’s the only way to truly be sure of your network security.  Being over confident or indeed lax in your network security can be expensive and put your company reputation at risk.

SEIM has limitations: can you really afford to trust software? 

It may be that a company has Security Event and Incident Management (SEIM) technology available, it may be that it does not!  Larger networks typically have SEIM available, centralised logging for networking and in some cases, node activity logging also. Although SEIM appears to be a one stop shop for Cyber Threat Hunting, never rest on your laurels, as the hackers know the capabilities of these tools probably better than the operators do, and they are now developing their trojans and other malware to be invisible to the technology.. And for those that do not have SEIM technologies, it’s down to physically checking network nodes I’m afraid.      

So if you want to perform a Cyber Threat Health Check from a purely hardware and software point of view, you should be looking at three main areas, namely nodes i.e., the devices attached to your company network and its Operating System (OS), the software in use on that node and of course finally, the network traffic.  Below, we list the sort of data you’ll want to collect to perform your health check.

How to hunt for cyber threats 

Let’s first look at your node. Do you know what processes, services and associated files should be running or should be present? Access to a known-good-configuration when the network or node is commissioned will be of great assistance here, but this is seldom completed and dare I say it, maintained. You should ask?

Now let’s look at some of the areas to consider; some of the data we are interested in is only stored in a volatile state, that is to say it is only contained within the node memory, other data will be contained within the OS and file system itself. The computer memory contains myriad information including the logical and physical address of every node that has made a connection, irrespective of the connection type.  That’s interesting – get it!  

On the OS side, event logs are the way forward here as these logs record almost everything that occurs. Third party applications such as a Firewall for example will also create log files and these should be also considered for collection and analysis. Other areas to consider are the Windows Registry and the actual file system logs themselves. The Windows Registry literally contains a ‘hive’ of information but caution should be used as an accidental change in the wrong area may result in the OS not booting up anymore! And not to forget the NT file system that will record all file activity taking place although this data is subject to being overwritten from time to time depending on disk usage. 

Finally network traffic.  This can be observed not only from your computer, but also from L3 Switches and Routers or any other attached network node.

So what comes next?  Well once you have collected your data, it now has to be analysed. This is the interesting part; just how are you actually going to do this and what are you actually looking for?   

So we have given you some pointers to help you go in the right direction.That said, we at 7Safe are always here to assist you and we can either advise you in how conduct your own Cyber Threat Hunt or we can do it for you.  Happy Hunting!

"In Cyber, it is important to realise that nothing is absolute and whilst the vast majority of threats will be identified and mitigated by the security products available today, it only takes one unknown variant or attack technique to successfully compromise any company network. "
Cyber Threat Hunting
"Organisations are now considering giving themselves a Cyber Threat Health Check either by use of internal services or external services by use of a reputable security company. "