Increasingly, companies are becoming aware of the importance of building threat detection and hunting capabilities that avoid putting their businesses at risk. Now more than ever, when it comes to both protecting enterprise cybersecurity and delivering effective IT security solutions and services, organizations and MSPs can no longer simply act when cyberattacks occur, but long before they even pose a threat.
Undoubtedly, the global shift towards remote working and e-learning, concerns about choosing the right cybersecurity solution, and the overall increase in attacks have made cybersecurity an increasingly critical issue; and one with new demands. The desired approach is proactive, not limited to preventing known threats, but also studying the new tactics of cybercriminals who intend to put your security in check. This means that traditional threat detection is joined by proactive hunting or threat hunting as an (increasingly necessary) trend in enterprise cybersecurity.
The SANS 2020 Threat Hunting Survey found that 65% of organizations surveyed are already doing some form of threat hunting and another 29% are planning to implement it in the next 12 months. Many markets, such as financial services, high tech, military, government and telecommunications, have a critical need to remediate threats as quickly as possible. While prevention is the best response to cyberattacks, early detection of attacks and rapid response are critical to reducing the number of potential successful cyberattacks.
Threat hunting and cyber threats: the process
To detect suspicious activity and advanced cyberattacks at an early stage, our security analysts conduct active threat hunting services. Using the information we have gathered during our 30 years of industry experience, our hunters search for new threats and compare the hypotheses with the data collected with our EDR solution (WatchGuard EDR / WatchGuard EPDR and Panda Adaptive Defense / Panda Adaptive Defense 360) to prove their legitimacy. Once proven, if the new detection technique is fully determined it is added as a new detection technique. If the technique is not fully determined but allows us to detect with a high degree of confidence that there is a compromised device, an indicator of attack (IoA) is generated and should be dealt with quickly to confirm that it is an attack and act accordingly to contain and remediate it.
Indicators of attack (IoA) generated by our automated Threat Hunting Service include early detection of activities such as:
- Brute force attacks on the RDP
- Compromised credentials after brute force attack on RDP
- Execution of cmd.exe with obfuscated command line
- In-memory script execution via PowerShell
- File download via Svchost.exe process
- In-memory execution of remote script
- Exploitation of Office Equation Editor vulnerability
- Installation of remote files via renamed msiexec.exe
- Persistence and privilege elevation via accessibility features
- Dumping of lsass process credentials using PowerShell or Procdump
Our Threat Hunting Service, included in WatchGuard EDR and WatchGuard EPDR, displays these indicators of attack and additional ones that are added as our team of hunters identifies new potential attacks in the web console of our solutions. In addition, our solution allows you to set up email addresses where you will be notified in real time of these IoAs so that containment and remediation actions can be taken as urgently as possible.
Differences Between Threat Hunting and Threat Detection
Sometimes we confuse threat hunting and threat detection so below we have listed the main differences between them:
- Threat Hunting is done proactively. Threat hunters do not wait for an alert about a known pattern; rather, they try to find clues before a data breach occurs or before an unknown or malicious binary is detected on the endpoints.
- Threat Hunting is "inspired" by suspicions and formulation of new hypotheses. The hunt is to follow clues and ideas and not to verify known rules.
- Only analysts specialized in the search for attack patterns in this type of data, the threat hunters, can provide this service. Threat hunters rely on their knowledge, experience and mindset aligned with the hacker's way of acting, knowing at all times that the client is being compromised, focusing on locating any clue that allows identifying the attacker in the network without an alert of detection of a known rule or malicious binary.
- Threat detection is a process that in most cases is automated, and oriented to detect known threats, while threat hunting is a creative process with a flexible methodology focused on the hunter hunting the hacker.
With these capabilities, we are bringing more visibility and control to our security solutions for endpoints, laptops, workstations and servers, giving our partners the ability to provide additional protection and services to their customers. Read more about WatchGuard's Threat Hunting Service here.