Security Operations

Secrets of a security analyst: Starting a threat hunt

Learn the basics of starting a threat hunt with tips and tricks from experienced security analysts.

When it comes to threat detection and response, an increasing number of organizations are looking to managed detection and response (MDR) providers. In fact, “51% utilize a managed detection and response (MDR) service provider to help integrate telemetry data for threat detection and response” according to ESG Research.

MDR providers, like Sophos Managed Threat Response (MTR), have a variety of advantages over an in-house only security operations program. The biggest advantage of them all is often experience. This article series aims to tap into that experience so you can learn some of the secrets of our security operators, starting with threat hunting.

Security analysts are constantly hunting for threats, looking for anything suspicious which might require further action. However, not all threat hunts are the same. At Sophos we break down threat hunts into two main categories:

  • Lead-driven threat hunts
  • Leadless threat hunts

Regardless of whether the hunt is lead-driven or leadless any detected threats should be triaged, responded to and neutralised by the security team.

Lead-Driven Threat Hunts  

Security analysts should monitor their estates 24/7/365 for malicious and suspicious behavior. In our organization any detection that needs further investigation is reviewed by a human threat analyst who can apply business context as well as human reasoning to any situation.  They will observe the behavior, consider the previously established business context, build a hypothesis and then act on that hypothesis. The hypothesis may be to actively engage with the potential incident or do some further investigatory work to further cement their knowledge on the issue at hand.

To complete the loop the analyst will wait and review to see what the results of that hypothesis and testing are. If further investigation is required, then they can repeat this cycle until they have a decision. If the event has evolved into an active incident, the analyst will pivot into full response mode to actively combat the threat.

Experienced security analysts often utilize a framework to guide their investigations. For example, the Sophos MTR team utilises an investigative methodology known as the OODA loop.  This allows them to engage in the cycle mentioned above to ensure that all findings are tested and proven:

The OODA loop is a military concept that enables our team to go through a cycle of reasoning to fully understand the event and surrounding behaviour.  They can then build off this knowledge as well as employ human decision making and intuition to conclude whether malicious activity is present within a customer environment.  The analyst can then act on the back of this investigation.

Now, let’s distil this down to an example scenario.  For reference the below customer had approximately 800 devices and was being monitored by Sophos MTR.

The Trigger

The only indication that something was going awry on the impacted system was a seemingly benign execution of ProcDump (a completely legitimate tool used by administrators to capture the memory space of an application – usually for troubleshooting); however, in this instance the signal that the Sophos Endpoint had reported indicated that ProcDump was attempting to dump out the memory of lsass.exe.

LSASS is the Local Security Authority Subsystem Service in Microsoft Windows and it is responsible for enforcing security policy and handling logins to Windows systems. If one were to write its memory to disk, the usernames and passwords of users could be retrieved from it.

Sophos Intercept X endpoint protection blocked this attempt as a “credential theft” event – however this alert was a loud enough signal to warrant a full lead-driven threat hunt.  Off the back of this a case was created automatically by the MTR system and assigned to the MTR threat analysts to action.

The Hunt 

After the initial credential theft event the MTR analyst tracked up the process tree from ProcDump to try and identify any additional indicators.  From this they could identify that the attacker was also attempting to use Meterpreter to elevate their user privileges.  The attacker had also left a trail Command and Control (C2) traffic which was communicating out to an unknown external IP address in a fashion similar to one seen by the analyst before pertaining to reconnaissance and persistence tools such as Cobalt Strike.

At this point it was clear that there was an active adversary on the network and the MTR analyst escalated this event to the customer – in line with their chosen MTR response mode – to continue the hunt alongside the MTR team.

More information on this case study can be found here: MTR Casebook: An active adversary caught in the act

Leadless Threat Hunts 

While lead-driven hunts require one of our sensors to detect or generate a “signal” of interest; a leadless hunt is much more organic.  Although we may still be using our artificial intelligence algorithms to process the large amount of data that we ingest, leadless threat hunts are nearly always helmed by a human threat analyst from the start.

Rather than relying on that initial systematic signal to give us a heads-up that something needs to be investigated we proactively run queries on a customer’s or multiple customers’ estates.  This may occur for several reasons, not limited to:

  • A Sophos customer in the same industry vertical has been targeted in a particular way, and we want to perform due diligence to ensure that the same threat actors are not attempting to attack any of our other MTR Advanced customers.
  • SophosLabs have informed the MTR team of a significant attack targeting customers, either in the same vertical or with similar properties, to one or many MTR Advanced customers.
  • A significant event has occurred within the security landscape, and we want to ascertain if any of our customers are affected.  In the current landscape where zero-day threats are becoming more advanced and prevalent this is unfortunately all too common.

To learn more about the Sophos MTR service visit our website or read our case studies and research.