Threat Hunting Techniques and Solutions with Unified SASE

The role of Unified SASE in Cyber Threat Hunting

What is threat hunting?

Threat hunting is a proactive defense approach to detect threats that evade existing security solutions.

Why threat hunting?

Firewall, IDS/IPS, SWG, ZTNA, and CASB functions help protect enterprise assets from known threats. Security vendors develop protections for known threats and deploy them by regularly updating their security services with protection feeds. Protections include stopping users from visiting bad sites, stopping exploits via signatures, and blocking connections to/from IP addresses and domains that are known to host C&C infrastructure or have a bad reputation. Almost all security functions also protect assets by stopping unwanted flows via ACLs (Access Control Lists).

The sophistication of threat actors is increasing significantly year by year, driven by state sponsorship and financial gain. Enterprises hit by unknown threats need a way to detect compromises so that they can contain the damage. According to the 2022 M-Trends report, the average dwell time (the number of days an attacker is present in a victim environment without being detected) was 21 days in 2021. In some geographic regions, the average is up to 40 days. Most concerning is that 47% of the time, victims learn about the threat via external notification: extortion attempts from the attackers, public disclosure of confidential information, and occasionally their own customers. It is important for enterprises to detect the presence of threats proactively and internally in order to reduce the damage and take remediation steps sooner. This process of detecting threats already present in the environment is ‘Threat Hunting’.

What are threat hunter methods?

Threat hunting is done by security analysts. The practice itself is not new: hunters have long looked for anomalies, created hypotheses, and performed deeper analysis to identify signs of compromise. What has really changed in recent years is the increased collaboration among hunters from different enterprises, such as sharing tactics, techniques, and procedures (TTPs), together with access to open-source and commercial threat intelligence feeds. This wealth of information is helping hunters hunt more efficiently.

Threat intelligence is valuable, but the sheer volume of data can be overwhelming to sift through. Hunters need to filter it down to the reports most relevant to the assets, software, hardware systems, and cloud services that the enterprise uses. Once filtered, threat hunters can use the TTPs to look for matching patterns in their environment.

Threat hunters gather information using a combination of methods, including:

  • Analytics-driven: Anomalies observed in network traffic, protocol traffic, user-initiated traffic, application traffic, user login behavior, user access behavior, endpoint, and application behavior can be good indicators to start the hunt.
  • Intelligence-driven: Threat intelligence feeds such as IP/domain/file/URL reputation from open-source and commercial entities can help hunters search for these indicators in their environment and start the hunt if observed.
  • Situational awareness-driven: Outputs from regular enterprise risk assessments and crown-jewel analysis on the assets can help hunters create hypotheses and start the hunt.

Threat hunters use a combination of the above methods to narrow down the hunts to start. As part of the hunting process, analysts rely on observability systems to conduct deeper analysis to identify any compromise. If any threats are found, successful hunters can publish TTPs to assist other hunters.

What is the role of SASE in threat hunting?

Indicators of Compromise (IoCs) are clues that can be used to identify and detect malicious activity on a network or endpoint. They are often used by threat hunters to create hypotheses about potential security incidents and to focus their investigations. IoCs include things like IP addresses, domain names, URLs, files, and email addresses that are associated with known malicious actors or known malware. Various anomalies (in traffic, user behavior, service behavior, and others), alone or in combination, are also good indicators of concern from which hunters can create hypotheses about potential security incidents.

Deep analysis is the next step in threat hunting and is used to gather more information about a potential incident, such as the scope, impact, and origins of the attack. This type of analysis often involves leveraging various tools and techniques to extract and analyze data from various sources, such as network traffic, system logs, and endpoint data.

SASE solutions are expected to help threat hunters in both the identification and investigation stages of threat hunting, and future SASE solutions are expected to include more comprehensive observability, with features such as behavioral analytics, real-time monitoring, and alerting.

Identification via Indicators of Compromise and Indicators of Concern

Below are some of the anomalies and threat IoCs that SASE solutions can surface to help threat hunters start hunts.

A few examples of how SASE/SDWAN can help in finding traffic anomalies are given below.

  • Unusual traffic patterns compared to those observed before. These can include anomalies in traffic volume and number of connections for the following:
    • Enterprise site-to-site traffic
    • Traffic to/from sites to Internet
    • Traffic to/from applications
    • Traffic on various protocols
    • Traffic to/from users
    • Traffic to/from segments
    • And combinations of the above: Site + Application + User + Protocol + Segment.
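As an added illustration, not part of the original post, here is a baseline comparison over constructed per-day flow summaries, keyed by any combination of the dimensions listed above. Flagging uses a median/MAD z-score with an assumed threshold of 3.5, and combinations with no history at all are reported as first-seen; the data, column layout and function names are assumptions for this example.

```python
from collections import defaultdict
from statistics import median

# Constructed per-day flow summaries, not real telemetry. Columns follow the
# dimensions listed above: day, site, app, user, proto, segment, bytes, conns.
FLOWS = [
    (1, "hq", "erp", "alice", "tcp", "finance", 120_000, 40),
    (2, "hq", "erp", "alice", "tcp", "finance", 130_000, 42),
    (3, "hq", "erp", "alice", "tcp", "finance", 110_000, 38),
    (4, "hq", "erp", "alice", "tcp", "finance", 125_000, 41),
    (5, "hq", "erp", "alice", "tcp", "finance", 9_800_000, 900),  # spike
    (1, "branch1", "crm", "bob", "tcp", "sales", 50_000, 10),
    (2, "branch1", "crm", "bob", "tcp", "sales", 51_000, 11),
    (3, "branch1", "crm", "bob", "tcp", "sales", 49_000, 9),
    (4, "branch1", "crm", "bob", "tcp", "sales", 53_000, 12),
    (5, "branch1", "crm", "bob", "tcp", "sales", 52_000, 11),
    (5, "branch1", "erp", "carol", "tcp", "sales", 20_000, 5),  # never seen before
]
COLS = {"site": 1, "app": 2, "user": 3, "proto": 4, "segment": 5}
METRICS = {"bytes": 6, "conns": 7}

def robust_z(value, history):
    """Median/MAD z-score; resistant to the odd busy day in the baseline."""
    med = median(history)
    mad = median(abs(h - med) for h in history) or 1.0  # guard against MAD == 0
    return 0.6745 * (value - med) / mad

def hunt_leads(flows, dims=("site", "app", "user", "proto", "segment"), day=5, threshold=3.5):
    """Leads where `day` deviates from earlier days, or the key has no history at all."""
    # Assumption for this constructed data: one row per key per day (no aggregation).
    history = defaultdict(lambda: defaultdict(list))
    today = {}
    for row in flows:
        key = tuple(row[COLS[d]] for d in dims)
        if row[0] < day:
            for m, col in METRICS.items():
                history[key][m].append(row[col])
        elif row[0] == day:
            today[key] = {m: row[col] for m, col in METRICS.items()}
    leads = []
    for key, values in today.items():
        if key not in history:
            leads.append((key, "first-seen", None))
            continue
        for m, value in values.items():
            z = robust_z(value, history[key][m])
            if z > threshold:
                leads.append((key, m, round(z, 1)))
    return leads
```

Calling `hunt_leads(FLOWS)` flags alice's byte and connection spike and carol's first-ever access, while bob's steady usage produces nothing.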

SASE solutions, with network security, can help in finding various types of anomalies and exploits:

  • Anomalies in enterprise application accesses compared to previous or baseline patterns, such as:
    • Accesses to internal applications from previously unknown geographic locations
    • Access to internal applications from users who rarely access them
    • Access to internal applications from users at odd times
    • Access to various critical application resources (such as admin resources) by privileged users from previously unknown geographic locations, by users who rarely administer them, or at odd times
    • Denied accesses to applications and resources by users.
  • Anomalies in Internet and SaaS accesses compared to previous or baseline patterns, like the access anomalies described above:
    • Access to various URL categories by individual users
    • Access to Internet sites that were not previously visited by users
    • Bandwidth usage and HTTP transaction count anomalies on a per-user basis
    • Access to sites during non-office hours by users.
    • Denied accesses to Internet sites/categories
    • Access to various functions of various SaaS services on a per-user basis.
  • Various kinds of exploits: According to the M-Trends report, the “Initial Infection Vector” used by attackers is the exploitation of vulnerabilities in software and configuration. Many threat actors first install different types of malware by exploiting software vulnerabilities. Popular exploit frameworks such as Metasploit and BEACON bundle multiple known exploit scripts, and these frameworks appear to be popular among threat actors. Any exploit observed in the traffic is a good indicator that something bad is about to happen.
  • Protocol anomalies: Any abnormal protocol data, even if it is legitimate from a protocol specification perspective, can be a good indicator of concern. DNS and HTTP protocol anomaly examples are given below.
    • In case of DNS:
      • It is not normal to see many subdomains in the queried domain
      • It is not normal to see a very long domain
      • It is not normal to see a mix of upper-case and lower-case letters in the domain name.
      • It is not normal to see non-alphanumeric characters.
      • It is not normal to see any query types other than A, AAAA, and PTR.
    • In case of HTTP:
      • It is not normal to see a very long URI or a large number of query parameters.
      • It is not normal to see URI encodings that are not commonly used.
      • It is not normal to see many request headers and response headers.
      • It is not normal to see SQL statements, shell commands, and scripts in URI query parameters, request headers, and request bodies.
      • It is not normal to see HTTP transactions without a host request header.
      • It is not normal to see CRLF characters in URIs and headers.
      • It is not normal to see multiple parameters with the same name.
      • And many more…
  • Access to bad reputation sites: A single access or multiple accesses to IP addresses, domains, and URLs with bad reputation are also good indicators of concern to start the hunt.
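As an added example (not from the original post), the DNS and HTTP heuristics above expressed as small checks that return the reasons a record looks abnormal. The numeric thresholds, the regular expressions, the treatment of hyphens as normal DNS characters, and the function names are my assumptions, since the text states the heuristics qualitatively.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Thresholds are assumptions for this example; the page states the heuristics
# qualitatively ("very long", "many") and gives no numbers.
DNS_ALLOWED_QTYPES = {"A", "AAAA", "PTR"}
DNS_MAX_LABELS, DNS_MAX_LEN = 5, 100
HTTP_MAX_URI, HTTP_MAX_PARAMS, HTTP_MAX_HEADERS = 2048, 20, 40
LABEL_RE = re.compile(r"^[a-z0-9-]+$")  # hyphen treated as normal (assumption)
# Crude patterns for SQL, shell and script fragments in request data.
INJECTION_RE = re.compile(r"(?i)union\s+select|\bselect\b.+\bfrom\b|;\s*(sh|bash|cat|wget|curl)\b|<script")

def dns_anomalies(qname: str, qtype: str) -> list[str]:
    """Reasons a DNS query looks abnormal under the page's heuristics ([] if normal)."""
    name = qname.rstrip(".")
    labels = name.split(".")
    reasons = []
    if len(labels) > DNS_MAX_LABELS:
        reasons.append("many-subdomains")
    if len(name) > DNS_MAX_LEN:
        reasons.append("long-name")
    if any(c.isupper() for c in name) and any(c.islower() for c in name):
        reasons.append("mixed-case")
    if not all(LABEL_RE.match(lbl.lower()) for lbl in labels):
        reasons.append("non-alphanumeric")
    if qtype.upper() not in DNS_ALLOWED_QTYPES:
        reasons.append("qtype-" + qtype.upper())
    return reasons

def http_anomalies(uri: str, headers: list[tuple[str, str]]) -> list[str]:
    """Reasons an HTTP request looks abnormal under the page's heuristics ([] if normal)."""
    params = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    names = [k for k, _ in params]
    # Raw URI, each header line, and each decoded parameter value are inspected.
    texts = [uri] + [k + ": " + v for k, v in headers] + [v for _, v in params]
    reasons = []
    if len(uri) > HTTP_MAX_URI or len(params) > HTTP_MAX_PARAMS:
        reasons.append("long-uri-or-many-params")
    if len(set(names)) != len(names):
        reasons.append("duplicate-params")
    if len(headers) > HTTP_MAX_HEADERS:
        reasons.append("many-headers")
    if not any(k.lower() == "host" for k, _ in headers):
        reasons.append("missing-host")
    if any("\r" in t or "\n" in t for t in texts):
        reasons.append("crlf-in-uri-or-header")
    if any(INJECTION_RE.search(t) for t in texts):
        reasons.append("injection-pattern")
    return reasons
```

A query such as `aGVsbG8_d29ybGQ.tunnel.example.net` of type TXT trips the mixed-case, non-alphanumeric and query-type checks at once, which is the kind of stacked signal a hunter would start from.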

Investigation

As part of hunting, hunters expect SASE systems to help them dig deeper for further investigation, at least from a network perspective. For comprehensive end-to-end visibility and investigation, hunters might also need to work with endpoint, application, virtualization, and containerization platform observability systems.

Hunters' expectations of SASE observability for investigations are mostly about deeper search capabilities. For example, upon detecting exploit traffic, hunters might want to investigate whether the exploited machine/software is making connections to other internal systems that it does not normally make, whether it downloaded files from other systems that are not normally expected, and whether it is uploading malware to other systems.

Summary

Threat hunting is becoming a normal practice in many enterprises. It typically involves the detection of Indicators of Compromise (IoCs) and investigation using observability platforms for endpoints, applications, virtualization, and Secure Access Service Edge (SASE). A unified SASE that combines Software-Defined Wide Area Network (SDWAN), various network and threat security functions, and comprehensive observability is needed to enable comprehensive threat hunting life cycle management.

  • CTO Insights blog

    The Aryaka CTO Insights blog series provides thought leadership for network, security, and SASE topics. For Aryaka product specifications refer to Aryaka Datasheets.

About the author

Srini Addepalli
Srini Addepalli is a security and Edge computing expert with 25+ years of experience. Srini has multiple patents in networking and security technologies. He holds a BE (Hons) degree in Electrical and Electronics Engineering from BITS, Pilani in India.