Threat hunting is a proactive approach to identifying signs of an attack, giving organizations a better chance of catching an attack early. A threat hunting team covers the areas that the SOC is not watching and that automated detection mechanisms have missed.
Gartner describes Threat Hunting as follows:
“To hunt for security threats means to look for traces of attackers, past and present, in the IT environment. Organizations that employ threat hunting use an analyst-centric process to uncover hidden, advanced threats missed by automated, preventative [sic] and detective controls.”
According to the SANS 2019 Threat Hunting Survey, “Threat hunters leverage tools—and a whole lot of experience—to actively sift through network and endpoint data, always looking for suspicious outliers or traces of an ongoing attack.”
The challenges of effective threat hunting include the lack of well-established methodologies that would enable a team to ramp up quickly and increase confidence that they’re doing it “right.” There’s also a general lack of experienced security analysts who have the skills to successfully flush out attacks. While these pose a challenge, perhaps the hardest part is that many hunters rely on legacy tools and systems such as log files, SIEM analytics, and IDPS, which simply don’t provide the data and insights needed to detect malicious activity in your network.
Lastline Defender™ has an embedded integration of the industry-standard Kibana data query and visualization tool. This integration gives threat hunters the ability to search their network data for a wide range of outlier activity related to advanced threats that is too low in volume or severity to generate an alert.
Lastline Defender gives your SOC the ability to conduct a range of searches, including:
Hunting for bad actors operating in your network before their activity generates alerts
Relying on hunches and suspicions to look for malicious activity
Starting with the assumption that an intrusion has occurred and looking for subtle indicators of it in the network
Threat hunters can access the Kibana interface to the Elasticsearch engine directly from Lastline Defender, either to use the built-in query and reporting libraries or to create custom searches and visualizations that show network activity related to a host or protocol, such as:
Security analysts can also use Lastline Defender’s Kibana integration to perform follow-up investigations on malicious activity within network and email traffic detected by Lastline’s NTA, IDPS, or file analysis capabilities. They can run Kibana reports over Lastline Defender detection data to better visualize activity in their network associated with a specific host or range of hosts.