Enable Your Threat Hunting With Flexible Search and Visualization

Threat hunting is a proactive approach to identifying signs of an attack, giving organizations a better chance of catching an attack early. A threat hunting team covers the areas that a SOC is not watching and detection mechanisms haven’t detected.

Gartner describes Threat Hunting as follows:

“To hunt for security threats means to look for traces of attackers, past and present, in the IT environment. Organizations that employ threat hunting use an analyst-centric process to uncover hidden, advanced threats missed by automated, preventative [sic] and detective controls.”

According to the SANS 2019 Threat Hunting Survey, “Threat hunters leverage tools—and a whole lot of experience—to actively sift through network and endpoint data, always looking for suspicious outliers or traces of an ongoing attack.”

The challenges of effective threat hunting include the lack of well-established methodologies that would enable a team to ramp up quickly and increase confidence that they’re doing it “right.” There’s also a general lack of experienced security analysts who have the skills to successfully flush out attacks. While these pose a challenge, perhaps the hardest part is that many hunters rely on legacy tools and systems such as log files, SIEM analytics, and IDPS, which simply don’t provide the data and insights needed to detect malicious activity in your network.

Using Network Detection and Response for Threat Hunting

Lastline Defender® has an embedded integration of the industry-standard Kibana data query and visualization tool. This integration gives threat hunters the ability to search their network data for a wide range of outlier activity related to advanced threats that is too low in volume or severity to generate an alert.

Lastline Defender gives your SOC the ability to conduct a range of searches, including:

  • Proactive: hunting for bad actors operating in your network before their activity generates alerts
  • Hypothetical: relying on hunches and suspicions to look for malicious activity
  • Assumptive: starting with the assumption that an intrusion has occurred, looking for subtle indicators in the network

Threat hunters can access Kibana, and the Elasticsearch search engine behind it, directly from Lastline Defender to use the query and reporting libraries or create custom searches and visualizations to understand network activity related to a host or protocol, such as:

  • Any time dimension (from seconds to days, weeks, or months)
  • Any range of hosts
  • Protocols (including DNS, SMB, TLS, NetFlow, and Kerberos)
  • Activity (including data uploads or downloads, top hosts, and top destinations)

Security analysts can also use Lastline Defender’s Kibana integration to perform follow-up investigations on malicious activity within network and email traffic detected by Lastline’s NTA, IDPS, or file analysis capabilities. They can run reports in Kibana on Lastline Defender detection data to better visualize activity in their network associated with a specific host or range of hosts.