
Threat Hunting on the Network: An Introductory Guide

Jamie Moles

August 27, 2024

Threat hunting has long been conducted on the endpoint or using logs. Security and incident response (IR) teams favor endpoint- and log-based approaches to threat hunting because they are established, accessible, and generally intuitive methods for discovering known threats. However, these legacy approaches to threat hunting fail to account for organizations’ unknown attack vectors and any threat actors that may have previously exploited them.

Endpoint forensics and event logs rely on known indicators of compromise (IOCs) and other forms of threat intelligence, so to use them effectively, you need to know what you’re looking for. If you don’t know what you’re looking for, then adversaries can continue operating undetected as they further embed themselves in your network or actively exploit it.

Additionally, threat actors routinely innovate new ways to bypass endpoint forensic tools. Furthermore, the 2017 Shadow Brokers leak of reported National Security Agency offensive hacking tools has empowered threat actors with the tooling to effectively modify Windows Event Log files and remove all traces of their activity. This is why network-based threat hunting has become so vital to security teams today.

In situations where you're not searching for a specific IOC, where you’re looking for behavioral indicators of suspicious activity or tactics, techniques, and procedures (TTPs) associated with a specific threat actor, network-based approaches to threat hunting are more effective than increasingly exploitable legacy methods.

While more esoteric and complex, network-based approaches are superior for threat hunting because network-based techniques rely on packet capture (PCAP) analysis. PCAP analysis provides investigators with an unalterable, comprehensive, and granular view of all network traffic originating from, entering into, and traveling within an organization’s IT environment.

The comprehensiveness of these records, combined with the inability of threat actors to alter network data captured by PCAP sensors, empowers security teams to establish ground truth in cyber investigations. The heightened certainty offered by packet analysis illustrates why Mandiant and other hardcore IR experts dedicate significant resources to the forensic investigation of packet data in their client engagements.

Before delving deeper into network-based threat hunting, let’s cover some of the nuts and bolts of legacy threat hunting methodologies and their inherent limitations.

The Limitations of Endpoint- and Log-Based Threat Hunting Methods

Endpoint-based threat hunting is based on endpoint forensics technology and related open-source tools. Specifically, endpoint-based threat hunting entails techniques like Volatility for memory dump analysis, The Sleuth Kit for file system analysis, malware analysis tools like Joe Sandbox, and the manual examination of Windows Registry hives. The drawback of endpoint-based threat hunting is that it can only identify threats that have previously been indexed in malware databases.

Meanwhile, log analysis has traditionally been an easier way to hunt for threats on the network than packet inspection. Typically, log investigations involve searching and analyzing firewall and proxy logs for known IOCs. In most log investigations, threat hunters comb through records like DNS requests, HTTP requests, and Server Name Indication (SNI) activity related to TLS traffic.

Ultimately, however, log analysis is just signature matching on known threats, as opposed to true threat hunting. Furthermore, log analysis has a reliability problem, as more sophisticated threat actors often seek to wipe or otherwise alter log files to conceal their malicious activity. In contrast, packet analysis captures the essence of threat hunting in the modern attack landscape because it orients defenders to identify their unknown-unknowns.

The Power of Packet-Based Investigations

Threat hunting on the network is like trying to find a needle in the haystack when you don’t even know for certain that a needle is there. Through packet analysis, incident responders have to discover threats themselves.

For the uninitiated, packets are foundational components of modern digital networks. A packet is a basic block of data that's bundled together and transferred over a computer network. Packets are the building blocks of packet-switched networks like the Internet. Each packet of data is a component of a complete message. These data units carry essential address information that helps identify the sending computer and intended recipient of the message via a wide array of unique digital fingerprints.

Network packets consist of three parts: the packet header, payload, and trailer. The size and structure of a packet are determined by the underlying network technology or protocol in use. When it comes to packet-based investigations, incident responders approach these engagements through hypothesis-driven analysis of the data. In these cases, investigators enter IT environments that they assume to be compromised, yet they don’t have any preexisting threat intelligence or IOCs to guide their excavation of the network.
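To make the header/payload split and the “address information” mentioned above concrete, here is an added example (not code from this post or from ExtraHop) that builds a constructed Ethernet/IPv4/TCP frame, then decodes the fields an investigator reads first: MAC addresses, IP addresses, TTL, ports and TCP flags. The frame is hand-assembled so the example runs offline; the IPv4 header checksum is computed properly so the parser can demonstrate validating it, and the address values are sample values, not from any real capture.

```python
import struct
from dataclasses import dataclass

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed sample: Ethernet II / IPv4 / TCP SYN from 10.0.0.5:51234 to 10.0.0.9:445."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    payload = b""                           # a bare SYN carries no payload
    tcp = struct.pack("!HHIIHHHH", 51234, 445, 1000, 0,
                      (5 << 12) | 0x02,     # data offset 5 words, SYN flag set
                      65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    fields = [0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
              bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])]
    ip = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(ip)           # fill in the real header checksum
    ip = struct.pack("!BBHHHBBH4s4s", *fields)
    return eth + ip + tcp + payload


@dataclass
class ParsedPacket:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    protocol: int
    checksum_ok: bool
    src_port: int
    dst_port: int
    flags: list
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> ParsedPacket:
    """Decode Ethernet II -> IPv4 -> TCP headers; raise on truncated or unsupported input."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 is handled in this example")
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < max(ihl, total_len):
        raise ValueError("malformed IPv4 header or truncated datagram")
    # A header whose checksum is intact sums (one's complement) to 0xFFFF, so recomputing yields 0.
    checksum_ok = ipv4_checksum(ip[:ihl]) == 0
    if proto != 6:
        raise ValueError("only TCP is handled in this example")
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    return ParsedPacket(_mac(src_mac), _mac(dst_mac),
                        ".".join(map(str, src)), ".".join(map(str, dst)),
                        ttl, proto, checksum_ok, sport, dport, flags, tcp[data_off:])


if __name__ == "__main__":
    print(parse_frame(build_sample_frame()))
```

The parser deliberately refuses anything it cannot account for (truncation, non-IPv4, non-TCP) rather than guessing, which is the behaviour you want from analysis tooling that is supposed to establish ground truth.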

This type of hunting is done inside the network perimeter, where incident responders target adversarial indicators like reconnaissance activity, lateral movement, and service exploitation. Common protocols on which to focus threat hunting activity crossing the network perimeter include DNS, HTTP, SSL/TLS, and FTP. More specialized, internal network threat hunting involves the analysis of protocols like Server Message Block (SMB), for example. SMB traffic analysis can be particularly helpful for identifying signs of ransomware encrypting files over network shares.
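The following added example (not code from this post or from ExtraHop) puts the two approaches described in this section side by side over one set of constructed network metadata records: an IOC lookup against DNS names, HTTP Host headers and TLS SNI values, which is what the log-based hunting described earlier amounts to, and two hypothesis-driven behavioral hunts for reconnaissance (one source touching many ports on a host) and SMB lateral movement (one source opening SMB sessions to many internal hosts). The record format, the IOC list, the thresholds and the time windows are all assumptions chosen for illustration; a real hunt would tune them to the environment.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class FlowRecord:
    ts: int                 # seconds (constructed timestamps)
    src: str
    dst: str
    dst_port: int
    proto: str              # "dns", "http", "tls", "smb", "tcp"
    name: Optional[str] = None   # DNS qname, HTTP Host, or TLS SNI where present


# Constructed sample records; no real capture behind them.
SAMPLE_RECORDS = [
    FlowRecord(1000, "10.0.1.20", "10.0.0.53", 53, "dns", "updates.example.com"),
    FlowRecord(1001, "10.0.1.20", "203.0.113.7", 443, "tls", "bad-c2.example.net"),
    FlowRecord(1002, "10.0.1.21", "198.51.100.9", 80, "http", "www.example.org"),
    # reconnaissance: one host probing many ports on one target
    *[FlowRecord(1010 + i, "10.0.1.30", "10.0.2.5", p, "tcp")
      for i, p in enumerate([21, 22, 23, 25, 80, 135, 139, 443, 445, 3389, 5985, 8080])],
    # lateral movement: one host opening SMB to many internal hosts
    *[FlowRecord(1100 + i, "10.0.1.20", f"10.0.2.{10 + i}", 445, "smb") for i in range(8)],
    # benign: many clients talking to one file server (must NOT fire)
    *[FlowRecord(1200 + i, f"10.0.3.{i}", "10.0.2.100", 445, "smb") for i in range(5)],
]

IOC_DOMAINS = {"bad-c2.example.net"}   # constructed threat-intel list


def match_iocs(records, iocs=IOC_DOMAINS):
    """Log-style hunt: only finds what is already on the IOC list."""
    return [r for r in records if r.name and r.name.lower() in iocs]


def _max_fanout(groups, key, window):
    """For each group, the largest number of distinct `key` values seen within `window` seconds."""
    hits = {}
    for group, rs in groups.items():
        rs.sort(key=lambda r: r.ts)
        for i, first in enumerate(rs):
            distinct = {key(r) for r in rs[i:] if r.ts - first.ts <= window}
            if len(distinct) > hits.get(group, 0):
                hits[group] = len(distinct)
    return hits


def hunt_port_scan(records, min_ports=10, window=60):
    """Behavioral hunt: one source hitting many distinct ports on one destination."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r.src, r.dst)].append(r)
    fan = _max_fanout(by_pair, lambda r: r.dst_port, window)
    return {pair: n for pair, n in fan.items() if n >= min_ports}


def hunt_smb_fanout(records, min_hosts=5, window=300):
    """Behavioral hunt: one source opening SMB to many internal hosts (lateral movement)."""
    by_src = defaultdict(list)
    for r in records:
        if r.dst_port == 445:
            by_src[r.src].append(r)
    fan = _max_fanout(by_src, lambda r: r.dst, window)
    return {src: n for src, n in fan.items() if n >= min_hosts}


def correlate(records):
    """Hosts that appear in more than one hunt: the start of an attack-chain view."""
    findings = defaultdict(set)
    for r in match_iocs(records):
        findings[r.src].add("ioc_match")
    for (src, _dst) in hunt_port_scan(records):
        findings[src].add("port_scan")
    for src in hunt_smb_fanout(records):
        findings[src].add("smb_fanout")
    return {host: sorted(tags) for host, tags in findings.items() if len(tags) > 1}


if __name__ == "__main__":
    print("IOC hits:", [(r.src, r.name) for r in match_iocs(SAMPLE_RECORDS)])
    print("port scans:", hunt_port_scan(SAMPLE_RECORDS))
    print("SMB fan-out:", hunt_smb_fanout(SAMPLE_RECORDS))
    print("correlated:", correlate(SAMPLE_RECORDS))
```

Two details matter for the hunts to be useful rather than noisy: the SMB hunt counts distinct destinations per source, so the benign many-clients-to-one-server pattern never fires, and the windows bound how far apart events may be before they stop counting as one burst of activity. The recon host never touches an IOC, so a log-only approach would not have surfaced it at all.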

How RevealX Powers Advanced Threat Hunting

In a threat landscape marked by increasingly sophisticated and determined adversaries, network-based approaches to threat hunting are vital for defenders. However, it is impractical for organizations to build next-generation, network monitoring applications in-house. This undertaking requires specialized expertise, significant data center capacity and investment, and an encyclopedic level of network-protocol fluency.

The key value proposition offered by a specialized NDR solution is that it captures all of the granular network communications data and metadata across different protocols autonomously, in real time, and at cloud scale. When deployed effectively, NDR enables comprehensive visibility into an organization’s IT environment and all the data that flows in and out of it.

Effective network-based investigations are predicated on hypothesis-driven investigations, advanced behavioral analytics, and machine-learning-powered data crunching. The application of machine-learning technology is especially vital for the detection of network anomalies. While not always indicative of malicious activity, irregularities in network data flow and user behavior can reveal the needles in the haystack: the camouflaged attack chains of threat actors.

Organizations should look to automate these network threat-hunting functions by deploying an established and specialized NDR solution like RevealX from ExtraHop. A good NDR solution will pick up the threat and display automated attack-chain discovery and correlation that will show end users the full attack and the various parts of it that were involved. This capability can help defenders better understand how attackers breached their networks, all the systems they touched, and any files or accounts they compromised.

RevealX excels at picking up on lateral movement and providing defenders with an intuitively trackable chain of evidence that traces all of the attacker’s footprints from east to west and beyond. The lateral movement discovery capabilities in RevealX are powered by the platform’s ability to decrypt SSL and TLS 1.3 traffic and decode more than 90 network protocols, including numerous Microsoft protocols. Armed with patent-protected, cipher-cracking capabilities, RevealX is the only provider in the NDR space that can decrypt Microsoft protocols within the network.

To learn more about the power of packet-data analysis and threat hunting in the network, watch the video.

