Threat hunting—the proactive detection, isolation, and investigation of threats that often evade automated security systems—has emerged as a key component of cyber security strategies.
Threat hunters use detection and response systems, monitoring tools, and logs to do their work. The more sophisticated the detection and response systems, the easier it is for threat hunters to do their jobs.
The two primary areas of focus for threat hunters are endpoints and networks. While network-based threat hunting might be less understood, it’s an important part of any threat-hunting strategy.
By monitoring network traffic, cyber security teams can see many things that may or may not be visible through an endpoint-based system.
It’s important to understand, however, that each of these methods has strengths and weaknesses. Let’s take a look at the two approaches.
Endpoint-Based Threat Hunting
Endpoint threat hunting involves the use of detection and data collected by software (agents) installed on each of the endpoints.
Examples of this include antivirus and more sophisticated endpoint detection and response software. The advantage of this method is that it enables deep visibility into the endpoint behavior, such as unexpected processes running on the systems, newly installed applications, suspect activity, malware, memory allocations, etc.
Among the disadvantages are the need to install agents on every system (very challenging in a BYOD environment), a lack of visibility into the overall network activity, and the existence of blind spots for things such as lateral movement of malware or command-and-control communication. In addition, the endpoint agents are part of the attack surface for a given system and may end up being disabled as part of a targeted attack.
Network-Based Threat Hunting
Network threat hunting involves the use of detection and data collected by specialized network probes armed with signature- and anomaly-based detection and network traffic analysis.
An advantage of this method is the deep visibility into network activity it provides, both north-south communications as well as east-west lateral communications. If an organization experiences a security breach, it most likely takes place, and is observable, on the network. Also, no agent software needs to be installed on hard-to-manage systems such as employee-owned devices.
One of the challenges is that there is no early visibility into the internals of endpoint infections that have not yet generated any network traffic, such as a latent malware installation.
Real-World Example of the Two Working Together
Here’s an example from a large international organization that helps illustrate the relationship between these two approaches.
An employee at the organization had visited a hacked blog while searching the Internet, potentially exposing the company to a problem. A security analyst, using network threat hunting, found that the site hosted dangerous malware.
But the analyst lacked visibility into what exactly happened on the host/endpoint. After realizing this, the analyst triggered an internal incident response for the endpoint team to investigate.
The endpoint team then reviewed the endpoint security logs for the host and the user account/username (uncovered by the network-based tool), and with that information was able to do a concentrated search of the endpoint security logs and provide all the investigation materials to the incident response team. The team then took further action to resolve the issue.
The security team might not have had any idea that a user visited an infected website, but the network threat detection found this out and was able to relay it to the endpoint team before any damage was done.
The reverse can also happen. An endpoint threat detection tool can signal an alert and notify network threat hunters in order to trigger an investigation into network activity.
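The hand-off described above, as an added example in Python that is not part of the original article: a network alert carrying host and user attribution narrows the endpoint team's log search to that host, that user and a time window around the alert, and the same join runs in reverse when an endpoint alert is passed to the network team. All hostnames, usernames, domains, timestamps and log records below are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data, not taken from the article. A network probe alerted
# that a workstation fetched content from a site flagged as hosting malware.
NETWORK_ALERT = {
    "ts": "2024-03-04T10:15:02", "host": "WS-1187", "user": "jdoe",
    "dst": "hacked-blog.example",  # reserved .example TLD, not a real site
    "detection": "malicious-download",
}

# Constructed endpoint-agent telemetry covering several hosts.
ENDPOINT_EVENTS = [
    {"ts": "2024-03-04T10:14:55", "host": "WS-1187", "user": "jdoe",
     "event": "process_start", "image": "chrome.exe"},
    {"ts": "2024-03-04T10:15:30", "host": "WS-1187", "user": "jdoe",
     "event": "file_create", "path": "C:\\Users\\jdoe\\Downloads\\invoice.js"},
    {"ts": "2024-03-04T10:15:41", "host": "WS-1187", "user": "jdoe",
     "event": "process_start", "image": "wscript.exe"},
    {"ts": "2024-03-04T10:16:10", "host": "WS-2201", "user": "asmith",
     "event": "process_start", "image": "wscript.exe"},
    {"ts": "2024-03-04T11:40:00", "host": "WS-1187", "user": "jdoe",
     "event": "process_start", "image": "notepad.exe"},
]

# Constructed network flow records with the probe's host/user attribution.
NETWORK_FLOWS = [
    {"ts": "2024-03-04T10:15:02", "host": "WS-1187", "user": "jdoe",
     "dst": "hacked-blog.example", "bytes_in": 48210},
    {"ts": "2024-03-04T10:16:05", "host": "WS-1187", "user": "jdoe",
     "dst": "198.51.100.23", "bytes_in": 120},  # RFC 5737 documentation range
    {"ts": "2024-03-04T10:16:20", "host": "WS-2201", "user": "asmith",
     "dst": "mail.example", "bytes_in": 9100},
]

def pivot(alert, records, window=timedelta(minutes=5)):
    """Records for the alert's host and user within +/- window of the alert.
    This is the hand-off from the article: one team's finding becomes the
    other team's concentrated search scope instead of a whole-log review."""
    t0 = datetime.fromisoformat(alert["ts"])
    lo, hi = t0 - window, t0 + window
    return [r for r in records
            if r["host"] == alert["host"] and r["user"] == alert["user"]
            and lo <= datetime.fromisoformat(r["ts"]) <= hi]

def endpoint_scope_for_network_alert(alert=NETWORK_ALERT, events=ENDPOINT_EVENTS):
    """Network finding -> endpoint team: agent events that need review."""
    return pivot(alert, events)

def network_scope_for_endpoint_alert(event, flows=NETWORK_FLOWS):
    """Endpoint finding -> network team: connections surrounding the event."""
    return pivot(event, flows)
```

With the five-minute window the endpoint scope shrinks to three events on WS-1187 (the browser start, the downloaded file and the script host it spawned), and the other workstation's identical script-host event is left out of scope.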
Bringing it all together
It’s important that cyber security leaders and teams understand that this is not about choosing one method of threat hunting over the other. Each can deliver important capabilities and benefits in the ongoing hunt for threats.
In order to achieve optimal coverage, organizations typically deploy separate best-of-breed solutions for endpoint- and network-based threat hunting. As such, it is critical that all systems are designed to integrate easily (via RESTful APIs and webhooks, for example) into the organization's centralized event and log databases, so that collaboration across teams is easy.
Additionally, with the right systems in place, much of the manual threat hunting can be automated over time, so that the next time a similar incident occurs it is identified more quickly.
Finally, proactive threat hunting, both network- and endpoint-based, combined with preventative and reactive technologies and strong policies and procedures, is a key element of a defense-in-depth strategy that helps organizations reduce risk and secure their assets.