<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

Introduction to Guided Threat Hunting

Stamus Security Platform is loaded with features that help security teams leverage network traffic to automatically detect threats against their organizations. In addition to deploying automated threat detection, many large organizations proactively hunt for threats on the data generated by their monitoring systems. When this is the case, defenders need a starting point to look for specific types of threats and other suspicious network activity. 

This weekly series will explore the various guided threat hunting filters included in the Stamus Enriched Hunting interface, as well as different steps security practitioners can take upon successful completion of a hunt to stop threats on their network before it's too late.

Introduction to Stamus Security Platform

Stamus Security Platform is a broad-spectrum and open network detection and response (NDR) system that delivers:

  • Automated response-ready and high-fidelity threat detection from machine learning, stateful logic, and signatures
  • Open interfaces for integration with SOAR, SIEM, XDR, IR, or EDR
  • Support for third-party and custom threat intelligence
  • Explainable and transparent results – with evidence
  • Integrated guided threat hunting

Our threat hunting expertise has been tested and refined by our participation in some of the world’s biggest live fire cyber exercises such as Cross Swords and Locked Shields.

Guided Threat Hunting Overview

One of the most useful features built into the Stamus Security Platform is the integrated guided threat hunting. The user interface, called “Enriched Hunting” empowers users to investigate, classify, escalate, and automate vast amounts of event data, alerts, and contextual metadata using beyond the typical automated threat detection functionality of the system. This gives users the ability to proactively search for threats or investigate areas of special interest in a structured way. 

Enriched threat hunting also lets users create their own hunting filters and turn their ideas into automated processes. The enriched hunting interface's main purpose is for proactive defense, however it also provides resources for knowledge transfer from experienced analysts to less-experienced personnel. This series will cover a new hunting filter each week where we will detail the path Stamus Security Platform guides you on, information on the threat type, as well as the steps you can take after the hunt to automate and further streamline your threat hunting experience.

Before beginning the weekly series, we want to provide an overview of the Stamus Security Platform integrated threat hunting interface, and highlight several unique features available to users.

Dashboard

The Enriched Hunting dashboard serves as the main overview to the threat hunting tool. It includes over 50 elements of event metadata that can be viewed at a quick glance. It also includes pivoting capabilities for connection and correlation to other hunting tools.

Enriched Hunting Dashboard

Security analysts can use any piece of metadata to create simple or complex filters for things like wildcarding, negation, or inclusion. You can even include multiple fields for fast drill down capabilities. All domains, TLS SNI, IP addresses, HTTP hosts, and more can easily be checked with an external threat intelligence provider such as Virus Total.

Hunting Tools

The Stamus Enriched hunting module (as part of Stamus Security Platform) has a few major components that help the hunters in various daily tasks: 

  • Guided hunting filtersets
  • Context and classification
  • Previously unseen communications
  • Metadata search tools
  • Host Insights
  • Automation

Intro Image 2

Intro Image 3

 

Intro Image 4

Automation

Any existing or created filter-set (whether local or global) can be used to:

    • Create thresholding or suppression (to tackle the noise)
    • Auto classify any occurrences that match the filter-set
    • Escalate:
      - To Stamus Security Platform/STR
      - Create a mail or SoC chat notification
      - (via a webhook) Auto open Incident Response ticket or trigger a                 SOAR/EDR action - such as network quarantining an endpoint.
 

Guided Hunting Filter-Sets

Stamus Enriched hunting comes with over 111 ready to use guided hunting filtersets. Apart from that, any other custom filterset can be created and is limited only by the hunter’s imagination and ideas.

The filter-sets hold a very powerful hunting advantage because they can display anything from an alert event to a new proxy, printer, domain controller, or network service in the enterprise. For example, a new python based web server in the marketing department can be displayed with just a quick click.

Intro Image 5

Contextual Data

Any events that get displayed include contextual data like raw logs, related network transaction protocol data (file transactions/htp/tls/dns/flow etc), other alerts, payloads, and even extracted files.

Intro Image 6 Obfuscated

For example, in addition to the alert itself, we can see here that there are 11 other related events.

Intro Image 7 Obfuscated

Classification

Viewing both classified and unclassified data is performed with a simple switch. By toggling the needed switches, you can quickly view informational, relevant, and/or unclassified events.

Intro Image 8

Previously Unseen Communications

In the Stamus Security Platform previously-unseen communications are labeled as “Sightings”.

Knowing when certain communication metadata pieces are being seen on the network for the first time provides a big advantage to any hunter. Here, the analyst may view first time sightings of domain queries, HTTP hosts, JA3, JA3S, SMB file transfers, TLS certificates, TLS SNI, and more.

Intro Image 9

Metadata Search Tools

A drop down tool box is available to allow for easy selection of data aspects. You can even use organizational-specific network definitions to filter the search using context specific to your organization.

Intro Image 10

Host Insights

The “Host Insights” feature tracks over 60 security-related network transactions and communication attributes of a host. This provides a single place to view many aspects of the network activity relative to a given host, such as network services, users, or TLS fingerprinting forensic evidence.

Intro Image 11 Obfuscated

REST API

Intro Image 12 Obfuscated

 

Intro Image 13 Obfuscated

 

Conclusion

Enriched Threat Hunting on the Stamus Security Platform (SSP) goes beyond just locating potential threats. It can be used to identify policy violations such as the presence of shadow IT. Additional features allow for automation and escalation, which enable the user to take action after a threat has been found.

For more information on what actions you can take after a threat has been found, read our “After the Hunt” feature article. In it we detail the ways security teams can use those automation and escalation tools to know more, respond sooner, and mitigate risk for their organizations. 

To learn more about Network Detection and Response (NDR) from Stamus Networks or the included Stamus Enriched Hunting interface, click on the link below to schedule a demo.
Peter Manev

Peter Manev

Peter Manev is the co-founder and chief strategy officer (CSO) at Stamus Networks. He is a member of the executive team at Open Network Security Foundation (OISF). Peter has over 15 years of experience in the IT industry, including enterprise-level IT security practice. He is a passionate user, developer, and explorer of innovative open-source security software, and he is responsible for training as well as quality assurance and testing on the development team of Suricata – the open-source threat detection engine. Peter is a regular speaker and educator on open-source security, threat hunting, and network security at conferences and live-fire cyber exercises, such as Crossed Swords, DeepSec, Troopers, DefCon, RSA, Suricon, SharkFest, and others. Peter resides in Gothenburg, Sweden.

Schedule a Demo of Stamus Security Platform

REQUEST A DEMO

Related posts

In the Trenches with NDR: NDR Discovers Crypto Wallet Stealer on U.S. University's Network by Dallon Robinette

In the Trenches with NDR: NDR Discovers Crypto Wallet Stealer on U.S. University's Network

Tl:DR: A Large U.S. university lacked sufficient visibility into a large segment of its environment...

In the Trenches with NDR: K-12 School District Maximizes Visibility While Avoiding Alert Fatigue by Dallon Robinette

In the Trenches with NDR: K-12 School District Maximizes Visibility While Avoiding Alert Fatigue

TL;DR: An American school district needed to monitor over 5000 school-owned student devices, making...

In the Trenches with NDR: European MDR Designs Advanced NDR into Their Product Offering

In the Trenches with NDR: European MDR Designs Advanced NDR into Their Product Offering

TL;DR: A European managed security service provider seeking to launch an MDR service chose Stamus...

ABOUT STAMUS NETWORKS

Stamus Networks believes in a world where defenders are heroes, and a future where those they protect remain safe. As organizations face threats from well-funded adversaries, we relentlessly pursue solutions that make the defender’s job easier and more impactful. The global leader in Suricata-based network security solutions, Stamus Networks helps enterprise security teams know more, respond sooner and mitigate their risk with insights gathered from cloud and on-premise network activity. Our Stamus Security Platform combines the best of intrusion detection (IDS), network security monitoring (NSM), and network detection and response (NDR) systems into a single solution that exposes serious and imminent threats to critical assets and empowers rapid response. 

Indianapolis, USA Paris, France

Privacy

© 2014-2024 Stamus Networks, Inc. All rights Reserved.