What is Threat Hunting? 

Threat hunting is the process in which specialized security analysts proactively search for threat actor behavior and attempt to defend their network before real damage can be done. The word "specialized" is critical to understanding what a successful threat hunting strategy requires, as the skill takes time to learn and is in high demand.

According to a SANS Institute survey, only 31% of organizations had dedicated threat-hunting staff in 2017. Four years later, the same survey showed that figure had jumped to 93%. Demand for threat-hunting specialists has increased over the past five years, and for good reason: attacks against enterprise organizations are increasing at an alarming rate, and it simply will no longer do to wait for an attack and then respond.

In fact, the growth of threat hunting has also improved many organizations' overall threat intelligence capabilities and security postures. SANS has seen that, because of the increase in threat hunting, security teams are getting better at continuous monitoring and are experiencing fewer false positives.

A threat hunting model is not easy to put in place, and there are several approaches. Therefore, it's important to define the goal of a specific threat hunt. From there, the team can begin to define the techniques needed for a successful hunt.

Key Elements of Threat Hunting 

So, what exactly are the specific functions in a threat hunt? As discussed above, the goals of individual hunts will vary. Accordingly, so will the detailed aspects of each hunt.

Let's look at some of the more common elements an experienced security professional is likely to encounter when undertaking a new hunt.

Data Collection and Processing: Depending on the hypothesis to be tested or the overall goal, data collection will come from different types of network logs (DNS, firewall, proxy), various sources of threat detection telemetry beyond the perimeter, and/or specific endpoint data.

Collaboration and Communication: Tools like Slack and Microsoft Teams can be automated into the threat hunting workflow, triggering new service tickets, kicking off new hunts and investigations, and – when necessary – querying individual endpoint or network users.

Documentation and Reporting: Documenting the results of a hunt is critical, whether or not it was successful. No matter the end result, this record can serve as a baseline for taking action, as a reference for future hunts with similar goals, and as a way to help identify potential repeat threat actors.

Humans and Technology: Even though a fair bit of automation is used in any given threat hunt, the people working in the security organization are the ones who calibrate that automation. From endpoint telemetry, to alerts, to network traffic analysis, technology increases analysts' ability to surface insights faster and shut down threats more definitively.

Types of Threat Hunting 

In order to conduct a successful threat hunt, it's critical to know – as discussed above – what the goal of the hunt is. Based on the determined goal(s), the hunt will typically fall into one of the formats discussed below.

Developing a Hypothesis for a Threat Hunt 

This threat hunting process is typically initiated by a member of the security organization who observes anomalous events, over time and with increasing frequency. From there, the team can begin to form a hypothesis about what may be happening, provided that hypothesis is actually testable. This will help to confirm the presence of malicious activity – or rule it out.

Types of Hypothesis-Driven Threat Hunts 

  • Intelligence-based: This makes use of indicators of compromise (IOCs) as well as known tactics, techniques, and procedures (TTPs) from which a hypothesis can be formed.
  • Situational awareness-based: This is based on deep knowledge of internal infrastructure, vulnerabilities, and core network assets. It doesn’t take into account threat intelligence, necessarily, but more so an “are we vulnerable if we take a certain action” scenario.
  • Domain expertise-based: This comes from a threat hunter's own knowledge of their assigned systems, and assumes the hunter is so in tune with the network that they know when something is "off" and can form a valid hypothesis to hunt on.

Key Threat Hunting Tools and Technologies 

Now let's look at some specific tools and processes through which hunters can test a hypothesis and determine whether a threat is really present.

Security Information and Event Management (SIEM) 

A SIEM platform can detect security issues by centralizing, correlating, and analyzing data across a network. The core functionality of a SIEM includes log management and centralization, security event detection and reporting, and search capabilities.

Endpoint Detection and Response (EDR)

EDR analytics correlate endpoint data with user analytics and threat intelligence to detect suspicious endpoint activity, and to establish whether the specific user is aware of the activity on their system.

Network Traffic Analysis Tools 

This set of tools monitors network availability and activity to identify anomalies, including security and operational issues. They allow hunters to collect both real-time and historical records of what is happening on the network.

Threat Intelligence Feeds

By maintaining visibility of real-time threat feeds, hunters become familiar with the potential threats most relevant to their environment, and therefore know how to better defend against them.

Cloud Security Monitoring and Visibility Tools 

Ideally, threat hunters will use cloud security tools to monitor multi-cloud and hybrid cloud environments, which are particularly exposed to risk. By ingesting data such as user activity, logs, and endpoint telemetry, analysts should be able to get a clear snapshot of the business's IT footprint and any suspicious activity.

User and Entity Behavior Analytics (UEBA)

The process of analyzing user behavior involves gathering insight into the network events users generate every day. Once collected and analyzed, those events can be used to detect the use of compromised credentials, lateral movement, and other malicious behavior.
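The baseline-then-deviate idea behind UEBA is easiest to see on data. The following is an added example, not code from the original page or from Rapid7: it learns which destination hosts each user normally authenticates to from a set of constructed login events, then flags logins to hosts outside that baseline and, when several new hosts are reached within a short window, raises a single "burst" finding of the kind a lateral-movement hunt would look at. The event format, user and host names, and thresholds are all hypothetical.

```python
"""Toy UEBA-style check: learn each user's normal login hosts, then flag
logins that deviate from that baseline (a new host, or a burst of new
hosts in a short window that looks like lateral movement)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical; not from any real environment).
# Tuple layout: ISO timestamp, user, source host, destination host, outcome.
BASELINE_EVENTS = [
    ("2024-03-01T08:02:00", "alice", "ws-alice", "fileserver01", "success"),
    ("2024-03-01T09:15:00", "alice", "ws-alice", "fileserver01", "success"),
    ("2024-03-02T08:10:00", "alice", "ws-alice", "mail01", "success"),
    ("2024-03-01T08:30:00", "bob", "ws-bob", "fileserver01", "success"),
    ("2024-03-02T08:45:00", "bob", "ws-bob", "fileserver01", "success"),
]

# Constructed events from the period being hunted.
HUNT_WINDOW_EVENTS = [
    ("2024-03-10T02:11:00", "alice", "ws-alice", "fileserver01", "success"),
    ("2024-03-10T02:12:00", "alice", "ws-alice", "db01", "success"),
    ("2024-03-10T02:13:00", "alice", "ws-alice", "db02", "success"),
    ("2024-03-10T02:14:00", "alice", "ws-alice", "dc01", "success"),
    ("2024-03-10T09:00:00", "bob", "ws-bob", "fileserver01", "success"),
]


def build_baseline(events):
    """Map each user to the set of destination hosts they normally reach."""
    baseline = defaultdict(set)
    for _ts, user, _src, dst, outcome in events:
        if outcome == "success":
            baseline[user].add(dst)
    return baseline


def hunt_new_host_logins(events, baseline, burst_threshold=3,
                         window=timedelta(minutes=10)):
    """Return findings: one 'new_host' entry per successful login to a host
    outside the user's baseline, plus one 'burst' entry per user when at
    least `burst_threshold` new hosts are reached within `window`."""
    findings = []
    new_host_times = defaultdict(list)
    for ts, user, src, dst, outcome in sorted(events):  # ISO strings sort chronologically
        if outcome != "success" or dst in baseline.get(user, set()):
            continue
        findings.append({"type": "new_host", "user": user, "src": src,
                         "dst": dst, "time": ts})
        new_host_times[user].append(datetime.fromisoformat(ts))

    for user, times in new_host_times.items():
        times.sort()
        for i in range(len(times)):
            j = i
            # Extend the window forward while the next new-host login still fits.
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= burst_threshold:
                findings.append({"type": "burst", "user": user, "count": j - i + 1,
                                 "start": times[i].isoformat()})
                break  # one burst finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for finding in hunt_new_host_logins(HUNT_WINDOW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(finding)
```

A real deployment would learn the baseline over weeks rather than a handful of events and would weight hosts by sensitivity (a first login to a domain controller is not the same as a first login to a print server), but the shape of the logic is the same: collect, baseline, compare.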

Threat Hunting Steps

When leveraging the right tools to test a well-formulated, specific hypothesis, what concrete threat hunting steps need to be taken?

Collect the Right Data: Identifying, and ultimately automating, the collection of the data that will make action possible is critical. If a security team suspects malicious activity, they'll want to collect and examine forensic artifacts from across the network. Part of this process is effectively triaging and analyzing that forensic evidence to quickly determine the root cause of an incident.

Customize Queries and Rules: Some managed threat hunting service partners or solutions will have built-in queries and rules – automatically surfacing alerts based on defined criteria – to quickly help threat hunters search for well-known vulnerabilities and/or threat actors. However, it helps to preserve the security team's ability to customize those queries so they can ask the questions that best fit the agreed-upon hypothesis.

Stay Informed about Tactics, Techniques, and Procedures: Threat hunting techniques should continually evolve based on the TTPs threat actors are currently using. While not always easy to uncover, continuous research into adversarial behaviors will keep security defenders proactive, sharp, and ready.

Of course, staying on top of TTP research and other intelligence sources is a daunting task, which is where a managed threat hunting partner can help speed up the process and potentially support the success of a threat intelligence program.
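The steps above (collect the right data, run built-in rules, keep the ability to customize them) and the intelligence-based hypothesis described earlier come together in a small hunt runner. The following is an added example, not code from the original page or from Rapid7. It parses constructed DNS and proxy log lines, applies two rules written as plain functions so an analyst can add or replace them to match the hypothesis the team agreed on, and returns the findings: one rule matches against an IOC list, the other looks for a client contacting the same external host at near-constant intervals. The log format, IP addresses, domain names, and the IOC list itself are all hypothetical placeholders.

```python
"""Hypothesis-driven hunt over constructed DNS and proxy logs.

Hypothesis under test: "an internal host is talking to infrastructure on
our IOC list, or is contacting an external host at a fixed interval."
Rules are plain functions so the team can swap in the questions that
match the hypothesis they actually agreed on.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed IOC list: placeholder names, not real indicators.
IOC_DOMAINS = {"bad-example.invalid"}

# Constructed log lines (hypothetical format: timestamp, client IP, key=value fields).
DNS_LOG = """\
2024-03-10T10:00:00 10.0.0.5 query=update.example-corp.internal
2024-03-10T10:00:05 10.0.0.7 query=bad-example.invalid
2024-03-10T10:01:00 10.0.0.9 query=rare.example.test
"""

PROXY_LOG = """\
2024-03-10T10:00:03 10.0.0.5 host=cdn.example.test bytes=20480
2024-03-10T10:02:00 10.0.0.9 host=rare.example.test bytes=512
2024-03-10T10:07:00 10.0.0.9 host=rare.example.test bytes=510
2024-03-10T10:12:00 10.0.0.9 host=rare.example.test bytes=515
2024-03-10T10:17:00 10.0.0.9 host=rare.example.test bytes=509
2024-03-10T10:37:00 10.0.0.5 host=cdn.example.test bytes=9000
"""


def parse_kv_log(text):
    """Parse 'ts client k=v k=v ...' lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "client": client}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = value
        records.append(rec)
    return records


def rule_ioc_match(dns, proxy):
    """Intelligence-based check: any DNS query or proxy host on the IOC list."""
    findings = []
    for rec in dns:
        if rec.get("query") in IOC_DOMAINS:
            findings.append({"type": "ioc_dns", "client": rec["client"],
                             "indicator": rec["query"]})
    for rec in proxy:
        if rec.get("host") in IOC_DOMAINS:
            findings.append({"type": "ioc_proxy", "client": rec["client"],
                             "indicator": rec["host"]})
    return findings


def rule_beaconing(dns, proxy, min_events=4, max_cv=0.1):
    """Behavioural check: a client hitting one host at near-constant intervals.
    Flags (client, host) pairs with at least `min_events` requests whose
    inter-request gaps have a coefficient of variation <= `max_cv`."""
    by_pair = defaultdict(list)
    for rec in proxy:
        by_pair[(rec["client"], rec["host"])].append(rec["ts"])
    findings = []
    for (client, host), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append({"type": "beacon", "client": client, "host": host,
                             "interval_s": avg})
    return findings


# The team's current rule set; append or replace functions to change the questions asked.
DEFAULT_RULES = [rule_ioc_match, rule_beaconing]


def run_hunt(dns_text, proxy_text, rules=DEFAULT_RULES):
    """Parse both logs once, run every rule over them, return combined findings."""
    dns, proxy = parse_kv_log(dns_text), parse_kv_log(proxy_text)
    findings = []
    for rule in rules:
        findings.extend(rule(dns, proxy))
    return findings


if __name__ == "__main__":
    for finding in run_hunt(DNS_LOG, PROXY_LOG):
        print(finding)
```

Keeping each rule as a separate function is what preserves the "customize queries" step: a built-in rule like the IOC match stays as shipped, while the beaconing thresholds, or an entirely new rule, can be tuned to the environment without touching the collection and parsing code. A finding here is a lead to triage against the documented hypothesis, not a confirmed incident; regular CDN polling, for instance, can also look periodic.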

Threat Hunting Best Practices

  • Operationalize disparate data sets: The more data sets that can be analyzed, the more thorough the search for compromise. 
  • Automate and orchestrate repeatable tasks: By automating the ongoing tasks associated with threat hunting (such as recurring scans), the team will have more time to do what they do best: stopping threat actors.
  • Orchestrate where possible: With orchestration, analysts can easily add additional tools to a data set without adding significant time to the hunt cycle.
  • Notify and respond faster: Create designated response workflows based on type of threat. This ensures hunters follow protocol and everyone works from the same data set(s).
