Unlike traditional, reactive approaches to detection, hunting is proactive. With hunting, security professionals don't wait to take action until they've received a security alert or, even worse, suffer a data breach. Instead, hunting entails looking for opponents who are already in your environment.

Hunting leads to discovering undesirable activity in your environment and using this information to improve your security posture. These discoveries happen on the security team's terms, not the attacker's. Rather than launching an investigation after receiving an alert, security teams can hunt for threats when their environment is calm instead of in the midst of the chaos that follows after a breach is detected.

To help security professionals better facilitate threat hunting, here are step-by-step instructions on how to conduct a hunt. 

1. Internal vs. outsourced 

If you decide to conduct a threat hunting exercise, you first need to decide whether to use your internal security team or outsource it to an external threat hunting service provider. Some organization have skilled security talent that can lead a threat hunt session. To enable a proper exercise, they should solely work on the hunting assignment for the span of the operation, equipping them to solely focus on this task.

When a security team lacks the time and resources hunting requires, they should consider hiring an external hunting team to handle this task.

2. Start with proper planning 

Whether using an internal or external vendor, the best hunting engagements start with proper planning. Putting together a process for how to conduct the hunt yields the most value. Treating hunting as an ad hoc activity won't produce effective results. Proper planning can assure that the hunt will not interfere with an organization's daily work routines.

3. Select a topic to examine 

Next, security teams need a security topic to examine. The aim should be to either confirm or deny that a certain activity is happening in their environment. For instance, security teams may want to see if they are targeted by advanced threats, using tools like fileless malware, to evade the organization's current security setup. 

4. Develop and test a hypothesis 

The analysts then establish a hypothesis by determining the outcomes they expect from the hunt. In the fileless malware example, the purpose of the hunt is to find hackers who are carrying out attacks by using tools like PowerShell and WMI.

Collecting every PowerShell processes in the environment would overwhelm the analysts with data and prevent them from finding any meaningful information. They need to develop a smart approach to testing the hypothesis without reviewing each and every event. 

Let's say the analysts know that only a few desktop and server administrators use PowerShell for their daily operations. Since the scripting language isn't widely used throughout the company, the analysts executing the hunt can assume to only see limited use of PowerShell. Extensive PowerShell use may indicate malicious activity. One possible approach to testing the hunt's hypothesis would be to measure the level of PowerShell use as an indicator of potentially malicious activity.

5. Collect information

To review PowerShell activity, analysts would need network information, which can be obtained by reviewing network logs, and endpoint data, which is found in database logs, server logs or Windows event logs.

To figure out what PowerShell use look like in a specific environment, the analyst will collect data including process names, command line files, DNS queries, destination IP addresses and digital signatures. This information will allow the hunting team to build a picture of relationships across different data types and look for connections.

6. Organize the data

Once that data has been compiled, analysts need to determine what tools they're going to use to organize and analyze this information. Options include the reporting tools in a SIEM, purchasing analytical tools or even using Excel to create pivot tables and sort data. With the data organized, analysts should be able to pick out trends in their environment. In the example reviewing a company's PowerShell use, they could convert event logs into CSV files and uploaded them to an endpoint analytics tool.

7. Automate routine tasks 

Discussions about automation may turn off some security analysts get turn off. However, automating some tasks is key for hunting team's' success. There are some repetitive tasks that analysts will want to automate, and some queries that are better searched and analyzed by automated tools.

Automation spares analysts from the tedious task of manually querying the reams of network and endpoint data they've amassed. For example, analysts may want to consider automating the search for tools that use DGAs (domain generation algorithms) to hide their command and control communication. While an analyst could manually dig through DNS logs and build data stacks, this process is time consuming and frequently leads to errors.

8. Get your question answered and plan a course of action

Analyst will should now have enough information to answer their hypothesis, know what's happening in their environment and take action. If a breach is detected, the incident response team should take over and remediate the issue. If any vulnerabilities are found, the security team should resolve them.

Continuing with the PowerShell example, let's assume that malicious PowerShell activity was detected. In addition to alerting the incident response team, security teams or IT administrators should the Group Policy Object settings in Windows to prevent PowerShell scripts from executing.

Thanks to Cybereason, and author Sarah Maloney for this article