
Threat Hunting With Velociraptor I – Introduction

How do you think computers are secured nowadays?

You might think with firewalls or anti-virus solutions like Windows Defender. If you want to get fancy perhaps a VPN like [insert name of VPN which keeps coming up every time I want to watch a YouTube video] or something cool like a Yubikey / fingerprint scanner to unlock your computer.

If you work for an enterprise you might answer with “DDoS (Distributed Denial of Service) protection”, “an email gateway to filter malicious emails”, or “a really expensive Microsoft product”. Either way, all of these security solutions — and many others like IDS (Intrusion Detection Systems), EDR (Endpoint Detection and Response), and WAF (Web Application Firewall) — are passive defences which a security team will put up to stop an attacker gaining access to their systems. You can think of them as walls designed to block entry and protect your precious treasure.

In cybersecurity they are means of ensuring the confidentiality, integrity, and availability of data (the fabled CIA triad).

[Image: Blue Team Castle]

Walls are good. If I was a medieval king and my castle was being besieged then I would want to be behind a few walls. However, I would also want to fight back and defend my castle! This is where threat hunting comes into play.

What is Threat Hunting?

Threat hunting is “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions” (TechRepublic). It’s the blue team’s equivalent of actively defending their castle from an ongoing siege.

The “blue team” is the name given to the people trying to defend an organisation, while the “red team” is the name given to attackers.

A threat hunter will investigate a bad guy’s or girl’s (women can be criminals too) activity before there has been a warning of a potential threat from one of the many systems organisations use to protect themselves. They do this in numerous ways:

  • They could think like an attacker and try to emulate what they would do to breach an organisation, and then search for this activity.
  • They could use analytics with machine learning or UEBA (User and Entity Behaviour Analytics) to calculate risky or uncommon behaviour patterns among users and then investigate these users.
  • They could use threat intelligence derived from OSINT (Open Source Intelligence) or private intelligence feeds to search for a particular threat actor or IOC (Indicator of Compromise) in their environment.

Threat hunters merge red and blue team tactics (attack and defence) to better protect their organisation from threats that traditional security solutions miss. This is why they are so important to modern security teams in today’s cybersecurity landscape.

When to Use Threat Hunting

Not every organisation can afford, or would benefit from, a threat hunter or cyber threat intelligence (CTI) team. There are people, procedures, and processes that an organisation must put in place before it can even think about investing in a threat intelligence department.

  1. An organisation must have a basic IT setup in place (network infrastructure, an Active Directory environment, etc.) with traditional cybersecurity protections implemented to reach a base level of security (anti-virus, hardened servers, etc.).
  2. They need to ensure that they have accurate and timely log sources which cover their entire estate so that they can effectively monitor what is actually happening in their environment. This needs to feed into a platform which can manage all of this data (e.g. a SIEM).
  3. Then they need to roll out EDR on all their endpoints to gain greater visibility, and so that they have some built-in protection if an attacker decides to attack or disable the organisation’s log sources.
  4. Finally, once all that is set up, they need an efficient way of managing their security by either outsourcing it to a managed service provider or creating their own in-house SOC (Security Operations Centre) that uses technologies like SOAR or XDR to efficiently respond to threats.

Then, and only then, can the organisation consider bolstering their active defences with a CTI team. This is one of the reasons good cybersecurity is so expensive!

[Image: Expensive Threat Hunting Setup Meme]

This list of prerequisites is by no means complete; there’s also email security, physical security, and a whole bunch of other passive measures that need to be deployed as well.

Once an organisation reaches a decent level of cybersecurity maturity, they can then look at developing a CTI team to further enhance their resiliency to cyber attacks.

This is where I, and this series, come in!

What This Series is About

In this series I will teach you the fundamentals of becoming an effective threat hunter and, hopefully, develop your cybersecurity knowledge enough that you can perform threat hunts in your own environment (be it a home lab or an enterprise).

This series will first demonstrate how to create your own environment for threat hunting and use the free Digital Forensics and Incident Response tool Velociraptor to hunt for threats. Strap in and enjoy the ride!

[Image: Let's Go Hunt Some Threat Meme]

Discover more in the Threat Hunting with Velociraptor series!