Integrating SIEM into Your Threat Hunting Strategy

WHITE PAPER

Cyberthreat hunting is the process of proactively and iteratively searching through networks and data sets to detect threats that evade existing automated tools.[1] While that sounds straightforward, it is fraught with complexities that are neither obvious nor easy to remedy. For example, what are the data sets? Where do they come from? How do you search through them iteratively? How can you be proactive?

In this paper, we offer both an approach and a toolkit for threat hunting. We show you how to aggregate and correlate the data your tools provide into a single analysis tool—an advanced security information and event management (SIEM) platform—to detect and block cyberthreats. We show you how a solid threat-hunting infrastructure can help you achieve the proactive goal of the definition and how to advance the proactive defense infrastructure of your enterprise. While the centerpiece for your threat-hunting toolkit is an SIEM, we will use some open source tools to collect data and show how commercial tools can fit in as well.

Remember, threat hunting is a team sport. Sharing results of your hunts with other hunters—perhaps using different tools—can only gather more information for you both. Also, and equally important, there is a lot of data, and that means that you could take a lot of time to sift through it and get useful results. Anything that you can do to shorten the hunting cycle without sacrificing accuracy or thoroughness is a good thing.

What Are Data Sets in the Context of Threat Hunting?

Experienced threat hunters have their data set preferences, but what is most important is defining the types of data you are seeking. The overall objective of your threat management strategy will dictate, to a large degree, what types of data you need. The data dictate the data sets, and the data sets dictate the tools.
There is a misconception that you should start with the tools and work the other way. However, if you don’t know what you’re looking for, how can you know what tool to use to find it? Additionally, do you want to be able to apply forensic analysis to your data? The answer to that is usually “yes,” but that affirmative opens up a new level of complexity.

Generally, we think of the following types of data sets as useful for threat hunters:

- Resources on hosts and endpoints such as PowerShell transcripts, logs, and more
- Firewall and intrusion detection systems (IDS)/intrusion prevention systems (IPS) logs
- Malware lists and captures
- Passive DNS
- Whois
- Web logs (access, proxy, referrer, and others)
- Process execution logs
- Authentication and Active Directory logs
- Registry modifications
- Syslog and Microsoft Windows event logs
- Netflow
- Network events
- Other security device logs
- Malicious domain lists
- Crowd-sourced malicious activity lists

There are many sources for these data, and you can access the data in a variety of ways. For example, there are simple ways to collect all malicious scans and attempts against your perimeter and compare that with the same type of data collected inside your enterprise. Some of those ways are free, so there is no need to extract that data from expensive tools such as IDS. That is not to say that IDS is not useful. What we are saying is this: select the right tool for the specific task.

Another important point is that more data is always better than less data. Never mind that huge data sets are tedious to analyze. Our tools will do that analysis for us. For example, a free tool called Maltrail will collect every attack/probe attempt against us.
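As an added example that is not from the paper or from Maltrail, here is the aggregate-and-compare step in Python: events from a perimeter sensor and an internal sensor are normalized into one schema, counted by severity, and correlated across the two sources the way an SIEM would. The line format, severity labels, sensor names and sample addresses are all constructed for the example.

```python
# Added example, not from the paper: normalize events from a perimeter sensor
# and an internal sensor into one schema, count them by severity, and correlate
# across the two sources. Line format and severity labels are assumed.
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample lines: "<timestamp> <sensor> <src_ip> <dst_ip> <severity> <indicator>"
PERIMETER_LOG = """\
2024-01-01T00:01:02Z perimeter 203.0.113.7 198.51.100.10 low mass-scan
2024-01-01T00:02:10Z perimeter 203.0.113.7 198.51.100.10 low mass-scan
2024-01-01T00:05:44Z perimeter 198.51.100.77 198.51.100.10 medium ssh-bruteforce
2024-01-01T00:09:15Z perimeter 192.0.2.9 198.51.100.10 high known-bad-source
"""
INTERNAL_LOG = """\
2024-01-01T00:11:30Z internal 10.0.0.5 192.0.2.9 medium outbound-to-flagged-ip
2024-01-01T00:12:00Z internal 10.0.0.8 10.0.0.9 low smb-scan
"""
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

def parse(text: str) -> List[Dict[str, str]]:
    """Turn raw sensor lines into one common event schema (what the SIEM ingests)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, src, dst, sev, indicator = line.split(maxsplit=5)
        events.append({"ts": ts, "sensor": sensor, "src": src, "dst": dst,
                       "severity": sev, "indicator": indicator})
    return events

def severity_counts(events: List[Dict[str, str]]) -> Dict[str, int]:
    """How many high/medium/low events a sensor produced in the period."""
    return dict(Counter(e["severity"] for e in events))

def correlate(perimeter, internal) -> List[Tuple[str, str, str]]:
    """Flag internal hosts talking to an address already seen probing the perimeter:
    a perimeter-only probe is background noise; the same address reached from inside is a lead."""
    probers = {e["src"] for e in perimeter}
    return [(e["src"], e["dst"], e["indicator"]) for e in internal if e["dst"] in probers]

def hunt_queue(perimeter, internal) -> List[Dict[str, str]]:
    """Order all events high first, then by time, so the few that matter surface first."""
    return sorted(perimeter + internal, key=lambda e: (SEVERITY_RANK[e["severity"]], e["ts"]))

if __name__ == "__main__":
    p, i = parse(PERIMETER_LOG), parse(INTERNAL_LOG)
    print("perimeter by severity:", severity_counts(p))  # {'low': 2, 'medium': 1, 'high': 1}
    print("internal hosts reaching known probers:", correlate(p, i))
    for e in hunt_queue(p, i)[:3]:
        print(e["severity"], e["sensor"], e["src"], "->", e["dst"], e["indicator"])
```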
We set it on the outside perimeter of our test network. In a typical 24-hour period on our test network, with just one sensor exposed to the internet, it averages more than 6,000 events. Consider multiple sensors on a much larger footprint, such as we would see in a typical enterprise, and we likely would see well into the hundreds of thousands and, perhaps, millions of events daily. The tool breaks that down for us, and feeding its output to an SIEM breaks it down even more, enabling us to do a cogent analysis. More important, Maltrail, on a typical day, might find one high-risk event and, perhaps, five or fewer medium-risk events. The rest will be low.

Building a Threat Hunting Toolkit

To capture the data, you need a very comprehensive toolkit. That toolkit consists of cyberthreat intelligence feeds, in-house capture and logging systems, analysis tools, and correlation tools. In this section, we’ll examine some of the available tools to stock your threat lab. As you become more integrated into threat hunting, you will develop additional favorites that you can add to the list, making it more personalized for you and your organization. You may, also, determine that some of the tools we discuss are not necessary for your environment. Also, you should note that the tools that we are examining in this paper represent a sampling of what is available. There are lots of different tools, and many of