Hear from one of Rapid7's MDR analysts on how he and the rest of the SOC team approach threat hunting, including how they pare down the data and detect anomalies in customer environments.
A threat hunt is usually when we pull back a full data set, a whole suite of host-based forensics and some network-based forensics on a customer. The point of it is to get a really good concrete picture of what’s happening in customer’s environment and a snapshot in time. We do this not because we love pulling back data but because we need to have everything in the context of each other in order to really be able to look into things that might be outliers.
When you’re looking at a bad guy, one or two little signs when out of context aren’t going to give you a great amount of value. But when you can get a piece of data and you can pivot through that to all the various points of data and create a line and be like this guy came in here through that and he went this way and that way, got his stuff, and he got out (or didn't get out).
Then we can really get a better picture because generally while detections are all well and good, they’re stuff rooted in what has happened in the past any new or emerging threats will not necessarily be caught in any of these detections. That’s why we believe that hunts are the better way for or really great way to at least cover any blind sides that you might have.
One of the intimidating things about starting a hunt is that it is a large data set, so one of the things you have to do is pare down the data, going back to user behavior analytics and attacker behavior analytics. That’s one of the techniques we use to really pare down the data. Once we have a very good established idea of what is definitely good, absolutely unequivocally good, we can pare it out, just pull it out, just pull it out and start looking at the things that are deviations, looking at things that could give us more value.
When we perform these hunts, sometimes we'll come back with some gems too. For example, one time, I was going through some hunt and I kept seeing account creations. Every day at X time, we would see a new account being spawned and these were not Billy or Jane Doe account names. These were random strings of alphanumeric characters. This is the kind of thing that you would see an attacker tool perform.
A bad guy would come in, he would go through a user who clicks on something and then he will create a new account so he can better pivot through a network. Obviously as soon as they saw that, I was in panic mode. I go in, I start looking for everything I can. Turns out that this was actually technique that one of the equipment manufacturers would use to bypass a control inaudible privilege where the general staff might not have local admin rights to download or update their firmware so this company would create a listener and then once it’s ready it would create a new account that has these privileges, go out, grab the update and bring it back and then everything looks great, and nobody knows.
Even though it turns out there wasn’t an attacker, we find more often than not that this is a good value add to the customer, letting them know what’s going on in their environment.
