Best Practices Guide

Threat Hunting Guide


Threat hunting is an important part of any security program. Regardless of how well-designed a security tool is, we must assume these tools and defenses are imperfect.

Business environments are constantly changing: new tools are introduced, old tools are removed, and configuration changes are made to support those changes. Each of these changes can introduce new vulnerabilities to the environment.

A recent example is the F5 vulnerability CVE-2020-5902, which impacted the Traffic Management User Interface (TMUI) of F5’s BIG-IP. This interface should never be publicly accessible; users should be required to authenticate securely and connect to the LAN before they can reach it.

At Vectra AI, we’ve seen instances where this was not the case and the TMUI has been accessed and exploited.

2020 brought a huge shift of remote work due to COVID-19 and had operations teams scrambling to:

  1. support this new work environment
  2. secure users as they made the shift from office to home.

Supporting this type of shift, especially for a business not ready to support it, introduces a multitude of security headaches. In a seismic shift like this, the primary focus for the business is ensuring operations are not interrupted, which leaves security teams with less influence over implementation and stuck supporting a solution not designed with security in mind. Without proper oversight, vulnerabilities can be exposed and attackers will take advantage.

There are many examples of why hunting is important, and the two we discuss below underline the need for hunting programs.

Let’s explore how security teams can leverage Vectra Detect and your Network Metadata to hunt for malicious behavior. In addition, while we reference Vectra Recall in this document, the techniques described for Vectra Recall can easily be implemented leveraging your data from Vectra Stream.

In this e-book, you'll learn:

How to hunt IOCs (Indicators of Compromise)

It’s important to keep an ear to the ground and make sure you are aware of any new compromises which are announced. But it’s just as important to be able to action new indicators of compromise when you hear of them. In this section, we will describe common IOCs, what they can indicate, why you should care, and how you can search for these IOCs in your network metadata.

Categories of Attack Steps in the Killchain

We describe attack techniques you can search for in your Network Metadata. We have grouped these techniques according to the step of the MITRE ATT&CK framework they relate to.

How to automate Threat Hunting

The techniques listed in this document are meant to be a representative sample of methods you can use to hunt for threats in your organization. These act as an extra layer of security beyond Vectra AI’s advanced behavior-based detections, which utilize your expertise of the network to gain insights from the hugely valuable network metadata which Vectra AI monitors in your organization.
