Microsoft Security

Threat hunting: Part 1—Why your SOC needs a proactive hunting team

Cybersecurity can often feel like a game of whack-a-mole. As our tools get better at stopping one type of attack, our adversaries innovate new tactics. Sophisticated cybercriminals burrow their way into network caverns, avoiding detection for weeks or even months, as they gather information and escalate privileges. If you wait until these advanced persistent threats (APT) become visible, it can be costly and time-consuming to address. It’s crucial to augment reactive approaches to cybersecurity with proactive ones. Human-led threat hunting, supported by machine-learning-powered tools like Azure Sentinel, can help you root out infiltrators before they access sensitive data.

This threat hunting blog series will dig into all aspects of threat hunting, including how to apply these techniques to your security operations center (SOC). Today’s post delves into what threat hunting is, why it’s important, and how Azure Sentinel can support your defenders. Future posts will examine how you can use other Microsoft solutions for proactive hunting.

Assume breach and be proactive

Traditional cybersecurity is reactive. Endpoint detection tools identify potential incidents, blocking some and handing off others to people to investigate and mitigate. This works for many of the routine, automated, and well-known attacks—of which there are many. However, our most sophisticated adversaries understand how these security solutions work and continuously evolve their tactics to get around them. The goal of the attackers is to remain undetected so they can gain access to your most sensitive information. To stop them, first you must find them.

Threat hunting is a proactive approach to cybersecurity, predicated on an “assume breach” mindset. Just because a breach isn’t visible via traditional security tools and detection mechanisms doesn’t mean it hasn’t occurred. Your threat hunting team doesn’t react to a known attack, but rather tries to uncover indications of attack (IOA) that have yet to be detected. Their job is to outthink the attacker.

Invest in people

Because threat hunting is concerned with emerging threats rather than known attack methods, people take the lead. It’s therefore important that they have the time and authority to research and pursue hypotheses. This isn’t possible if they are bogged down with security alerts. Many SOCs, including those at Microsoft, establish a three-tier model to address known and unknown threats. Tier 1 and Tier 2 analysts respond to alerts. Tier 3 analysts conduct research focused on revealing undiscovered adversaries. You can learn more about how Microsoft organizes its SOC in Lessons learned from the Microsoft SOC—Part 2a: Organizing people.


Figure 1. SOC using a three-tier approach: Tier 1 addresses high speed remediation, Tier 2 performs deeper analysis and remediation, and Tier 3 conducts proactive hunts.

Develop an informed hypothesis

Threat hunting starts with a hypothesis. Threat hunters may generate a hypothesis based on external information, such as threat reports, blogs, and social media. For example, your team may learn about a new form of malware in an industry blog and hypothesize that an adversary has used that malware in an attack against your organization. Internal data and intelligence from past incidents also inform hypothesis development.

Once the team has a hypothesis, they examine various techniques and tactics to uncover artifacts that were left behind. A great tool for helping with hypothesis development and research is the MITRE ATT&CK™ (adversarial tactics, techniques, and common knowledge) framework. These adversary tactics and techniques are grouped within a matrix and include the following categories:

Conduct investigation with Azure Sentinel

Although threat hunting starts with a human-generated hypothesis, threat protection tools like Azure Sentinel make investigation faster and easier. Azure Sentinel is a next-generation, cloud-based SIEM that uses machine learning and artificial intelligence (AI) to help security professionals detect previously unknown incidents, investigate suspicious activity and threats, and respond quickly to an incident. It’s an invaluable tool for threat hunting. Azure Sentinel’s built-in hunting queries help teams ask the right questions to find issues in the data already on your network. Within Azure Sentinel, an analyst can create a new query; modify existing queries; bookmark, annotate, and tag interesting findings; and launch a more detailed investigation.

Figure 2. Azure Sentinel Hunting Dashboard: The dashboard includes menus to create new queries, run all queries, and bookmark data. The dashboard also shows the number of hunting queries that exist and a pane that shows the actual Kusto Query Language for each query.

Azure Sentinel ships with built-in hunting queries that have been written and tested by Microsoft security researchers and engineers. The following 16 hunting queries were provided by Microsoft:

Threat hunters can also leverage a GitHub repository of hunting queries provided by Microsoft researchers, internal security teams, and partners. Azure Sentinel also makes it easy for your threat hunters to select a MITRE ATT&CK framework tactic that they want to query. Despite the mountains of data your team must parse in their investigation, Azure Sentinel improves the odds they will pursue the right leads.

Learn more

Effective cybersecurity requires several complementary approaches. You need to be alert to the incidents that your threat detection tools uncover. You also need to proactively hunt for threats that lurk in the shadows. Adding threat hunting capabilities to your SOC can reduce your risk from hidden adversaries. I hope this blog helps you see ways to apply these tactics in your organization. Stay tuned for future posts in this series, where I’ll walk you through practical examples of threat hunting using Azure Sentinel, as well as demonstrate how to use other Microsoft tools for such activities.

In the meantime, learn more about Azure Sentinel. For getting the best use out of Azure Sentinel, see Microsoft Azure Sentinel: Planning and implementing Microsoft’s cloud-native SIEM solution (IT Best Practices—Microsoft Press).

Bookmark the Security blog to keep up with our expert coverage on security matters and visit our website at https://www.microsoft.com/security/business. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.