Threat Hunting

Root Out Threat Actors and Malware That Have Evaded Detection


There is no silver bullet. Sophisticated threats can still evade the best cybersecurity defenses. Automated security tools let most SOC analysts handle the vast majority of threats, but some remain difficult to find and trace, let alone eradicate. This is where threat hunting becomes necessary.


Challenge


The challenge with threat hunting is that it requires time, skill, and experience, all of which are in short supply. Most organizations cannot attract, let alone afford or retain, the top-tier security talent required to hunt the most difficult threats effectively.

Solution


FDR is a game-changer for SOC threat hunting. DFI converts streams of raw file data into scored, actionable intel, focusing hunt activity exactly where it is most needed. Advanced search allows threat hunters to build complex boolean queries across a variety of fields. RetroHunting brings session- and file-level search, automated retrospective analysis, retrospective data leak discovery and more to the hunt, enabling threat hunters to rapidly scour history for the presence of malware, ransomware, exploits and other end-user-induced security issues. Historically this has been difficult, laborious, and time-intensive, achievable only by the most skilled and experienced threat hunters. FDR RetroHunting provides a set of automated features that dramatically speeds up and simplifies the effort, not only further empowering the best and brightest, but also opening the door for newer, less experienced SOC personnel to hunt effectively.

Whether the hunt is structured (initiated by an Indicator of Attack (IoA) or attacker TTP), unstructured (initiated by an Indicator of Compromise (IoC)), or driven by a situational hypothesis (initiated by an internal risk assessment or vulnerability analysis), FDR enables faster, more effective results, saving SOC time and minimizing loss of or damage to critical assets.

The Advantages of FDR Threat Hunting


Advanced Search

Advanced search makes session headers and file metadata immediately searchable from the FDR GUI, enabling threat hunters to build complex boolean searches across a variety of fields.

Automated Retrospective Analysis

A variety of general patterns for sensitive and personally identifiable information (PII) are bundled with FDR. These include SSNs, classified document watermarks, financial information, and more. Bundled patterns, however, will never cover every form of data leakage. In cases where sensitive information has been leaked and defenders want to tie that data back to the network stream that carried it, RetroHunting can help. A user-defined signature containing the relevant leaked keywords can be added to FDR; if these keywords are found anywhere in the semantic or meta layers, an alert is produced. With FDR, keyword searches also cover images: FDR applies Optical Character Recognition (OCR) to image content, so a keyword that appears inside an image, e.g. a handwritten SSN, still produces an alert on the lexicon match.

Validate Detection Logic

Analysts and threat hunters can further leverage FDR to test the efficacy of a signature against production-grade data before it goes live, so that a noisy rule is caught in testing rather than overwhelming security staff with false positives. This significantly speeds up and simplifies the analyst's work of writing YARA-compatible rules that combine strings, byte patterns, and regular expressions through flexible conditional logic.
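The retrospective leak hunt and the validate-before-deploy loop described above, as an added example that is not FDR's own code or API. It models a YARA-style signature (text strings, hex byte patterns with `??` wildcards, regular expressions, and a condition over match counts), runs it retrospectively over a small constructed corpus of carved files with their session metadata, narrows the hunt with a boolean filter over that metadata, and measures precision against a set of known-bad records so a loose rule can be tightened before it is propagated. The `FileRecord` fields, the `ocr_text` stand-in for an OCR pass, the digests and the sample files are all assumptions made for the example.

```python
"""Added example: a YARA-like retrohunt with validation, not FDR code."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set


@dataclass
class FileRecord:
    """One carved file plus the session metadata it travelled in (constructed)."""
    sha256: str          # short placeholder digests below, not real hashes
    filename: str
    src_ip: str
    dst_host: str
    content: bytes       # semantic layer: the decoded file body
    ocr_text: str = ""   # text a real OCR pass would pull from an image; hard-coded here


# Constructed corpus: one leaked document, one leaked scan, two benign files, one PE.
CORPUS: List[FileRecord] = [
    FileRecord("a1", "q3_forecast.docx", "10.0.0.5", "mail.example.com",
               b"Internal only. Project Aurora budget. Owner SSN 123-45-6789."),
    FileRecord("b2", "scan.png", "10.0.0.7", "drive.example.net",
               b"\x89PNG\r\n\x1a\n...", ocr_text="Name: J. Doe  SSN 987-65-4321"),
    FileRecord("c3", "invoice.pdf", "10.0.0.9", "vendor.example.org",
               b"Invoice 1234-56-7890 total 1,200.00"),      # 4-2-4 shape, not an SSN
    FileRecord("d4", "notes.txt", "10.0.1.2", "pastebin.example.com",
               b"ticket 555-12-3456 reopened"),              # SSN-shaped, but a ticket id
    FileRecord("e5", "setup.exe", "192.0.2.44", "cdn.example.com",
               b"MZ\x90\x00\x03\x00PE\x00\x00"),
]
KNOWN_BAD: Set[str] = {"a1", "b2"}   # ground truth for validation (constructed)


@dataclass
class Signature:
    name: str
    strings: Dict[str, "re.Pattern[bytes]"]        # $id -> compiled pattern
    condition: Callable[[Dict[str, int]], bool]   # evaluated on per-string match counts


def hex_pattern(spec: str) -> "re.Pattern[bytes]":
    """'4D 5A ?? ?? 50 45' -> bytes regex; each '??' is one wildcard byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in spec.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def text_pattern(s: str, nocase: bool = False) -> "re.Pattern[bytes]":
    return re.compile(re.escape(s.encode()), re.IGNORECASE if nocase else 0)


def regex_pattern(s: str, nocase: bool = False) -> "re.Pattern[bytes]":
    return re.compile(s.encode(), re.IGNORECASE if nocase else 0)


def scan(sig: Signature, rec: FileRecord) -> Dict[str, int]:
    """Count matches per string over the file body plus its OCR text."""
    haystack = rec.content + b"\n" + rec.ocr_text.encode()
    return {sid: len(pat.findall(haystack)) for sid, pat in sig.strings.items()}


def retrohunt(sig: Signature, corpus: Iterable[FileRecord],
              where: Optional[Callable[[FileRecord], bool]] = None) -> List[str]:
    """Retrospective sweep: optional boolean metadata filter, then the signature."""
    return [r.sha256 for r in corpus
            if (where is None or where(r)) and bool(sig.condition(scan(sig, r)))]


def validate(sig: Signature, corpus: List[FileRecord], known_bad: Set[str]) -> dict:
    """Measure a candidate rule against retained data before propagating it."""
    hits = set(retrohunt(sig, corpus))
    return {
        "hits": sorted(hits),
        "false_positives": sorted(hits - known_bad),
        "missed": sorted(known_bad - hits),
        "precision": len(hits & known_bad) / len(hits) if hits else 0.0,
    }


SSN = r"\b\d{3}-\d{2}-\d{4}\b"
# First draft: any SSN-shaped number. Too loose, as validation shows.
LEAK_LOOSE = Signature("pii_ssn_loose", {"ssn": regex_pattern(SSN)}, lambda m: m["ssn"] > 0)
# Tightened: SSN shape plus a label or the leaked project keyword (hypothetical keyword).
LEAK_TIGHT = Signature(
    "pii_ssn_labelled",
    {"ssn": regex_pattern(SSN),
     "label": regex_pattern(r"\bSSN\b", nocase=True),
     "aurora": text_pattern("Project Aurora", nocase=True)},
    lambda m: m["ssn"] > 0 and (m["label"] > 0 or m["aurora"] > 0),
)
# Hex-pattern rule: DOS 'MZ' stub followed four bytes later by a 'PE' marker.
PE_CARVED = Signature("pe_header", {"mz_pe": hex_pattern("4D 5A ?? ?? ?? ?? 50 45")},
                      lambda m: m["mz_pe"] > 0)


def internal_to_mail(rec: FileRecord) -> bool:
    """Example boolean metadata filter: RFC1918 10.0.0.x source, not the drive host."""
    return rec.src_ip.startswith("10.0.0.") and not rec.dst_host.endswith("example.net")


if __name__ == "__main__":
    for sig in (LEAK_LOOSE, LEAK_TIGHT):
        print(sig.name, validate(sig, CORPUS, KNOWN_BAD))
    print("filtered hunt:", retrohunt(LEAK_TIGHT, CORPUS, where=internal_to_mail))
    print("carved PE files:", retrohunt(PE_CARVED, CORPUS))
```

The loose rule flags the ticket number in `notes.txt` as well as the two real leaks; the tightened rule keeps both true positives and drops the false positive, which is the kind of result a hunter would want to see before pushing a rule into production. The OCR text is matched through the same path as the file body, so the handwritten-SSN case reduces to ordinary keyword matching once OCR has run.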

Implement Detection Logic

New signatures and rules developed as the result of a successful hunt can be propagated from the FDR GUI for immediate production use, closing the loop from hunt finding to automated detection.