Modern environments use and create a lot of data. Small organizations and enterprise alike are constantly generating network traffic, activity logs, and events of all kinds. Monitoring all that data for security risks and attacks is a big task. Perch tackles the challenge using two methods of threat prevention: threat detection and threat hunting.
Threat detection is the passive monitoring of data for potential security issues. Intrusion prevention systems like firewalls and antivirus can help automatically stop most of the high fidelity, known threats targeted at your network. At Perch, we pick up where your preventative tools leave off. We detect threats utilizing an intrusion detection system (IDS) with a Perch sensor to inspect all network traffic against a set of intelligence provided by different communities, such as Proofpoint’s Emerging Threats, CrowdStrike or H-ISAC. We also utilize custom alerting through event notifications, which allows us to monitor logs from multiple sources, as well as creating customer alerts for each environment.
Once a threat detection system is placed in an environment it begins to passively inspect all traffic and logs for something it recognizes. This “matching” could be some unique string found in a malware sample, connections over unusual ports, anomalous flow volumes, creating an executable file in a temporary directory and countless more indications of compromise. When a threat detection tool determines a match, then an alert is created. In most cases, Perch utilizes bot automation to remove noise and find true positives without human intervention. At this point, a human steps in to review the activity and determine what is going on. Here is where the Perch Security Operations Center comes in to investigate and respond.
Threat hunting, while related to threat detection, is different. Hunting is actively seeking out and investigating threats rather than relying upon a threat detection system. As malicious actors find new ways to attack, and new vulnerabilities in technologies are discovered, there is an opportunity to “hunt” for that specific activity. Threat hunting looks at all present and historic collected data with the hypothesis that a “new” (or “unknown”) threat may have already occurred in your environment.
Armed with intel about an attack type or malicious actor, a threat hunter will combine technical expertise and investigative techniques to sniff out potential threats. A “hunt” will typically focus on one domain, such as the unique signatures of a newly identified malware strain or the TTPs associated with a specific actor. Utilizing a suite of advanced threat hunting tools, Perch’s analysts look back through ALL available data for previously undetected threats.
The key differences here are TIMING, INTELLIGENCE, and EXPERTISE.
Timing - Creating a detection signature is only possible after an attack or event. Threat detection signatures are then used to identify future attacks. A natural time differential exists between when a new attack is used and when a detection signature is created for that activity.
Intel - Quality threat intelligence is vitally important. The timely application of new Intel to your threat detection systems is critical for securing an environment. Perch pulls in new intel multiple times per day for this reason. However, there are some types of intel that are tricky to implement into an IDS, and so our threat hunting team spends their day scouring the Internet for new tactics and trends using the Perch platform, through standard research and from our partners in the threat intelligence community.
Expertise - This is where a strong threat hunting team is so valuable. The human element combines knowledge of TTPs and vulnerabilities with accumulated expertise and investigation techniques to continuously and actively search an environment. Even better, as a threat hunter gains experience within an environment, their knowledge of its uniqueness and baseline activity only grows with time, making it harder and harder for malicious activity to go undetected.
Security threats are constantly evolving, and serious work is required to keep up. Passive threat detection is mandatory for preventing the security issues we know about; while active threat hunting utilizes the power of human expertise to fill any gaps. Combining the strengths of both is essential to a comprehensive security platform.
- This blog post is brought to you by Patrick Snyder, in collaboration with the Perch SOC and Alex Norton.