In today's environment, security teams face a pervasive threat landscape and must expect that some threat actors will succeed in bypassing perimeter defenses. To deal with this, security teams must learn how to actively hunt for threats both outside and inside the perimeter, using solutions such as Sumo Logic's Cloud SIEM Enterprise and Continuous Intelligence Platform.
At the Modern SOC Summit, Darren Spruell, Senior Threat Analyst on the SpecOps team at Sumo Logic, presented a set of best practices and insights drawn from the SpecOps team's experience with Sumo Logic tools, explaining how to hunt for threats successfully in hybrid environments that span on-premises infrastructure and one or more clouds.
Successful threat hunting is a process
Security operations are generally the responsibility of infrastructure security and risk management teams, so when it comes to threat hunting, those teams need to build out a program that can perform it efficiently and effectively. This may sound like a large challenge, but the SpecOps team at Sumo Logic uses a scalable, logical process that is broken down into six parts:
Use case identification
Data collection (driven by use cases)
Data normalization and enrichment
Integrated threat intelligence data
Correlation and alerting use cases
Scalable searches and data review
The threat hunting process starts with use case identification, which means identifying threat actors and how they operate, then turning that information into concrete use cases. For example, a threat actor may use phishing emails or a particular set of URLs, and those can then be targeted for monitoring. The use cases in turn drive data collection from logs, events, and other sources within the organization.
The next step is to normalize and enrich that data. This is where Sumo Logic's Cloud SIEM Enterprise plays a major role, because it can ingest a wide variety of data sources from different events, vendors, and products and normalize all of that data into a consistent schema used throughout the platform. Once the data has been normalized and enriched, it is integrated with threat intelligence data that describes active and ongoing attacks. For example, if the threat intelligence identifies known attacker infrastructure, that information is correlated against the event stream. The enriched and synthesized event streams can then be used to produce alerts from Sumo Logic's solutions.
From here, the process moves to correlation and alerting use cases. Cloud SIEM Enterprise is a cloud-native way to do this work: its correlation rules provide various capabilities, and the SpecOps team distills them into insights that drive the alerting use cases and the SOAR integrations for those alerts.
At this point, the enriched data streams, the Cloud SIEM Enterprise signals and insights, and the native record data are all available for scalable searches and data review. In the SpecOps process, this activity uses the Sumo Logic Continuous Intelligence Platform (CIP). This scalable search platform enables you to review gigabytes and terabytes of data within your environment. All the telemetry that is being generated by security devices and passing through the event workflow is available in CIP for searching and for data analytics use cases.
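The normalize, enrich, correlate and alert steps described above, reduced to a small runnable pipeline. This is an added example and not Sumo Logic's code or schema: the two vendor log formats, the common schema, the threat-intelligence indicators and the correlation rule (flag a source host that reached two or more intel-listed destinations) are all constructed here to illustrate the process.

```python
"""Added example: normalize heterogeneous events into one schema, enrich them
against a threat-intel list, then correlate into alerts. Everything below
(log formats, schema, indicators, rule) is constructed for illustration."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed raw events in two vendor-specific shapes, as a SIEM would ingest them.
RAW_EVENTS = [
    {"source": "proxy", "ts": "2024-05-01T10:00:01Z", "client_ip": "10.1.2.3",
     "url": "http://update-check.example-bad.test/login", "user": "alice"},
    {"source": "firewall", "timestamp": 1714557605, "src": "10.1.2.3",
     "dst": "203.0.113.45", "action": "allow"},
    {"source": "proxy", "ts": "2024-05-01T10:01:10Z", "client_ip": "10.1.2.9",
     "url": "https://intranet.example.test/home", "user": "bob"},
]

# Constructed threat-intelligence indicators (placeholder values, not real IoCs).
THREAT_INTEL = {
    "domain": {"update-check.example-bad.test": "phishing-kit-campaign"},
    "ip": {"203.0.113.45": "known-c2-infrastructure"},
}


@dataclass
class NormalizedEvent:
    """The single schema every downstream step consumes."""
    timestamp: str          # ISO 8601, UTC
    src_ip: str
    dst: str                # destination hostname or IP
    user: str               # empty when the source does not carry a user
    vendor: str
    enrichment: dict = field(default_factory=dict)


def normalize(raw):
    """Map each vendor format onto the common schema."""
    if raw["source"] == "proxy":
        host = raw["url"].split("://", 1)[1].split("/", 1)[0]
        return NormalizedEvent(raw["ts"], raw["client_ip"], host, raw["user"], "proxy")
    if raw["source"] == "firewall":
        ts = datetime.fromtimestamp(raw["timestamp"], tz=timezone.utc)
        return NormalizedEvent(ts.isoformat().replace("+00:00", "Z"),
                               raw["src"], raw["dst"], "", "firewall")
    raise ValueError(f"unknown source {raw['source']!r}")


def enrich(event, intel):
    """Attach threat-intel context when the destination matches an indicator."""
    for kind in ("domain", "ip"):
        label = intel[kind].get(event.dst)
        if label:
            event.enrichment = {"indicator_type": kind, "campaign": label}
    return event


def correlate(events):
    """Alerting use case: group intel hits by source host; a host that reached
    two or more distinct flagged destinations is raised to high severity."""
    by_src = {}
    for e in events:
        if e.enrichment:
            by_src.setdefault(e.src_ip, []).append(e)
    alerts = []
    for src, hits in sorted(by_src.items()):
        dests = sorted({h.dst for h in hits})
        alerts.append({
            "src_ip": src,
            "severity": "high" if len(dests) >= 2 else "medium",
            "indicators": dests,
            "users": sorted({h.user for h in hits if h.user}),
        })
    return alerts


def run_pipeline(raw_events=RAW_EVENTS, intel=THREAT_INTEL):
    """Run all steps and return (normalized events, alerts)."""
    events = [enrich(normalize(r), intel) for r in raw_events]
    return events, correlate(events)


if __name__ == "__main__":
    _, alerts = run_pipeline()
    print(json.dumps(alerts, indent=2))
```

The point of the schema step is visible in `correlate`: once proxy and firewall records share `src_ip` and `dst` fields, one rule can join evidence from both sources about the same host, which is exactly what a per-vendor search cannot do.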
By default, Sumo Logic provides out-of-the-box rules so that you can begin threat hunting without having to create your own rules from scratch. The Content Team at Sumo Logic produces global rules geared towards the MITRE ATT&CK framework, which provides a taxonomy and an enumeration of attacker tactics and techniques, that is, the general steps an attacker takes while carrying out an intrusion on a network. All of these Sumo Logic rules are tagged with classifications that identify the specific MITRE ATT&CK tactics and techniques, providing a turnkey application of Cloud SIEM Enterprise.
Identifying use cases
While turnkey rules are a good start, identifying use cases specific to your organization is the next step towards effective threat hunting. "It requires more effort," admits Darren, "but it increases the specificity and also the value of threat hunting."
The next step after turnkey rules is to integrate your threat hunting mission with your incident response mission. “Taking the lessons learned from incident response engagements and turning those into new use cases is a really effective way to do this,” says Darren.
Listen to the rest of the presentation…
Follow along as Darren walks through more about threat hunting best practices, including:
Digging deeper into use case identification
How use cases leverage data to search for threats