It’s dark and you’re alone. Out of the corner of your eye you detect a furry shape looming over you. Is it a threat? It could very well be. If you’re hiking in tiger territory, you could soon end up as someone’s snack. On the other hand, if you’re in your own living room, you may just need to shoo Mister Fluffers off the bookshelf. The point is, not every detection is a threat. A lot depends on context.
Effective cybersecurity protection begins with early and accurate detection. That’s where threat hunting comes in – sorting through the noise to identify the truly nefarious activity. It’s all about identifying anomalies and vulnerabilities before they escalate into a damaging attack. Threat hunting could keep a team of specialists occupied full time. If it’s done right, it’s never done, because your environment is dynamic and so are the threats.
Blumira provides automated threat detection backed by a team of cybersecurity experts who are dedicated to staying on top of what criminals are up to. This involves tracking common and emerging cyberthreat tactics, techniques, and procedures (TTPs) in order to build new detections into the Blumira platform. However, there are tools and techniques you can implement to do some of your own threat hunting.
Some Blumira customers supplement the platform's detections with their own threat hunting by following these recommended strategies:
A critical component of threat hunting is stored activity logs. By examining accumulated log data, an analyst first establishes a baseline of normal activity, then sets that baseline aside and focuses on the outliers: events that deviate from it by more than the usual variation (a few standard deviations, for instance), since those are what point to problems or vulnerabilities. Of course, that doesn’t mean every outlier is a problem. You need to understand anomalies in context and know how to react when a threat is identified.
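As an added illustration (this is not Blumira's code or detection logic), here is a small baseline-and-outlier pass in Python over constructed failed-login log lines. It builds a per-user, per-hour-of-day baseline from a quiet week, flags review-day hours that sit more than three standard deviations above that baseline, and then applies the context the paragraph calls for: an outlier coming from a source address the user has never used is escalated, while one from a familiar address is only queued for review, and a service account's nightly batch of failures stays inside its own baseline and is not raised at all. The log format, user names, addresses, thresholds and the week of sample data are all assumptions made for the example.

```python
"""Baseline-and-outlier triage over constructed authentication logs.

Added example, not Blumira's code. Every log line here is constructed
by the helpers below; the format "ts user=<u> src=<ip> result=<r>",
the users, the addresses and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta
import statistics

Z_THRESHOLD = 3.0   # flag an hour more than 3 standard deviations above baseline
MIN_STDEV = 1.0     # floor so a perfectly flat baseline does not flag one extra failure


def make_line(ts, user, ip, result="fail"):
    return f"{ts.isoformat()} user={user} src={ip} result={result}"


def parse_line(line):
    ts_str, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def truncate_hour(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def constructed_baseline_logs(start=datetime(2024, 3, 1), days=7):
    """Seven quiet days: the training window (constructed data)."""
    lines = []
    for h in range(days * 24):
        ts = start + timedelta(hours=h)
        if ts.hour % 2 == 1:                 # alice: one mistyped password every other hour
            lines.append(make_line(ts, "alice", "10.0.0.5"))
        if 9 <= ts.hour <= 17:               # bob: one failure per working hour
            lines.append(make_line(ts, "bob", "10.0.0.7"))
        if ts.hour == 2:                     # svc-backup: cron job with a stale credential
            lines += [make_line(ts, "svc-backup", "10.0.0.20")] * 5
    return lines


def constructed_eval_logs(day=datetime(2024, 3, 8)):
    """The day under review, with three different kinds of event (constructed)."""
    lines = []
    lines += [make_line(day.replace(hour=2), "svc-backup", "10.0.0.20")] * 5   # same nightly job
    lines += [make_line(day.replace(hour=10), "bob", "10.0.0.7")] * 12         # bob forgot a new password
    lines += [make_line(day.replace(hour=3), "alice", "203.0.113.9")] * 40     # sprayed from an unknown address
    return lines


def hourly_counts(records):
    """Failed logins per (user, hour bucket)."""
    counts = defaultdict(int)
    for r in records:
        if r["result"] == "fail":
            counts[(r["user"], truncate_hour(r["ts"]))] += 1
    return counts


def build_baseline(records):
    """Per (user, hour-of-day) mean/stdev of failures, zero hours included,
    plus the set of source addresses each user was seen from."""
    counts = hourly_counts(records)
    dates = sorted({r["ts"].date() for r in records})
    stats, known_ips = {}, defaultdict(set)
    for r in records:
        known_ips[r["user"]].add(r["src"])
    for user in known_ips:
        for hour in range(24):
            samples = [counts.get((user, datetime.combine(d, time(hour))), 0) for d in dates]
            stats[(user, hour)] = (statistics.mean(samples), statistics.pstdev(samples))
    return stats, known_ips


def triage(eval_records, stats, known_ips):
    """Return outliers above Z_THRESHOLD, each with a context-based verdict."""
    findings = []
    for (user, bucket), n in sorted(hourly_counts(eval_records).items()):
        mean, stdev = stats.get((user, bucket.hour), (0.0, 0.0))   # unknown user: no baseline
        z = (n - mean) / max(stdev, MIN_STDEV)
        if z <= Z_THRESHOLD:
            continue   # inside the baseline: the nightly cron failures land here
        srcs = {r["src"] for r in eval_records
                if r["user"] == user and truncate_hour(r["ts"]) == bucket}
        new_source = not srcs <= known_ips[user]   # any address never seen for this user?
        findings.append({"user": user, "hour": bucket.isoformat(), "count": n,
                         "z": round(z, 1), "new_source": new_source,
                         "verdict": "escalate" if new_source else "review"})
    return findings


def run_example():
    baseline = [parse_line(l) for l in constructed_baseline_logs()]
    stats, known_ips = build_baseline(baseline)
    return triage([parse_line(l) for l in constructed_eval_logs()], stats, known_ips)


if __name__ == "__main__":
    for f in run_example():
        print(f)
```

Keying the baseline on hour of day is what keeps the backup account's five failures at 02:00 quiet: against a flat all-hours average that same burst would score as an outlier every night. The source-address check is only one kind of context; in practice you would add others (new geography, new device, a change ticket that explains the activity) before deciding what to do with a flagged hour.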
Most small- and mid-sized businesses don’t do much of their own threat hunting. To begin with, they lack the resources to manually collect, store, and analyze vast amounts of log data. However, lack of visibility into your environment isn’t a safe option.
Activity logs are also vital to remediating cybersecurity incidents. “I’ve heard people in the InfoSec community complain that they can’t figure out what happened because they don’t have logs,” explains Amanda Berlin, Director of Incident Detection Engineering at Blumira. “They know the results, but don't know the backstory – what led up to the disaster that they’re dealing with. That's why getting logs from the beginning is so important.”
Blumira simplifies and automates the threat hunting process by collecting and securely storing your log data, then analyzing that data to detect and block threats. Blumira threat hunting is backed by a team of cybersecurity experts who know the difference between a hungry tiger and a mischievous cat.
One benefit of the Blumira SaaS platform is that it’s updated automatically with new and emerging threats. Here’s a glimpse at the methodology the Blumira team follows for threat hunting:
Ongoing threat hunting keeps the Blumira platform up to date with emerging threats. Our support teams will also tailor detections to the unique needs of your environment.
Amanda Berlin illustrates the point of proactive threat detection this way: “If a ransom demand is the first indication of an intruder in your system, it's not good. You’ve definitely had them in there for a while at that point.”
Cyberthreats continue to evolve, making continuous threat hunting crucial. Small and mid-sized organizations choose Blumira so they can focus on their core business objectives, not the complexities of cyber crime fighting. Blumira users spend about 15 minutes a day on the platform, and their Blumira team is always available to discuss particular findings or fine-tune the platform to their environment. Contact us to learn more about automated threat detection, or try Blumira today.
Try Blumira XDR free for 30 days, or use our Free SIEM with three cloud integrations and 14 days of data retention, free forever. Sign up to start protecting your organization in minutes.
For more information on threat hunting, watch this video interview between Amanda and Tom Lawrence, tech entrepreneur, YouTuber, and open-source advocate with decades of experience.