In the final episode of Season One of “This is How We Do It,” Peter Havens from Cortex product marketing sits down with Leeroy Perera, staff security engineer. They discuss the practice of threat hunting and how we apply it in our SOC. In this interview, we gain valuable insights into why threat hunting is vital, its unique approach at Palo Alto Networks, and how it contributes to keeping the company and our customers safe from cyberattacks.
Palo Alto Networks, with its extensive reach to protect numerous organizations and individuals worldwide, is an attractive target for cyberattackers. To combat this threat, Leeroy emphasizes the significance of threat hunting. He defines it as a complementary task that goes beyond generic threat detection and response. While XSIAM or XDR handles generic threat detection for all customers, threat hunting at Palo Alto Networks focuses on crafting hunts that align with the company's distinct requirements. Leeroy’s team curates threat hunts that address business-specific criteria, ensuring that Palo Alto Networks remains safeguarded against threats uniquely relevant to its environment.
Peter kicks the interview off by asking point blank, “Can't we just rely on the threat detection and response products to identify all threats and prevent them?”
“Well not necessarily. Hunting is a complementary task that is coming in and trying to look at something that is business-specific and not to go and look at the detections that are already brought into all of the customers. We are trying to look at what is going on in Palo Alto Networks and being very specific to what Palo Alto Networks needs and what the SOC needs to alert on.”
Palo Alto Networks also offers a Managed Threat Hunting (MTH) service through Unit 42, which specializes in tracking the latest threat activity and adversarial tactics. Leeroy clarifies that this service is distinct from their in-house threat hunting efforts. While Unit 42 monitors evolving threat actors and tactics, Palo Alto Networks concentrates its internal threat hunting on the organization's specific needs and concerns. He states, “The MTH or Managed Threat Hunting services is providing that service, but they're doing it on a broader level. They're looking at the adversary in a different way. Looking at the tactics and techniques that they're utilizing.”
Threat hunting is essentially a hypothesis-driven approach. It begins with an idea or theory about potentially malicious activity within the company's environment. This theory is then transformed into a query using the XQL query language within Cortex XSIAM to consolidate various datasets, including endpoint, network and identity data logs. Joining data datasets refines the result into something that more richly contains threats, (i.e., “the good stuff”). Peter examines further:
“So your job is to create these theories, these hypotheses, and refine those into something that produces a rich dataset. And when you've got that, you hand that off to the security analysts to go and pursue those potential threats. They probably love you since you're feeding them with rich datasets to actually go and find real potential malicious activity within the company."
Creating an effective query requires significant refinement. Initially, the results may be too vast to handle effectively. Leeroy's team employs mechanisms like exclusion, deduplication and data joining to reduce the dataset's size while retaining valuable information. The goal is to generate a manageable dataset that is rich with potential threats.
Example: Our hypothesis — Office Files Communicating Externally
To achieve the refined dataset, we break down the process by taking the following questions into consideration:
Once a refined dataset is prepared, it's passed on to security analysts. These analysts take the data and investigate it further, ultimately leading to the identification of potential threats. Leeroy emphasizes that this collaboration between threat hunters and analysts is critical for effective threat hunting.
The outcome of a successful threat hunt isn't limited to threat identification. Leeroy mentions that their team can create custom detection and correlation rules:
“So we actually can create correlation rules ourselves. We create those, and then we test them for us. But then the product team can take our correlation rule and then use that in a broad way.”
These rules can then be used to enhance threat detection capabilities within the Cortex portfolio.
To illustrate the concept, Leeroy shares an example of a threat hunt involving unsigned dynamic-link libraries (DLLs) communicating with new domains since “the probability of a young domain communicating with an unsigned DLL is highly suspicious.”
The hypothesis was that these unsigned DLLs might be engaging in questionable activity. By focusing on this specific scenario and refining the query, they could effectively pinpoint potential threats, reinforcing the value of threat hunting.
The unique needs of Palo Alto Networks extend to code access and source code downloading, given the organization's involvement in software development. Leeroy explains that they consider behaviors surrounding code access as part of their threat hunting efforts. Behavior examples:
In conclusion, threat hunting is an indispensable practice at Palo Alto Networks. It goes beyond traditional threat detection, addressing business-specific concerns and providing a proactive stance against cyberthreats. Leeroy and his team play a crucial role in crafting hypotheses, refining queries and collaborating with security analysts to keep Palo Alto Networks secure. Their approach not only identifies potential threats but also contributes to the development of enhanced detection rules, ultimately bolstering the organization's cybersecurity defenses.
As cybersecurity practitioners, you can draw inspiration from our Palo Alto Networks threat hunting methodology to tailor your strategies to the unique needs of your organization. Ensure a proactive defense against evolving cyberthreats.