Threat hunting
Plixer One Enterprise can enhance any team’s threat-hunting capabilities by providing them with centralized access to rich, contextualized data accounting for every host and conversation in a network.
Through Scrutinizer, Plixer One Enterprise is also able to provide real-time alerts for generic malware and other anomalous traffic/activity, drive efficient workflows with its purpose-built UI, and integrate multiple threat intelligence functions. This gives teams the ideal starting point for their threat-hunting operations.
Overview
Scrutinizer plays two integral roles as part of a security team’s threat-hunting program:
- Collects traffic and host data for the entire environment (including assets in the cloud), storing hundreds of thousands of data points for investigations
- Provides centralized access to all available data through various contextual views and reporting functions
This allows SecOps teams to efficiently search and analyze device-level behavior and host conversations for suspicious activity and potential threats. Historical data can also readily be accessed to hunt for indicators of attack (IoA).
Visibility and workflow enhancements
Security teams using Plixer One Enterprise can leverage the following functions and features to hunt for threats:
- Alarm monitor
The alarm monitor provides real-time alerts for anomalous behavior and other network activity violating Scrutinizer alarm policies. It functions both as a monitoring view for suspicious traffic and as an interface for drilling into activity timelines, individual event artifacts, and more.
- Customized reports
To further investigate alarms/events, users are able to run reports that can be tailored to their exact visibility requirements. These reports can also be used to drill deeper into specific data elements to identify infected hosts or malicious activity.
- Configurable detection mechanisms
Configuration options for Flow Analytics algorithms and the ML Engine allow users to tailor Scrutinizer’s monitoring and detection functions to their specific requirements. This ensures that detections are always relevant and can greatly reduce investigation/response times for security teams.
Note
Plixer One Enterprise includes additional detection techniques and mechanisms for security events.
- Host indexing
With the Host Indexing FA algorithm enabled, a user is able to look up any IP address, find out whether or not the host has been seen on their network, and explore all activity associated with it. From the search results, the user can pivot directly to any applicable report and further investigate anomalous traffic originating from or targeting the host.
See also
For additional details on incident response workflows with Scrutinizer, see this use case.
Workflows
The following workflows are sample scenarios where the functions/features bundled with Scrutinizer are used in threat-hunting activities:
Using host index to identify malicious IPs
Host indexing allows users to quickly look up IP addresses seen on the network, making it ideal for monitoring hosts that have exhibited anomalous or suspicious behavior.
Workflow
To search the host index for malicious IP addresses:
1. Navigate to Explore > Search in the web interface.
2. In the Host Index subtab, use the dropdown to switch to Multiple search mode.
3. Paste the comma-separated list of IoC (Indicators of Compromise) IP addresses into the field.
4. Review the traffic direction, byte counts, and first/last seen details for each host and, if necessary:
   - Click on the hostname/IP to view additional traffic and alarm information associated with the host.
   - Run a report filtered on the host by clicking the data source and selecting a report from the tray.
Hint
If further investigation is required, continue to refine the report configuration as needed.
See also
To learn more about configuring and refining reports, see this use case.
Reviewing Alarm Monitor for suspicious hosts
The Scrutinizer Alarm Monitor provides users with real-time alerts to both performance issues and security threats and allows them to drill into event details by policy violation or by host.
Workflow
To inspect activity for suspicious hosts using the Alarm Monitor:
1. Navigate to Monitor > Alarm Monitor in the web interface.
2. Switch to the Hosts subtab and add a filter to show only Critical severity violations.
3. Use the dropdown to switch to the Event Connections view to look for hosts involved in multiple events.
4. Drill into events or run reports filtered on potential threats as needed.
See also
To learn more about configuring and refining reports, see this use case.
Investigating off-hour network activity
Scrutinizer’s monitoring and reporting functions can isolate traffic outside business hours and alert teams to potentially malicious activity taking place during an organization’s off-hours.
Workflow
To proactively hunt for threats that remain dormant during business hours, security teams can leverage the following report filter options:
- Add a filter that excludes business hours. A report threshold can also be configured so that any activity exceeding the specified value(s) can be tracked via the Alarm Monitor.
- Define the period of time outside business hours as the report’s time window/range.
- Set the report’s time window to Last 24 hours and compare traffic data during and outside business hours.
Hint
After Scrutinizer has been deployed, default business hours can be set in the Admin > Settings > Reporting tray. These hours can be changed when configuring a business hours report filter.
Important
The Plixer ML Engine uses separate baseline models for network behavior during and outside of business hours. The default 8 am to 5 pm setting can be changed in the Admin > Settings > Reporting tray.
Identifying exfiltration outside business hours
Scrutinizer is able to isolate network activity outside of business hours, allowing teams to quickly identify data exfiltration attempts and other malicious activity taking place outside business hours.
Workflow
Data exfiltration can be identified proactively within Scrutinizer by identifying and reviewing traffic leaving your network. The Explore > Exporters > By Interface view is a good place to start, as traffic is displayed in inbound/outbound columns.
By default, this view is sorted so that your most congested interface is displayed at the top. This is worth reviewing, as large amounts of traffic leaving the network may be exfiltration.
More often, however, exfiltration follows a “low and slow” approach in which only small amounts of traffic leave the network periodically, avoiding the traffic spikes that would trigger alarms.
Because inspecting individual interfaces one at a time is inefficient, Scrutinizer reports can be used to narrow down the scope of information to be reviewed. This allows for a more streamlined approach to proactively searching for unwanted/suspicious traffic.
The following example uses the Destination Countries with AS report type:
1. Select Reports > Run Report > Select Report Type to start an ad hoc report.
2. Choose Destination Reports > Countries with AS, add the appropriate device(s), and run the report.
The report is likely to show multiple rows of autonomous systems and the corresponding country they are associated with.
Note
Class A, B, and C addresses are always classified as Uncategorized and will often include internal network addresses. In this scenario, these are likely associated with responses to internal destinations through outbound interfaces.
Narrow your search by excluding traffic that you expect to see. What remains may help identify traffic leaving the network for an unintended destination.
Once you have a more manageable subset of data, e.g., countries your organization does not do business with, you can begin to pivot to other report types. Changing the time frame or “zooming out” can also reveal possible threats in the form of suspicious traffic patterns.
Within your report, keeping the same filters, set the time frame to Last Seven Days.
Look for regularity: is a host beaconing out at a fixed interval, such as once every hour? Do flows of the same packet size leave the network on a repeating pattern?
At this point, your report likely has one or more country, AS, or host filters. Switching to another report type or using extended report options such as host reputation or geo IP lookups can lead to additional insights.
Tip
Run a report against a core router that is likely to see a majority of your traffic. Alternatively, select All Devices to identify top network conversations across the entire network.
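The off-hours filter described under “Investigating off-hour network activity” and the beaconing pattern the exfiltration workflow above asks you to look for (a fixed interval, a constant packet size) can both be expressed as a small check over exported flow records. The following is an added example written for this page; it is not Scrutinizer’s or Plixer’s code. It assumes flow records as simple dictionaries with `ts`, `src`, `dst` and `bytes` keys (an assumption, not the product’s export format), uses the 8 am to 5 pm default business hours the page mentions, and runs over a constructed sample set that contains one hourly, fixed-size off-hours beacon alongside ordinary irregular traffic.

```python
"""Off-hours beacon detection over flow records (added example, not Plixer code).

Assumptions (not from the page): a flow record is a dict with keys
ts (datetime), src, dst, bytes. Business hours default to 08:00-17:00,
the default the page gives for the ML Engine baseline.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta
from statistics import mean, pstdev

BUSINESS_START = time(8, 0)
BUSINESS_END = time(17, 0)


def outside_business_hours(ts, start=BUSINESS_START, end=BUSINESS_END):
    """True if the timestamp is outside business hours; weekends count as off-hours."""
    if ts.weekday() >= 5:
        return True
    return not (start <= ts.time() < end)


def find_beacons(flows, min_flows=6, max_interval_cv=0.1, max_size_cv=0.05):
    """Return {(src, dst): summary} for pairs whose off-hours flows recur at a
    near-constant interval with a near-constant size.

    cv = coefficient of variation (stdev / mean); a low cv means a regular
    pattern, which is what a "low and slow" beacon looks like in a report."""
    by_pair = defaultdict(list)
    for f in flows:
        if outside_business_hours(f["ts"]):          # business-hours traffic is excluded
            by_pair[(f["src"], f["dst"])].append(f)

    hits = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:                    # too few samples to call it periodic
            continue
        recs.sort(key=lambda r: r["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        sizes = [r["bytes"] for r in recs]
        if mean(intervals) == 0 or mean(sizes) == 0:
            continue
        interval_cv = pstdev(intervals) / mean(intervals)
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits[pair] = {
                "count": len(recs),
                "mean_interval_s": round(mean(intervals)),
                "mean_bytes": round(mean(sizes)),
            }
    return hits


def _make(src, dst, start, offsets, sizes):
    """Build constructed flow records at the given second offsets from start."""
    return [{"ts": start + timedelta(seconds=o), "src": src, "dst": dst, "bytes": b}
            for o, b in zip(offsets, sizes)]


# Constructed sample data (Monday 2024-01-08). Addresses are documentation ranges.
SAMPLE_FLOWS = (
    # hourly 512-byte beacon from 22:00 through 05:00 the next morning, small jitter
    _make("10.0.0.23", "203.0.113.7", datetime(2024, 1, 8, 22, 0),
          [0, 3610, 7195, 10800, 14420, 17990, 21605, 25200],
          [512, 514, 511, 512, 513, 512, 510, 512])
    # the same pair during business hours: ignored by the off-hours filter
    + _make("10.0.0.23", "203.0.113.7", datetime(2024, 1, 8, 10, 0), [0, 3600], [512, 512])
    # ordinary evening traffic: irregular timing and sizes
    + _make("10.0.0.40", "198.51.100.9", datetime(2024, 1, 8, 19, 0),
            [0, 120, 900, 4000, 4100, 9000, 9100, 20000],
            [1500, 80000, 2400, 320000, 64, 9000, 41000, 700])
    # regular but too few flows to judge
    + _make("10.0.0.55", "192.0.2.30", datetime(2024, 1, 8, 23, 0), [0, 3600, 7200], [200, 200, 200])
)


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {info['count']} off-hours flows, "
              f"~{info['mean_interval_s']}s apart, ~{info['mean_bytes']} bytes each")
```

The thresholds (`min_flows`, `max_interval_cv`, `max_size_cv`) are the knobs you would tune the same way you refine a report filter: tighter values surface only very regular beacons, looser values catch sloppier ones at the cost of more rows to review. The business-hours copy of the beacon in the sample shows why the filter matters: without it, daytime flows would dilute the interval statistics.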