Morey Haber
Why Threat Hunting with XDR Matters

Extended detection response technology assumes a breach across all your endpoints, networks, SaaS applications, cloud infrastructure, and any network-addressable resource.

Albert Zhichun Li, Chief Security Scientist, Stellar Cyber, also contributed to this article.

Have you ever played hide and seek? If you have, you may already understand how it relates to cybersecurity threat hunting. For those who haven't heard of the game, it requires at least two people: one individual finds a hiding place and the other attempts to find him. The person tasked with seeking out the other individuals typically counts to 30, giving the individual(s) hiding a chance to run, hide, and attempt to remain undetected. It is a game of persistence, visual and audible acuity, and methodical review of previously known hiding places.

In the cybersecurity realm, hide and seek is an analogy for threat hunting, and using modern tools like XDR (extended detection response) makes the task much easier than combing through gigabytes, terabytes, or even petabytes of event data.

What is XDR? XDR is an enhanced approach to traditional endpoint detection and response (EDR). It provides a model that detects attacks across endpoints, networks, software-as-a-service applications, cloud infrastructure, and really any network-addressable resource. It provides visibility into all layers of the network and application stack, and it applies advanced detection, automatic correlation, and machine learning to reveal events traditionally missed by SIEM solutions that rely on correlation alone. In addition, it provides intelligent alert suppression to filter out the noise that plagues most organizations. If you consider our hide-and-seek model, XDR brings a proactive approach to:

  • Maximizing the efficiency of data collected from existing security and information technology investments by collecting the right data and transforming the data with contextual information.
  • Identifying hidden threats using sophisticated behavior models through machine learning.
  • Identifying and correlating threats across multiple layers of the network or application stack.
  • Minimizing information security professional fatigue by providing precise alerts for investigation.
  • Providing the necessary forensic capabilities to integrate multiple signals and to construct the big picture of attacks quickly, so security professionals can complete investigations promptly and with high confidence for indicators of compromise.

From an organization's security perspective, XDR enables teams to prevent known cyberattacks, identify new threats, and strengthen the overall security process by literally finding the attacker hiding in your network. It becomes a better way for a security professional to become the efficient "seeker" in this new hide-and-seek game. And finally, it enables users to capitalize on automated response in XDR, which represents a potential game changer for capturing and ejecting an attacker once they are identified within an organization.

For executives and new security professionals, let us apply hide and seek and XDR to threat hunting. Threat hunting is the cybersecurity practice of processing information and methodically searching through networks, assets, and infrastructure for advanced threats that are evading existing security solutions and defenses. Firewalls, intrusion prevention solutions, and log management are all designed to detect and protect against threats, even zero-day threats that have never been seen before. Threat hunting is the layer above this: What threats are actively running in my network and are missed by the aforementioned security tools, and how can I find them? XDR assumes the basic premise that the environment has already been compromised and a threat exists within it. In a typical environment, how can you determine if a threat exists and where it is hiding with just an event correlation and aggregation solution? Realistically, you can't, and that's where XDR comes into play for our hide-and-seek analogy.

Dive Deep into Log Files and Access Requests
Threat hunting and an XDR solution provide better inspection of the data already being collected. This includes diving deeper into log files and access requests, and processing application events correlated from application control solutions and networks. Then, taking XDR to the next level requires automating a response potentially at any layer to contain or mitigate the detected threat. To determine whether a threat is truly present, consider these familiar hypotheses:

  • Advanced analytics via machine learning: Behaviors (or outlier events) can be assigned risk ratings and used to determine if a high-risk pattern is occurring.
  • Situational: High-value targets are analyzed, including data, assets, and employees, for abnormalities and unusual requests.
  • Intelligence: Correlation of threat patterns, threat intelligence, malware, sessions, and asset vulnerability information to draw a conclusion.

Therefore, for threat hunting to succeed, we need to meet the following requirements:

  • Consolidation tools, like an XDR system, collecting all applicable data sources for pattern recognition. As a general rule of thumb, the more security data the better. Extra data can always be filtered out, purged, or suppressed.
  • Tools for risk assessments, intrusion detection, and attack prevention are up to date and operating correctly. If these systems are faulty, your first lines of defense are in jeopardy and so is the data they are collecting.
  • Sources of information can be correlated by user account and hostname reliably. IP address changes due to DHCP, and even clock drift caused by a poor NTP implementation, can skew the results. We need to trust the data nearly implicitly, and a well-working infrastructure is a prerequisite.
  • Crown jewels and sensitive accounts are properly identified for data modeling. This includes monitoring when they are used, who is using them, and what actions are being performed.
  • Threats to the business, like a game-over breach event, are established and used to build a hypothesis. If an attacker did "this," could my business ever recover, and what would be the cost?
  • Documentation, such as network maps, descriptions of business processes, asset management, etc., is of high importance. Threat hunting with XDR does rely on the human element to correlate information to the actual business. Without being able to map a transaction to its electronic workflow, a hypothesis is blind as to how the threat occurred and how it remains persistent.
  • The response to the threat needs to be a part of a standard workflow and be secured. If the desired result is to quarantine an asset or change a firewall configuration, the method for automated response needs to be secure so it cannot be leveraged against the business as a denial-of-service attack.
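As an added illustration of the correlation requirement in the list above (this is example code, not from the article or from either author's company), the Python sketch below resolves each event's IP address to the hostname holding the DHCP lease at that moment before grouping events, so an address reassigned mid-day does not merge two unrelated machines into one timeline. The lease records and events are constructed sample data.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed sample data, not taken from the article: a DHCP lease log and
# events from two sources that record only the client's IP address.
DHCP_LEASES = [  # (lease start, ip, hostname)
    ("2024-05-01T08:00:00", "10.0.0.5", "ws-alice"),
    ("2024-05-01T12:00:00", "10.0.0.5", "ws-bob"),  # address reassigned at noon
]
EVENTS = [  # (timestamp, source, ip, detail)
    ("2024-05-01T09:15:00", "vpn", "10.0.0.5", "login alice"),
    ("2024-05-01T13:30:00", "proxy", "10.0.0.5", "large upload"),
]

def build_lease_index(leases):
    """Map each IP to its lease assignments sorted by start time."""
    index = {}
    for start, ip, host in leases:
        index.setdefault(ip, []).append((datetime.fromisoformat(start), host))
    for assignments in index.values():
        assignments.sort()
    return index

def hostname_at(index, ip, ts):
    """Return the hostname that held `ip` at time `ts`, or None if no lease
    covers that moment (an unresolved event must not be guessed at)."""
    assignments = index.get(ip, [])
    starts = [start for start, _ in assignments]
    pos = bisect_right(starts, datetime.fromisoformat(ts))
    return assignments[pos - 1][1] if pos else None

def correlate_by_ip(events):
    """Naive correlation keyed on raw IP: both events land on one timeline."""
    timeline = {}
    for ts, source, ip, detail in events:
        timeline.setdefault(ip, []).append((ts, source, detail))
    return timeline

def correlate_by_host(events, leases):
    """Correlation keyed on the hostname that owned the IP when the event
    fired, so a DHCP reassignment keeps the two machines' timelines apart."""
    index = build_lease_index(leases)
    timeline = {}
    for ts, source, ip, detail in events:
        host = hostname_at(index, ip, ts) or f"unresolved:{ip}"
        timeline.setdefault(host, []).append((ts, source, detail))
    return timeline
```

Events whose timestamp falls outside every known lease are kept under an "unresolved" key rather than attributed to a guessed host, which is the clock-drift case the list warns about.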

About Albert Zhichun Li, Chief Security Scientist, Stellar Cyber
Albert Zhichun Li has over 15 years of experience in cybersecurity research. He has filed 40+ US patents and published many seminal research papers in top security, AI and system academic conferences.

With more than 20 years of IT industry experience and author of Privileged Attack Vectors and Asset Attack Vectors, Morey Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology ...