6 Questions on Digital Threat Hunting with Brandon Dixon of RiskIQ

Digital threat hunting is proving to be an increasingly vital component of security analytics platforms—necessary to process the sheer volume of corporate-generated data and find malicious activity. To learn more, we asked Brandon Dixon, VP of Product at RiskIQ, 6 questions on digital threat hunting. Here’s our conversation, edited slightly for readability:  

1. What is digital threat hunting?

Digital threat hunting is the process of proactively analyzing large quantities of data—those internal to a business and those derived from public internet data sets. By examining these relationships, analysts surface new connections, group similar attack activity, and substantiate assumptions during incident response. This allows them to see the entire scope of the attack targeting them to mitigate its effects and proactively block dangerous infrastructure.

2. What are the different kinds of digital threat hunting and how do they differ?

Simply put, you can take a platform or a non-platform approach to threat hunting.

There’s really one type of threat hunting, but a number of different data sources that can inform the results. In traditional defense, an analyst may begin exploring information based on suspicious activity or an alert. Hunting is an active process that places a defender in a position to go and look for a compromise within the organization without a specific starting point. This change in tactics forces the hunter to use as much data as possible in order to recognize what’s normal—your baseline—in order to then know what’s anomalous and could be a threat.

3. Can threat hunting distinguish between threat severity?

With a thorough investigation, analysts can uncover the scope of an attack and the elements used so the organization can understand its severity. By linking it to a common actor, they can even look up its past attacks to see what the damages and fallout were.

4. How do threat hunting initiatives with open source threat feed compare to other platforms and techniques? Are they as easy and cheap as the common perspective suggests?

Let’s say an analyst is doing an investigation of a suspicious IP address. He or she might use one tool for the IP’s WHOIS lookup, which may provide information such as the resolving host, WHOIS history, and contact email for the registrar. In a separate tab, he or she would open another tool for Passive DNS lookup, which pulls in domains resolving to the suspect IP. To see if there is any open source intelligence on the IP, they would open several other tabs. After finding several domains, he or she would open up yet another tab to check them against available hashes.

However, all this data—plus more—would be inside a platform, which may also add automated analysis to build more context around each IOC (indicators of compromise) surfaced in the investigation. Rather than go from tab to tab, analysts can just pivot on these data sets with a single click, which saves hours and serves as a force multiplier so a single analyst can act as several. Additionally, a platform retains the context from those using the system and serves as a body of knowledge. The more knowledge that’s retained, the higher likelihood someone will make a connection to a new threat later on.

5. How can enterprises reduce their digital attack surfaces?

Enterprises can reduce their attack surface by having a real-time inventory of all internet-facing assets, including the components running on assets that may expose the organization to vulnerability risk including: domains, subdomains and hosts, IPs and netblocks, mail and name servers, ownership and WHOIS registration information, server types, components, and frameworks. By knowing this, they can remove assets that are not in use or stood up by attackers and make sure that everything else is patched, up to date, and secure.

6. How does digital threat hunting relate to digital business transformation? Does digital business transformation invite digital threats, and how so?

Everyone uses the internet, both the good guys and bad guys. Businesses are building out their digital footprints, adding assets such as microsites and web components to become more visible online and better interact with customers. Meanwhile, successful threat actors are building internet-scale campaigns that can overwhelm defenses. State-sponsored attacks are rampant. Each minute, RiskIQ blacklists .3 mobile apps, 100 phishing pages are published, 14.5 malicious ads traverse the digital advertising ecosystem, and 4,300 people get exposed to malware from content theft sites.

In the ongoing chess match between businesses expanding their digital presence and the actors trying to exploit growing attack surfaces, those without access to automated internet reconnaissance, whether for bad or good, are at a tremendous disadvantage. Threat hunting using these data sets is the only way analysts can properly hunt this new generation of digital threats.

Thanks again to Brandon Dixon of RiskIQ for his time and expertise.

Brandon has spent his career in information security performing analysis, building tools, and refining processes. As VP of Product, he is responsible for managing the direction of all RiskIQ offerings. Prior to RiskIQ, Brandon was the co-founder of PassiveTotal (acquired by RiskIQ) where he led development and product direction. Throughout the years, Brandon has developed several public tools, most notably PDF X-RAY and NinjaJobs. His research and development on various security topics have gained him accolades from many major security vendors and peers in the industry.