The Recorded Future for Splunk app v2.3.1 release adds threat hunting functionality: Recorded Future technical indicators can be used to retroactively search the historical logs stored in the SIEM for signs of a malware family.
What is Threat Hunting?
Threat hunting is the proactive and iterative process of searching for and detecting cyber threats that have evaded traditional security measures, such as firewalls, antivirus software, and intrusion detection systems. It involves using a combination of manual and automated techniques to identify and investigate potential security breaches and intrusions within an organization's network.
Threat hunting involves a continuous cycle of activities, including hypothesis generation, data collection, analysis, and validation. It aims to identify the presence of threats that may have gone unnoticed, as well as to identify potential vulnerabilities and weaknesses in an organization's security posture.
Workflow
Threat hunting inside Splunk is meant as a follow-on action when triaging events generated in Splunk: it lets you check whether a malware family of interest is pervasive in the client's logs. The Recorded Future for Splunk app contextualizes security events, enriching them with intelligence that helps the SOC analyst speed up an investigation. After
Log into the Recorded Future for Splunk app and click 'Threat Hunts' in the top menu
This opens the Threat Hunting interface. The top right table is a recreation of the Recorded Future Malware Threat Map, listing priority malware families ranked by their opportunity and prevalence scores. The bottom section lists all active and completed threat hunts.
The malware families listed in the Malware Threat Map can be used as a guide for what malware to set up a threat hunt for. Click on a malware family to open up the enrichment page for the malware.
A Threat Hunt is started from the malware enrichment page, where a 'Threat Hunt' button appears on the right. Clicking it opens a configuration wizard (a modal) for setting up a threat hunt search for the malware family being viewed. Choose a name for the hunt, then select which kinds of indicators of compromise (IOCs) the hunt should look for.
Once you have also selected the index, source types and event fields to search, you are ready to start the hunt.
Starting the hunt creates a new search job in Splunk. It may take some time to complete, depending on the size of the index and on how many source types and event fields you are searching. The Recorded Future app tracks the status of that job and marks the hunt "Completed" once the job finishes.
Click the 'Threat Hunts' option in the top menu to view the list of threat hunts. From this page you can see each hunt's status, including whether it has completed. You can also Edit, Duplicate and Delete hunts:
- Edit: amend the threat hunt to use different parameters from those used originally.
- Duplicate: opens the modal pre-filled with the original hunt's parameters; change any you want and click "Start Hunt" to create a completely new hunt, separate from the original.
- Delete Hunt: removes the hunt's entry from the Threat Hunt dashboard. It does not delete any threat hunt runs that were already started.
Clicking into a 'Completed' threat hunt shows its results. Any matches between the Recorded Future indicators linked to the malware of interest and the client's historical logs are listed in a table. Click the 'Search Splunk' link next to any IOC to run a Splunk search that pulls back the specific details of the event the IOC came from, such as the log source and user information.
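To make concrete what the hunt job does between "Start Hunt" and "Completed", and what the results table and its 'Search Splunk' pivot contain, here is an added Python model of the matching step. It is not code from the Recorded Future for Splunk app or from Recorded Future: the IOC values, event fields, hunt parameters, the normalisation rules and the SPL form of the drilldown are all constructed or assumed for the illustration.

```python
"""Retroactive IOC hunt over historical SIEM events (added illustration).

Not code from the Recorded Future for Splunk app. It models what a hunt job
does: take the indicators linked to one malware family, scan the selected
index / source types / event fields, and produce a match table with a
per-row pivot search. All indicators and events below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed IOC set for a hypothetical malware family. Addresses and domains
# come from reserved documentation ranges; one domain is "defanged" the way
# intel feeds often publish it, and the hash is upper-cased, to exercise
# normalisation.
IOCS: Dict[str, Set[str]] = {
    "ip": {"198.51.100.23", "203.0.113.77"},
    "domain": {"update.example[.]net", "cdn.example.org"},
    "hash": {"D41D8CD98F00B204E9800998ECF8427E"},
}

# Constructed historical events shaped like Splunk results: each carries its
# index, sourcetype and the event fields a hunt can be scoped to.
EVENTS: List[dict] = [
    {"index": "main", "sourcetype": "proxy", "host": "wks-01", "user": "alice",
     "dest_ip": "198.51.100.23", "url_domain": "update.example.net"},
    {"index": "main", "sourcetype": "proxy", "host": "wks-02", "user": "bob",
     "dest_ip": "192.0.2.10", "url_domain": "intranet.example.com"},
    {"index": "main", "sourcetype": "sysmon", "host": "wks-01", "user": "alice",
     "file_hash": "d41d8cd98f00b204e9800998ecf8427e"},
    {"index": "dns", "sourcetype": "dns", "host": "ns-01",
     "query": "CDN.EXAMPLE.ORG"},
    {"index": "main", "sourcetype": "firewall", "host": "fw-01",
     "src_ip": "203.0.113.77"},
]


def normalise(value: str) -> str:
    """Refang and case-fold so feed formatting never hides a match."""
    v = value.strip().lower()
    for old, new in (("[.]", "."), ("(.)", "."),
                     ("hxxp://", "http://"), ("hxxps://", "https://")):
        v = v.replace(old, new)
    return v


@dataclass
class Hunt:
    """The parameters the wizard asks for, plus the job state the app tracks."""
    name: str
    index: str
    sourcetypes: List[str]
    fields: List[str]
    ioc_types: List[str]
    status: str = "Not started"
    hits: List[dict] = field(default_factory=list)


def run_hunt(hunt: Hunt, events: List[dict], iocs: Dict[str, Set[str]]) -> Hunt:
    """Scan in-scope events for the selected IOC types; one hit per matching field."""
    # One lookup for all selected types: normalised value -> (type, indicator as published)
    lookup = {normalise(v): (t, v) for t in hunt.ioc_types for v in iocs.get(t, ())}
    hunt.status = "Running"
    for ev in events:
        if ev["index"] != hunt.index or ev["sourcetype"] not in hunt.sourcetypes:
            continue  # outside the index / source types chosen in the wizard
        for fld in hunt.fields:
            if fld not in ev:
                continue  # this sourcetype does not carry that field
            found = lookup.get(normalise(ev[fld]))
            if found:
                ioc_type, ioc = found
                hunt.hits.append({
                    "hunt": hunt.name, "ioc_type": ioc_type, "ioc": ioc,
                    "index": ev["index"], "sourcetype": ev["sourcetype"],
                    "field": fld, "value": ev[fld],
                    "host": ev.get("host", ""), "user": ev.get("user", ""),
                })
    hunt.status = "Completed"
    return hunt


def drilldown_spl(hit: dict) -> str:
    """Pivot search for one match row: the exact index, sourcetype and field value that matched."""
    value = hit["value"].replace("\\", "\\\\").replace('"', '\\"')
    return f'search index={hit["index"]} sourcetype={hit["sourcetype"]} {hit["field"]}="{value}"'


if __name__ == "__main__":
    hunt = run_hunt(
        Hunt("Hunt-ExampleFamily", "main", ["proxy", "sysmon"],
             ["dest_ip", "url_domain", "file_hash"], ["ip", "domain", "hash"]),
        EVENTS, IOCS)
    print(hunt.name, hunt.status, f"{len(hunt.hits)} matches")
    for h in hunt.hits:
        print(f"{h['ioc_type']:6} {h['ioc']:28} {h['sourcetype']:7} {h['host']:7} {drilldown_spl(h)}")
```

Inside Splunk the same matching is expressed in SPL, typically a lookup joined against the selected fields, but the step worth carrying over is the normalisation: a hunt that compares raw strings misses an indicator the feed published defanged or in a different case. A hunt that reaches "Completed" with no matches should therefore prompt a check of how the selected fields were compared, not only the conclusion that the family is absent from the logs.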