Behind the Curtain: Falcon OverWatch Hunting Leads Explained

Most hunting enthusiasts agree that the thrill of hunting lies in the chase. Equipped with experience and tools of their trade, hunters skillfully search for signs of prey — a broken twig, a track in the mud. CrowdStrike® Falcon OverWatch™ threat hunters are no different. They search for signs of their prey — of adversaries lurking in the dark — and these signs are called hunting leads.

The ability to discern these subtle markers of adversary activity is critical to staying ahead of the evolving threat landscape. Adversaries commonly attempt to blend in with routine operations, using the legitimate tools at their disposal to progress their objectives. In 2022, 71% of intrusions seen by CrowdStrike were malware-free. Unlike fully automated detections, hunting leads offer the nuance and finesse needed to uncover the stealthy operations that can bypass automation, algorithms and signatures.

What Is a Hunting Lead?

Falcon OverWatch customers may be familiar with the term “hunting lead” because hunting leads generated and investigated are quantified in their Falcon console dashboards. But what exactly is a hunting lead, and how concerning are they?

First and foremost, a hunting lead is not a detection and not an alert — it is merely a beacon or an indication of something that is possibly bad. Because hunting leads may have no malicious fidelity on their own, they must be correlated and contextualized to provide value.

Just like hunters in the physical realm, cyber threat hunters operate under the assumption that prey, or adversaries, exist in their habitat. Falcon OverWatch threat hunting is a proactive, ongoing search through data, environments and endpoints to discover adversary activities that evade detection from automated security tools. A hunting lead is any individual data point that provides threat hunters with context into behavior observed. Individually, these data points may not be suspicious or malicious, but combined with other indicators, hunting leads could become detections.

Using the analogy of an animal hunter, a low-fidelity hunting lead might be disturbed vegetation. This disturbance could indicate the presence of prey. A higher-fidelity clue might be a clump of deer hair. A hunter would require more context clues to determine the location of the hunted prey.

In the context of Falcon OverWatch, a hunting lead might start with the creation of a user account — an event that happens routinely. But perhaps a web server is running on that host, and a whoami command is run under the web server process. The occurrence of one or more potentially malicious hunting leads raises the likelihood that an adversary is operating around or outside of your security tools.

The fidelity of a hunting lead may be strengthened by further related events, such as the new user being added to the local Administrators group and then listing running processes. On their own, these events aren’t inherently malicious, but in combination, they constitute a pattern of behavior consistent with adversary activity.

By pulling this thread further, a hunter may uncover a compromised web server on the host, providing the crucial clue to confirm an adversary’s presence.
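As an added example (not CrowdStrike's tooling or code), the chain described above expressed as weighted lead rules that fire on single telemetry events and are then correlated per host; the rule names, weights, 30-minute window, event field names and sample events are all constructed for this illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Assumed web-server parent names and thresholds; tune to the environment.
WEB_SERVERS = {"w3wp.exe", "httpd", "tomcat.exe"}
WINDOW = timedelta(minutes=30)  # leads on one host must fall inside this span
ESCALATE_AT = 6                 # summed weight that hands the chain to a hunter

Lead = namedtuple("Lead", "host when name weight")

# (lead name, weight, predicate). Weights are low: no single event is malicious.
RULES = [
    ("user_account_created", 1,
     lambda e: e["image"] == "net.exe" and " user " in e["cmd"] and "/add" in e["cmd"]),
    ("recon_under_web_server", 3,
     lambda e: e["parent"] in WEB_SERVERS and e["image"] in {"whoami.exe", "tasklist.exe"}),
    ("added_to_local_admins", 2,
     lambda e: e["image"] == "net.exe" and "localgroup administrators" in e["cmd"].lower()),
    ("process_listing", 1, lambda e: e["image"] == "tasklist.exe"),
]

def generate_leads(events):
    """Run every rule over every event; one event may yield more than one lead."""
    return [Lead(e["host"], e["ts"], name, w)
            for e in events for name, w, match in RULES if match(e)]

def correlate(leads):
    """Group leads per host, keep those within WINDOW of that host's earliest lead,
    and return {host: [lead names]} for chains whose weight reaches ESCALATE_AT."""
    by_host, findings = {}, {}
    for lead in sorted(leads, key=lambda l: l.when):
        by_host.setdefault(lead.host, []).append(lead)
    for host, chain in by_host.items():
        window = [l for l in chain if l.when - chain[0].when <= WINDOW]
        if sum(l.weight for l in window) >= ESCALATE_AT:
            findings[host] = [l.name for l in window]
    return findings

def _ev(host, minute, parent, image, cmd):  # builds one constructed event
    return {"host": host, "ts": datetime(2022, 6, 1, 10, minute), "parent": parent,
            "image": image, "cmd": cmd}

# Constructed telemetry modelled on the post's chain; ws07 is a lone account creation.
SAMPLE_EVENTS = [
    _ev("web01", 0, "w3wp.exe", "whoami.exe", "whoami"),
    _ev("web01", 2, "cmd.exe", "net.exe", "net user svc_backup /add"),
    _ev("web01", 3, "cmd.exe", "net.exe", "net localgroup Administrators svc_backup /add"),
    _ev("web01", 5, "cmd.exe", "tasklist.exe", "tasklist"),
    _ev("ws07", 40, "explorer.exe", "net.exe", "net user jdoe /add"),
]
```

Only web01, where the recon-under-web-server lead combines with the account creation and privilege change, crosses the threshold; the account creation on ws07 stays a single low-fidelity lead.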

Life Cycle of a Hunting Lead

A Lead Is Born

The starting point for developing a hunting lead varies — a lead could be born from a concrete observation or a simple hunch based on experience gleaned through previous hunting operations. Hunters may observe a new potentially malicious event type while searching for anomalous events, investigating tradecraft seen in an intrusion, or reviewing the latest threat intelligence on adversary activity. Or, a hunter may ask probing questions about how an adversary might devise a workaround for automated protections or apply known tradecraft in a new and unexpected context.

From these starting points, threat hunters build on their ideas and test them against available datasets and telemetry.

To assist threat hunters in their pursuits, Falcon OverWatch’s proprietary tooling assesses trillions of real-time events and surfaces millions of high-fidelity hunting leads. Then, to enable threat hunters to quickly and accurately zero in on potentially malicious activity, Falcon OverWatch’s patented and highly specialized tooling conducts several automated processes to help find and prioritize potentially malicious patterns that appear in the data.

What results are hunting leads — each one carefully curated and promptly delivered to a threat hunter’s view for further analysis.

Open Season

This is where the human element of hunting begins. Threat hunters triage the hunting leads based on the contextualized information presented to them. Anything identified as suspicious moves from triage to investigation — where a hunter will dig deep into the victim's environment to reconstruct any malicious activity surrounding the hunting lead.

For example, a hunting lead might surface interconnectivity among a number of workstations. This may be benign administrator activity, or it could indicate lateral movement by an adversary. The only way to know for sure is for a human to investigate.

Some Falcon OverWatch customers may be interested in seeing and investigating their own hunting leads. However, the sheer volume of data generated from each and every endpoint can make this an overwhelming task to adopt in-house. Customers may not have the sophisticated skills and adequate resources to reliably hunt on their own. To operate effectively at scale, Falcon OverWatch relies on specialized proprietary tooling, a globally distributed team of highly trained threat hunters and a continuous process of fine-tuning based on the latest observed threats. In some cases, a DIY approach to hunting across Falcon telemetry can significantly slow down the time to detect malicious activity and can likely result in alert fatigue.

Hunting leads are inherently noisy — if they were highly accurate and reliable, they would become automated detections. Management of the volume of hunting leads is an essential part of the threat hunting process. In fact, as threat hunting operations mature, they are likely to create more noise, which must be addressed to ensure that signal continues to outweigh noise. As the library of patterns grows, hunters will develop more experimental patterns looking for the faintest signs of unusual and anomalous tradecraft.

The number of hunting leads that Falcon OverWatch generates is nothing short of astonishing. Threat hunters sift through roughly 100 million hunting leads a day looking for even the slightest indication of hands-on-keyboard activity. Threat hunters will investigate a lead, determine that an event is malicious (at which point it becomes a detection), and notify the affected customer with relevant context in under an hour.

Leads Everlasting

Threat hunters continuously review and adjust hunting leads to improve their fidelity. Because of the ever-changing threat landscape, hunting leads categorized as high fidelity today may require revision over time based on observed events.

In some cases, hunters may identify high-fidelity hunting leads that are later turned into product detections. These detections improve the hunters’ visibility and efficiency in investigating other intrusions across our many customers.

Although hunting leads may mature, they rarely retire. This is because adversary tradecraft can go through cycles — particular techniques can go in and out of fashion and may be brought back in an entirely new context. Retaining hunting leads ensures that these cyclical trends aren’t missed.

Stopping Adversaries in Their Tracks

By constantly reviewing their hunting leads for efficacy and adding new leads as needed, Falcon OverWatch threat hunters have successfully identified breaches days, weeks and even months before they would have been uncovered by conventional automated methods. Their swift intervention limits the opportunity for adversaries to coordinate operations that lead to major breaches.

In June 2022, a Confluence vulnerability was disclosed that allowed unauthenticated remote command execution. Proof-of-concept code quickly emerged alongside public reporting that called out active attempts at exploitation by both targeted and eCrime adversaries.

Almost a week before this vulnerability was disclosed, Falcon OverWatch was already identifying and alerting victims to signs of post-exploitation activity that indicated the compromise of a web service. These prompt notifications to customers gave them the early warning they needed to contain, disrupt and mitigate the attack.

Conclusion

Successful hunting requires practice, precision and experience — acute attention to environmental details such as terrain, wind and weather. Using calculated tracking techniques, a hunter will spot a target, often from afar, and stalk its every movement — hunting it as it hides.

Likewise, human-led threat hunting combines the exploration of hypotheses with the proactive pursuit of adversaries. Employing carefully crafted hunting leads, experienced threat hunters anticipate, track and uncover adversary activity. Falcon OverWatch hunters leverage their vast professional experience, which arms them with expert knowledge, skill and intuition. Their gut instincts lead to remarkable discoveries, and their keen investigation skills uncover cutting-edge attack techniques. The powerful partnership between human threat hunters and Falcon technology creates a force to be reckoned with, and adversaries stand little chance of surviving in the wild.