SANS Threat Analysis Rundown in Review: Breaking Down December 2024’s Discussion

On this month’s SANS Threat Analysis Rundown, I was joined by three distinguished guests from Splunk: David Bianco, Dr. Ryan Fetterman, and Sydney Marrone. We explored their cutting-edge framework for threat hunting known as PEAK: Prepare, Execute, and Act with Knowledge. We discussed how they conceptualized and created PEAK and how it can be applied by security professionals. Here's a recap of the discussion.

Introducing PEAK

The PEAK framework represents a modern approach to threat hunting. It builds upon foundational principles to guide organizations in enhancing their cybersecurity capabilities. David, Ryan, and Sydney used their collective expertise to shape the creation of PEAK, with a goal to provide practical, adaptable guidance for teams at varying levels of maturity. PEAK emerged as a response to the evolution of threat hunting, incorporating insights from earlier frameworks while addressing gaps in metrics, automation, and operational integration.

A good place to start with understanding PEAK is with understanding threat hunting. At its core, threat hunting involves identifying security incidents missed by automated detections. While this practice has existed for years, PEAK introduces a structured process with three main types of hunts:

1. Hypothesis-Based Threat Hunting: Focuses on using educated assumptions to search for specific threats.
2. Baseline Threat Hunting: Establishes normal patterns in an environment to detect deviations.
3. Model-Assisted Threat Hunting: Employs machine learning and algorithms to analyze data for anomalies or patterns indicative of threats.

PEAK’s strength lies in its systematic design. The framework is divided into three phases:

1. Prepare: Focuses on gathering knowledge, understanding the environment, and formulating hypotheses.
2. Execute: Involves conducting the actual hunt, analyzing data, and iterating based on findings.
3. Act with Knowledge: Emphasizes applying insights to improve security, whether by enhancing automated detections or addressing identified gaps.

David emphasized that PEAK is not just a technical guide but a holistic approach that integrates metrics, reporting, and program management.

The power of metrics

While metrics may not be a popular topic, we all agreed that they can be powerful to demonstrate the value of threat hunting and drive continuous improvement. Several key metrics that can show impactful outcomes include:

• Number of detections created or improved.
• Volume of incidents detected post-hunt due to new detection mechanisms.
• Security misconfigurations identified and remediated.

Metrics allow teams to showcase their impact, justify resources, and track progress over time. The team highlighted that even hunts that don’t reveal active threats can yield valuable insights about the environment.

Hunting with MATH adds up

A unique aspect of PEAK that differentiates it from other frameworks is that it calls out Model-Assisted Threat Hunting (appropriately abbreviated MATH). MATH focuses on leveraging algorithms, data science, and machine learning to enhance the hunting process. Unlike traditional detection approaches, which aim to create long-term, always-on analytics, MATH is about using machine learning techniques to generate insights and leads for specific threat-hunting efforts. Ryan explained that the purpose of MATH is not to replace human analysts but to augment their capabilities by tackling challenges that are otherwise too complex or time-intensive. MATH can be a tool to take a tough problem and make it more approachable as well as explore creative paths that might yield novel results.

MATH encompasses a broad range of data science and machine learning methods that can be tailored to various problems. Ryan outlined key approaches, emphasizing their practical applications:

• Classification and Clustering: These methods help group or categorize data. For example, a classifier might be trained to identify malicious domain names based on previously observed patterns, while clustering can uncover new relationships or anomalies within datasets.
• Vectorization: Text data, common in cybersecurity (e.g., logs, domain names), is transformed into numerical representations, enabling mathematical analysis. For instance, by encoding browser extensions' metadata as numerical vectors, analysts can measure similarities or anomalies across extensions, uncovering suspicious behaviors like masquerading.
• Creative Combinations: Ryan highlighted the potential for blending multiple features to enhance threat detection. In a recent project, his team analyzed Chrome browser extensions by combining text data (name and description) with graphical data (icon images). They hashed the graphical elements, vectorized the data, and compared it to detect potentially malicious extensions masquerading as legitimate ones.

MATH is especially valuable for exploring environments where traditional baselines are unavailable, developing targeted algorithms to address specific detection challenges, and identifying subtle patterns that might be missed by rule-based approaches.

Challenges and best practices

Audience members asked about practical concerns, such as the scope and timeframes for hunts and dealing with benign anomalies. The team explained that PEAK encourages flexibility: Teams can adjust hunts based on resource availability and organizational needs. Handling benign anomalies is a common challenge for many threat hunters, and the team suggested allow-listing and documenting known benign behaviors to streamline future hunts. The baseline hunting phase was particularly useful for understanding normal operations in unfamiliar environments.

The team shared examples of using PEAK to uncover misconfigurations, missing data, and suspicious behaviors. Sydney emphasized the importance of documenting findings and sharing them across security teams to maximize impact. One audience member inquired about adopting PEAK with limited resources. David recommended starting small—focusing on one phase or specific metrics—and building incrementally. PEAK’s adaptability allows for gradual implementation, making it suitable even for single administrators or small teams.

Looking ahead to 2025

We closed on a positive note with what we’re optimistic about in cybersecurity for 2025:

• Sydney is optimistic about teams better utilizing existing tools as well as the team’s forthcoming "Hunter’s Cookbook."
• Ryan is optimistic about the promise of AI and machine learning to reduce cognitive load for analysts.
• David is optimistic about “attacker’s dilemma” and the growing realization that defenders have significant advantages.
• Katie is optimistic that the community will continue sharing knowledge and collaborating to share cybersecurity practices. (like the HEARTH repository to share threat hunting ideas, which Sydney shared!)

As cybersecurity challenges continue to evolve, frameworks like PEAK, coupled with community-driven initiatives, are vital for staying ahead of adversaries. By embracing the principles of PEAK, organizations can enhance their threat detection capabilities, drive continuous improvement, and ultimately make life harder for adversaries. For those looking to deepen their understanding, check out the PEAK framework here.