Threat Hunting: What Is It and Why It’s Necessary?

essidsolutions

Security teams often wait until some indicator of compromise (IoC) pops up in a log management portal, or worse, they wait until customers or security researchers notify them of a possible breach. This approach is no longer appropriate. Advanced persistent threats (APTs) can persist for several months until discovered. The damage caused to the organization is potentially very high. Threat hunting is an addition to existing monitoring countermeasures that proactively searches for threats already working on the network… or trying to.

What is Threat Hunting?

Threat hunting comprises processes that proactively search for cyber threats operating undetected on the network. It is not the same as looking for IoCs that appear during monitoring; threat hunting assumes the attackers have already bypassed the detection methods in place.

Robert M. Lee and Rob Lee write that threat hunting is “a focused and iterative approach to searching out, identifying, and understanding adversaries internal to the defender’s networks.” Organizations usually use an unstructured approach that relies on monitoring and log management (SIEM). Threat hunting is a structured approach that uses tools and techniques that dig deep, not depending on receiving IoCs on a security portal.

Threat hunting begins when threat intelligence indicates that an organization is a probable target of one or more threats.


Threat Intelligence

Threat hunting begins with understanding what threats might be on the network. It also requires understanding how those threats invade and take up residence on one or more network devices.  

The Pyramid of Pain, developed by David J. Bianco, is a good model of the information needed to understand what to look for when hunting for a threat. See Figure 1. Some of these may arise in security monitoring portals. Others may not. As we move up the pyramid, it becomes harder to detect IoCs and prevent the related attacker activities.

Figure 1: Pyramid of Pain

The following list contains summaries of Bianco’s explanations for the pyramid levels.

  • Hash values. Changes to hash values indicate a change to a file. A different hash value for a common file might also suggest that the original file was replaced with a malicious file.
  • IP addresses. If we understand the IP address used by a threat, we can block it. However, attackers understand this. Consequently, they can frequently change the IP addresses used in the attack.
  • Domain names. Like IP addresses, known malicious domain names are a good start in understanding a threat. However, domain names are also an IoC that is easily changed multiple times during an attack.
  • Network artifacts. These are observable elements hunters can detect in data streams, including URI patterns, command and control (C2) information included in network protocols, distinctive HTTP User-Agent or SMTP Mailer values, and artifacts in other protocols.
  • Host artifacts. Attackers often leave artifacts on compromised devices, including known malicious registry keys or values, files, or directories known to accompany specific attacks.
  • Tools. Hunters can identify tools used by a threat across the network by understanding how they are used and the related IoCs. IoCs include backdoors used for C2, password crackers, or other utilities known to underlie one or more threat vectors.
  • Tactics, Techniques, and Procedures (TTP). This is at the top of the pyramid because it is difficult to detect and nearly impossible to prevent. TTPs span both attack paths: through the perimeter and via users. They include reconnaissance, methods of compromise, and covering tracks.
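As an added illustration (not from the article or Bianco’s work), the following Python script runs a small hunt over constructed proxy log lines, matching each record at three pyramid levels: an exact IP, an exact domain, and a User-Agent/URI network-artifact pattern. The indicators, log lines, and the `/gate.php` check-in pattern are constructed placeholders; the point it shows is that when the second client talks to fresh infrastructure, only the artifact rule still fires.

```python
import re
from typing import Dict, List

# Constructed proxy log lines (tab-separated; not from the article):
# timestamp, client, dest_ip, domain, user_agent, uri
SAMPLE_LOGS = "\n".join([
    "2024-03-01T09:00:01\t10.0.0.5\t203.0.113.10\tupdates.example.net\tMozilla/5.0\t/index.html",
    "2024-03-01T09:01:12\t10.0.0.5\t203.0.113.77\tqz8x.example.biz\tMozilla/4.0 (compatible; MSIE 6.0)\t/gate.php?id=42",
    "2024-03-01T09:02:30\t10.0.0.9\t192.0.2.44\tnews.example.com\tMozilla/5.0\t/today",
    # Same campaign after rotating infrastructure: new IP and domain, same tooling.
    "2024-03-01T09:03:44\t10.0.0.7\t198.51.100.9\tk71p.example.org\tMozilla/4.0 (compatible; MSIE 6.0)\t/gate.php?id=77",
])

# Constructed indicators, low to high on the Pyramid of Pain.
BAD_IPS = {"203.0.113.77"}
BAD_DOMAINS = {"qz8x.example.biz"}
# Network artifact: the hunt hypothesis (assumed here) is that the tooling announces
# itself with an obsolete MSIE User-Agent and a "/gate.php?id=" check-in URI,
# so we match a pattern rather than an exact value.
ARTIFACT_UA = re.compile(r"MSIE [56]\.0")
ARTIFACT_URI = re.compile(r"^/gate\.php\?id=\d+$")


def classify(fields: List[str]) -> List[str]:
    """Return the pyramid levels at which one log record matches."""
    _ts, _client, dest_ip, domain, ua, uri = fields
    levels = []
    if dest_ip in BAD_IPS:
        levels.append("ip")
    if domain in BAD_DOMAINS:
        levels.append("domain")
    if ARTIFACT_UA.search(ua) and ARTIFACT_URI.match(uri):
        levels.append("network_artifact")
    return levels


def hunt(log_text: str) -> Dict[str, List[str]]:
    """Map each client with at least one hit to the levels it matched on."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # malformed record; a real hunt would log it and keep going
        levels = classify(fields)
        if levels:
            hits.setdefault(fields[1], []).extend(levels)
    return hits


if __name__ == "__main__":
    for client, levels in hunt(SAMPLE_LOGS).items():
        print(client, sorted(set(levels)))
```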

The use of threat intelligence and hunting frameworks like MITRE ATT&CK provides a detailed analysis of how to identify and manage IoCs. ATT&CK also includes a detailed analysis of what to do to prevent known attack vectors.


How to Hunt Threats

As with any security activity, it helps to follow an established methodology. This article uses the TaHiTI (Targeted Hunting integrating Threat Intelligence) methodology. TaHiTI focuses on the top three layers of the Pyramid of Pain, the layers at which threats are hardest to control. TaHiTI consists of three phases.

    1. Initiate
    2. Hunt
    3. Finalize

Figure 2 shows the three phases and the steps within each.

Figure 2: The TaHiTI Process (FI-ISAC)

The following TaHiTI description is based on the definitive FI-ISAC NL TaHiTI methodology document. All graphics are also from that document.

Phase I: Initiate

Initiation includes threat intelligence processes. The hunting process starts when a trigger event occurs. As shown in Figure 2, a trigger can occur when discovering a new threat in one of the security team’s threat intelligence resources. Sometimes, hunting for one threat reveals evidence of another active threat. Sometimes, the trigger is the appearance of IoCs in security monitoring processes. Finally, a troubling finding might arise when conducting Red Team/Blue Team exercises.

Figure 3: Hunting Triggers

Waiting for one of the previous triggers is unnecessary if an organization has a dedicated threat hunting team or has engaged a third party to manage threats. Using MITRE ATT&CK, hunters can simply work through the various attack scenarios to see if they are compromised or on the cusp of compromise.

Once a trigger happens, the hunting team creates an abstract. The abstract is a short document that focuses on the hunting activity. It includes a description of the trigger; an initial hypothesis of what caused the trigger and where to look; and the hunting target priorities. The priorities are set based on the probability of compromise and the associated risk.

Phase II: Hunt

As the team discovers new evidence, they refine the abstract and turn it into an actual investigation document.  Additional targets and search criteria are created. The hypothesis is adjusted and finalized.  

The abstract is refined using several tools, including: 

    • MITRE ATT&CK
    • Additional threat intelligence
    • Hunt classifications using the cyber kill chain or other methods

Once the team refines hunt parameters, it begins gathering data from a data store created by collecting logs from devices across the network. Organizations should already have log aggregation processes in place. Network traffic gathering tools like Wireshark are also needed.

As the team analyzes the data, it may find additional information that requires adjusting the hypothesis, the scope of the hunt, the selected data sources, or the analysis techniques.

Analysis of information gathered is not always a simple process. It requires the right tools and techniques. Several hunting TTPs are described in the FI-ISAC document.

Phase III: Finalize

As with all information security activities, the team must document the hunt from the trigger through analysis.  Stakeholders, risk managers, and other affected teams or individuals receive a copy of the report.  

The hunting team does not necessarily respond to a discovered threat. Discovering a resident threat on a network or host requires initiation of incident response, as shown in Figure 4.

Figure 4: Processes Triggered by Threat Hunting Investigations

Figure 4 shows activities governed by policy that organizations should already have in place, regardless of whether threat hunting is adopted.

Best Practices for Threat Hunting

TaHiTI is based on widely-accepted threat hunting best practices, including

    • Automating where possible
    • Building a threat hunting toolkit
    • Cherishing your stakeholders
    • Keeping track of failed hunts
    • Creating a large data store of information from the firewall, IPS, DNS queries, and logs from other network connected and mobile devices.

Conclusion

Security teams today must look for threats before IoCs appear on security portals. By the time IoCs appear, it might be too late to stop severe damage to the organization.

Threat hunting is a structured approach to proactive threat management. It does not wait for SIEM alerts. Instead, threat hunters continuously dig deep into the network, looking for IoCs as defined in tools like MITRE ATT&CK.

Organizations that cannot implement their own threat hunting teams should consider engaging third-party services that provide this capability.
