Threat hunting is a practice that can generate significant benefits for organizations. Yet many organizations still ask the simple and pointed question: “How do I hunt?” The answers are as varied as the number of people asking, which often leaves organizations and teams unsure where to begin. As a result, we have put together a list of the most common threat hunting tactics and techniques to help organizations begin their hunts.
Structured v. Unstructured Hunting
We have already covered the topic of structured versus unstructured hunting in depth. At its core though, structured hunting uses a central hypothesis to guide the hunt. Unstructured hunting employs more general statistics- and data-driven approaches to hunting.
Threat Hunting Tactics
Threat hunters use a variety of tactics when planning a hunt. A tactic describes the primary driver behind the hunt: what prompted it and what it sets out to find.
Among threat hunting tactics, intelligence-driven hunting is heavily used in structured hunts. This type of hunting revolves around threat intelligence reporting, often describing active exploitation. Hunters alerted to such activity craft a hypothesis and plan their hunt around it. Intelligence-driven hunts are not built on indicators such as hashes or IP addresses, which an adversary can change cheaply; instead, they look for the specific behaviours of actors and their tools.
Another of the most common threat hunting tactics is target-driven hunting. It acknowledges that hunt teams have limited time and resources, and prioritizes hunting around the assets adversaries are most likely to target. These often include authentication systems (such as domain controllers and identity providers), data repositories, and cloud-based infrastructure. This focus lets organizations make the most effective use of limited resources.
Technique-driven hunting is another of the most common threat hunting tactics. It focuses on a specific attack technique, often, but not only, drawn from the MITRE ATT&CK framework. The choice of technique depends on a variety of factors, including whether the technique is applicable in the environment and whether the data needed to observe it is actually being collected. This tactic is useful for hunting hidden threats in an environment, but it can also prove invaluable for helping organizations learn about their own environment.
Threat Hunting Techniques
In conducting a hunt, threat hunters also use a variety of techniques to analyze the data they gather. These let them quickly identify anomalies which they can then begin to dig into. Hunters don’t need any fancy toolsets to do this analysis: often a command line, a spreadsheet, and free graphing tools are enough to get started.
Volumetric analysis looks at… well, volume. This type of hunting looks at the volume of a particular data set, and is often applied to network data to identify outliers at either end of the scale: the most-seen and the least-seen. For instance,
- How much data did endpoints send out of the network?
- Which endpoint sent the most data?
- What external IP had the most number of blocked connections?
- Which systems have had the longest sessions?
- What systems have had the most AV alerts?
Frequency analysis is like volumetric analysis, but instead of how much, it examines how often an event occurs. The technique is most often applied to network traffic, at both the network and host levels. Hunters use it to identify anomalous patterns such as the regular, periodic connections produced by malware beacons.
Frequency analysis is often combined with volumetric analysis to perform more complex analysis, for example checking whether those periodic connections also carry a near-constant amount of data each time.
Clustering analysis is a method of statistical analysis that often looks at both network- and host-based characteristics. Clustering groups data points around a set of characteristics in aggregate, and is usually aided by statistical analysis tools. It can help identify outliers such as an uncommon number of occurrences of an otherwise common behaviour.
Grouping analysis is like clustering. The primary difference is that grouping starts from a handful of specific, hunter-chosen characteristics and asks which hosts share them. Using grouping as a technique can enable teams to identify adversaries’ tools or techniques.
Examples of characteristics that yield results when grouped include:
- Outbound network source – Grouping hosts by where their web traffic goes shows hosts that may be bypassing web content filtering, for example by connecting directly to the internet rather than through the proxy.
- DNS servers – Grouping hosts by the resolver they query reveals hosts that may be using non-standard DNS servers.
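Both groupings in the list above, as an added example that is not code from the original article. It runs over a constructed flow log; the approved resolver addresses, the proxy address and port, and the internal address range are assumptions about the example environment.

```python
"""Grouping analysis over a constructed flow log.

Added example, not code from the original article. Hosts are grouped by
the DNS resolver they query and by where their web traffic goes (proxy,
internal server, or straight to the internet). APPROVED_RESOLVERS,
WEB_PROXY and INTERNAL_NETS are assumptions for the example environment.
"""
import csv
import io
import ipaddress
from collections import defaultdict

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}          # assumed corporate resolvers
WEB_PROXY = ("10.0.0.8", 3128)                            # assumed outbound web proxy
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed internal range

# Constructed sample: 10.0.0.7 also queries a public resolver, 10.0.0.9
# talks HTTPS directly to an internet address, and 10.0.0.11 talks HTTPS to
# an internal server, which is not a proxy bypass.
SAMPLE_FLOWS = """\
src,dst,dst_port,proto
10.0.0.5,10.0.0.53,53,udp
10.0.0.5,10.0.0.8,3128,tcp
10.0.0.6,10.0.1.53,53,udp
10.0.0.6,10.0.0.8,3128,tcp
10.0.0.7,10.0.0.53,53,udp
10.0.0.7,8.8.8.8,53,udp
10.0.0.7,10.0.0.8,3128,tcp
10.0.0.9,10.0.0.53,53,udp
10.0.0.9,203.0.113.50,443,tcp
10.0.0.9,10.0.0.8,3128,tcp
10.0.0.11,10.0.0.53,53,udp
10.0.0.11,10.0.0.15,443,tcp
"""


def parse_flows(text):
    """Parse the CSV text into dicts with an integer destination port."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        rows.append(row)
    return rows


def is_internal(addr):
    """Membership in the assumed internal range; deliberately not
    ip_address(...).is_private, which also covers documentation ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def hosts_by_resolver(flows):
    """Group: which hosts send DNS queries to which resolver."""
    groups = defaultdict(set)
    for f in flows:
        if f["dst_port"] == 53:
            groups[f["dst"]].add(f["src"])
    return groups


def unapproved_resolver_users(flows):
    """Hosts that appear in any resolver group outside the approved set."""
    out = defaultdict(set)
    for resolver, hosts in hosts_by_resolver(flows).items():
        if resolver not in APPROVED_RESOLVERS:
            for host in hosts:
                out[host].add(resolver)
    return {host: sorted(resolvers) for host, resolvers in out.items()}


def web_destination_groups(flows):
    """Group each host's web traffic by destination class."""
    groups = defaultdict(lambda: {"proxy": 0, "internal": 0, "direct_external": 0})
    for f in flows:
        if (f["dst"], f["dst_port"]) == WEB_PROXY:
            groups[f["src"]]["proxy"] += 1
        elif f["dst_port"] in (80, 443):
            cls = "internal" if is_internal(f["dst"]) else "direct_external"
            groups[f["src"]][cls] += 1
    return groups


def proxy_bypass_hosts(flows):
    """Hosts with web traffic that went straight to the internet."""
    return sorted(h for h, g in web_destination_groups(flows).items()
                  if g["direct_external"])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("non-standard DNS:", unapproved_resolver_users(flows))
    print("possible proxy bypass:", proxy_bypass_hosts(flows))
```

A host that queries an unapproved resolver, or that reaches the internet on 443 without touching the proxy, is not automatically malicious (a developer testing DNS, a VPN client); the grouping's job is to shrink the population to the handful of hosts worth a closer look.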
Stack Counting (Stacking)
Stack counting is one of the most popular techniques for threat hunting. It is applied to data that shares one or more distinct commonalities: the technique takes a single attribute, counts how often each distinct value occurs across the set, and sorts the result. The extremes of that stack, especially the values that appear only once or twice, are where anomalies surface, on the principle that in most environments legitimate artefacts are common and malicious ones are rare.
Examples of data that can be effectively stacked include:
- User Agent Strings
- High (ephemeral) port numbers
- Specific file names and their locations
- Installed programs across an organization
- Process names and execution paths across a department
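Stack counting over process names and execution paths, as an added example that is not code from the original article. The inventory is generated inside the block (forty workstations running the same three processes, plus two extra rows); host names, the user name and the paths are invented. The same functions stack any of the other attributes in the list above, for example user agent strings, by changing the key function.

```python
"""Stack counting over a constructed process inventory.

Added example, not code from the original article. The inventory below is
generated for the illustration; host names, user name and paths are invented.
"""
from collections import Counter, defaultdict

# What every workstation in the constructed environment runs.
BASELINE = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("OUTLOOK.EXE", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
]


def build_inventory(n_hosts=40):
    """Constructed (host, process, path) rows. ws017 also runs a copy of
    svchost.exe from a user's Temp directory; ws023 reports the normal
    svchost with different letter case, which must not create a new stack."""
    rows = []
    for i in range(1, n_hosts + 1):
        host = f"ws{i:03d}"
        rows.extend((host, name, path) for name, path in BASELINE)
    rows.append(("ws017", "svchost.exe", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"))
    rows.append(("ws023", "SVCHOST.EXE", r"C:\WINDOWS\SYSTEM32\svchost.exe"))
    return rows


def stack(rows, key):
    """Count the number of distinct hosts per key value.

    Counting hosts rather than raw rows stops one chatty machine from
    dominating the stack; the key function is expected to normalise case,
    since Windows paths are case-insensitive."""
    hosts = defaultdict(set)
    for row in rows:
        hosts[key(row)].add(row[0])
    return Counter({k: len(v) for k, v in hosts.items()})


def by_name_and_path(row):
    """Stack key: lower-cased (process name, full path)."""
    return (row[1].lower(), row[2].lower())


def rare(stacked, max_hosts=2):
    """The bottom of the stack: values seen on at most max_hosts hosts."""
    return sorted(((k, n) for k, n in stacked.items() if n <= max_hosts),
                  key=lambda kv: (kv[1], kv[0]))


def names_with_multiple_paths(rows):
    """Pivot on the name: a process name that appears under more than one
    path is a classic masquerading sign (a fake svchost.exe, for example)."""
    paths = defaultdict(set)
    for _host, name, path in rows:
        paths[name.lower()].add(path.lower())
    return {n: sorted(p) for n, p in paths.items() if len(p) > 1}


if __name__ == "__main__":
    rows = build_inventory()
    stacked = stack(rows, by_name_and_path)
    print("top of stack:", stacked.most_common(3))
    print("bottom of stack:", rare(stacked))
    print("names under several paths:", names_with_multiple_paths(rows))
```

The stack key matters as much as the count: stacking on name alone would bury the Temp-directory svchost under forty legitimate ones, while stacking on name plus path puts it alone at the bottom.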
Organizations can struggle with the practical application of threat hunting, often because every hunt team looks at problems in a different light and applies its own tools. Understanding some of the common tactics and techniques, however, can allow teams to get started faster.
If you enjoyed this topic, dig even deeper into threat hunting and how to follow up on threat hunting findings.