Threat Hunting

Table of Contents

What is Threat Hunting?
A Part of the Security Program
How to Hunt: Threat Hunting Cycle
Developing a Hunt Plan
Threat Hunting Techniques
Threat Hunting Tools
A Mandatory Task for Acceptable Security
Learn More About Cyber Threat Hunting

What is Threat Hunting?

Threat hunting is an analyst-driven process that is iterative and repeatable in order to identify the presence of adversaries and their tools before an attack is conducted or detected. It combines security tools, analytics, threat intelligence, as well as experience, analysis, and instinct.

A Part of the Security Program

As a practice, hunting will often identify new or previously undetected threats hidden within an environment. But, for the most part it has been left to only a small percentage of companies because of the limited amount of skilled threat hunters.

With the right tools, data, and time, skilled threat hunters are able to “find the bad” that traditional security controls have missed. This practice provides exceptional depth to organizations’ security programs, however it is also one of the most expensive and slow-to-develop functions for a security team to build. In order to realize the return on investment (ROI), it is imperative to realize that threat hunting isn’t just there to serve as a backstop against so-called advanced persistent threats (APTs) for organizations. The best security programs integrate hunt teams into the overall security operations cycle.


How to Hunt: Threat Hunting Cycle

[Figure: The Threat Hunting Cycle. The cycle consists of hypothesis, requirements, plan, hunt, enrich, and feedback.]

There is still no single agreed definition or formal model for all hunt operations to follow. Despite this, two distinct approaches are recognized:

  • Structured Hunts: More formal searches for tactics used by attackers, specifically by looking for the specific techniques and behavioral patterns they employ.
  • Unstructured Hunts: Free-flowing ad hoc affairs that are primarily data-driven from internal log sources. Threat hunters dig through logs to pick out anomalies in the data.

While unstructured threat hunts can be perfectly valid, they aren’t consistently successful and rarely find the most advanced threats hiding in environments. To find those, threat hunters can instead take a structured approach using the threat hunting cycle, which is based on the US Department of Defense Joint Targeting Cycle model and aims to capture intent, prioritization of targets, resource allocation, execution of operations, and feedback.

Developing a Hunt Plan

A threat hunt plan is a formal document built around the hunt cycle that sets the course for the techniques and methodologies a team will use to prove or disprove the hypothesis. The hunt plan should include:

  • Hypothesis
  • Log sources required
  • Approvals for all relevant stakeholders
  • Points of handoff in the event that threat hunters need to pass off discoveries to incident handlers, responders, or other relevant authorities in an organization
  • Findings from the hunt
  • Points for improvement from any feedback sessions or after-action reviews

Threat Hunting Techniques

Hypothesis-based threat hunts start with forming a hypothesis, or an educated guess about the types of activity that might be going on within an IT environment. After that, analysts or teams within the security operations center will drive forward a cycle of investigation using hunting techniques to discover malicious patterns within their data and reconstruct attack paths to reveal the attacker’s Tactics, Techniques, and Procedures (TTPs).

Common Threat Hunting Techniques

  1. Searching: Searching is the simplest method of hunting. It primarily refers to querying data (e.g. endpoint logs or network logs) for specific artifacts using defined criteria. However, the process requires balance since querying too broadly can return too many results to be useful, and querying too narrowly can produce too few results to draw a conclusion from.
  2. Datapoint Clustering: Often completed using machine learning, clustering is a statistical technique that separates similar data points into clusters based on predetermined criteria. By doing this, threat hunters can gain a broader view of pertinent data, and identify outliers and similarities among data points that provide a clearer view of network activity.
  3. Grouping: Grouping is when threat hunters take an explicit set of unique artifacts and identify where those artifacts appear together according to certain criteria. Unlike clustering, grouping starts from a defined set of items rather than from the data as a whole. When such a group seems out of place, that potentially signals the presence of an attacker’s tool or TTP.
  4. Stack Counting: Also known as Stacking, Stack Counting involves counting the number of occurrences for values of a particular type, and analyzing the outliers or extremes of those results.
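The three data-driven techniques above (searching, grouping and stack counting) are easy to see side by side on a small set of process-creation events. The following is an added example, not code from the original page or from Cyborg Security; the events, host names, users and command lines are constructed sample data, not real telemetry, and the field names (host, user, parent, image, cmdline) are an assumption about the shape of an EDR or Sysmon-style log source.

```python
"""Searching, stack counting and grouping over constructed process-creation events."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample events (not real telemetry). Field names are assumed.
EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"host": "ws01", "user": "alice", "parent": "outlook.exe", "image": "winword.exe", "cmdline": "winword.exe /n invoice.docx"},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"host": "ws03", "user": "carol", "parent": "outlook.exe", "image": "winword.exe", "cmdline": "winword.exe /n report.docx"},
    # Constructed outlier: Word spawning a shell that runs an encoded PowerShell command
    {"host": "ws03", "user": "carol", "parent": "winword.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c powershell -enc AAAA"},
    {"host": "ws03", "user": "carol", "parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell -enc AAAA"},
    {"host": "ws04", "user": "dave", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell -File backup.ps1"},
    {"host": "ws05", "user": "erin", "parent": "explorer.exe", "image": "outlook.exe", "cmdline": "outlook.exe"},
]


def search(events: Iterable[Dict[str, str]], **criteria: str) -> List[Dict[str, str]]:
    """Searching: keep events where every given field contains the given substring.

    Each criterion narrows the result set, which is the balance the technique
    depends on: no criteria returns everything, too many return nothing.
    """
    return [
        e for e in events
        if all(v.lower() in e.get(k, "").lower() for k, v in criteria.items())
    ]


def stack_count(events: Iterable[Dict[str, str]], *fields: str) -> Counter:
    """Stack counting: count how often each distinct combination of field values occurs."""
    return Counter(tuple(e[f] for f in fields) for e in events)


def rare_values(counts: Counter, max_count: int = 1) -> List[Tuple[str, ...]]:
    """Return the low end of the stack: combinations seen at most max_count times.

    Rarity is a lead, not a verdict; a rarely used but legitimate program lands
    here too, so every entry still needs analyst review.
    """
    return sorted(v for v, c in counts.items() if c <= max_count)


def group_by_host(events: Iterable[Dict[str, str]], artifacts: Set[str]) -> List[str]:
    """Grouping: hosts on which every artifact in an explicit set appears together."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        seen[e["host"]].add(e["image"])
    return sorted(h for h, images in seen.items() if artifacts <= images)


if __name__ == "__main__":
    # Searching: events whose command line carries an encoded PowerShell switch
    for e in search(EVENTS, cmdline="-enc"):
        print("search hit:", e["host"], e["cmdline"])
    # Stack counting parent/child process pairs and reading the bottom of the stack
    stack = stack_count(EVENTS, "parent", "image")
    print("rare parent->child pairs:", rare_values(stack))
    # Grouping: hosts where an Office process and PowerShell both appear
    print("hosts with Word and PowerShell:", group_by_host(EVENTS, {"winword.exe", "powershell.exe"}))
```

On this sample the stack of parent/child pairs puts explorer.exe→outlook.exe at the top (four hosts) and four singletons at the bottom, among them winword.exe→cmd.exe and cmd.exe→powershell.exe, but also the perfectly ordinary explorer.exe→chrome.exe. That is the caveat behind stack counting: the bottom of the stack is where to look, not a list of findings. Grouping then narrows the picture to the one host where the explicit artifact set co-occurs.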

Threat Hunting Tools

To find anomalous activity, threat hunters use a variety of tools and solutions, including:

  • Security monitoring tools: Often used in unstructured hunts, security monitoring tools include firewalls, antivirus, and endpoint security solutions that collect security data and provide network monitoring. (Examples: VMware Carbon Black and CrowdStrike Falcon)
  • Security Information and Event Management (SIEM): SIEMs transform raw data, using rules and statistical correlations, into actionable information that helps security teams detect threats in real time, manage incident response, perform forensic investigation of past incidents, and prepare for compliance audits. (Examples include Splunk, Elastic, Micro Focus, and Sumo Logic)
  • Analytics Tools: Analytics tools use behavior analytics and machine learning to make it easier to correlate entities and detect patterns.

A Mandatory Task for Acceptable Security

Hunting has become a mandatory task for establishing an acceptable level of security. But currently the demand for skilled hunters far exceeds the number of available specialists. That’s why Cyborg Security has created the HUNTER Platform. With HUNTER, organizations can augment analysts and upgrade SOC processes.

Learn More About Cyber Threat Hunting
