Threat hunting activities can generate tremendous benefit for organizations, and not just in finding hidden active threats in the environment. When done regularly, threat hunting can feed SOC threat detection capabilities with additional detection content and improved telemetry about the tactics, techniques, and procedures (TTPs) of threat actors specifically targeting an organization’s assets.
Oftentimes this long trail of threat hunting ROI can be achieved even with a small investment of time and resources in an emerging threat hunting program. Contrary to the mystique and misconceptions that have built up around threat hunting, organizations don’t need a highly advanced program before they start reaping the benefits of running a hunt.
While higher levels of maturity, found in structured hunts, can certainly help threat hunters more regularly find the most advanced threats, every organization can benefit from simple hunts that are possible for a broad range of security teams. In order to battle these misconceptions about threat hunting and encourage more teams to dip their toes in the water, we want to bust three of the most common threat hunting myths prevalent within the security community.
Oftentimes security teams are hesitant to begin threat hunting because they don’t have complete visibility into their endpoint assets. While endpoint logs can certainly be very valuable for threat hunting, they are by no means a prerequisite for a wide range of hunts.
There’s still a very large attack surface that can be detected from network logs, DNS logs, and information collected about network activity. If organizations are taking their first steps into threat hunting, network activity can provide a treasure trove of information to start digging in.
Another common misconception is that threat hunting success depends upon very complex techniques and methods. In fact, simple techniques can often detect a wide range of hidden threat behavior that completely bypasses existing security controls. There are some very common malicious techniques that a large body of attacks must complete in order to carry out their entire attack chain.
By focusing on commands and methods that dig up evidence of those common techniques, simple threat hunting activity can reap a lot of beneficial results. An example would be seeking out evidence of suspicious child processes spawned by Microsoft Office applications. Children such as PowerShell, cmd.exe, rundll32.exe, and many others are a great thing to look for when hunting attackers that target users with phishing.
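The Office child-process hunt described above, written out as an added example (not code from the original post). It assumes Sysmon-style process-creation events, one JSON object per line, with `ParentImage`, `Image`, `CommandLine` and `Computer` fields; the sample telemetry is constructed.

```python
"""Hunt for suspicious child processes of Microsoft Office applications.

Added example, not code from the original post. Input format (assumed):
one JSON object per line with Sysmon-style process-creation fields.
"""
import json
import ntpath

# Office applications whose children are worth scrutinising (illustrative set;
# extend it for other document handlers in use in your environment).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children named in the post as hunting targets, plus a few common LOLBins.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe",
}

def basename(image_path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return ntpath.basename(image_path).lower()

def is_suspicious(event: dict) -> bool:
    """True when an Office process spawns a scripting/LOLBin child."""
    return (basename(event.get("ParentImage", "")) in OFFICE_PARENTS
            and basename(event.get("Image", "")) in SUSPICIOUS_CHILDREN)

def hunt(lines):
    """Return (host, parent, child, command line) for each matching event."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the hunt
        if is_suspicious(event):
            hits.append((event.get("Computer", "?"), basename(event["ParentImage"]),
                         basename(event["Image"]), event.get("CommandLine", "")))
    return hits

# Constructed sample telemetry: one suspicious Office child, two benign events.
SAMPLE_LOG = r"""
{"Computer":"WS01","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c echo test > %TEMP%\\t.txt"}
{"Computer":"WS02","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Image":"C:\\Windows\\splwow64.exe","CommandLine":"splwow64.exe 12288"}
{"Computer":"WS03","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe"}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print("SUSPICIOUS Office child process:", hit)
```

A hit is a lead for triage, not a verdict: the command line and the parent document still need to be examined before escalating.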
One of the big constraints for starting up a threat hunting team is that there aren’t a whole lot of experienced threat hunters available for hire today. But a security team can bootstrap a basic threat hunting program using existing security analysts and a few simple tools.
These kinds of resources are great, and they can accelerate the yields of threat hunting activities, but at the base level, all that organizations really need is a knowledge of what normal, benign activity looks like on the network. With that solid baseline, it’s possible to get started looking for anomalies and to refine threat hunting techniques along the way.
The lesson from all of these busted myths should be that threat hunting is not an all-or-nothing affair. Yes, advanced threat hunting does take a higher level of sophistication and investment to achieve. But it’s very worthwhile and beneficial to start getting out there and doing hunts any way that you can.
Don’t stop there; dig deeper into developing effective threat hunting in your organization by reading: Threat Content, Not Automation, Fuels Effective Threat Hunting.
Effective post-hunt activity stands as one of the hidden threat hunting steps that cybersecurity organizations can take to maximize the ROI from their threat hunting programs. The measures organizations take to follow up on their cyber threat hunting findings can often yield big benefits for the security organization when it comes to long-term detection and defense.
While every one-time cyber threat hunt absolutely holds intrinsic value just for the ability to find stealthy adversaries active in an environment, the true value should go beyond that. The long-term gain from a threat hunt rests in the identification of the new tactics, techniques, and procedures (TTPs) that the adversary used to get around the organization’s detection mechanisms. Ideally, threat hunts should be fueling continual improvements to an organization’s defenses, primarily detection content.
After all, let’s face it: if your threat hunting team detects something malicious that snuck through defenses and the security organization doesn’t learn from it, then CISOs are leaving money on the table.
This is why a cyber threat hunting plan should include next steps when a hunt hypothesis is proven. Those steps should not only include escalation steps, but also what will need to be done to develop threat detection content around that particular threat. The idea is that this detection content can fuel existing security controls for organizations and can be pushed to traditional security analysts to watch for similar TTPs and behaviors in the future. This way the threat hunting team is not wasting expensive resources doing the same thing over and over again.
The content that follows up on cyber threat hunt findings can take the form of a piece of SIEM content, a YARA rule within endpoint detection and response (EDR) platforms, SNORT or Suricata rules for IDS/IPS devices, or it could be in a number of different formats. Typically, these will not be low-level atomic indicators of compromise, but instead based on network or host artifacts, tools or behaviors that can be mapped to a framework like MITRE ATT&CK.
Meanwhile, what if a hunting hypothesis isn’t proven? That can be both great and not-so-great. Great, because it might indicate that no such activity is occurring within the network. However, it could possibly mean that the threat hunting team’s data or methods just aren’t finding that particular threat.
If a threat hunting team doesn’t post any findings for a single hunt, that may not be cause for alarm. However, if the team is coming up short or empty-handed over numerous similar hunts, a security team may want to consider following up with some form of validation of the hunt’s methodology and log sources.
This is where techniques like cyber threat emulation within an environment can help. Rather than just detonating malware within an environment, a team can use emulation to simulate a particular malware or threat behavior just to be sure that the team can see and pick up on the clues it drops along the way. This can help prove that the team didn’t find anything because there was nothing to find, rather than not finding anything because of a flawed methodology.
As organizations work to mature their threat hunting into a repeatable, structured program, it is essential to cover all the steps from beginning to end to achieve long-term detection and defense. Cyborg writes more on this topic in our blog, What Is Structured Threat Hunting?
As organizations explore the use of threat hunting techniques, one important concept they can benefit from learning about is structured hunting (sometimes referred to as hypothesis-based threat hunting). This type of hunting is still very underutilized by most organizations today, but maturing programs can reap some of the biggest gains from their efforts when they incorporate structured threat hunting into their threat hunting programs.
Structured threat hunting stands in contrast to the more prevalent method of unstructured threat hunting (variously referred to as ad hoc or data-driven hunting).
Unstructured threat hunts tend to be free-flowing, ad hoc affairs driven primarily by data from internal log sources. Hunters dig through logs opportunistically, leveraging simple data manipulation techniques such as searching and pivot tables, and they often rely primarily on investigative methodologies such as the principle of least seen (favoring the rarest values in the data) in order to pick out anomalies.
These hunts are perfectly valid, but because they are ad hoc in nature, they’re very one-dimensional and opportunistic, relying mostly on the luck of the hunter to identify malicious activities. Unstructured threat hunts by their very nature cannot be consistently fruitful and rarely find the most advanced threats lurking in an environment. While unstructured threat hunting is still more proactive than traditional protection mechanisms – like relying on reactive technologies such as antivirus – the category tends to foster some of the least proactive threat hunting techniques employed by organizations.
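The "principle of least seen" the two paragraphs above refer to, worked out as an added example (not code from the original post): stack a field across process-creation records from a fleet and surface the values seen on the fewest hosts. The record layout (`host` and `image` keys) and the sample data are constructed.

```python
"""Least-seen (stacking) analysis for an unstructured, data-driven hunt.

Added example, not code from the original post. Stacks one field across
process-creation records and returns the rarest values; record layout and
sample data are constructed.
"""
from collections import Counter, defaultdict

def stack(records, field, host_field="host"):
    """Return {value: (occurrence_count, distinct_host_count)} for a field."""
    counts = Counter()
    hosts = defaultdict(set)
    for rec in records:
        value = rec.get(field)
        if value is None:
            continue
        key = value.lower()  # normalise case so WINWORD.EXE and winword.exe stack together
        counts[key] += 1
        hosts[key].add(rec.get(host_field, "?"))
    return {k: (counts[k], len(hosts[k])) for k in counts}

def least_seen(records, field, max_hosts=1):
    """Values present on at most `max_hosts` hosts, rarest first.

    A binary running on a single host in a fleet is an anomaly worth a look;
    it is not proof of compromise, so the caller still has to triage it.
    """
    stacked = stack(records, field)
    rare = [(v, n, h) for v, (n, h) in stacked.items() if h <= max_hosts]
    return sorted(rare, key=lambda t: (t[2], t[1], t[0]))

# Constructed sample: 20 workstations running the same system binaries, and
# one host that also ran an executable out of a world-writable directory.
SAMPLE = (
    [{"host": f"WS{i:02d}", "image": r"C:\Windows\System32\svchost.exe"} for i in range(1, 21)]
    + [{"host": f"WS{i:02d}", "image": r"C:\Windows\explorer.exe"} for i in range(1, 21)]
    + [{"host": "WS07", "image": r"C:\Users\Public\updater.exe"},
       {"host": "WS07", "image": r"C:\Users\Public\updater.exe"}]
)

if __name__ == "__main__":
    for value, n, h in least_seen(SAMPLE, "image"):
        print(f"{value}: {n} executions on {h} host(s)")
```

Raising `max_hosts` widens the net on larger fleets; the output is a ranked list of leads, which is exactly why this style of hunt depends on the analyst knowing the environment's baseline.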
Meanwhile, on the other side of the coin, structured threat hunts are more formal searches for tactics used by attackers, specifically by looking at the specific techniques and behavioral patterns they employ. They’re called structured threat hunts because each one is built around a central hypothesis about specific attackers and their associated tactics, techniques, and procedures (TTPs). This hypothesis usually takes the form of a falsifiable, formalized statement that’s driven by an organization’s external threat intelligence sources.
When an organization creates a threat hunting hypothesis around which a hunt will be structured, it uses threat intelligence capabilities to uncover actors or threats that are likely to target the organization, its industry, its geography, or even specific elements of its critical IT infrastructure. By prioritizing these potential threats and using threat intelligence to break down how the threats are known to operate and what TTPs they use, a threat hunting team can create a testable, scientific hypothesis.
One example could be if threat hunters see that threat intelligence shows that a specific threat actor is targeting organizations in the same vertical and geography as theirs. If that threat actor is known to be actively targeting specific vulnerable infrastructure (such as VPN entry points) in order to establish a beachhead, and the threat hunters’ organization is also known to use that particular vulnerable technology, the hypothesis could then be that this actor may well have targeted the threat hunters’ organization by exploiting a vulnerability in their VPN technologies to establish a beachhead, and stage their tools. This hypothesis would then form the basis for a structured hunt.
Establishing a hypothesis is just the first step in beginning a structured threat hunt. To get this type of hypothesis-based threat hunting right, a team will also need what’s called a hunt plan. The hunt plan sets a course for the threat hunting techniques and methodologies the team will use to prove, or disprove, the hypothesis. The plan should be a formal document that will often include:
The hunt plan is a living document, and at the end of the day it will also contain the threat hunt findings for future learning across the entire security organization.
As organizations continue to mature their threat hunting programs, it is vital that they move away from relying exclusively on ad hoc unstructured hunting, and instead incorporate structured threat hunting so as to improve their ability to detect threats, as well as more consistently identify advanced actors and techniques.
Read more on what it takes to mature threat hunting programs: You Can Only Hunt What You Can See: Best Network Log Sources for Threat Hunting.