Threat hunting is an essential part of security operations center services and should be incorporated at an early stage. Threat hunting is the art of finding the unknowns in the environment, going beyond traditional detection technologies, such as security information and event management (SIEM), endpoint detection and response (EDR) and others. There are multiple methods to perform hunting, and your team can select the one that fits best based on what you want to accomplish.

What is Threat Hunting?

David Bianco’s Pyramid of Pain shows how threat hunting needs to be executed to ensure threat actors can be detected, identified and isolated before they can disrupt the environment.

David Bianco’s Pyramid of Pain

Where Do You Hunt?

A successful hunt is based on the fertility of the environment. Hunters usually leverage SIEM and EDR tools as the basis for the hunt. They can also use other tools, like packer analyzers, to execute network-based hunts.

However, using SIEM and EDR tools require that all the “crown jewels” in your environment are integrated. This ensures an indicator of attack (IoA) and an indicator of compromise (IoC) can be leveraged for the hunt.

Types of Threat Hunting

Structured hunting. A structured hunt is based on the IoA and tactics, techniques and procedures (TTPs) of an attacker. All hunts are aligned and based on the TTPs of the threat actors. Therefore, the hunter usually is able to identify a threat actor even before the attacker can cause damage to the environment. This type leverages the MITRE Adversary Tactics Techniques and Common Knowledge (ATT&CK) framework using both PRE-ATT&CK and enterprise frameworks.

Unstructured hunting. An unstructured hunt is initiated based on a trigger. It is more aligned to intelligence-based hunting, where the trigger could be any of the IoCs. This often is the cue for a hunter to start looking for pre- and post-detection patterns. The hunter can research as far back as the data retention and previously associated offenses allow. The hunter’s approach is based on this research.

Hunting Models

Intel-based hunting. This is a reactive hunting model. The inputs are the IoCs from threat intelligence sources. From there, the hunt follows predefined rules established by the SIEM and threat intelligence.

Intel-based hunts use IoCs, hash values, IP addresses, domain names and networks or host artifacts provided by intelligence sharing platforms such as computer emergency response teams (CERTs). An automated alert can be exported from these platforms and input into the SIEM as Structured Threat Information eXpression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII). Once the SIEM has the alert based on an IoC, the threat hunter can investigate the activity before and after the alert to identify any compromise in the environment.

Hypothesis hunting using a threat hunting library. This is a proactive hunting model. It is aligned with the MITRE ATT&CK framework, and it leverages global detection playbooks to identify advanced persistent threat groups and malware attacks.

Hypothesis-based hunts use the IoAs and TTPs of attackers. The hunter identifies the threat actors based on the environment, domain and attack behaviors employed to create a hypothesis in alignment with the MITRE framework. Once a behavior is identified, the threat hunter monitors activities for any patterns in order to detect, identify and isolate the threat. In this way, the hunter is able to proactively detect threat actors before they can actually do damage to the environment.

Custom hunting. This model is based on situational awareness and industry-based hunting methods. It identifies anomalies in the SIEM and EDR tools and is customizable based on customer requirements.

Custom or situational hunts are based on requirements received from customers or proactively executed based on situations, such as geopolitical issues and targeted attacks. These hunting activities can draw on both intel- and hypothesis-based hunting models using IoA and IoC information.

Hunting Frameworks

There are a number of threat hunting frameworks organizations can employ. Two of the most popular are:

The Targeted Hunting integrating Threat Intelligence framework. This framework is aligned to intel-based hunting. Triggers come from threat intelligence, historical incidents, red teaming activities and other sources.

The MITRE PRE-ATT&CK and ATT&CK frameworks. These frameworks have a knowledge base that can be leveraged for specific threat models and methodologies employed by adversaries.

Using combinations of these methods and resources as appropriate gives a threat hunting team a solid backbone with which to stand against threat actors.

More from Threat Hunting

SIEM and SOAR in 2023: Key trends and new changes

4 min read - Security information and event management (SIEM) systems remain a key component of security operations centers (SOCs). Security orchestration, automation, and response (SOAR) frameworks, meanwhile, have emerged to fill the gap in these capabilities left by many SIEM systems. But as many companies have begun reaching the limits of SIEM and SOAR systems over the last few years, they have started turning to other solutions such as extended detection and response (XDR). But does this shift spell the end of SIEM…

Threat hunting 101: How to outthink attackers

6 min read - Threat hunting involves looking for threats and adversaries in an organization’s digital infrastructure that existing security tools don't detect. It is proactively looking for threats in the environment by assuming that the adversary is in the process of compromising the environment or has compromised the environment. Threat hunters can have different goals and mindsets while developing their hunt. For example, they can look for long-term threats in the environment that advanced threat actors can exploit. Or they can look for…

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…