Threat hunting is an essential part of security operations center services and should be incorporated at an early stage. Threat hunting is the art of finding the unknowns in the environment, going beyond traditional detection technologies, such as security information and event management (SIEM), endpoint detection and response (EDR) and others. There are multiple methods to perform hunting, and your team can select the one that fits best based on what you want to accomplish.
What is Threat Hunting?
David Bianco’s Pyramid of Pain shows how threat hunting needs to be executed to ensure threat actors can be detected, identified and isolated before they can disrupt the environment.
David Bianco’s Pyramid of Pain
Where Do You Hunt?
A successful hunt is based on the fertility of the environment. Hunters usually leverage SIEM and EDR tools as the basis for the hunt. They can also use other tools, like packer analyzers, to execute network-based hunts.
However, using SIEM and EDR tools require that all the “crown jewels” in your environment are integrated. This ensures an indicator of attack (IoA) and an indicator of compromise (IoC) can be leveraged for the hunt.
Types of Threat Hunting
Structured hunting. A structured hunt is based on the IoA and tactics, techniques and procedures (TTPs) of an attacker. All hunts are aligned and based on the TTPs of the threat actors. Therefore, the hunter usually is able to identify a threat actor even before the attacker can cause damage to the environment. This type leverages the MITRE Adversary Tactics Techniques and Common Knowledge (ATT&CK) framework using both PRE-ATT&CK and enterprise frameworks.
Unstructured hunting. An unstructured hunt is initiated based on a trigger. It is more aligned to intelligence-based hunting, where the trigger could be any of the IoCs. This often is the cue for a hunter to start looking for pre- and post-detection patterns. The hunter can research as far back as the data retention and previously associated offenses allow. The hunter’s approach is based on this research.
Intel-based hunting. This is a reactive hunting model. The inputs are the IoCs from threat intelligence sources. From there, the hunt follows predefined rules established by the SIEM and threat intelligence.
Intel-based hunts use IoCs, hash values, IP addresses, domain names and networks or host artifacts provided by intelligence sharing platforms such as computer emergency response teams (CERTs). An automated alert can be exported from these platforms and input into the SIEM as Structured Threat Information eXpression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII). Once the SIEM has the alert based on an IoC, the threat hunter can investigate the activity before and after the alert to identify any compromise in the environment.
Hypothesis hunting using a threat hunting library. This is a proactive hunting model. It is aligned with the MITRE ATT&CK framework, and it leverages global detection playbooks to identify advanced persistent threat groups and malware attacks.
Hypothesis-based hunts use the IoAs and TTPs of attackers. The hunter identifies the threat actors based on the environment, domain and attack behaviors employed to create a hypothesis in alignment with the MITRE framework. Once a behavior is identified, the threat hunter monitors activities for any patterns in order to detect, identify and isolate the threat. In this way, the hunter is able to proactively detect threat actors before they can actually do damage to the environment.
Custom hunting. This model is based on situational awareness and industry-based hunting methods. It identifies anomalies in the SIEM and EDR tools and is customizable based on customer requirements.
Custom or situational hunts are based on requirements received from customers or proactively executed based on situations, such as geopolitical issues and targeted attacks. These hunting activities can draw on both intel- and hypothesis-based hunting models using IoA and IoC information.
There are a number of threat hunting frameworks organizations can employ. Two of the most popular are:
The Targeted Hunting integrating Threat Intelligence framework. This framework is aligned to intel-based hunting. Triggers come from threat intelligence, historical incidents, red teaming activities and other sources.
The MITRE PRE-ATT&CK and ATT&CK frameworks. These frameworks have a knowledge base that can be leveraged for specific threat models and methodologies employed by adversaries.
Using combinations of these methods and resources as appropriate gives a threat hunting team a solid backbone with which to stand against threat actors.