August 5, 2020 By Asheesh Kumar
Aby Chacko
3 min read

Threat hunting is an essential part of security operations center services and should be incorporated at an early stage. Threat hunting is the art of finding the unknowns in the environment, going beyond traditional detection technologies, such as security information and event management (SIEM), endpoint detection and response (EDR) and others. There are multiple methods to perform hunting, and your team can select the one that fits best based on what you want to accomplish.

What is Threat Hunting?

David Bianco’s Pyramid of Pain shows how threat hunting needs to be executed to ensure threat actors can be detected, identified and isolated before they can disrupt the environment.

David Bianco’s Pyramid of Pain

Where Do You Hunt?

A successful hunt is based on the fertility of the environment. Hunters usually leverage SIEM and EDR tools as the basis for the hunt. They can also use other tools, like packer analyzers, to execute network-based hunts.

However, using SIEM and EDR tools require that all the “crown jewels” in your environment are integrated. This ensures an indicator of attack (IoA) and an indicator of compromise (IoC) can be leveraged for the hunt.

Types of Threat Hunting

Structured hunting. A structured hunt is based on the IoA and tactics, techniques and procedures (TTPs) of an attacker. All hunts are aligned and based on the TTPs of the threat actors. Therefore, the hunter usually is able to identify a threat actor even before the attacker can cause damage to the environment. This type leverages the MITRE Adversary Tactics Techniques and Common Knowledge (ATT&CK) framework using both PRE-ATT&CK and enterprise frameworks.

Unstructured hunting. An unstructured hunt is initiated based on a trigger. It is more aligned to intelligence-based hunting, where the trigger could be any of the IoCs. This often is the cue for a hunter to start looking for pre- and post-detection patterns. The hunter can research as far back as the data retention and previously associated offenses allow. The hunter’s approach is based on this research.

Hunting Models

Intel-based hunting. This is a reactive hunting model. The inputs are the IoCs from threat intelligence sources. From there, the hunt follows predefined rules established by the SIEM and threat intelligence.

Intel-based hunts use IoCs, hash values, IP addresses, domain names and networks or host artifacts provided by intelligence sharing platforms such as computer emergency response teams (CERTs). An automated alert can be exported from these platforms and input into the SIEM as Structured Threat Information eXpression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII). Once the SIEM has the alert based on an IoC, the threat hunter can investigate the activity before and after the alert to identify any compromise in the environment.

Hypothesis hunting using a threat hunting library. This is a proactive hunting model. It is aligned with the MITRE ATT&CK framework, and it leverages global detection playbooks to identify advanced persistent threat groups and malware attacks.

Hypothesis-based hunts use the IoAs and TTPs of attackers. The hunter identifies the threat actors based on the environment, domain and attack behaviors employed to create a hypothesis in alignment with the MITRE framework. Once a behavior is identified, the threat hunter monitors activities for any patterns in order to detect, identify and isolate the threat. In this way, the hunter is able to proactively detect threat actors before they can actually do damage to the environment.

Custom hunting. This model is based on situational awareness and industry-based hunting methods. It identifies anomalies in the SIEM and EDR tools and is customizable based on customer requirements.

Custom or situational hunts are based on requirements received from customers or proactively executed based on situations, such as geopolitical issues and targeted attacks. These hunting activities can draw on both intel- and hypothesis-based hunting models using IoA and IoC information.

Hunting Frameworks

There are a number of threat hunting frameworks organizations can employ. Two of the most popular are:

The Targeted Hunting integrating Threat Intelligence framework. This framework is aligned to intel-based hunting. Triggers come from threat intelligence, historical incidents, red teaming activities and other sources.

The MITRE PRE-ATT&CK and ATT&CK frameworks. These frameworks have a knowledge base that can be leveraged for specific threat models and methodologies employed by adversaries.

Using combinations of these methods and resources as appropriate gives a threat hunting team a solid backbone with which to stand against threat actors.

More from Threat Hunting

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today