Threat hunting is an essential part of security operations center services and should be incorporated at an early stage. Threat hunting is the art of finding the unknowns in the environment, going beyond traditional detection technologies, such as security information and event management (SIEM), endpoint detection and response (EDR) and others. There are multiple methods to perform hunting, and your team can select the one that fits best based on what you want to accomplish.

What is Threat Hunting?

David Bianco’s Pyramid of Pain shows how threat hunting needs to be executed to ensure threat actors can be detected, identified and isolated before they can disrupt the environment.

David Bianco’s Pyramid of Pain

Where Do You Hunt?

A successful hunt is based on the fertility of the environment. Hunters usually leverage SIEM and EDR tools as the basis for the hunt. They can also use other tools, like packet analyzers, to execute network-based hunts.

However, using SIEM and EDR tools requires that all the “crown jewels” in your environment are integrated. This ensures an indicator of attack (IoA) and an indicator of compromise (IoC) can be leveraged for the hunt.

Types of Threat Hunting

Structured hunting. A structured hunt is based on the IoA and tactics, techniques and procedures (TTPs) of an attacker. All hunts are aligned and based on the TTPs of the threat actors. Therefore, the hunter is usually able to identify a threat actor even before the attacker can cause damage to the environment. This type leverages the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, using both the PRE-ATT&CK and enterprise matrices.

Unstructured hunting. An unstructured hunt is initiated based on a trigger. It is more aligned with intelligence-based hunting, where the trigger could be any of the IoCs. This is often the cue for a hunter to start looking for pre- and post-detection patterns. The hunter can research as far back as the data retention and previously associated offenses allow. The hunter’s approach is based on this research.

Hunting Models

Intel-based hunting. This is a reactive hunting model. The inputs are the IoCs from threat intelligence sources. From there, the hunt follows predefined rules established by the SIEM and threat intelligence.

Intel-based hunts use IoCs such as hash values, IP addresses, domain names and network or host artifacts provided by intelligence sharing platforms such as computer emergency response teams (CERTs). Indicators can be exported from these platforms and fed into the SIEM as Structured Threat Information eXpression (STIX) content delivered over Trusted Automated Exchange of Intelligence Information (TAXII). Once the SIEM raises an alert based on an IoC, the threat hunter can investigate the activity before and after the alert to identify any compromise in the environment.
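The intel-based workflow above, as an added example that is not part of the original article: indicators are pulled out of a STIX bundle, matched against endpoint log events, and every hit is expanded into the same-host activity shortly before and after it. The bundle, the log lines and the hostnames are constructed sample data, and the pattern parser handles only the simple `[type:field = 'value']` form used here, not the full STIX patterning grammar.

```python
import json
import re
from datetime import datetime, timedelta

SAMPLE_HASH = "ab" * 32  # constructed SHA-256 value, not a real indicator

# Constructed STIX 2.1 bundle, as a CERT feed might deliver it over TAXII.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'update-check.example']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']"},
    ],
})

# Maps (STIX object type, property) to the field name used in our log events.
FIELD_MAP = {("domain-name", "value"): "domain",
             ("file", "hashes.'SHA-256'"): "sha256",
             ("ipv4-addr", "value"): "dst_ip"}
PATTERN_RE = re.compile(r"\[([\w-]+):(hashes\.'[^']+'|[\w.-]+)\s*=\s*'([^']*)'\]")

def iocs_from_stix(bundle_json):
    """Return (log_field, value, indicator_id) triples for supported indicators."""
    out = []
    for obj in json.loads(bundle_json)["objects"]:
        m = PATTERN_RE.fullmatch(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        field = FIELD_MAP.get((m.group(1), m.group(2))) if m else None
        if field:  # unsupported pattern shapes are skipped, not guessed
            out.append((field, m.group(3), obj["id"]))
    return out

# Constructed endpoint events; timestamps are datetimes so we can window around a hit.
T = datetime(2024, 1, 15, 9, 0)
LOGS = [
    {"ts": T, "host": "ws-17", "event": "process_start", "image": "outlook.exe"},
    {"ts": T + timedelta(minutes=5), "host": "ws-17", "event": "file_write", "sha256": SAMPLE_HASH},
    {"ts": T + timedelta(minutes=6), "host": "ws-17", "event": "dns_query", "domain": "update-check.example"},
    {"ts": T + timedelta(minutes=7), "host": "ws-17", "event": "net_conn", "dst_ip": "203.0.113.7"},
    {"ts": T + timedelta(hours=3), "host": "ws-17", "event": "logon"},  # outside the pivot window
    {"ts": T + timedelta(minutes=6), "host": "srv-02", "event": "dns_query", "domain": "intranet.example"},
]

def hunt(bundle_json, logs, window_minutes=30):
    """Match IoCs against events, then collect same-host activity around each hit."""
    hits = []
    for ev in logs:
        for field, value, ind_id in iocs_from_stix(bundle_json):
            if ev.get(field) == value:
                lo, hi = ev["ts"] - timedelta(minutes=window_minutes), ev["ts"] + timedelta(minutes=window_minutes)
                context = [e for e in logs if e is not ev and e["host"] == ev["host"] and lo <= e["ts"] <= hi]
                hits.append({"indicator": ind_id, "host": ev["host"], "hit": ev, "context": context})
    return hits
```

Each hit carries the events the hunter would review next (here the Outlook process start, the file write and the outbound connection), while the unrelated host and the logon three hours later are left out.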

Hypothesis hunting using a threat hunting library. This is a proactive hunting model. It is aligned with the MITRE ATT&CK framework, and it leverages global detection playbooks to identify advanced persistent threat groups and malware attacks.

Hypothesis-based hunts use the IoAs and TTPs of attackers. The hunter identifies likely threat actors based on the environment, the domain and the attack behaviors those actors employ, and uses this to create a hypothesis aligned with the MITRE framework. Once a behavior is identified, the threat hunter monitors activities for any patterns in order to detect, identify and isolate the threat. In this way, the hunter is able to proactively detect threat actors before they can actually do damage to the environment.

Custom hunting. This model is based on situational awareness and industry-based hunting methods. It identifies anomalies in the SIEM and EDR tools and is customizable based on customer requirements.

Custom or situational hunts are based on requirements received from customers or proactively executed based on situations, such as geopolitical issues and targeted attacks. These hunting activities can draw on both intel- and hypothesis-based hunting models using IoA and IoC information.

Hunting Frameworks

There are a number of threat hunting frameworks organizations can employ. Two of the most popular are:

The Targeted Hunting integrating Threat Intelligence framework. This framework is aligned to intel-based hunting. Triggers come from threat intelligence, historical incidents, red teaming activities and other sources.

The MITRE PRE-ATT&CK and ATT&CK frameworks. These frameworks have a knowledge base that can be leveraged for specific threat models and methodologies employed by adversaries.

Using combinations of these methods and resources as appropriate gives a threat hunting team a solid backbone with which to stand against threat actors.
