August 5, 2020 By Asheesh Kumar
Aby Chacko
3 min read

Threat hunting is an essential part of security operations center services and should be incorporated at an early stage. Threat hunting is the art of finding the unknowns in the environment, going beyond traditional detection technologies, such as security information and event management (SIEM), endpoint detection and response (EDR) and others. There are multiple methods to perform hunting, and your team can select the one that fits best based on what you want to accomplish.

What is Threat Hunting?

David Bianco’s Pyramid of Pain shows how threat hunting needs to be executed to ensure threat actors can be detected, identified and isolated before they can disrupt the environment.

David Bianco’s Pyramid of Pain

Where Do You Hunt?

A successful hunt is based on the fertility of the environment. Hunters usually leverage SIEM and EDR tools as the basis for the hunt. They can also use other tools, like packer analyzers, to execute network-based hunts.

However, using SIEM and EDR tools require that all the “crown jewels” in your environment are integrated. This ensures an indicator of attack (IoA) and an indicator of compromise (IoC) can be leveraged for the hunt.

Types of Threat Hunting

Structured hunting. A structured hunt is based on the IoA and tactics, techniques and procedures (TTPs) of an attacker. All hunts are aligned and based on the TTPs of the threat actors. Therefore, the hunter usually is able to identify a threat actor even before the attacker can cause damage to the environment. This type leverages the MITRE Adversary Tactics Techniques and Common Knowledge (ATT&CK) framework using both PRE-ATT&CK and enterprise frameworks.

Unstructured hunting. An unstructured hunt is initiated based on a trigger. It is more aligned to intelligence-based hunting, where the trigger could be any of the IoCs. This often is the cue for a hunter to start looking for pre- and post-detection patterns. The hunter can research as far back as the data retention and previously associated offenses allow. The hunter’s approach is based on this research.

Hunting Models

Intel-based hunting. This is a reactive hunting model. The inputs are the IoCs from threat intelligence sources. From there, the hunt follows predefined rules established by the SIEM and threat intelligence.

Intel-based hunts use IoCs, hash values, IP addresses, domain names and networks or host artifacts provided by intelligence sharing platforms such as computer emergency response teams (CERTs). An automated alert can be exported from these platforms and input into the SIEM as Structured Threat Information eXpression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII). Once the SIEM has the alert based on an IoC, the threat hunter can investigate the activity before and after the alert to identify any compromise in the environment.

Hypothesis hunting using a threat hunting library. This is a proactive hunting model. It is aligned with the MITRE ATT&CK framework, and it leverages global detection playbooks to identify advanced persistent threat groups and malware attacks.

Hypothesis-based hunts use the IoAs and TTPs of attackers. The hunter identifies the threat actors based on the environment, domain and attack behaviors employed to create a hypothesis in alignment with the MITRE framework. Once a behavior is identified, the threat hunter monitors activities for any patterns in order to detect, identify and isolate the threat. In this way, the hunter is able to proactively detect threat actors before they can actually do damage to the environment.

Custom hunting. This model is based on situational awareness and industry-based hunting methods. It identifies anomalies in the SIEM and EDR tools and is customizable based on customer requirements.

Custom or situational hunts are based on requirements received from customers or proactively executed based on situations, such as geopolitical issues and targeted attacks. These hunting activities can draw on both intel- and hypothesis-based hunting models using IoA and IoC information.

Hunting Frameworks

There are a number of threat hunting frameworks organizations can employ. Two of the most popular are:

The Targeted Hunting integrating Threat Intelligence framework. This framework is aligned to intel-based hunting. Triggers come from threat intelligence, historical incidents, red teaming activities and other sources.

The MITRE PRE-ATT&CK and ATT&CK frameworks. These frameworks have a knowledge base that can be leveraged for specific threat models and methodologies employed by adversaries.

Using combinations of these methods and resources as appropriate gives a threat hunting team a solid backbone with which to stand against threat actors.

More from Threat Hunting

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today