You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment.

Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components of a program? How do you measure its success?

Despite the increasing demand for threat hunting, a prescriptive framework, which isn’t tied to a vendor, is hard to come by. Security leaders often ask our X-Force team, “Can you teach us how to do threat hunting? Are there any resources that can walk us through this?”

After hearing those questions repeatedly, Grifter, X-Force Head of Research John Dwyer and X-Force Global OT Incident Response Lead Sameer Koranne did some exploring. They searched publicly available sources for a central place that covers the operational pieces of threat hunting, including what an internal team looks for, processes that ensure a program’s success, and an overall definition of threat hunting and potential outcomes. They looked for technical and non-technical documentation and couldn’t find anything. Even the definition of threat hunting had a thousand different explanations. If an organization can’t define what threat hunting means, how will it know if its team is being successful? How will the team carry out the right vision of what threat hunting should entail? Companies must set their definition of threat hunting, its goals, why it’s important for them, and how they can direct their threat hunters to carry out their vision before they build a program.

To fill the framework gap, the X-Force team built their own. They will present it at the 2022 Black Hat conference. I asked them to provide a high-level summary of the talk. Below is the information they shared.

Building a Hypothesis

Despite the thousands of definitions, one component of threat hunting doesn’t change — the non-technical pieces are just as important as the technical ones. Threat hunting exercises are part of a business unit, and like anything else require defined processes for technical and business-focused stakeholders alike. It’s hard to justify a threat hunting investment without knowing the goal and actions to take to ensure success. Companies should know the stakeholders involved, their roles and how those roles are impacted by the engagement. Creating one mission statement for the program can help establish a consistent process.

Some companies build a threat hunting program that’s predominantly based on alerts. Threat hunting entails much more than alerts. It’s proactive, testable, and based on a hypothesis. For example, if you say, “I know malware ‘x’ exists,” you can then generate a hypothesis that states, “If malware ‘x’ was executed on my system, then I should be able to collect evidence ‘y’ and ‘z’ to prove that the malware is there.” In other words, if there is malware “x” it will look like “y” and “z.”

Threat hunters can then use that hypothesis when looking for the malware. They would look for the ‘y’ and ‘z’ evidence to detect it. An alert doesn’t exist for the malware yet. A threat hunter’s job is to try to find it. In their framework, John, Sameer and Grifter explain the components of an effective and ineffective hypothesis.
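One way to make the "if malware x ran, then evidence y and z should exist" statement testable is to encode each expected artefact as a predicate over a data source and only call the hypothesis supported where every artefact is observed together. The following is an added example, not code from the X-Force framework or the talk; the malware "x", its two artefacts (a binary executing from a user's Temp directory and a scheduled task registered by that binary) and the event records are all constructed for illustration.

```python
"""Hypothesis-driven hunt: evaluate "if malware x exists, it will look like y and z"
over a small, constructed event log (added example, not part of the original post)."""
from dataclasses import dataclass
from typing import Callable

Event = dict  # one normalised log record (e.g. a row exported from an EDR or SIEM)


@dataclass(frozen=True)
class Evidence:
    label: str                          # the 'y' or 'z' of the hypothesis
    source: str                         # data source the artefact must come from
    predicate: Callable[[Event], bool]  # what the artefact looks like in that source


@dataclass(frozen=True)
class HuntHypothesis:
    threat: str
    statement: str
    evidence: tuple  # tuple[Evidence, ...]

    def evaluate(self, events: list) -> dict:
        """Return matching events per artefact and the hosts on which *all*
        artefacts were seen. Partial evidence (only y, or only z) does not
        support the hypothesis; it is a lead for further investigation."""
        hits = {
            ev.label: [e for e in events if e["source"] == ev.source and ev.predicate(e)]
            for ev in self.evidence
        }
        hosts_per_label = [{e["host"] for e in matched} for matched in hits.values()]
        supported_hosts = set.intersection(*hosts_per_label) if hosts_per_label else set()
        return {"hits": hits, "supported_hosts": supported_hosts,
                "supported": bool(supported_hosts)}


# --- hypothetical malware "x" and its expected artefacts (constructed) ---------
_TEMP = "\\appdata\\local\\temp\\"


def _runs_from_user_temp(e: Event) -> bool:
    return _TEMP in e["image"].lower()


def _task_registered_from_user_temp(e: Event) -> bool:
    return _TEMP in e["actor_image"].lower()


MALWARE_X = HuntHypothesis(
    threat="malware x",
    statement="If malware x executed, a binary ran from a user Temp directory (y) "
              "and that binary registered a scheduled task for persistence (z).",
    evidence=(
        Evidence("y", "process_creation", _runs_from_user_temp),
        Evidence("z", "scheduled_task", _task_registered_from_user_temp),
    ),
)

# Constructed sample telemetry: ws07 shows both artefacts, ws03 shows only y.
SAMPLE_EVENTS = [
    {"source": "process_creation", "host": "ws01",
     "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"source": "process_creation", "host": "ws07",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "parent": "explorer.exe"},
    {"source": "scheduled_task", "host": "ws07", "task_name": "Updater",
     "actor_image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"source": "process_creation", "host": "ws03",
     "image": r"C:\Users\bob\AppData\Local\Temp\installer.exe", "parent": "explorer.exe"},
    {"source": "scheduled_task", "host": "ws01", "task_name": "Backup",
     "actor_image": r"C:\Program Files\Backup\agent.exe"},
]


def run_sample_hunt() -> dict:
    """Evaluate the malware-x hypothesis over the constructed events."""
    return MALWARE_X.evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    result = run_sample_hunt()
    print("supported:", result["supported"], "on hosts:", sorted(result["supported_hosts"]))
    for label, matched in result["hits"].items():
        print(f"evidence {label}: {sorted(e['host'] for e in matched)}")
```

The result separates "hypothesis supported" (ws07, where both artefacts co-occur) from a single-artefact lead (ws03), which is the distinction the hypothesis gives you and an alert on "binary ran from Temp" alone would not.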

Top Questions to Ask About Threat Hunting

When creating a threat hunting program, it’s important to ask the right questions. The top ones include:

  • What is threat hunting to us? Again, it’s critical companies pick a definition that resonates with them. The definition will help set the vision for what they hope to achieve.
  • How do we know what to hunt for? Defining the hypothesis can help answer this question because it defines the threat and its traits.
  • How do we threat hunt? Establishing a repeatable process that takes you from the threat to the goal is critical. In their framework, the X-Force team defines a standard process that companies can use and customize based on their objectives.
  • How do we measure success? Understanding your KPIs for threat hunting is also key. You can map out those metrics using the framework or base them on the goals for your company — security and business alike. For example, a good metric may be, “number of vulnerabilities we remediated that could or did enable malware ‘x’ to infect our environment.” The metric ties directly to the objective of finding and preventing malware ‘x.’ An example of an ineffective metric may be “number of threats we find.” That metric doesn’t set you up for success.

You could also gather metrics based on a specific threat. For example, the ransomware Conti was popular in 2021. If you aim to discover if Conti has infected your environment, you may want to know the number of hunts your team executed in the last month that map to an observed behavior of Conti.

The Frequency of Threat Hunting

So how often should companies hunt for threats? X-Force recommends the number match the available data that is relevant to the hunt. If you want to hunt for a specific threat, the hunt needs to be tied to a data source, such as an event log. You need to understand how long the data is available to you and assign hunt frequency based on that number. If you have data for 30 days, then you would execute a threat hunt on a 30-day cycle, for example.
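The two points above, a threat-specific metric (hunts in the last month that map to an observed behaviour of a given threat) and a hunt cadence derived from how long each data source is retained, can both be computed from a simple hunt register. The following is an added example and not part of the X-Force framework; the register entries, the behaviour labels for Conti (placeholders such as "conti-b1", to be replaced by your own threat profile) and the retention periods are all constructed.

```python
"""Hunt register metrics and data-driven cadence (added example, not from the post).
All hunt records, behaviour labels and retention periods below are constructed."""
from datetime import date, timedelta

# Retention per data source (constructed); hunt frequency follows these numbers.
DATA_RETENTION_DAYS = {
    "windows_event_log": 30,
    "edr_telemetry": 90,
    "file_audit": 30,
    "dns_logs": 7,
}

# Placeholder behaviour catalogue: which observed behaviours each threat profile lists.
THREAT_BEHAVIORS = {
    "Conti": {"conti-b1", "conti-b2", "conti-b3"},
    "malware x": {"x-b1"},
}

# Constructed hunt register: one record per completed hunt.
HUNT_LOG = [
    {"id": "H-1", "date": date(2022, 6, 20), "threat": "Conti", "behavior": "conti-b1",
     "data_source": "edr_telemetry", "outcome": "no_evidence"},
    {"id": "H-2", "date": date(2022, 7, 1), "threat": "Conti", "behavior": "conti-b2",
     "data_source": "windows_event_log", "outcome": "no_evidence"},
    {"id": "H-3", "date": date(2022, 7, 10), "threat": "Conti", "behavior": "conti-b1",
     "data_source": "file_audit", "outcome": "lead_escalated"},
    {"id": "H-4", "date": date(2022, 7, 12), "threat": "malware x", "behavior": "x-b1",
     "data_source": "windows_event_log", "outcome": "no_evidence"},
    {"id": "H-5", "date": date(2022, 5, 30), "threat": "Conti", "behavior": "conti-b3",
     "data_source": "edr_telemetry", "outcome": "no_evidence"},
]

AS_OF = date(2022, 7, 15)  # reporting date for the constructed register


def _in_window(hunt: dict, as_of: date, window_days: int) -> bool:
    return as_of - timedelta(days=window_days) <= hunt["date"] <= as_of


def hunts_mapped_to_threat(log: list, threat: str, as_of: date, window_days: int = 30) -> int:
    """Metric: number of hunts in the window that map to a behaviour of `threat`."""
    return sum(1 for h in log
               if h["threat"] == threat
               and h["behavior"] in THREAT_BEHAVIORS[threat]
               and _in_window(h, as_of, window_days))


def behavior_coverage(log: list, threat: str, as_of: date, window_days: int = 30) -> tuple:
    """Which of the threat's listed behaviours were hunted in the window, and which were not."""
    covered = {h["behavior"] for h in log
               if h["threat"] == threat and _in_window(h, as_of, window_days)}
    catalogue = THREAT_BEHAVIORS[threat]
    return covered & catalogue, catalogue - covered


def next_hunt_due(log: list, data_source: str, today: date) -> date:
    """Cadence rule: hunt a data source at least once per retention period.
    A source never hunted is due immediately, so no window of data is lost."""
    dates = [h["date"] for h in log if h["data_source"] == data_source]
    if not dates:
        return today
    return max(dates) + timedelta(days=DATA_RETENTION_DAYS[data_source])


def overdue_sources(log: list, today: date) -> list:
    """Data sources whose next hunt date has already passed (or is today)."""
    return sorted(src for src in DATA_RETENTION_DAYS if next_hunt_due(log, src, today) <= today)


if __name__ == "__main__":
    print("Conti hunts, last 30 days:", hunts_mapped_to_threat(HUNT_LOG, "Conti", AS_OF))
    covered, missing = behavior_coverage(HUNT_LOG, "Conti", AS_OF)
    print("covered:", sorted(covered), "missing:", sorted(missing))
    for src in DATA_RETENTION_DAYS:
        print(f"{src}: next hunt due {next_hunt_due(HUNT_LOG, src, AS_OF)}")
    print("overdue:", overdue_sources(HUNT_LOG, AS_OF))
```

The coverage function is the check to pair with the count: three Conti hunts in a month can still leave a listed behaviour (here "conti-b3") untested, and a source with short retention that has never been hunted (here "dns_logs") shows up as due at once rather than silently aging out.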

What to Expect at Black Hat 2022

If you are interested in learning more about the threat hunting framework, join the X-Force talk at Black Hat 2022.

The X-Force team is also presenting two more talks at Black Hat 2022. X-Force Red hacker Brett Hawkins will talk about how attackers can abuse Source Code Management (SCM) systems. The presentation will provide an overview of SCM systems, and detail ways to abuse some of the most popular ones such as GitHub Enterprise, GitLab Enterprise and Bitbucket to perform various attack scenarios.

X-Force Red hacker Dimitry Snezhkov is presenting a Black Hat talk and an Arsenal tool demonstration about payloads, ELF binaries and ELF section docking, and will unveil a proof-of-concept loader and injector tool for evading malware detection mechanisms.

Also, meet our X-Force hackers, responders, researchers and analysts at the IBM Security booth #BHNL B.

To learn more about X-Force visit: www.ibm.com/security/xforce
