Cyber threat hunting is an active cyber defense activity. It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions." This contrasts with traditional threat management measures, such as firewalls, intrusion detection systems, malware sandbox, and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat.
To maximize the chances of success for a given hunt, and over time, threat hunters must follow a well-structured process when conducting a hunt. The most successful hunt teams follow a hypothesis-based framework, rooted in the scientific method of inquiry. This is an approach that’s grounded in logical reasoning and empirical evidence and was designed to prevent biases and assumptions from influencing results. It also enables continual learning and repeatability. When applied to threat hunting, this method guides the hunter to establish hypotheses for each stage in the attack chain introduced earlier in this paper, and then define the type of evidence that can be collected to either confirm or reject each hypothesis.
When following this methodology, each hunt progresses through the following steps.
- Define the attack scenario. Rather than generally searching for various types of threats, the starting point is to define a specific, narrowly focused threat that could be underway in the environment. The scenario can be created based on current threat intelligence feeds, the results of a threat research team, or an understanding of attacks carried out against similar organizations. In this step, the hunter should think through the overall TTPs that could be used, the targets within the network that could be attacked, and the various vulnerabilities that can be exploited by this type of attack.
- Formulate hypotheses by stage. In this step, the hunter assesses the goals of the attacker for each stage in the attack chain, then makes an “informed guess” about what tools and techniques the attacker might use and what evidence might be created by their activities.
- Identify and gather evidence to investigate each hypothesis. Hunt teams will need to assemble the data sources that they’ll analyze within their hunt. As they seek to prove or disprove a given hypothesis with a high degree of confidence, multiple forms of evidence are usually needed. Hunters will also need to document where their data comes from, ensuring that sources are both contextualized and consistent.
- Leverage analytics to reveal results. During this stage, evidence is correlated and subject to analytical and visualization techniques to uncover relationships within it. In this step, threat hunters need to establish a baseline of what is normal for the given variables they are analyzing within the environment and should have a good understanding of what data patterns are associated with an adversary’s activity for the given stage in the attack chain.
- Report results. It is key to document the types of evidence collected, the nature of the analysis performed, and the logic behind the conclusions that are reached while the hunt is still in progress. This enables the hunt team to communicate with management as well as incident responders when it’s necessary to do so. It is also a vital step in continual learning, both for the individual hunter and for the organization.
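As an added example (not code from the original article or from Red Sky Alliance), the steps above carried through in Python for one constructed hypothesis: a per-account baseline of "normal" distinct authentication targets is built from earlier days, the hunt day is compared against it, and each confirmed hypothesis is emitted as a structured evidence record for the reporting step. All log lines, account names and host names are constructed.

```python
"""Hypothesis-driven hunt over constructed authentication events (added example).
Hypothesis (lateral-movement stage): a compromised account authenticates to far
more distinct hosts in one day than that account's own historical baseline."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one event per line: "<date> <account> <destination host>"
AUTH_EVENTS = """\
2024-03-01 alice ws-101
2024-03-02 alice ws-101
2024-03-02 alice file-srv-1
2024-03-03 alice ws-101
2024-03-04 alice ws-101
2024-03-04 alice file-srv-1
2024-03-05 alice ws-101
2024-03-05 alice file-srv-1
2024-03-05 alice file-srv-2
2024-03-05 alice db-srv-1
2024-03-05 alice hr-srv-1
2024-03-01 bob ws-202
2024-03-03 bob ws-202
2024-03-05 bob ws-202
"""

def distinct_hosts_per_day(raw):
    """Evidence gathering: map (account, day) -> set of destination hosts seen."""
    seen = defaultdict(set)
    for line in raw.splitlines():
        day, account, host = line.split()
        seen[(account, day)].add(host)
    return seen

def hunt(raw, hunt_day, min_margin=2):
    """Analytics + reporting: flag an account when its distinct-host count on hunt_day
    exceeds both mean + 3*stdev of its earlier days and its earlier max + min_margin
    (so one new host on a tiny, stable baseline is not a finding). [] = hypothesis rejected."""
    seen = distinct_hosts_per_day(raw)
    findings = []
    for account in sorted({acct for acct, _ in seen}):
        baseline = [len(h) for (a, d), h in seen.items() if a == account and d < hunt_day]
        today = seen.get((account, hunt_day), set())
        if not baseline:
            continue  # no "normal" to compare against; the hypothesis cannot be evaluated
        threshold = max(mean(baseline) + 3 * pstdev(baseline), max(baseline) + min_margin)
        if len(today) > threshold:
            findings.append({"account": account, "day": hunt_day,
                             "observed_hosts": len(today), "baseline_max": max(baseline),
                             "threshold": threshold, "evidence": sorted(today)})
    return findings
```

Each record carries the evidence that confirmed the hypothesis (the hosts, the baseline and the threshold), which is what the report step needs to justify the conclusion.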
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that offers cyber threat services, including RedXray and the Cyber Threat Analysis Center (CTAC), to aid organizations in cyber threat hunting, notifications, and analysis. Service descriptions can be found at https://www.wapacklabs.com. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@wapacklabs.com.
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516