
Threat Hunting

Published
Apr 13, 2023

By Robin Rajan

Threat hunting, also known as cyber threat hunting, is a proactive approach to identifying previously unknown, or ongoing non-remediated, threats within an organization's network.

Cyber threat hunters bring a human element to enterprise security, complementing automated systems. They are skilled IT security professionals who search, log, monitor and neutralize threats before they can cause serious problems.

The art of threat hunting finds an environment's unknowns. It goes beyond traditional detection technologies, such as security information and event management (SIEM), endpoint detection and response (EDR). Threat hunters comb through security data. They search for hidden malware or attackers and look for patterns of suspicious activity that a computer might have missed or judged to be resolved but isn't.

Types of Threat Hunting

A trigger points threat hunters to a specific system or area of the network for further investigation when advanced detection tools identify unusual actions. The hypothesis or trigger serves as a springboard for a more in-depth investigation into potential risks. These deeper investigations fall into three types: structured, unstructured, and situational hunting.

  • Structured Hunting: A structured hunt is based on an indicator of attack (IoA) and the tactics, techniques, and procedures (TTPs) of an attacker. All hunts are aligned with and based on the TTPs of the threat actors. Therefore, the hunter can usually identify a threat actor even before the attacker can cause damage to the environment. This hunting type uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, using both PRE-ATT&CK and enterprise frameworks. (There are a number of comparable products, including Mandiant Threat Intelligence, CloudSEK, PhishLabs and Cerberus. For the purposes of our illustration, we’ll focus on MITRE.) MITRE ATT&CK, a framework that uniquely describes cyberattacks from the attacker’s perspective, is being adopted by organizations as a tool for analyzing threats and improving security defences. MITRE has ATT&CK broken out into a few different matrices: Enterprise, Mobile, and PRE-ATT&CK. Each of these matrices contains the tactics and techniques associated with that matrix’s subject matter.
    The Enterprise matrix is made of techniques and tactics that apply to Windows, Linux, and/or MacOS systems. Mobile contains tactics and techniques that apply to mobile devices. PRE-ATT&CK contains tactics and techniques related to what attackers do before they try to exploit a particular target network or system.
  • Unstructured Hunting: An unstructured hunt is initiated based on a trigger, one of many indicators of compromise (IoC). This trigger often cues a hunter to look for pre- and post-detection patterns. Guiding their approach, the hunter can research as far back as the data retention and previously associated offenses allow.
  • Situational or entity-driven: A situational hypothesis comes from an enterprise's internal risk assessment or a trends and vulnerabilities analysis unique to its IT environment. Entity-oriented leads come from crowd-sourced attack data that, when reviewed, reveal the latest TTPs of current cyber threats. A threat hunter can then search for these specific behaviors within the environment.

Threat Hunting Tools

Hunters use data from managed detection and response (MDR), SIEM and security analytics tools as a foundation for a hunt. They can also use other tools, like packet analyzers, to execute network-based hunts. However, using SIEM and MDR tools requires that all essential sources and tools in an environment are integrated -- this integration enables IoA and IoC clues to provide adequate hunting direction.

  • Managed Detection and Response (MDR)

MDR applies threat intelligence and proactive hunting to identify and remediate advanced threats. This type of security solution can help reduce the dwell time of attacks and deliver fast, decisive responses to attacks within the network.

  • Security Information and Event Management (SIEM)

Combining security information management (SIM) and security event management (SEM), SIEM offers real-time monitoring and analysis of events as well as tracking and logging of security data. It can uncover user-behavior anomalies and other irregularities that provide an essential lead for deeper investigation.

  • Security Analytics

Security analytics strives to go beyond basic SIEM systems to offer deeper insights into security data. Combining the big data harvested by security technology with faster, more sophisticated and more integrated machine learning and artificial intelligence (AI), security analytics can accelerate threat investigations by providing detailed observability data for cyber threat hunting.

Hunting Models

  • Intel-Based Hunting

Intel-based hunting is a reactive hunting model that uses indicators of compromise (IoCs) from threat intelligence sources.

Intel-based hunts can use IoCs such as hash values, IP addresses, domain names, network artifacts, or host artifacts provided by intelligence-sharing platforms such as computer emergency response teams (CERTs). An automated alert can be exported from these platforms and input into the SIEM in Structured Threat Information Expression (STIX) format, delivered over Trusted Automated Exchange of Intelligence Information (TAXII). Once the SIEM has the alert based on an IoC, the threat hunter can investigate the activity before and after the alert to identify any compromise in the environment.
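The intel-based hunt just described, and the pre-/post-detection pattern search mentioned under unstructured hunting, as an added example that is not part of the original article: it extracts IoC values from a constructed STIX-style indicator list, matches them against constructed endpoint log lines, and returns the same-host activity in a window before and after each hit. The indicator ids, hostnames, IP, domain and hash are all made up for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed data: a minimal STIX-2.1-style indicator list (only the fields this
# example needs, not a real CERT feed) and a handful of made-up endpoint log lines.
FAKE_SHA256 = "ab" * 32
INDICATORS = [
    {"id": "indicator--c3", "pattern": "[domain-name:value = 'bad.example']"},
    {"id": "indicator--b2", "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    {"id": "indicator--a1", "pattern": f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']"},
]
LOGS = [  # (timestamp, host, event text)
    ("2023-04-13T09:58:10", "ws-17", "dns query bad.example"),
    ("2023-04-13T10:00:02", "ws-17", "outbound tcp 198.51.100.23:443"),
    ("2023-04-13T10:00:40", "ws-17", f"process start updater.exe sha256={FAKE_SHA256}"),
    ("2023-04-13T10:20:00", "ws-17", "scheduled task created backup"),
    ("2023-04-13T11:15:00", "ws-22", "dns query example.org"),
]

# Matches the simple "[object:property = 'value']" form of a STIX pattern.
PATTERN_RE = re.compile(r"\[([\w:.'-]+)\s*=\s*'([^']+)'\]")

def extract_iocs(indicators):
    """Map each literal IoC value (lower-cased) to the indicator id it came from."""
    iocs = {}
    for ind in indicators:
        m = PATTERN_RE.match(ind["pattern"])
        if m:
            iocs[m.group(2).lower()] = ind["id"]
    return iocs

def hunt(logs, iocs, window_minutes=30):
    """Flag log lines containing an IoC, then gather same-host activity in a
    window before and after each hit so the hunter sees pre- and post-detection context."""
    results = []
    for ts, host, msg in logs:
        for value, ind_id in iocs.items():
            if value in msg.lower():
                t = datetime.fromisoformat(ts)
                lo, hi = t - timedelta(minutes=window_minutes), t + timedelta(minutes=window_minutes)
                context = [line for line in logs
                           if line[1] == host and lo <= datetime.fromisoformat(line[0]) <= hi]
                results.append({"indicator": ind_id, "host": host, "hit_time": ts, "context": context})
    return results

if __name__ == "__main__":
    for r in hunt(LOGS, extract_iocs(INDICATORS)):
        print(r["indicator"], r["host"], r["hit_time"], len(r["context"]), "context lines")
```

In a real hunt the context window would be a SIEM query scoped to the host and time range rather than an in-memory list, and the pattern parser would need to handle the full STIX pattern grammar (AND/OR, multiple comparisons).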

  • Hypothesis Hunting

Hypothesis hunting is a proactive hunting model that uses a threat-hunting library. It's aligned with the MITRE ATT&CK framework and uses global detection playbooks to identify advanced persistent threat groups and malware attacks.

Hypothesis-based hunts use the indicators of attacks and tactics, techniques and procedures (TTPs) of attackers. The hunter identifies the threat actors based on the environment, domain and attack behaviors employed to create a hypothesis aligned with the MITRE framework. Once a behavior is identified, the threat hunter monitors activity patterns to detect, identify and isolate the threat.

What's the difference between threat hunting and threat intelligence?

Threat intelligence is a data set based upon attempted or successful intrusions, usually collected and analyzed by automated security systems with machine learning and AI.

Threat hunting uses this intelligence to carry out a thorough, system-wide search for bad actors. In other words, threat hunting begins where threat intelligence ends. Even more, a successful threat hunt can identify threats that have not yet been spotted in the wild.

Also, threat hunting uses threat indicators as a lead or hypothesis for a hunt. Threat indicators are virtual fingerprints left by malware or an attacker, a strange IP address, phishing emails or other unusual network traffic.

Conclusion

Threat hunting enables users to actively look for harmful activities to stay ahead of current dangers. The majority of cyberattacks will be stopped in their tracks by cutting-edge technologies like behavioral AI, which are also necessary to provide the visibility threat hunting requires. However, criminal actors are constantly coming up with new tricks to get past enterprise network security.

To counter vectors like insider threats and highly targeted attacks, organizations must take precautions. Drawing on the knowledge of human analysts can add an extra layer of protection.

EisnerAmper does not endorse any product or service or warrant that any products or services are appropriate for any particular business.
