When detection mechanisms rely on patterns and signatures, and adversaries frequently switch tactics, the threat hunting process comes to the rescue.
An effective threat hunting process helps reduce the time from break-in to detection, and with it the amount of damage caused by attackers. A hunter therefore has a chance to discover an intruder in the organization before they cause significant damage in the form of financial loss, leakage of confidential information or loss of reputation.
Threat Hunting is an active search for adversaries in the organization's infrastructure, undertaken without any prior knowledge that they are there, during which the hunter looks for patterns of malicious activity that have not been caught by any other detection mechanism. The goal of this process is to reduce the damage caused by threat actors by shortening the time to detection of an adversary, which can be as long as 9 months. There are many approaches to threat hunting. What all of them have in common is that data is collected from multiple sources and then analysed for anomalies that the SOC does not handle. In this process, an invaluable knowledge base, especially for those who are starting their adventure in this area and do not know where to begin, is the database of TTPs prepared by MITRE ATT&CK. It contains many valuable suggestions on how attackers work.
Another important aspect of the Threat Hunting methodology is the so-called indicators of compromise (IoC), although here there is sometimes a dispute over whether these belong to the Threat Intelligence or the Threat Hunting process. In my opinion, this is an element that can be successfully implemented by both teams, if there is such a division in the organization, because it is often the case that Threat Hunters are able to obtain information or find IoC related to suspicious activities on their own. It follows that cooperation between these teams is very important, so that they complement each other. Another method is to use custom searches based on tips from various thematic guides and on your own experience and knowledge of the technology and the monitored environments. Figure 1 shows what this Threat Hunting process might look like.
The collection of data is a very important element of every Threat Hunting process because it is the material on which every researcher works. The type of data sources and their retention time determine how deep a Threat Hunter can dive in search of traces of hacker activity. And there are a lot of these data sources.
The first step in the Threat Hunting process is to formulate a hypothesis, for example whether a group characteristic of our sector, such as APT38, which attacks financial organizations, might be active in our organization. There are many such and similar hypotheses that fit the business context of our organization or are derived from Threat Intelligence. The characteristics of the most popular groups of cybercriminals can be found in the MITRE ATT&CK knowledge base, and information about threats on the pages of CIS Controls, the ENISA Threat Taxonomy, CIS Alerts or blogs dedicated to this topic.
The threat hunting process can include statistical analysis, behavioural analysis, and machine learning. Statistical analysis concerns the detection of anomalies, trends, or deviations from baselines. Such deviations are easy to spot in systems that allow easy configuration and analysis of specific views, such as Sycope, which is a system for monitoring network traffic. Figures 3 and 4 show examples of views that facilitate statistical analysis.
In the case of behavioural threat analysis, threat hunters try to model the attack chain. Useful tools in this area include, for example, CALDERA, Atomic Red Team and ATT&CK Simulator.
When a threat is detected and its analysis confirms the criticality of the finding, the next step is to look for the same threat in the context of the entire organization. Then, after filtering out false positives, create a mechanism that automatically detects this type of threat. Such detection mechanisms, once they reach a certain maturity in terms of effective threat detection, can be successfully handed over to the SOC, so that from then on these threats are overseen in a procedural manner.
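As an added example (not code from the article or from Sycope), the baseline-deviation hunt described under statistical analysis above, written as a reusable function of the kind that, once tuned, could be handed to the SOC as an automated detection. The flow record schema, the hosts and the threshold are assumptions; the daily volumes are constructed sample data.

```python
"""Baseline-deviation hunt over constructed daily network flow summaries.

Assumption: flow records are dicts with 'day', 'src' and 'bytes_out'
(a simplified, constructed schema, not an NSM product's export format).
"""
from collections import defaultdict
from statistics import median

# Constructed sample: daily outbound volume per internal host (bytes).
# 10.0.0.5 grows slowly and steadily; 10.0.0.9 alternates between two
# values, then shows an exfiltration-sized spike on day 7.
FLOWS = []
for day in range(1, 8):
    FLOWS.append({"day": day, "src": "10.0.0.5", "bytes_out": 5_000_000 + day * 10_000})
    FLOWS.append({"day": day, "src": "10.0.0.9", "bytes_out": 2_000_000 + (day % 2) * 50_000})
FLOWS[-1]["bytes_out"] = 900_000_000  # day-7 spike for 10.0.0.9


def daily_totals(flows):
    """Aggregate bytes_out per host and day: {src: {day: bytes}}."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["day"])] += f["bytes_out"]
    per_host = defaultdict(dict)
    for (src, day), b in totals.items():
        per_host[src][day] = b
    return per_host


def robust_zscore(value, history):
    """Deviation of value from the median of history, in MAD units.
    Median/MAD instead of mean/stddev so one earlier outlier (or a
    previous undetected spike) does not inflate the baseline."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    if mad == 0:
        mad = max(med * 0.01, 1)  # floor so a constant history still scores
    return (value - med) / mad


def hunt_outbound_spikes(flows, target_day, threshold=10.0):
    """Score target_day against each host's own earlier days and return
    (src, bytes_out, score) for hosts above the threshold."""
    findings = []
    for src, days in daily_totals(flows).items():
        history = [b for d, b in days.items() if d < target_day]
        if target_day not in days or len(history) < 3:
            continue  # not enough baseline to judge this host
        z = robust_zscore(days[target_day], history)
        if z > threshold:
            findings.append((src, days[target_day], round(z, 1)))
    return findings
```

The threshold and minimum baseline length are what get tuned while filtering false positives before the rule is promoted to the SOC.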
Security monitoring teams are becoming increasingly aware of the fact that there are no security systems that can protect organizations against every type of cyber-attack, especially APT attacks. Therefore, the fashion for the so-called Threat Hunting is no longer just a fashion, but a particularly important task within a comprehensive process of detecting and handling security incidents. So, if you do not have such a process in your organization, consider introducing it to become even more aware of how much suspicious activity your security team does not see. To learn such a process in the context of network traffic monitoring, the Sycope system can be used effectively, for example during the Network Threat Hunting Academy, but even this will not replace the fun when you start detecting previously undetected network anomalies and threats with this or another Network Security Monitoring system.