Threat Hunting: Important things on how to start hunting?

Chandrak Trivedi
5 min read · Dec 4, 2023


Threat hunting is an important part of cybersecurity: manually hunting for threats on the network in order to reduce dwell time and minimise the impact of a breach. This is achieved by proactively searching data for signs of compromise and discovering cyber threats. The goal is to detect the threats that no technology detects on its own.

Types of Hunters:

Ad-hoc — suitable for small businesses; hunts are executed as needed.

Analyst and Hunter — suitable for commercial/medium-size businesses; hunts are executed regularly.

Dedicated Hunter — more suitable for enterprise businesses; hunts are executed constantly.

Runbook

These six stages are what we need in order to achieve an excellent outcome in threat hunting and stop the adversary's objectives (Kill Chain):

Threat Hunting Process by Chandrak Trivedi

Prepare

This stage helps you establish your hunting foundations. The important points to consider at this stage are:

Business objective — The hunt can be tied to the specific sector the organization is in (Health, IT, Telecom, etc.) and to the adversaries targeting that sector. Additionally, the hunt can be defined by a risk analysis report and focused on critical assets. The important goal here is to know how well you are protected by technology and to hunt accordingly.

Threat Intelligence collection — There are multiple sources of new threat feeds, and they can be used to hunt with IOAs/IOCs. Keeping up to date on TI is therefore crucial for hunting new threats. Furthermore, collecting POCs or CVSS scores for CVEs is also important in order to hunt for exploitation of any vulnerability.

Security Frameworks — Mapping the threats onto a framework helps organize the hunt and gives a better understanding of the adversary's behaviour. A few frameworks that can be used: MITRE ATT&CK, the Diamond Model, Sqrrl, plus knowledge of the Cyber Kill Chain and the Pyramid of Pain.

EXAMPLE: Threat Intel Report

[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a

[2] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a

Scope

This stage helps you create a path for the threat hunt, guided by the foundation described in the first stage. Scoping has two important steps:

STEP1: Selecting Threat Hunt type

A structured hunt can also be referred to as a “known bad hunt”. A structured hunt is informed by indicators of attack (IoAs) from threat intelligence, by high-risk/high-value entities, or by known threat actor TTPs. In contrast, an unstructured hunt can also be referred to as “anomaly-based”. An unstructured hunt is informed by indicators of compromise (IoCs) or by the observation of anomalous data.

EXAMPLE: Reviewing the threat report

[1] I would choose to go with Structured — TTP-Driven

[2] I would choose to go with Unstructured — Data-Driven

STEP2: Hypothesis Creation

This helps identify the specific behaviour to hunt:

  • When creating a hypothesis for a structured hunt, the hunter needs to think strategically, tactically and operationally. For example, asking questions to scope: “What do they do?” | “How does the adversary do it?”
  • When creating a hypothesis for an unstructured hunt, the hunter needs to be analytical. For example, asking questions to scope: Did … this happen in my network? Does anything in … the data look malicious?

EXAMPLE: Hypothesis

According to threat intelligence, the LockBit ransomware group is targeting various organizations. If LockBit ransomware attacks are present on the network, we should be able to find traces of the observed tactics, techniques, and procedures (TTPs) used by the group, which vary significantly.

Data

This stage helps gather all the important information for your hunt. The important details to collect are:

Tactic and Technique — Based on the intelligence, the hunter needs to identify all the tactics and techniques used by the threat and, if needed, redefine the hypothesis.

Data source and requirements — Based on the techniques collected, the data source requirements are also documented. [https://attack.mitre.org/datasources/]

TIP: I would recommend using the Workbench tool by MITRE Engenuity at this stage.

EXAMPLE: Tactic and Technique for LockBit

https://mitre-attack.github.io/attack-navigator/

Plan

This stage helps determine gaps and research the adversary based on the intelligence. The important planning points are:

Tools and Adversary Patterns — A deep-dive research into all the procedure(s) and tools used by the adversary, based on the Data stage. This research also helps build sub-hypotheses, so that each sub-hypothesis can be hunted individually.

Identify Gaps — A final review of any gaps in data sources and threat details, so that no time is wasted and the outcome is not inaccurate.
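As an added example (not code from the original post), the following Python script performs the Data and Plan steps above for one hypothesis: it maps each ATT&CK technique to the data sources it needs, compares that against what is actually collected, and reports the gaps before any hunt query is written. The technique-to-data-source mapping is an abbreviated, constructed subset, the collected-sources inventory is hypothetical, and the coverage threshold is my own choice; take the real mapping from each technique's page on attack.mitre.org.

```python
"""Data/Plan stage helper: hypothesis -> ATT&CK techniques -> data sources -> gaps.
Added example, not from the original post. The mapping below is an abbreviated,
constructed subset of ATT&CK data components; verify on attack.mitre.org."""

from dataclasses import dataclass, field

# Constructed subset of technique -> ATT&CK data components (assumption: abbreviated).
TECHNIQUE_DATA_SOURCES = {
    "T1059.001": {  # Command and Scripting Interpreter: PowerShell
        "Process: Process Creation",
        "Command: Command Execution",
        "Script: Script Execution",
    },
    "T1021.001": {  # Remote Services: Remote Desktop Protocol
        "Logon Session: Logon Session Creation",
        "Network Traffic: Network Connection Creation",
    },
    "T1490": {  # Inhibit System Recovery
        "Command: Command Execution",
        "Process: Process Creation",
        "Windows Registry: Windows Registry Key Modification",
    },
    "T1486": {  # Data Encrypted for Impact
        "File: File Creation",
        "File: File Modification",
        "Process: Process Creation",
    },
}

# Constructed inventory of what a hypothetical SIEM actually ingests.
COLLECTED = [
    "Process: Process Creation",
    "Command: Command Execution",
    "Script: Script Execution",
    "Logon Session: Logon Session Creation",
    "File: File Modification",
]

HYPOTHESIS = ("If LockBit ransomware attacks are present on the network, "
              "we should be able to find traces of the group's TTPs.")


@dataclass
class HuntPlan:
    hypothesis: str
    techniques: list
    covered: dict = field(default_factory=dict)     # technique -> coverage ratio
    gaps: dict = field(default_factory=dict)        # technique -> missing data sources
    sub_hypotheses: list = field(default_factory=list)


def plan_hunt(hypothesis, techniques, collected_sources, min_coverage=1.0):
    """Score each technique by how many of its data sources we collect, record the
    missing ones, and emit one sub-hypothesis per technique we can actually hunt."""
    plan = HuntPlan(hypothesis=hypothesis, techniques=list(techniques))
    collected = set(collected_sources)
    for tid in techniques:
        needed = TECHNIQUE_DATA_SOURCES.get(tid)
        if needed is None:
            # Unknown technique: refuse rather than silently assume coverage.
            raise KeyError(f"{tid} is not in the mapping; add it from attack.mitre.org")
        missing = needed - collected
        ratio = 1 - len(missing) / len(needed)
        plan.covered[tid] = round(ratio, 2)
        if missing:
            plan.gaps[tid] = sorted(missing)
        if ratio >= min_coverage:
            plan.sub_hypotheses.append(
                f"If {tid} was used, evidence exists in: " + ", ".join(sorted(needed)))
    return plan


def huntable(plan):
    """Techniques with no data-source gap at all."""
    return [t for t in plan.techniques if t not in plan.gaps]


if __name__ == "__main__":
    plan = plan_hunt(HYPOTHESIS, list(TECHNIQUE_DATA_SOURCES), COLLECTED)
    print("Fully huntable now:", huntable(plan))
    for tid, missing in plan.gaps.items():
        print(f"GAP {tid} ({plan.covered[tid]:.0%} covered): missing {missing}")
```

Running it lists T1059.001 as fully huntable and flags the missing telemetry for the other three techniques; those gaps are what the "Identify Gaps" review should close (or at least document) before the Execute stage, otherwise a negative result in the Result stage cannot be read as "no intrusion".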

EXAMPLE: Research on procedures

Execute

At this stage the actual hunting starts, based on all the knowledge gathered from the previous stages. The most important thing at this stage is to be excited to hunt and to stop the adversary before they reach their goals. Additionally, some main things to know when executing the hunt:

Adversary Emulation — This can help obtain an accurate pattern for the threat and support redefining the sub-hypotheses.

Test — Start with a broad hunt search to see the output, then move to narrower hunt searches specific to the threat TTPs defined in the sub-hypotheses.

PLEASE NOTE: Emulation can be skipped if the research on the threat procedure(s) has been gathered well.

Start the HUNT!!
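To show the broad-then-narrow "Test" step in working code, here is an added example (not code from the original post) that runs a funnel over process-creation events: the broad search returns every PowerShell execution, the narrow search keeps only the ones matching one sub-hypothesis, and a summary function produces the numbers the Result stage report needs. The sub-hypothesis itself (PowerShell launched with an encoded command from a parent outside the baseline, ATT&CK T1059.001 and T1027) is my illustrative choice rather than anything the post states, and the events, hosts, users and parent baseline are all constructed.

```python
"""Execute stage: broad hunt -> narrow hunt -> summary, over constructed events.
Added example, not from the original post. Sub-hypothesis, baseline and events
are assumptions made for illustration."""

import base64
import re


def _encode_ps(script):
    """Build a PowerShell -enc argument (base64 of UTF-16LE) for the sample data."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed Sysmon-style process-creation events (hypothetical hosts and users).
EVENTS = [
    {"ts": "2023-12-04T08:01:10Z", "host": "WS-042", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"ts": "2023-12-04T08:03:22Z", "host": "WS-042", "user": "CORP\\alice",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE /n"},
    {"ts": "2023-12-04T08:03:40Z", "host": "WS-042", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _encode_ps("Get-Process")},
    {"ts": "2023-12-04T09:15:00Z", "host": "SRV-DB01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "powershell.exe -NonInteractive -Command Get-Service"},
    {"ts": "2023-12-04T09:20:31Z", "host": "SRV-DB01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "cmd.exe /c dir"},
]

# Abbreviated forms PowerShell accepts for -EncodedCommand, followed by base64.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Constructed baseline of parents from which PowerShell is expected in this environment.
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "cmd.exe"}


def broad_hunt(events):
    """Step 1: every PowerShell execution. Large on purpose; it shows what normal looks like."""
    return [e for e in events if e["image"].lower().endswith("powershell.exe")]


def decode_encoded_command(cmdline):
    """Return the decoded script when the command line carries an encoded command, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: not a hit for this sub-hypothesis


def narrow_hunt(events):
    """Step 2: PowerShell with an encoded command AND a parent outside the baseline."""
    hits = []
    for e in broad_hunt(events):
        script = decode_encoded_command(e["cmdline"])
        parent = e["parent"].rsplit("\\", 1)[-1].lower()
        if script is not None and parent not in EXPECTED_PARENTS:
            hits.append({**e, "decoded": script, "parent_name": parent})
    return hits


def hunt_summary(events):
    """Numbers for the Result stage report: how far the funnel narrowed and where."""
    broad, narrow = broad_hunt(events), narrow_hunt(events)
    return {"broad": len(broad), "narrow": len(narrow),
            "hosts": sorted({h["host"] for h in narrow})}


if __name__ == "__main__":
    print(hunt_summary(EVENTS))
    for h in narrow_hunt(EVENTS):
        print(h["ts"], h["host"], h["user"], h["parent_name"], "->", h["decoded"])
```

The broad result (three PowerShell launches) is what a hunter reads first to learn the environment's baseline; the narrow result (one launch from WINWORD.EXE with an encoded command) is the only lead worth pivoting on. Whether the narrow hunt returns hits or not, the counts and the baseline used go into the report, since a zero from a narrow query is only meaningful if the broad query proved the data was there.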

Result

This is the final stage, where you document all the findings of the hunts executed.

SUCCESS — create a report that summarizes the hunt details and any opportunity for detection engineering or an incident response engagement.

FAIL — create a report that summarizes the hunt details and review the “PLAN” stage for any gaps; if the plan is correct, we can conclude that there is no intrusion on the network and verify any opportunity for detection engineering.

Once the final report is completed, move to another threat hunt…

HAPPY HUNTING!!

The Sqrrl hunting loop is the perfect summary of threat hunting.
