Open Season: Guide to Building a Threat Hunting Workflow Pt.1

Cryptic_Glyd3r
4 min read · Jun 1, 2023

As an experienced threat hunter, I have noticed a lack of step-by-step guides on how to set up the system that actually tracks and manages threat hunts. There are plenty of frameworks and Excel spreadsheets out there, but they rarely explain what any of it means in practice. I hope this small series helps, or at least sparks some creativity.

Disclaimer

  • I am not a writer.
  • I am not an expert in the tools, so there may be some items that could be done better. Please let me know!

The Problem

  • Insufficient availability of “Here’s how to stand up threat-hunting” guides.
  • The cost of third-party tools is high.
  • Automating metrics is challenging.
  • Tracking automation is difficult.

The Solution (that worked for us)

Using the corporate office suite you already have (Microsoft 365, Google Workspace, etc.) has worked well for our team. Most office suites include everything needed to set up this system. For this guide I will use the Microsoft tools, but the concepts translate easily to other suites.

The Setup

Microsoft Lists

Why? It is better than Excel for this: it supports collaborative editing, it can be automated with Power Automate or the Microsoft Graph API, and it can be connected to several metrics and BI tools.

Alternatives: Notion, Airtable, Google Tables (beta), etc.

| Column                               | Type                                                               |
| ------------------------------------ | ------------------------------------------------------------------ |
| Title                                | Single line of text                                                |
| Initial Hypothesis                   | Multiple lines of text                                             |
| Priority                             | Choice (Low, Medium, High)                                         |
| Status                               | Choice (Backlog, In-Progress, Review, Completed)                   |
| Assigned To                          | Person                                                             |
| Date Reported                        | Date                                                               |
| Inspiration/Reference                | Hyperlink (link to the source of the hunt idea)                    |
| Difficulty                           | Choice (Novice, Intermediate, Advanced)                            |
| Disposition                          | Choice (Proven, Disproven, Handoff)                                |
| Hunt Type                            | Choice (what triggered the hunt, e.g. Intelligence, MITRE, Alert)  |
| Hunt Activity                        | Choice (Pursuit, Normal, Quest, Expedition, Epic)                  |
| Threat Actor                         | Choice (threat actor related to the hunt)                          |
| Age                                  | Calculated (current date minus Created)                            |
| Tactic                               | Choice (MITRE ATT&CK tactic(s) being hunted)                       |
| Time Spent Minutes (TSM)             | Number                                                             |
| Time Spent Hours (TSH)               | Calculated (TSM / 60)                                              |
| Total Dwell Time (Hours)             | Number (compromise to discovery)                                   |
| Mis-Configurations Found             | Number                                                             |
| Vulnerabilities Found                | Number                                                             |
| Security Recommendations             | Number                                                             |
| Security Recommendations Implemented | Number                                                             |
| Scheduled Start                      | Date                                                               |
| Scheduled Completion                 | Date                                                               |
| Season                               | Choice (explained below)                                           |
| Pyramid of Pain Categories (PoP)     | Choice (IPs, Hashes, Domain Names, Network Artifacts, Tools, TTPs) |
| Analysis Techniques                  | Choice (Stacking, Frequency, etc.)                                 |
| Description of Recommendations       | Multiple lines of text (the recommendations given)                 |
| OS Scope                             | Choice (OS being hunted)                                           |
| Environment Scope                    | Choice (environment being hunted)                                  |
| Data Sources                         | Choice (data sources used in the hunt)                             |
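Because Lists can be driven through the Graph API, the table above can be kept as code and created from a script instead of clicked together by hand. The following is an added example, not code from the original post: it turns a representative subset of the columns into the JSON body that `POST /sites/{site-id}/lists` (Graph v1.0) expects. `SITE_ID`, the token and the permission scope are placeholders the caller must supply; `Title` is not declared because the generic list template creates it automatically. Age is deliberately not declared as a calculated column: SharePoint only re-evaluates calculated columns when an item is saved, so a today-based formula goes stale, and age is better computed at query time.

```python
"""Create the hunt-tracking list through the Microsoft Graph API.

Added example, not code from the original post. Builds the JSON body of
POST https://graph.microsoft.com/v1.0/sites/{site-id}/lists from the column
table. The HTTP call only happens when create_list() is invoked, so building
and reviewing the payload works offline.
"""
import json
import re
import urllib.request

# (display name, kind, options). A representative subset of the table above;
# the remaining Choice/Number columns are declared the same way. "Title" is
# omitted because the genericList template creates it automatically.
HUNT_SCHEMA = [
    ("Initial Hypothesis", "multitext", None),
    ("Priority", "choice", ["Low", "Medium", "High"]),
    ("Status", "choice", ["Backlog", "In-Progress", "Review", "Completed"]),
    ("Assigned To", "person", None),
    ("Date Reported", "date", None),
    ("Inspiration/Reference", "link", None),
    ("Difficulty", "choice", ["Novice", "Intermediate", "Advanced"]),
    ("Disposition", "choice", ["Proven", "Disproven", "Handoff"]),
    ("Hunt Activity", "choice", ["Pursuit", "Normal", "Quest", "Expedition", "Epic"]),
    ("Time Spent Minutes (TSM)", "number", None),
    # SharePoint calculated formulas reference other columns by display name.
    ("Time Spent Hours (TSH)", "calculated", "=[Time Spent Minutes (TSM)]/60"),
    ("Total Dwell Time (Hours)", "number", None),
    ("Security Recommendations", "number", None),
    ("Security Recommendations Implemented", "number", None),
    ("Pyramid of Pain Categories (PoP)", "choice",
     ["IPs", "Hashes", "Domain Names", "Network Artifacts", "Tools", "TTPs"]),
    ("Description of Recommendations", "multitext", None),
]


def internal_name(display_name: str) -> str:
    """Graph's `name` is the internal column name; keep it to [A-Za-z0-9]."""
    return re.sub(r"[^A-Za-z0-9]", "", display_name)


def column_definition(display_name: str, kind: str, opts) -> dict:
    """Map one schema row to a Graph columnDefinition resource."""
    col = {"name": internal_name(display_name), "displayName": display_name}
    if kind == "text":
        col["text"] = {}
    elif kind == "multitext":
        col["text"] = {"allowMultipleLines": True, "textType": "plain"}
    elif kind == "choice":
        col["choice"] = {"allowTextEntry": False, "choices": list(opts),
                         "displayAs": "dropDownMenu"}
    elif kind == "number":
        col["number"] = {"decimalPlaces": "none"}
    elif kind == "date":
        col["dateTime"] = {"format": "dateOnly"}
    elif kind == "person":
        col["personOrGroup"] = {"allowMultipleSelection": False}
    elif kind == "link":
        col["hyperlinkOrPicture"] = {"isPicture": False}
    elif kind == "calculated":
        col["calculated"] = {"formula": opts, "outputType": "number"}
    else:
        raise ValueError(f"unknown column kind: {kind}")
    return col


def build_list_payload(list_name: str = "Threat Hunts") -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/sites/{site-id}/lists."""
    return {
        "displayName": list_name,
        "columns": [column_definition(*row) for row in HUNT_SCHEMA],
        "list": {"template": "genericList"},
    }


def create_list(site_id: str, token: str, payload: dict) -> dict:
    """POST the payload. The token needs the site-write permission listed in
    the Graph 'Create list' docs (placeholder: supplied by the caller)."""
    req = urllib.request.Request(
        f"https://graph.microsoft.com/v1.0/sites/{site_id}/lists",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return json.load(resp)


if __name__ == "__main__":
    # Print the body so it can be reviewed (or pasted into Graph Explorer) first.
    print(json.dumps(build_list_payload(), indent=2))
```

Run it once without a token to inspect the body; the same schema list then serves as the single source of truth if the list ever has to be rebuilt in another tenant.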

Some Explanation

Some of these fields may not fit your organization, but let me explain the more nuanced ones. Our fields took heavy influence from the TaHiTI (Targeted Hunting integrating Threat Intelligence) framework.

Season: A season is a fixed block of time dedicated to a specific topic or to a threat actor known to target your industry. It allows the team to map an actor's attack patterns end to end and gives a better view into specific areas of the org. At the end of a season (quarterly or bi-quarterly), the threat hunting team produces a report covering the results of every hunt and the MITRE ATT&CK tactics that were identified.

Pyramid of Pain Categories (PoP): This field records where the indicators of the hunt sit on the Pyramid of Pain, which doubles as a difficulty measure. Hashes and IPs at the bottom are trivial for an adversary to change, TTPs at the top are the hardest. The Difficulty column follows the same idea with the Hunting Maturity Model (HMM) levels: imagine replacing HMM1, HMM2 and HMM3+ with Novice, Intermediate and Advanced.

[Figure: Pyramid of Pain alongside the Hunting Maturity Model]

Hunt Activity: This field adds a rough, duration-based size to each hunt.

  • Pursuit: a quick check of IOCs or of activity described in a report.
  • Normal: a hunt that lasts less than 3 weeks.
  • Expedition: 3–6 weeks.
  • Epic: 6 weeks or more.
  • Quest: a repeatable hunt that still needs human interaction.

Metrics

Depending on the tool you chose for the repository, building a dashboard should be a relatively simple task. If you are using Excel or Google Sheets, add another tab and build the metrics dashboard there. If you are using BI software, connect it to your list and build the dashboard in the BI tool. The columns that feed the dashboard are the ones above: hunts per season, disposition rates, hours spent (TSH), dwell time, and recommendations given versus implemented.
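If the dashboard is fed by an export or by a Power Automate flow rather than a BI connector, the roll-up itself is a few lines of code. The following is an added example and not part of the original post: each row mimics the `fields` object of a Graph list item (`GET /sites/{site-id}/lists/{list-id}/items?expand=fields`), the field names are assumed to mirror the column table above, and the rows are constructed sample data. Age is computed at query time from the Created date rather than read from a calculated column, because SharePoint only re-evaluates calculated columns when an item is saved.

```python
"""Roll up per-season hunt metrics from exported list items.

Added example, not code from the original post. Rows mimic the `fields`
object of a Graph listItem; the field names are assumed to mirror the column
table, and SAMPLE_HUNTS is constructed sample data.
"""
import json
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

SAMPLE_HUNTS = [  # constructed sample data
    {"Title": "LOLBin abuse from office processes", "Season": "Q2-2023",
     "Status": "Completed", "Disposition": "Proven", "HuntActivity": "Normal",
     "TSM": 600, "DwellHours": 72, "Recs": 3, "RecsImplemented": 2,
     "PoP": "TTPs", "Tactic": "Execution", "Created": "2023-04-03"},
    {"Title": "Vendor-report hash sweep", "Season": "Q2-2023",
     "Status": "Completed", "Disposition": "Disproven", "HuntActivity": "Pursuit",
     "TSM": 50, "DwellHours": None, "Recs": 0, "RecsImplemented": 0,
     "PoP": "Hashes", "Tactic": "Initial Access", "Created": "2023-04-10"},
    {"Title": "Kerberoasting baseline", "Season": "Q2-2023",
     "Status": "In-Progress", "Disposition": None, "HuntActivity": "Expedition",
     "TSM": 1500, "DwellHours": None, "Recs": 1, "RecsImplemented": 0,
     "PoP": "TTPs", "Tactic": "Credential Access", "Created": "2023-05-01"},
    {"Title": "C2 domain sweep", "Season": "Q1-2023",
     "Status": "Completed", "Disposition": "Handoff", "HuntActivity": "Pursuit",
     "TSM": 90, "DwellHours": 240, "Recs": 2, "RecsImplemented": 2,
     "PoP": "Domain Names", "Tactic": "Command and Control", "Created": "2023-02-14"},
]


def age_days(row: dict, as_of: date) -> int:
    """Age of a hunt in days, computed here instead of in a SharePoint
    calculated column (which is only re-evaluated when the item is saved)."""
    return (as_of - date.fromisoformat(row["Created"])).days


def summarize(rows: list, as_of_iso: str) -> dict:
    """Per-season numbers for the end-of-season report."""
    as_of = date.fromisoformat(as_of_iso)
    by_season = defaultdict(list)
    for r in rows:
        by_season[r["Season"]].append(r)

    report = {}
    for season, hunts in sorted(by_season.items()):
        completed = [h for h in hunts if h["Status"] == "Completed"]
        proven = [h for h in completed if h["Disposition"] == "Proven"]
        dwell = [h["DwellHours"] for h in hunts if h["DwellHours"] is not None]
        recs = sum(h["Recs"] for h in hunts)
        implemented = sum(h["RecsImplemented"] for h in hunts)
        open_ages = [age_days(h, as_of) for h in hunts if h["Status"] != "Completed"]
        report[season] = {
            "hunts": len(hunts),
            "completed": len(completed),
            # Share of finished hunts that confirmed their hypothesis.
            "proven_rate": round(len(proven) / len(completed), 2) if completed else 0.0,
            # TSH derived from TSM, the same way the calculated column does it.
            "hours_spent": round(sum(h["TSM"] for h in hunts) / 60, 1),
            # Only hunts that found something have a dwell time.
            "mean_dwell_hours": round(mean(dwell), 1) if dwell else None,
            "recs_implemented_pct": round(100 * implemented / recs) if recs else 0,
            "oldest_open_hunt_days": max(open_ages, default=0),
            "pop_coverage": dict(Counter(h["PoP"] for h in hunts)),
            "tactics": sorted({h["Tactic"] for h in hunts}),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_HUNTS, "2023-06-01"), indent=2))
```

The `as_of` date is passed in explicitly so that a report can be regenerated for a past season boundary and so the numbers are reproducible; `mean_dwell_hours` is `None` rather than zero when no hunt in the season found a compromise, which keeps a quiet season from looking like a fast one.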

Conclusion

This is the general idea behind using a table-style tool to manage threat hunts. In the next part, I will go over some of the documentation options we have tried.
