Threat Hunting

Eyüp Cebe
8 min read · Aug 12, 2023


Threat hunting is a proactive cyber defense activity: “the process of proactively and repetitively detecting and isolating advanced threats that can circumvent existing security solutions.” This contrasts with traditional threat management measures, which typically examine evidence-based data only after an alert has been raised by tools such as firewalls, intrusion detection systems (IDS), malware sandboxes, and SIEM systems.

Threat hunting has traditionally been a manual process carried out by a security analyst. The analyst examines various data sources and, drawing on knowledge of vulnerabilities and experience, forms hypotheses about potential threats. The process can, however, be supplemented or machine-assisted to make it more effective and efficient. In that case, software using user and entity behavior analytics (UEBA) informs the analyst about potential risks. The analyst then investigates these potential risks and removes suspected threats from the network. Threat hunting therefore centers on a hypothesis, and the cycle repeats in a continuous loop.

Threat Hunting Strategy

In the process of threat hunting, analysts test their hypotheses by searching through large amounts of network activity data. The results then become the basis for automated detections and for new hypotheses in the detection system. Hunting hypotheses typically come from three sources:
  • Analytics-driven: “Machine learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses”
  • Situational-awareness-driven: “Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends”
  • Intelligence-driven: “Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans”

Threat hunting is the practice of proactively searching for and detecting cyber threats. It involves iteratively scanning the network for threats that have not yet been identified. The aim is to find malicious actors who have bypassed the initial security defenses and infiltrated the network. Once inside, an attacker can evade the initial endpoint defenses and remain on the network for months, collecting data, searching for confidential information, or harvesting login credentials that allow them to move laterally. Advanced detection capabilities are needed to find such an attacker and to stop them from continuing to probe the network’s defenses, which is why threat hunting is an essential component of any defense strategy. Organizations increasingly rely on threat hunting to stay ahead of the latest cyber threats and to respond rapidly to potential attacks.

Threat hunters start from the assumption that adversaries are already inside the system, and they open an investigation to find unusual behavior that may indicate malicious activity. In proactive threat hunting, the trigger for an investigation usually falls into three main categories:
1. Hypothesis-driven investigation: These hunts are often triggered by a new threat identified in a large pool of collected attack data, which gives insight into attackers’ latest tactics, techniques and procedures (TTPs). Once a new TTP is identified, threat hunters look for the attacker’s specific behaviors in their own environment.
2. Investigation based on known Indicators of Compromise (IOCs) or Indicators of Attack (IOAs): This approach uses tactical threat intelligence to catalog the known IOCs and IOAs associated with new threats. These then become the triggers threat hunters use to uncover hidden attacks or ongoing malicious activity.
3. Advanced analytics and machine learning investigations: The third approach combines powerful data analysis and machine learning to sift through large volumes of data and flag irregularities that may indicate malicious activity. These anomalies become hunting leads that skilled analysts examine further.
All three approaches are human-driven efforts that combine threat intelligence resources with advanced security technology to proactively protect an organization’s systems and information.
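To make the second and third categories above concrete, and the analytics-driven hypothesis source from the strategy section, here is a small added example (my own illustration, not code from the article or from any product it mentions). It runs two hunts over a handful of constructed authentication log lines: an indicator-based hunt against a constructed intel feed, and a UEBA-style hunt that scores each login against the user’s own historical login hours, then folds both into a per-user risk score. The log format, the intel feed, the IP addresses and the score weights are all assumptions made for the example.

```python
"""Added illustration (not the article's code): a toy hunt over constructed
authentication logs combining an IOC match and a UEBA-style baseline check."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log lines: timestamp, user, source IP, result. Not real data.
SAMPLE_LOGS = """\
2023-08-01T09:02:11Z alice 10.0.0.12 success
2023-08-01T09:15:40Z alice 10.0.0.12 success
2023-08-02T08:58:03Z alice 10.0.0.12 success
2023-08-03T09:05:27Z alice 10.0.0.12 success
2023-08-04T03:12:09Z alice 203.0.113.77 success
2023-08-01T10:01:00Z bob 10.0.0.25 success
2023-08-02T10:05:00Z bob 10.0.0.25 failure
2023-08-03T10:03:00Z bob 10.0.0.25 success
2023-08-04T10:07:00Z bob 10.0.0.25 success
"""

# Constructed tactical intel feed: source addresses reported as hostile
# (documentation-range placeholder, not a real indicator).
KNOWN_BAD_IPS = {"203.0.113.77"}


def parse_logs(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "result": result,
        })
    return events


def ioc_hunt(events, bad_ips):
    """Indicator-based hunt: events whose source IP appears in the intel feed."""
    return [e for e in events if e["ip"] in bad_ips]


def analytics_hunt(events, min_history=3, z_threshold=2.0):
    """UEBA-style hunt: flag logins at an hour far from the user's own history.

    Each event is compared against the user's *other* events (leave-one-out),
    so an anomalous event does not pollute its own baseline.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    leads = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            baseline = [x["ts"].hour for j, x in enumerate(evs) if j != i]
            if len(baseline) < min_history:
                continue  # too little history to judge this user
            mean = statistics.fmean(baseline)
            spread = statistics.stdev(baseline)
            deviation = abs(e["ts"].hour - mean)
            if spread == 0:
                # A perfectly flat baseline makes any change notable.
                anomalous = deviation > 0
                score = float("inf") if anomalous else 0.0
            else:
                # Otherwise require the deviation to exceed z_threshold std devs.
                score = deviation / spread
                anomalous = score > z_threshold
            if anomalous:
                leads.append({"user": user, "ts": e["ts"], "ip": e["ip"],
                              "hour": e["ts"].hour, "score": round(score, 1)})
    return leads


def risk_scores(events, bad_ips):
    """Aggregate both hunts into a per-user risk score (weights are arbitrary)."""
    scores = defaultdict(int)
    for e in ioc_hunt(events, bad_ips):
        scores[e["user"]] += 50
    for lead in analytics_hunt(events):
        scores[lead["user"]] += 30
    return dict(scores)


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    for hit in ioc_hunt(events, KNOWN_BAD_IPS):
        print("IOC hit:", hit["ts"].isoformat(), hit["user"], hit["ip"])
    for lead in analytics_hunt(events):
        print("Anomaly lead:", lead["ts"].isoformat(), lead["user"],
              "hour", lead["hour"], "z", lead["score"])
    print("Risk scores:", risk_scores(events, KNOWN_BAD_IPS))
```

On this sample both hunts converge on the same event (alice’s 03:12 login from the listed address), which is the point of aggregating scores: a lead that two independent approaches surface is worth an analyst’s time before one that only a single rule produced. Bob’s failed login is deliberately not flagged, since a failure inside his normal hours is not what either hunt is looking for.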

The Unified Kill Chain

Cyberattacks tend to follow a predictable pattern that should be understood by defenders. This pattern was initially documented as the now famous Lockheed Martin Cyber Kill Chain. This model has been adapted and modernized over time by multiple vendors. The Unified Kill Chain is a notable modernization of the model. This model defines 18 broad tactics across three generalized goals, which provides defenders with a reasonable framework for designing appropriate defenses according to attackers’ objectives. Let’s look at these goals:

  • In: The attacker’s goal at this phase is to research the potential victim, discover possible attack vectors, and gain and maintain reliable access to a target environment.
  • Through: Having gained access to a target environment, the threat actor needs to orient themselves and gather supplemental resources required for the remainder of the attack, such as privileged credentials.
  • Out: These tactics are focused on completing the objective of the cyberattack. In the case of double extortion ransomware, this would include staging files for exfiltration, copying those files to attacker infrastructure, and, finally, the large-scale deployment of ransomware.
(Figure: The Unified Kill Chain)
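As an added example of how the three goals can be put to work in detection (my own illustration, not code from the article or from the Unified Kill Chain project), the block below groups constructed alerts per host by the In, Through and Out goals, reports how far each intrusion has progressed, and lists the earlier phases that produced no alert at all, which is exactly the kind of detection gap a hunt should surface. The mapping from tactic names to goals is the example’s own grouping based on the descriptions above, and the alerts are constructed.

```python
"""Added illustration (not the article's code): correlate constructed alerts
per host by the Unified Kill Chain's three goals, In / Through / Out."""
from collections import defaultdict

# The three generalized goals, in attack order.
PHASES = ["In", "Through", "Out"]

# Assumed mapping of tactic names to goals, following the descriptions in the
# text (this grouping is the example's own, not an official UKC table).
PHASE_OF = {
    "reconnaissance": "In", "delivery": "In", "exploitation": "In", "persistence": "In",
    "discovery": "Through", "credential access": "Through",
    "privilege escalation": "Through", "lateral movement": "Through",
    "collection": "Out", "exfiltration": "Out", "impact": "Out",
}

# Constructed alerts: (timestamp, host, tactic). Not real data.
SAMPLE_ALERTS = [
    ("2023-08-10T10:00Z", "host-a", "delivery"),
    ("2023-08-10T10:20Z", "host-a", "exploitation"),
    ("2023-08-10T11:05Z", "host-a", "credential access"),
    ("2023-08-10T12:30Z", "host-a", "lateral movement"),
    ("2023-08-10T14:00Z", "host-a", "exfiltration"),
    ("2023-08-10T09:00Z", "host-b", "reconnaissance"),
    ("2023-08-10T13:00Z", "host-c", "exfiltration"),
]


def progress_by_host(alerts, phase_of=PHASE_OF):
    """Return, per host, the phases seen, the deepest phase reached and the
    earlier phases that produced no alert (a likely detection gap)."""
    seen = defaultdict(set)
    for _ts, host, tactic in alerts:
        phase = phase_of.get(tactic.lower())
        if phase is None:
            continue  # unknown tactic: leave it out rather than guess
        seen[host].add(phase)

    report = {}
    for host, phases in seen.items():
        ordered = [p for p in PHASES if p in phases]
        deepest = ordered[-1]
        # Every phase up to the deepest one should have produced an alert;
        # those that did not are where the existing detections were blind.
        reached = PHASES[: PHASES.index(deepest) + 1]
        gaps = [p for p in reached if p not in phases]
        report[host] = {"phases": ordered, "deepest": deepest, "gaps": gaps}
    return report


def prioritize(report):
    """Hosts ordered by how far the attack has progressed, deepest first."""
    return sorted(report, key=lambda h: (-PHASES.index(report[h]["deepest"]), h))


if __name__ == "__main__":
    rep = progress_by_host(SAMPLE_ALERTS)
    for host in prioritize(rep):
        r = rep[host]
        print(f"{host}: reached {r['deepest']} via {r['phases']}; gaps: {r['gaps']}")
```

Here host-a shows the full chain, host-b is only at the reconnaissance stage, and host-c jumps straight to an exfiltration alert with nothing recorded for In or Through. That last case matters twice: it is the most urgent host to investigate, and it tells the detection engineering side that the earlier phases of that intrusion went unobserved.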

Management Primer

When a vulnerability is discovered in a released software or hardware product and reported to the vendor that owns the vulnerable product or service, the vulnerability will eventually be assigned a CVE identifier. MITRE Corporation started a catalog of all CVEs, called the CVE List, in 1999. The CVE List can be accessed at https://cve.mitre.org/cve/search_cve_list.html.

The U.S. National Vulnerability Database (NVD) was established in 2005 by the National Institute of Standards and Technology (NIST). The NVD imports data from the CVE List and adds metadata to it (including metrics and scoring information) (CVE, 2020). The NVD can be used to track publicly disclosed vulnerabilities in all sorts of software and hardware products across the entire industry. The NVD is a publicly available database that can be accessed at https://nvd.nist.gov.
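The metadata the NVD adds is what makes its records useful for prioritization, so here is an added example (my own, not code from the article or from NIST) that summarizes and triages CVE records in the JSON shape returned by the NVD’s CVE API 2.0. The three records are constructed with placeholder identifiers, and the field layout follows the public NVD schema as I understand it; the severity threshold is an assumption.

```python
"""Added illustration (not the article's code): summarize and triage CVE
records in the JSON layout of the NVD CVE API 2.0, from constructed input."""
import json

# Constructed response body with placeholder CVE identifiers, not real entries.
SAMPLE_NVD_JSON = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",
            "published": "2023-01-05T10:00:00.000",
            "descriptions": [{"lang": "en", "value": "Constructed: remote code execution example."}],
            "metrics": {
                "cvssMetricV31": [{
                    "source": "nvd@nist.gov", "type": "Primary",
                    "cvssData": {"version": "3.1",
                                 "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                                 "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
        {"cve": {
            "id": "CVE-0000-0002",
            "published": "2012-03-01T10:00:00.000",
            "descriptions": [{"lang": "en", "value": "Constructed: older entry scored only with CVSS v2."}],
            "metrics": {
                "cvssMetricV2": [{
                    "source": "nvd@nist.gov", "type": "Primary",
                    "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
                                 "baseScore": 4.3},
                    "baseSeverity": "MEDIUM"}]}}},
        {"cve": {
            "id": "CVE-0000-0003",
            "published": "2023-06-01T10:00:00.000",
            "descriptions": [{"lang": "en", "value": "Constructed: awaiting analysis, no metrics yet."}],
        }},
    ]
})

# Newest CVSS version first; fall back to older scoring when that is all there is.
METRIC_KEYS = ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def primary_metric(cve):
    """Pick the newest CVSS version present, preferring the NVD's Primary entry."""
    metrics = cve.get("metrics", {})
    for key in METRIC_KEYS:
        entries = metrics.get(key) or []
        if not entries:
            continue
        primary = [m for m in entries if m.get("type") == "Primary"]
        m = (primary or entries)[0]
        data = m["cvssData"]
        # v3.x keeps baseSeverity inside cvssData; v2 records carry it beside it.
        severity = data.get("baseSeverity") or m.get("baseSeverity")
        return {"version": data["version"], "score": data["baseScore"],
                "severity": severity, "vector": data["vectorString"]}
    return None  # record not yet analyzed by NVD


def summarize(nvd_json):
    """Flatten each record to id, date, English description and its CVSS metric."""
    out = []
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        desc = next((d["value"] for d in cve.get("descriptions", []) if d["lang"] == "en"), "")
        out.append({"id": cve["id"], "published": cve["published"][:10],
                    "description": desc, "cvss": primary_metric(cve)})
    return out


def triage(summaries, min_score=7.0):
    """IDs at or above min_score, plus unscored records that still need a look."""
    actionable = [s["id"] for s in summaries if s["cvss"] and s["cvss"]["score"] >= min_score]
    unscored = [s["id"] for s in summaries if s["cvss"] is None]
    return {"actionable": actionable, "unscored": unscored}


if __name__ == "__main__":
    rows = summarize(SAMPLE_NVD_JSON)
    for r in rows:
        print(r["id"], r["published"], r["cvss"] and r["cvss"]["severity"], r["description"])
    print(triage(rows))
```

The unscored bucket is deliberate: a record that the NVD has published but not yet scored is not “low”, it is unknown, and a triage rule that filters on score alone would silently drop it.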

The following are some of the factors explaining why it can be a long time between a vendor receiving a report of a vulnerability and releasing a security update for it:

  • Identifying the bug: Some bugs only show up under special conditions or in the largest IT environments. It can take time for the vendor to reproduce the bug and triage it. Additionally, the reported vulnerability might exist in other products and services that use the same or similar components. All of these products and services need to be fixed simultaneously so that the vendor doesn’t inadvertently produce a zero-day vulnerability in its own product line. I’ll discuss zero-day vulnerabilities later in this chapter.
  • Identifying all variants: Fixing the reported bug might be straightforward and easy. However, finding all the variations of the issue and fixing them too is important as it will prevent the need to re-release security updates or release multiple updates to address vulnerabilities in the same component. This can be the activity that takes the most time when fixing vulnerabilities.
  • Code reviews and testing: Ensuring the updated code actually fixes the vulnerability and doesn’t introduce more bugs and vulnerabilities is important and sometimes time-consuming.
  • Functional testing: This ensures that the fix doesn’t impact the functionality of the product — customers don’t appreciate it when this happens.
  • Application compatibility testing: In the case of an operating system or web browser, vendors might need to test thousands of applications, drivers, and other components to ensure they don’t break their ecosystem when they release the security update. For example, the integration testing matrix for Windows is huge, including thousands of the most common applications that run on the platform.
  • Release testing: Ensuring the distribution and installation of the security update works as expected and doesn’t make systems unbootable or unstable.

Important distinctions

Detection engineering can be misunderstood, partly because some processes overlap with other functions within a security organization. We can clarify detection engineering’s position with the following distinctions:

  • Threat hunting: The threat hunting process proactively develops investigative analyses based on a hypothesis that assumes a successful, undetected breach. The threat hunting process can identify active threats in the environment that managed to evade current security controls. This process provides input to the detection engineering program as it can identify deficiencies in detections. The data that’s available to detection engineering is typically the same data that threat hunters utilize. Therefore, threat hunting can also identify deficiencies in the existing data collection infrastructure that will need to be solved and integrated with the detection infrastructure.
  • Security operations center (SOC) operations: SOC teams typically focus on monitoring the security environment, whereas detection engineering provides inputs to SOC teams. While the SOC consumes the products of the detection engineering functions, they typically work very closely with them to provide feedback for detection or collection improvements.
  • Data engineering: Data engineers design, implement, and maintain systems to collect, transform, and distribute data, typically to satisfy data analytics and business intelligence requirements. This aligns with several goals of detection engineering; however, the detection engineering program is heavily security-focused and relies on data engineering to produce the data it needs to build detections.

Threat hunting has several benefits in the field of cybersecurity. These include:

1. Proactive Defense: Instead of waiting for automated systems to alert you to a threat, threat hunting seeks to identify them before they become a problem. This proactive approach can help you catch threats before they cause damage.

2. Improved Security Posture: By actively searching for threats, you can gain a better understanding of your organization’s security posture. This can help you improve your defenses and reduce your risk of a breach.

3. Faster Response Times: When you’re actively hunting for threats, you can respond to them more quickly. This can reduce the amount of damage a threat can do.

4. Reduced Impact of Breaches: If a breach does occur, threat hunting can help you minimize its impact. By identifying the breach quickly, you can take steps to contain it and prevent further damage.

5. Enhanced Knowledge and Skill: Threat hunting requires a high level of knowledge and skill. By practicing threat hunting, your IT team can gain valuable experience and improve their abilities.

6. Detailed Insights: Threat hunting can provide detailed insights into threats that automated systems might miss. This can help you understand the threat landscape better and develop more effective defenses.

7. Custom Defense Strategies: With threat hunting, you can develop custom defense strategies that are tailored to your organization’s specific needs and risk profile. This can result in more effective and efficient protection.
