Introduction to Threat Hunting

Hiren Sadhwani
6 min read · Jul 26, 2020


Image Credits: https://certstation.com/blog/wp-content/uploads/2020/02/Target-hacker-blog.jpg

What is Threat Hunting?

  • “Threat Hunting” is a buzzword that sounds really cool, and it has been a very focused area in the security industry for the past few years. But what does it actually mean?
  • In threat hunting, you are looking for malware or an attacker that is already hiding in your network and may have been there for a long time. Most attacks are detected by properly configured EDRs (Endpoint Detection and Response), firewalls, and other security solutions, but most organizations fail to detect Advanced Persistent Threats (APTs). Why? Because, as the name says, these attacks are Advanced in terms of tactics and techniques and Persistent for a long time in the network.
  • So here comes the role of the Threat Hunter: to look for and detect the threats that automated detection tools and security solutions have not detected.
  • That is why threat hunting is always called the proactive approach: it means detecting suspicious, unknown, and evil things in the network before they can harm your organization.

Why do we need Threat Hunting:

  • Threat Hunting helps us identify gaps in visibility, detection and response. It improves detection capability and also helps you understand your own network.
  • By doing threat hunting we can find previous, unknown and undetected compromises.
  • According to the Mandiant IR Group report: alerts are generated for only 9% of attacks, and 53% of attacks are completely missed in enterprise environments.
  • A recent report from CrowdStrike says that dwell time is 95 days. Dwell time is the time between an attacker compromising the environment and that compromise being detected.
  • Through a threat hunting program, we can detect those threats and close the gap in our detection capability.

The mindset of Hunter:

  • To start Threat Hunting, you need to build the mindset of a hunter. You have to think like an attacker: what will the attacker target in my organization, for what purpose, and how will it target it?
  • Or simply put yourself in the attacker’s place: what would you target, what would be your motive for the attack, and which techniques would you use?
  • To understand how an attacker attacks, there are various models of attacker methodology from which we can build a foundation for a hunting strategy. Some of these include:
  1. The Lockheed Martin Cyber Kill Chain
  2. The Mandiant Attack Lifecycle
  3. The MITRE ATT&CK Framework

Misconceptions about Threat Hunting:

There are a lot of misconceptions in the industry about Threat Hunting.

  1. Hunting can be fully automated:

Threat Hunting requires human input in analysis and detection. Threat Hunting is a proactive approach: if an automated tool has found something and then you remediate it, that is a reactive approach, not proactive hunting. Automation is a must in modern SOCs, and it can be your starting point for hunting.

  2. Hunting can only be done by professionals:

Anyone who has basic knowledge of various types of attacks, networking, and security solutions like AntiVirus, Firewall, IPS, etc. can start Threat Hunting. By doing threat hunting you will learn more about it.

  3. Hunting is expensive:

The misconception is that you have to hire additional staff to hunt threats. You can start hunting by forming a team of analysts who already work in the organization and setting aside a few hours weekly for threat hunting from their normal routine work.

How to start Threat hunting?

  • To start threat hunting in your SOC, create a centralized logging system where you collect all types of logs: Firewall, IPS, EDR, routers, proxy, DNS, AD, Windows and Linux servers, etc.
  • You need the right tools to help you in threat hunting. You can start with the ELK stack, which helps you collect logs from multiple endpoints, analyze the logs easily, and create visualizations and dashboards for monitoring and more visibility.
  • Before starting threat hunting, you need to know what is normal in your environment, so that anything abnormal will stand out and be noticed.
  • You need Threat Intelligence platforms to identify what is abnormal, like IP addresses, file hashes, domains, etc. There are many open source and free Threat Intelligence platforms out there like Cisco Talos, AlienVault OTX, VirusTotal, IBM X-Force, urlscan.io, AbuseIPDB, etc.

To start Threat Hunting, here are six steps that will help you:

  1. Form a Hypothesis:

A hypothesis is an assumption that you are going to prove or disprove in your environment.

Form a hypothesis that an attacker group, for example APT36, has already compromised the network and is hiding in your environment. Now look for the IOCs published by researchers, and look at which tactics, techniques and procedures (TTPs) this APT group follows. Check for all the TTPs used by the APT group in your environment. Look in firewall logs, registry values, PowerShell logs, AD logs, OS and DNS logs, etc.

  2. How to search:

One technique you can use is ‘Long Tail Analysis’.

The least common thing is the most important, because it is unusual compared to what is normal. For example, one piece of software is installed on only two systems. Advanced attackers nowadays do not install malware on all systems at once; they start with one or two systems and then move laterally through the network.

  3. Threat Intelligence

Now that you have found something useful (in this case an exe file), check the executable’s hash in VirusTotal, or check it in any.run, Joe Sandbox, or Hybrid Analysis. These are free online malware analysis tools. Check for other IOCs related to that malware; you can get these by looking up the IOCs in threat intel platforms.

  4. Triage and Response

You are now sure that this executable is something that can harm your organization. Remove the executable from the system, and check whether anything else is on the system.

  5. Automate

Now you have the file hash and other analytic data. You can use that data or IOCs to automate detection, for example by creating a rule in the SIEM tool, so that if this type of attack happens again it will be automatically detected and alerted on. There is a saying: “You hunt only once and detect every time”.

  6. Document and Report

Document all your findings properly: where you started hunting, what your hypothesis was, what you checked, which logs you analyzed, what you found, what action you took, whether your hypothesis was proved or not, what the conclusion is, etc.
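The following is an added worked example, not code from the original post and not any tool the post names. It runs the Long Tail Analysis of step 2 over a constructed software inventory (the “know what is normal” baseline from the section above), classifies the rare programs against a constructed threat-intel list as in step 3, emits a Sigma-style SIEM rule for step 5, and builds the structured hunt record step 6 asks for. Every hostname, program name, hash and intel label is made up for the example, and the Sigma-like rule layout is an assumption to adapt to whatever SIEM you actually use.

```python
"""Long-tail hunt walkthrough over constructed data (added example, not from the post)."""
import hashlib
import json
from collections import defaultdict


def fake_sha256(label: str) -> str:
    """Deterministic placeholder hash for the constructed dataset (not a real sample)."""
    return hashlib.sha256(f"constructed:{label}".encode()).hexdigest()


HOSTS = [f"WS-{n:03d}" for n in range(1, 9)]  # eight constructed workstations


def build_inventory():
    """Constructed software inventory: (host, program, sha256) records."""
    records = []
    for host in HOSTS:  # everyone has the standard build
        records.append((host, "chrome.exe", fake_sha256("chrome.exe")))
        records.append((host, "outlook.exe", fake_sha256("outlook.exe")))
    for host in HOSTS[:3]:  # a few hosts have an extra utility
        records.append((host, "7z.exe", fake_sha256("7z.exe")))
    for host in ("WS-002", "WS-007"):  # two hosts share an odd binary
        records.append((host, "svchost_update.exe", fake_sha256("svchost_update.exe")))
    records.append(("WS-005", "putty.exe", fake_sha256("putty.exe")))  # one-off
    return records


INVENTORY = build_inventory()

# Constructed threat-intel feed: sha256 -> label (stands in for a real platform lookup).
THREAT_INTEL = {
    fake_sha256("svchost_update.exe"): "APT36-like dropper (constructed label)",
}


def long_tail(records, max_hosts=2):
    """Step 2: programs seen on at most max_hosts distinct hosts, rarest first."""
    hosts_by_program = defaultdict(set)
    for host, program, _ in records:
        hosts_by_program[program].add(host)
    rare = [(p, sorted(h)) for p, h in hosts_by_program.items() if len(h) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


def hashes_for(records, program):
    """All distinct hashes observed for one program name."""
    return sorted({sha for _, p, sha in records if p == program})


def check_iocs(records, intel):
    """Step 3: mark each rare program as known-bad (intel hit) or unknown (send to a sandbox)."""
    verdicts = {}
    for program, hosts in long_tail(records):
        hits = [intel[s] for s in hashes_for(records, program) if s in intel]
        verdicts[program] = {
            "hosts": hosts,
            "verdict": "known-bad" if hits else "unknown",
            "intel": hits,
        }
    return verdicts


def build_siem_rule(program, sha256s):
    """Step 5: Sigma-style detection rule as a dict (layout assumed; adapt to your SIEM)."""
    return {
        "title": f"Hunt finding: execution of {program}",
        "status": "experimental",
        "logsource": {"product": "windows", "category": "process_creation"},
        "detection": {
            "selection": {"Hashes|contains": [f"SHA256={s}" for s in sha256s]},
            "condition": "selection",
        },
        "level": "high",
    }


def hunt_report(records, intel, hypothesis):
    """Step 6: one structured record per hunt covering what was checked, found and done."""
    verdicts = check_iocs(records, intel)
    confirmed = {p: v for p, v in verdicts.items() if v["verdict"] == "known-bad"}
    return {
        "hypothesis": hypothesis,
        "data_sources": ["software inventory (constructed)", "threat intel feed (constructed)"],
        "technique": "long-tail analysis, max_hosts=2",
        "findings": verdicts,
        "actions": [f"isolate {h} and remove {p}" for p, v in confirmed.items() for h in v["hosts"]],
        "rules_created": [build_siem_rule(p, hashes_for(records, p)) for p in confirmed],
        "hypothesis_confirmed": bool(confirmed),
    }


if __name__ == "__main__":
    print(json.dumps(hunt_report(INVENTORY, THREAT_INTEL, "An APT36-like actor is already inside"), indent=2))
```

Running the block prints the hunt record: `putty.exe` on a single host comes out as `unknown` (the hash is not in the feed, so it would go to a sandbox next), while `svchost_update.exe` on two hosts matches the feed, produces two isolate-and-remove actions and one rule, and confirms the hypothesis. Raising `max_hosts` widens the tail, which is the usual first knob to turn when a hunt comes back empty.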

Resources for Hunters:

Below are some links that will help you learn more about Threat Hunting and its techniques.

  1. https://github.com/ThreatHuntingProject/ThreatHunting/tree/master/hunts
  2. https://github.com/hunters-forge/ThreatHunter-Playbook/tree/master/resources
  3. https://www.peerlyst.com/posts/resource-the-threat-hunting-wiki-claus-cramon
  4. https://www.linkedin.com/company/threathunting/
  5. https://logz.io/learn/complete-guide-elk-stack/
  6. https://attack.mitre.org/
  7. https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
  8. https://www.fireeye.com/mandiant/purple-team-assessment.html
  9. https://www.sans.org/reading-room/whitepapers/threathunting
  10. https://www.youtube.com/user/TheSANSInstitute
  11. https://www.youtube.com/c/SANSDigitalForensics/playlists
  12. https://cyberwardog.blogspot.com/
  13. https://github.com/Cyb3rWard0g
  14. https://threathunterplaybook.com/introduction.html

References:

  1. Hunt Evil — Your Practical Guide to Threat Hunting by Sqrrl: https://www.threathunting.net/files/hunt-evil-practical-guide-threat-hunting.pdf
  2. Find_Evil — Threat Hunting | SANS@MIC Talk by Anurag Khanna: https://www.youtube.com/watch?v=GrhVz1Sjd_0
  3. The Hunter’s Handbook by Karen Scarfone
  4. https://www.cybersecfill.com/threat-hunting-in-cybersecurity/
  5. https://content.fireeye.com/security-effectiveness/rpt-security-effectiveness-2020-deep-dive-into-cyber-reality
  6. https://blog.paloaltonetworks.com/2020/06/cortex-start-threat-hunting/
  7. https://www.controleng.com/articles/understand-the-cyber-attack-lifecycle/

Hiren Sadhwani

Working as Security Analyst. I mostly write about #ThreatHunting #DFIR #BlueTeam #CyberSecurity