Continuous Threat Hunting

Mehmet Ergene
Blu Raven
Sep 21, 2020 · 3 min read

I have been reading and watching a lot of content about threat hunting for quite a while now. However, something regarding the threat hunting process is not very clear to me. The common threat hunting process is more or less as follows:

Based on this process, each hunting investigation results in one of the following:

  • Uncover new TTPs
  • Respond to an incident
  • Improve/Enrich Analytics (develop detections)

What if it is not possible to improve analytics; in other words, it is not possible to develop an automated detection mechanism? Should we just leave the hypothesis and not address it anymore? Or, should we only focus on the hypothesis that can be detected?

Let’s look at the example below.

Hypothesis: Most attacks involve C2 (Command and Control). C2 involves beaconing. By analyzing traffic patterns, we can detect beacons, investigate them and decide whether there is C2 traffic or not.

Investigate: We can list top 20–30 URL domains and/or IP addresses with the highest number of connections, or with the longest connection time, and analyse them to check whether there are command and control activities or not.

Problem: This investigation most likely results in lots of legitimate activity because not all beacons are malicious. Therefore, developing a detection for the scenario will probably create around 20 or fewer false positive alerts per day, and this is an unwanted situation for SOC analysts. Does that mean we should stop hunting for the hypothesis as it’s not possible to have an automated detection?

I don’t think so.

Instead, we can schedule a report/query for investigation and export the results to a csv file. With the help of automation/scripting, we can check the Virus Total score, domain age, and other related information. Then, we can analyze the results and see whether there is malicious activity or not.
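The workflow described above (top-N destinations by connection count or duration, export to CSV, enrich with a VirusTotal verdict and domain age, then let a human decide), as an added example that is not from the original post. The proxy log format, the sample lines, the enrichment table and the 90-day / regularity thresholds are all constructed for this example; `lookup_intel` is a stand-in for the real VirusTotal and WHOIS calls you would script.

```python
"""
Added example: long-tail beacon hunt over proxy logs with threat-intel enrichment.
Everything below (log format, sample lines, enrichment table, thresholds) is
constructed for illustration, not taken from any real environment.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, source host, destination domain, connection seconds.
SAMPLE_LOG = """\
2020-09-21T08:00:00 ws01 updates.example-vendor.com 0.4
2020-09-21T08:05:00 ws01 updates.example-vendor.com 0.4
2020-09-21T08:10:00 ws01 updates.example-vendor.com 0.5
2020-09-21T08:15:00 ws01 updates.example-vendor.com 0.4
2020-09-21T08:20:00 ws01 updates.example-vendor.com 0.4
2020-09-21T08:25:00 ws01 updates.example-vendor.com 0.4
2020-09-21T08:00:00 ws02 status-sync.example-new.xyz 0.2
2020-09-21T08:01:02 ws02 status-sync.example-new.xyz 0.2
2020-09-21T08:01:59 ws02 status-sync.example-new.xyz 0.3
2020-09-21T08:03:01 ws02 status-sync.example-new.xyz 0.2
2020-09-21T08:04:00 ws02 status-sync.example-new.xyz 0.2
2020-09-21T08:05:01 ws02 status-sync.example-new.xyz 0.2
2020-09-21T08:00:10 ws03 cdn.example-media.net 12.0
2020-09-21T08:00:40 ws03 cdn.example-media.net 3.5
2020-09-21T08:10:40 ws03 cdn.example-media.net 40.0
2020-09-21T08:11:25 ws03 cdn.example-media.net 1.0
2020-09-21T08:31:25 ws03 cdn.example-media.net 8.0
"""
REPORT_DATE = date(2020, 9, 21)

# Stand-in for VirusTotal + WHOIS lookups (constructed values).
INTEL = {
    "updates.example-vendor.com": {"vt_malicious": 0, "registered": date(2009, 3, 1)},
    "cdn.example-media.net": {"vt_malicious": 0, "registered": date(2012, 6, 15)},
    "status-sync.example-new.xyz": {"vt_malicious": 3, "registered": date(2020, 9, 1)},
}

@dataclass
class Conn:
    ts: datetime
    src: str
    dest: str
    duration: float

def parse_log(text):
    """Parse the constructed space-separated log into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, dur = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), src, dest, float(dur)))
    return conns

def summarize(conns):
    """Per destination: connection count, total duration and how regular the
    inter-connection gaps are (coefficient of variation; ~0 means a fixed interval)."""
    by_dest = defaultdict(list)
    for c in conns:
        by_dest[c.dest].append(c)
    rows = []
    for dest, cs in by_dest.items():
        cs.sort(key=lambda c: c.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(cs, cs[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        rows.append({"dest": dest, "connections": len(cs),
                     "total_duration": round(sum(c.duration for c in cs), 1),
                     "interval_cv": cv})
    return rows

def top_n(rows, key, n=20):
    """The long-tail list the post describes: top N by connections or duration."""
    return sorted(rows, key=lambda r: r[key], reverse=True)[:n]

def lookup_intel(dest, today):
    """Stand-in enrichment; replace with real VirusTotal / WHOIS API calls."""
    info = INTEL.get(dest, {"vt_malicious": None, "registered": None})
    age = (today - info["registered"]).days if info["registered"] else None
    return {"vt_malicious": info["vt_malicious"], "domain_age_days": age}

def review_reasons(row):
    """Hints for the analyst reading the CSV; deliberately not a SOC alert."""
    reasons = []
    if row["vt_malicious"]:
        reasons.append(f"VT malicious={row['vt_malicious']}")
    if row["domain_age_days"] is not None and row["domain_age_days"] < 90:
        reasons.append("domain younger than 90 days")
    if row["interval_cv"] is not None and row["interval_cv"] < 0.1:
        reasons.append("very regular interval")
    return reasons

def hunt(log_text, today, n=20, rank_by="connections"):
    """Scheduled hunt: aggregate, take the top N, enrich, annotate for review."""
    out = []
    for row in top_n(summarize(parse_log(log_text)), rank_by, n):
        row = {**row, **lookup_intel(row["dest"], today)}
        row["review_reasons"] = review_reasons(row)
        out.append(row)
    return out

def to_csv(rows):
    """Export the hunt output to CSV text for the analyst to work through."""
    fields = ["dest", "connections", "total_duration", "interval_cv",
              "vt_malicious", "domain_age_days", "review_reasons"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields)
    w.writeheader()
    for r in rows:
        w.writerow({**r, "review_reasons": "; ".join(r["review_reasons"])})
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(hunt(SAMPLE_LOG, REPORT_DATE)))
```

On the constructed data the software updater shows a perfectly regular five-minute interval and would be a daily false positive if turned into an alert, which is exactly the problem the post describes; it still lands in the CSV for a human to dismiss, while the young domain with VT hits and a jittered one-minute interval collects all three review reasons.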

What to do if we can’t develop a detection mechanism?

Unfortunately, it is not possible to develop detection for every hypothesis. If it were possible, vendors would already include detections in their products, and we would not need a threat hunting process. Since this is not the case, we need a more comprehensive analysis process/methodology.

Even though long-tail analysis is one of the most used techniques during threat hunting, it is not something that can be turned into a detection easily. To overcome this issue, we can modify the process as follows:

If it is possible to develop a detection for the hypothesis, do the development and maintenance. Proper detection development and maintenance can be done by a separate team as well.

If it is not possible to develop detection, there are two options:

  • Develop a detection which generates low/informational severity alerts. Periodically investigate the alerts for possible malicious activity. You might already have some built-in low/informational severity detections. The reason for having low/informational severity is to prevent SOC analysts from being flooded by the alerts. Imagine being bombarded by countless alerts. Analysts might hate you!
  • Develop hunting content (queries, reports, etc.). Analyse the output of the hunting content periodically. Use automation where possible to reduce the time spent on analysis.

To make the hunt repeatable, we can create a hunting schedule for the hypotheses which cannot be covered by detection content and perform investigations periodically.
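One way to make the scheduled hunt repeatable without re-analysing the same legitimate beacons every run, as an added example that is not from the original post: carry analyst verdicts forward between runs so only new destinations, changed indicators, or stale "benign" verdicts come back for review. The findings map, the prior verdicts and the 30-day re-check window are constructed assumptions; where the verdicts are stored is left to the team.

```python
"""
Added example: carrying analyst verdicts between scheduled hunt runs.
findings  : {destination: [review reasons]} produced by this run's hunting content
verdicts  : {destination: {"verdict": "benign"|"malicious", "reasons": [...], "date": "YYYY-MM-DD"}}
All data below is constructed for illustration.
"""
from datetime import date

RECHECK_AFTER_DAYS = 30  # assumption: a "benign" verdict is re-verified monthly

def items_to_review(findings, verdicts, run_date):
    """Return (dest, reasons, why) for the findings an analyst must look at this run."""
    review = []
    for dest, reasons in findings.items():
        prior = verdicts.get(dest)
        if prior is None:
            review.append((dest, reasons, "new destination"))
        elif prior["verdict"] != "benign":
            review.append((dest, reasons, "previously judged malicious, still present"))
        elif reasons != prior["reasons"]:
            review.append((dest, reasons, "indicators changed since benign verdict"))
        elif (run_date - date.fromisoformat(prior["date"])).days >= RECHECK_AFTER_DAYS:
            review.append((dest, reasons, f"benign verdict older than {RECHECK_AFTER_DAYS} days"))
        # otherwise: recently judged benign with the same indicators, skip this run
    return review

def record_verdict(verdicts, dest, verdict, reasons, run_date):
    """Store the analyst's decision so the next scheduled run can use it."""
    verdicts[dest] = {"verdict": verdict, "reasons": list(reasons), "date": run_date.isoformat()}
    return verdicts

# Constructed verdicts from earlier runs.
PRIOR_VERDICTS = {
    "updates.example-vendor.com": {"verdict": "benign", "reasons": ["very regular interval"], "date": "2020-09-14"},
    "cdn.example-media.net": {"verdict": "benign", "reasons": [], "date": "2020-07-01"},
    "mirror.example-pkg.org": {"verdict": "benign", "reasons": [], "date": "2020-09-10"},
}
# Constructed output of today's hunting content.
TODAY = date(2020, 9, 21)
TODAY_FINDINGS = {
    "updates.example-vendor.com": ["very regular interval"],
    "cdn.example-media.net": [],
    "mirror.example-pkg.org": ["VT malicious=1"],
    "status-sync.example-new.xyz": ["VT malicious=3", "domain younger than 90 days", "very regular interval"],
}

def run_hunt():
    return items_to_review(TODAY_FINDINGS, PRIOR_VERDICTS, TODAY)

if __name__ == "__main__":
    for dest, reasons, why in run_hunt():
        print(f"{dest}: {why} {reasons}")
```

Of the four destinations, the updater is skipped because it was judged benign a week ago with the same indicators; the CDN comes back only because its benign verdict is stale, the package mirror because its VT score changed, and the new domain because nobody has looked at it yet. That keeps the periodic analysis time proportional to what actually changed.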

After this modification, the process becomes something similar to what is shown below:

Conclusion

Clearly, we cannot detect everything just by developing detection mechanisms. For more effective hunting, we should also focus on things that cannot be detected but need to be manually hunted. By doing so, in addition to the common method, which detects malicious activities automatically and alerts us, we can create a more efficient process that covers malicious activities which cannot be detected automatically. An extra benefit is that this procedure also helps us to detect unknown TTPs.

Every organization has its own process and way of working regarding threat hunting. In this post, I tried to reflect my personal approach and opinion. I hope it provides you with a different perspective.

Happy hunting!
