
Advanced Threat Hunting Techniques: Part 2

Emanuele (Ebalo) Balsamo, published in Purple Team, Sep 25, 2024 (7 min read)


Leveraging Threat Intelligence Platforms

In Part 1 of this series, we explored anomaly detection and behavioral analytics as crucial components of advanced threat hunting. These techniques allow security teams to identify malicious activity by recognizing deviations from normal behavior and correlating activity to known attack techniques, such as those in the MITRE ATT&CK framework. However, threat hunting doesn’t occur in a vacuum; the effectiveness of any threat hunt can be amplified by incorporating external intelligence to provide context and additional layers of insight.

In Part 2, we will delve into how to leverage Threat Intelligence Platforms (TIPs) in your threat hunting efforts. We’ll explore how TIPs can enrich internal data, provide a more complete picture of emerging threats, and help threat hunters identify and neutralize adversaries more effectively.

The Role of Threat Intelligence in Threat Hunting

Threat intelligence platforms (TIPs) serve as aggregators and analyzers of external intelligence, allowing organizations to collect, curate, and apply real-time threat intelligence feeds in their environments. They provide valuable context about the tactics, techniques, and procedures (TTPs) used by adversaries, as well as Indicators of Compromise (IoCs) such as malicious domains, IP addresses, file hashes, and more.

How TIPs Complement Threat Hunting

  • Contextual Awareness: TIPs provide context about known adversaries, helping threat hunters understand the bigger picture — who the attackers are, what their objectives might be, and how they typically operate.
  • Real-Time Data: Continuous updates from global threat feeds provide near-real-time intelligence about ongoing campaigns, newly discovered malware variants, and evolving attack methods.
  • Collaboration and Sharing: TIPs allow organizations to share intelligence with partners, government agencies, or industry-specific ISACs (Information Sharing and Analysis Centers). This shared intelligence can significantly enrich a threat hunting team’s understanding of adversary behavior.


1. Incorporating IoCs into Threat Hunting

While behavioral analytics and anomaly detection are powerful tools, integrating IoCs from TIPs provides concrete artifacts to search for during a hunt. These IoCs can include IP addresses, domains, file hashes, URLs, and email addresses that have been observed in real-world attacks.

Benefits of Using IoCs in Hunting:

  • Indicator Matching: Many TIPs aggregate IoCs from various sources, including malware repositories, public threat databases, and government advisories. Threat hunters can correlate these IoCs with internal network traffic, log data, and endpoint activity.
  • Threat Correlation: Correlating an internal alert (e.g., an anomalous network connection) with a known malicious IP address from a TIP strengthens the hypothesis that the network might be compromised.
  • Enrichment of Findings: TIPs often provide additional context around each IoC, such as the adversary group behind it or the malware family it’s associated with. This context allows for more informed decisions and targeted response actions.

Example: Hunting for Known Malicious Infrastructure

A threat hunter identifies unusual outbound network traffic to an unfamiliar IP address. By querying their TIP, the hunter discovers that this IP address is associated with a known botnet. This additional intelligence provides immediate validation of the suspicious behavior and shifts the focus from exploration to containment and eradication.

Best Practices for Using IoCs:

  1. Relevancy Filtering: Not all IoCs are created equal. Prioritize high-confidence IoCs that are relevant to your organization’s industry or threat landscape.
  2. Automated Matching: Use your Security Information and Event Management (SIEM) system or network monitoring tools to automatically cross-reference incoming data with IoCs from your TIP to detect potential matches in real time.
  3. Expiring IoCs: Adversaries often change their infrastructure. Always consider the freshness of IoCs, as older ones might no longer be relevant to ongoing threats.
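The three best practices above (relevancy filtering, automated matching, expiring IoCs) can be turned into a small matching loop. The following is an added example, not code from the original article or from any particular TIP: the feed entries, log lines and field names are constructed (RFC 5737 documentation addresses and reserved names, never real indicators), and the confidence and age thresholds are assumptions.

```python
"""Cross-reference internal log lines against a TIP indicator feed,
keeping only high-confidence, sector-relevant and fresh indicators.

Added example (not from the original article). Feed, log lines and
thresholds are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed TIP feed: documentation IPs and reserved names only.
TIP_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90,
     "last_seen": "2024-09-20T10:00:00Z", "sectors": ["finance"],
     "context": "botnet C2"},
    {"type": "domain", "value": "Login-Update.example", "confidence": 40,
     "last_seen": "2024-09-23T00:00:00Z", "sectors": ["healthcare"],
     "context": "credential phishing"},
    {"type": "sha256", "value": "a" * 64, "confidence": 95,
     "last_seen": "2024-01-05T00:00:00Z", "sectors": [],
     "context": "loader, infrastructure retired"},
]

# Constructed internal telemetry in key=value form (proxy / EDR style).
LOG_LINES = [
    "2024-09-24T08:01:12Z host=ws-17 user=jdoe dst_ip=203.0.113.45 dst_port=443 action=allowed",
    "2024-09-24T08:02:03Z host=ws-17 user=jdoe domain=login-update.example action=allowed",
    "2024-09-24T08:03:44Z host=srv-02 sha256=" + "a" * 64 + " action=exec",
    "2024-09-24T08:04:10Z host=ws-05 user=mlee dst_ip=198.51.100.7 dst_port=443 action=allowed",
]

# Which log fields carry which indicator type (assumed field names).
FIELD_TO_TYPE = {"dst_ip": "ipv4", "src_ip": "ipv4", "domain": "domain", "sha256": "sha256"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_indicators(feed, now, sector, min_confidence=70, max_age_days=30):
    """Relevancy filtering (confidence, sector) plus freshness (max age).
    Returns {(type, lower-cased value): indicator} for exact lookups."""
    selected = {}
    for ind in feed:
        if ind["confidence"] < min_confidence:
            continue
        if now - parse_ts(ind["last_seen"]) > timedelta(days=max_age_days):
            continue  # stale: adversary infrastructure rotates
        if ind["sectors"] and sector not in ind["sectors"]:
            continue  # empty sector list means "applies to everyone"
        selected[(ind["type"], ind["value"].lower())] = ind
    return selected


def match_logs(lines, indicators):
    """Return one hit per (line, indicator), enriched with the TIP context."""
    hits = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        for field_name, ioc_type in FIELD_TO_TYPE.items():
            value = fields.get(field_name)
            if value is None:
                continue
            ind = indicators.get((ioc_type, value.lower()))
            if ind:
                hits.append({"host": fields.get("host"), "field": field_name,
                             "value": value, "context": ind["context"],
                             "confidence": ind["confidence"]})
    return hits


def run_example(sector="finance", as_of="2024-09-25T00:00:00Z", **thresholds):
    """Run the hunt over the constructed data as seen at the given time."""
    indicators = select_indicators(TIP_FEED, parse_ts(as_of), sector, **thresholds)
    return match_logs(LOG_LINES, indicators)


if __name__ == "__main__":
    for hit in run_example():
        print(f"{hit['host']}: {hit['field']}={hit['value']} -> "
              f"{hit['context']} (confidence {hit['confidence']})")
```

With the default thresholds only the botnet C2 address produces a hit: the phishing domain is low-confidence and tagged for another sector, and the loader hash was last seen months ago. Widening `max_age_days` brings the hash back, which is exactly the trade-off the "Expiring IoCs" point describes.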

2. Leveraging TTPs for Proactive Hunting

While IoCs can help identify specific artifacts of an attack, TTPs provide deeper insight into the behaviors and methodologies used by adversaries. This is where TIPs shine by providing a continuous feed of adversarial TTPs that can be integrated into the threat hunting process.

How TIPs Help with TTP-Based Hunting:

  • Cross-Campaign Analysis: TIPs track patterns of behavior across different attack campaigns, providing visibility into the common TTPs used by threat actors across multiple engagements.
  • Adversary Profiling: Threat intelligence platforms can help threat hunters build detailed profiles of known adversary groups by summarizing the typical TTPs they use, which can be cross-referenced with internal detections to identify sophisticated attackers.

Example: Detecting Fileless Malware Using TTPs

A TIP reports that an advanced persistent threat (APT) group is increasingly using fileless malware techniques, leveraging PowerShell scripts and in-memory execution to avoid detection. A threat hunter can focus their efforts on identifying abnormal use of PowerShell in their environment, looking for behavior such as process injection or unusual script execution patterns.

Because fileless malware doesn’t leave behind traditional artifacts like malicious files or hashes, relying on IoCs alone wouldn’t suffice. However, understanding the TTPs associated with fileless attacks enables a more focused and effective hunt.

Using MITRE ATT&CK and Threat Intelligence Together

Many TIPs have begun to integrate with the MITRE ATT&CK framework, mapping adversary TTPs to ATT&CK techniques. This allows threat hunters to structure their hunts around specific ATT&CK techniques commonly used by the adversary groups active in their industry.

For instance, a TIP might alert that a specific APT group is using T1218: Signed Binary Proxy Execution to bypass security controls. With this information, threat hunters can prioritize looking for signs of signed binaries being misused within their environment.

3. Automating Threat Hunting with TIPs

Manually searching through logs and network data for IoCs or behavioral patterns can be time-consuming. TIPs offer automation capabilities that can greatly enhance the efficiency of threat hunting efforts.

Automation Use Cases for TIPs in Hunting:

  • Automated Enrichment: TIPs can automatically enrich internal telemetry, such as suspicious IP addresses or file hashes, with external intelligence. This allows threat hunters to focus on more strategic analysis rather than manual correlation.
  • Hunting Playbooks: Many TIPs come with predefined playbooks that can be integrated with SIEMs and SOAR (Security Orchestration, Automation, and Response) platforms. These playbooks help automate the hunting process by triggering hunts based on specific IoCs or TTPs.
  • Continuous Monitoring: TIPs can be set up to continuously monitor threat landscapes and alert the threat hunting team when new, high-confidence IoCs or TTPs are discovered that match patterns within their environment.

Example: Automating IoC Correlation

A threat hunter receives an alert from their TIP that a newly discovered domain associated with an active phishing campaign has been observed communicating with internal systems. Through automated integration with the organization’s SIEM, a rule is triggered that quarantines the infected endpoint and alerts the security team for further investigation.

This automated detection and response allows for rapid containment of threats, reducing both time to detection (TTD) and time to response (TTR).

4. Sharing and Collaborating on Threat Intelligence

An often underutilized aspect of TIPs is their ability to facilitate threat intelligence sharing between organizations. Collaborative threat hunting is becoming more important, as threat actors frequently reuse infrastructure, tools, and methods across multiple organizations.

Threat Sharing Frameworks:

  • ISACs (Information Sharing and Analysis Centers): Industry-specific ISACs allow for sharing intelligence with organizations facing similar threats, such as financial services, healthcare, or government sectors.
  • STIX/TAXII Protocols: TIPs often support STIX/TAXII standards, which allow for structured threat intelligence sharing between organizations. Using these protocols, organizations can share critical intelligence such as IoCs, adversary profiles, and incident response tactics.
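Structured sharing over STIX/TAXII means both consuming partner bundles and producing your own in the same format. The following is an added example, not code from the original article and not tied to any TIP: it loads a STIX 2.1 indicator bundle into a lookup table (skipping expired, revoked and non-indicator objects) and emits a new indicator ready to be bundled for an ISAC or TAXII collection. The inbound bundle, its UUIDs and values are constructed, and the pattern parser handles only simple equality comparisons, which is enough for the IoC types the text names.

```python
"""Consume and produce STIX 2.1 indicators for intelligence sharing.

Added example (not from the original article). The inbound bundle is
constructed; the parser covers simple '[obj:prop = value]' comparisons,
optionally joined by AND/OR, not the full STIX pattern grammar.
"""
import json
import re
import uuid
from datetime import datetime

# Constructed bundle as a partner might share it over TAXII.
INBOUND_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--6f3c4b3a-2d4e-4c8a-9a1e-0c1d2e3f4a5b",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--8e2e2d2b-17d6-4e5c-9a93-0d2fb5b3ee1a",
         "created": "2024-09-20T10:00:00.000Z", "modified": "2024-09-20T10:00:00.000Z",
         "name": "Botnet C2 address", "indicator_types": ["malicious-activity"],
         "pattern": "[ipv4-addr:value = '203.0.113.45']", "pattern_type": "stix",
         "valid_from": "2024-09-20T10:00:00Z", "valid_until": "2024-12-31T00:00:00Z",
         "confidence": 90},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1b7c9d2e-5f6a-4b8c-9d0e-1f2a3b4c5d6e",
         "created": "2024-07-01T00:00:00.000Z", "modified": "2024-07-01T00:00:00.000Z",
         "name": "Phishing domain (expired)", "indicator_types": ["malicious-activity"],
         "pattern": "[domain-name:value = 'Login-Update.example']", "pattern_type": "stix",
         "valid_from": "2024-07-01T00:00:00Z", "valid_until": "2024-09-01T00:00:00Z",
         "confidence": 60},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--2c8d0e3f-6a7b-4c9d-8e1f-2a3b4c5d6e7f",
         "created": "2024-09-22T00:00:00.000Z", "modified": "2024-09-22T00:00:00.000Z",
         "name": "Loader attachment", "indicator_types": ["malicious-activity"],
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "' OR file:name = 'invoice.pdf.exe']",
         "pattern_type": "stix", "valid_from": "2024-09-22T00:00:00Z", "confidence": 85},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--3d9e1f4a-7b8c-4d0e-9f2a-3b4c5d6e7f8a",
         "created": "2024-09-22T00:00:00.000Z", "modified": "2024-09-22T00:00:00.000Z",
         "name": "ConstructedLoader", "is_family": False},
    ],
})

# One equality comparison: object type, property path, quoted value.
COMPARISON_RE = re.compile(r"(?P<obj>[a-z0-9-]+):(?P<prop>[A-Za-z0-9_.'\-]+)\s*=\s*'(?P<val>[^']*)'")


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_indicators(bundle_json, as_of):
    """Build {(observable path, lower-cased value): source info} from a bundle,
    skipping non-indicators, revoked objects, non-STIX patterns and expired ones."""
    now = parse_ts(as_of)
    table = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        until = obj.get("valid_until")
        if until and parse_ts(until) <= now:
            continue
        for m in COMPARISON_RE.finditer(obj["pattern"]):
            key = (m.group("obj") + ":" + m.group("prop").replace("'", ""), m.group("val").lower())
            table[key] = {"id": obj["id"], "name": obj.get("name", ""),
                          "confidence": obj.get("confidence")}
    return table


def make_indicator(observable, value, name, confidence, as_of):
    """Create a STIX 2.1 indicator for an IoC found during an internal hunt."""
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": as_of, "modified": as_of, "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{observable} = '{value}']", "pattern_type": "stix",
        "valid_from": as_of, "confidence": confidence,
    }


def make_bundle(objects):
    """Wrap objects in a bundle ready to push to a TAXII collection."""
    return json.dumps({"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
                       "objects": objects}, indent=2)


if __name__ == "__main__":
    AS_OF = "2024-09-25T00:00:00Z"
    for key, src in load_indicators(INBOUND_BUNDLE, AS_OF).items():
        print(f"{key[0]} = {key[1]}  <- {src['name']} (confidence {src['confidence']})")
    outbound = make_indicator("domain-name:value", "phish.example", "Spear-phishing sender domain", 80, AS_OF)
    print(make_bundle([outbound]))
```

Because the producer and consumer share one pattern format, an indicator your team emits round-trips through `load_indicators` unchanged, which is a cheap check to run before publishing to a sharing community.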

Benefits of Collaborative Hunting:

  • Broader Threat Visibility: Collaborating with other organizations, especially those in the same industry, increases your visibility into the threats that are likely to target your environment.
  • Faster Detection: By sharing intelligence in real-time, organizations can collectively reduce the time it takes to detect and respond to new threats.

Example: Collaborative Threat Detection via ISAC

A financial services company notices a rise in spear-phishing attacks targeting its executives. By sharing IoCs and TTPs with other financial institutions via an ISAC, the broader community is able to detect and block similar attacks more quickly. This collaborative effort improves collective resilience against the threat actor’s campaign.

Conclusion: Maximizing the Power of Threat Intelligence in Hunting

Threat Intelligence Platforms are an indispensable tool for advanced threat hunting, providing hunters with the necessary context, real-time data, and TTP insights needed to detect and mitigate sophisticated threats. By integrating IoCs into your hunting workflow, focusing on adversary behaviors, and automating the correlation of intelligence with internal data, you can significantly improve your threat-hunting capabilities.

Moreover, TIPs enable greater collaboration through intelligence sharing, enhancing the collective defense of your organization and its partners. Ultimately, the combination of anomaly detection, behavioral analytics, and external threat intelligence leads to a more proactive and efficient threat-hunting approach.

By leveraging cutting-edge TIPs alongside your internal detection tools and expertise, you can stay one step ahead of adversaries and enhance the overall security posture of your organization.

Final Thoughts: Combining proactive anomaly detection and behavioral analysis with rich external intelligence from TIPs provides a comprehensive approach to hunting down even the most sophisticated adversaries. These techniques form the backbone of advanced threat hunting and enable security teams to move beyond reactive defenses and into the realm of proactive cyber defense.



Cybersecurity Specialist | Offensive Security Expert Focused on red teaming, offensive security, and proactive defense measures