Cyber threat hunters identify threats carried out by either internal actors, such as a single employee, or external actors, such as criminal organizations. A threat hunt actively searches for malicious events and activities within an environment to discover attacks that are already under way. Typically, a threat hunt team relies upon threat intelligence shared by the wider defense community, which enables it to react swiftly and efficiently to mitigate threats.
The Concept of Threat Hunting
The purpose of threat hunting is to analyze routine activities and network traffic to identify potential anomalies indicative of malicious actions which may result in a complete breach. Threat hunting describes the methods used to identify malicious cyber activities within an organization's network in a systematic way. Threat hunting subscribes to an "assume breach" mentality; a crucial strategy designed to help protect against advanced cyberattacks, mitigate any intrusion's impact, and develop a procedural approach to cyber resilience.
Cyber threat hunting is a primarily manual process in which a threat hunter (or security analyst) reviews various sources of information and uses skill and experience to identify potential threats. Based on cyber threat intelligence, known attack techniques, and other information, threat hunters form and test hypotheses about potential threats while gathering and analyzing data from sources both inside and outside the organization. For example, after finding evidence that a threat actor has gained access to the environment, a threat hunter might look for evidence that the attacker also performed lateral movement. To improve their effectiveness, threat hunters focus on well-established tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), indicators of attack (IoAs), and the confidence levels attached to threat intelligence to identify threats, understand exploits, and reveal an attacker's activities.
Entity-driven hunts look for specific external threat actors based on the TTPs the cyber defense community has observed in recently identified attacks. Crowdsourced attack data is a valuable source of information because it exposes the TTPs of current, active campaigns. An effective threat hunt team can often detect a threat actor before they are in a position to damage the environment.
Dedicated threat-hunting teams are out of reach for most organizations, so managed security service providers (MSSPs) fill this gap by providing the knowledge, skills, resources, and analytic tools needed to locate unusual activity and hidden threats efficiently.
CrowdStrike Falcon Complete managed services monitoring dashboard displaying observed TTPs
Description of the Picture:
The header at the top shows a search bar with the filter Status: New. Below it are three filter panels: Severity, Tactic, and Technique.
Below the panels are detection entries titled "Fancy Bear Detected," each showing a Severity, a Tactic and Technique, and a Detect Time.
Focus Areas
Misconfiguration Hunting
Misconfigured systems, services, or applications create weaknesses an attacker can exploit. Misconfiguration hunting searches for them proactively: weak or default passwords, unnecessarily open ports, insecure settings left at their defaults, and unpatched software.
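One way to hunt for a common class of misconfiguration, as an added example that is not part of the original page: an audit of OpenSSH server configuration text. The two sshd_config fragments, one weak and one hardened, are constructed for the illustration. The checks mirror how sshd itself reads the file (the first value of a directive wins, and an absent directive means the compiled-in default applies, which for PasswordAuthentication is yes), so a hardening line added below an earlier weak one is correctly reported as ineffective. The set of directives checked and the MaxAuthTries threshold are choices made for this example, not a complete baseline.

```python
"""Audit sshd_config text the way a misconfiguration hunt would: resolve the
effective value of each directive and flag anything weaker than the baseline."""
import re

# Compiled-in defaults sshd uses when a directive is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Baseline chosen for this example: directive -> predicate the effective value must satisfy.
EXPECTED = {
    "permitrootlogin": lambda v: v in ("no", "prohibit-password"),
    "passwordauthentication": lambda v: v == "no",
    "permitemptypasswords": lambda v: v == "no",
    "x11forwarding": lambda v: v == "no",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 4,
}

DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)$")   # "Key value" or "Key=value"


def effective_settings(text):
    """Global directives as sshd resolves them: comments dropped, the FIRST
    occurrence of a directive wins, and everything from the first Match block
    onward is conditional and therefore not counted as the global value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)      # later duplicates are ignored by sshd
    return settings


def audit(text):
    """Return one finding per directive whose effective value fails the baseline,
    noting whether the weak value was set explicitly or inherited from the default."""
    effective = effective_settings(text)
    findings = []
    for key, acceptable in EXPECTED.items():
        value = effective.get(key, DEFAULTS[key])
        if not acceptable(value):
            origin = "set" if key in effective else "default (directive absent)"
            findings.append(f"{key}={value} [{origin}]")
    return findings


# Constructed configurations for the illustration (not taken from any real host).
WEAK_CONFIG = """\
# weak: typical out-of-the-box file with a few convenience settings
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# added later during "hardening" but ineffective: sshd keeps the first value
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
Match User deploy
    PasswordAuthentication yes   # conditional exception, scoped to one user
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

The weak file produces four findings, including MaxAuthTries, which is never mentioned in the file at all; that is the point of resolving defaults rather than grepping for bad lines.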
Isolated Network Hunting
Isolated networks, such as air-gapped networks or networks with limited connectivity to the internet, are often thought to be more secure. However, attackers can still reach these networks by exploiting vulnerabilities in the systems that connect to them or through physical access. Isolated network hunting therefore looks for weaknesses both in those connecting systems and in the physical access points that could be used to gain entry to the isolated network.
Business-critical Asset Hunting
Attackers often target business-critical assets, such as databases, servers, or applications. Business-critical asset hunting involves searching for vulnerabilities and threats that could impact these assets by searching for unauthorized access attempts, unusual traffic patterns, or suspicious activity that could indicate an attack. An organization's processes used to manage critical assets can also be targeted, such as new user creation, money transfer, access permission approvals, and other similar high-risk functions.
Indicators of Compromise
Cybersecurity analysts and threat hunters collect indicators of compromise (IoCs) to identify, investigate, and mitigate threats. An IoC suggests that a security incident may have occurred, such as traffic to or from an IP address or domain associated with malicious activity. IoCs can be found in system and application logs, network monitoring software, endpoint protection tools, and security information and event management (SIEM) platforms. By collecting and analyzing these indicators, security teams can identify and respond to threats quickly. IoCs summarize malicious actions, giving security professionals a practical way to identify the likely source of an incident, and that summary informs the response plan by identifying the systems and services to isolate or monitor and the users and accounts that may need to be locked. Collecting and analyzing IoCs also makes it possible to describe security issues accurately and efficiently, which helps protect organizations from future threats.
As the name implies, indicators of compromise do not prove a successful attack or breach has occurred. Instead, an IoC points to a specific event, pattern, or sequence of events that may indicate trouble. After identifying an IoC, security analysts must validate it to more confidently determine if it is a false positive, warrants monitoring, or requires a full incident response.
Role of Digital Forensics
Indicators of compromise can be identified using digital forensics techniques, which analyze the digital artifacts left behind on a compromised system or network: log files, memory dumps, network traffic captures, and file system metadata. Once IoCs have been identified, they are turned into threat intelligence used to detect and prevent future attacks of a similar nature. For example, IoCs can be loaded into security tools such as intrusion detection systems (IDS) or SIEM systems to detect and respond to similar events in real time. Digital forensic analysis may also reveal the specific vulnerabilities or misconfigurations that led to a breach. Overall, digital forensics plays a critical role in identifying and analyzing IoCs.
Indicators of compromise (IoCs) are essentially pieces of forensic data that provide evidence of a potential intrusion into a system or network. An IoC raises the likelihood that unauthorized access or a successful attack has occurred, but, as noted above, it must still be validated. Indicators such as these help security analysts identify malicious actors early in the cyber kill chain, possibly before significant damage occurs. Indicators of attack (IoAs) are similar to IoCs, but instead of focusing on forensic evidence of an attack that has already happened, IoAs focus on identifying the attacker's behavior while an attack is in progress.
IoCs take many forms, such as odd network patterns, unusual account behaviors, unexpected or unexplained configuration changes, and unfamiliar new files on a system. Some common IoCs include unusual outbound network traffic (such as large volumes of outbound DNS traffic), logins occurring from unexpected geographic locations, suspicious privileged user account behavior, unusual changes in log files, protocols associated with command-and-control activities, traffic to known questionable URLs or IP addresses, and distributed denial-of-service (DDoS) attacks. Suspicious privileged user account activity is particularly concerning as it is likely strong evidence that a successful and significant breach of the organization's defensive measures has occurred.
Other potential IoCs include users unexpectedly accessing systems from foreign countries, unusual DNS requests or DNS requests to known malicious domains and IP addresses, uniform resource locators (URLs) or protocol elements that point at command-and-control servers, changes to system files, malware infections, and many others. Frequently, IoCs reach organizations through intelligence reports and machine-readable data feeds, which in turn update security products such as web application firewalls, EDR solutions, web proxies, and intrusion detection tools. As the community of defenders grows in size and capability, so does the volume and quality of the information shared to help others look for signs of trouble. Some indicators are obvious, such as a ransomware infection on a desktop; others are far more subtle.
For most organizations, threat hunting is practically only possible with help from individuals and organizations working at the forefront of this field. Applying threat-hunting techniques often means using data from information-sharing platforms and the "field notes" written by professional incident responders. For example, uncoder.io provides "cookbook" detection content (rules written in the Sigma format) and translates it into the query languages of many different SIEM and EDR products; feeding the resulting searches into SIEM and EDR platforms helps locate indicators of compromise quickly. When an organization learns that specific threat actor groups are targeting its products or industry, services like uncoder.io provide the precise search criteria threat hunters need to find signs of trouble quickly and efficiently.
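The matching and validation steps described above, as an added example that is not part of the original page: a small IoC feed is checked against a handful of SIEM-normalized key=value log lines. The indicators, the log lines, the field names, and the confidence thresholds are all constructed for the illustration (RFC 5737 test addresses, .example domains, and a placeholder hash are used so nothing points at a real host). An allowlist supplies the validation step from earlier in this section, so a stale or over-broad indicator does not page anyone, and the feed's confidence level drives the triage outcome (informational, monitor, or full incident response) and the list of systems to contain.

```python
"""Match an IoC feed against SIEM-style log lines and triage the hits by confidence."""

# Constructed IoC feed for the illustration. RFC 5737 test addresses and .example
# names are used deliberately so nothing here points at a real host.
IOC_FEED = [
    {"type": "ipv4", "value": "203.0.113.44", "confidence": 90,
     "source": "vendor feed", "note": "command-and-control node"},
    {"type": "domain", "value": "update.evil-cdn.example", "confidence": 70,
     "source": "sector ISAC report", "note": "payload staging host"},
    {"type": "sha256", "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
     "confidence": 95, "source": "IR field notes", "note": "loader (placeholder hash)"},
    {"type": "ipv4", "value": "198.51.100.10", "confidence": 30,
     "source": "open-source list", "note": "internet scanner"},
]

# Validation step: indicators known to be benign in this environment. Here the
# low-confidence "scanner" is a contracted vulnerability scanner.
ALLOWLIST = {("ipv4", "198.51.100.10")}

# Constructed, SIEM-normalized events: timestamp followed by key=value fields.
SAMPLE_LOGS = [
    "2024-03-04T10:15:02Z type=fw src=10.1.4.22 dst=203.0.113.44 dport=443 action=allow",
    "2024-03-04T10:15:07Z type=dns host=ws-017 query=update.evil-cdn.example rtype=A",
    "2024-03-04T10:16:30Z type=edr host=ws-017 user=jsmith image=rundll32.exe "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2024-03-04T10:20:11Z type=fw src=198.51.100.10 dst=10.1.4.5 dport=22 action=deny",
    "2024-03-04T10:21:45Z type=dns host=ws-018 query=www.example.com rtype=A",
]

# Which normalized field carries which indicator type.
INDICATOR_FIELDS = {"src": "ipv4", "dst": "ipv4", "query": "domain", "sha256": "sha256"}


def parse_event(line):
    """'ts k=v k=v ...' -> dict; values are lower-cased so hashes and domains compare cleanly."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value.lower()
    return event


def triage(confidence):
    """Map feed confidence to the response the text above describes."""
    if confidence >= 80:
        return "incident response"
    if confidence >= 50:
        return "monitor"
    return "informational"


def hunt(lines, feed=IOC_FEED, allowlist=ALLOWLIST):
    """Return one alert per (event, indicator) match, allowlisted indicators excluded."""
    index = {(ioc["type"], ioc["value"].lower()): ioc for ioc in feed}
    alerts = []
    for line in lines:
        event = parse_event(line)
        for field, ioc_type in INDICATOR_FIELDS.items():
            value = event.get(field)
            key = (ioc_type, value)
            if value is None or key in allowlist or key not in index:
                continue
            ioc = index[key]
            alerts.append({
                "ts": event["ts"],
                # the internal asset involved: the host for endpoint/DNS events,
                # the internal source address for firewall events
                "asset": event.get("host") or event.get("src"),
                "indicator": value,
                "type": ioc_type,
                "confidence": ioc["confidence"],
                "source": ioc["source"],
                "action": triage(ioc["confidence"]),
            })
    return alerts


def assets_to_contain(alerts, min_confidence=80):
    """Systems a response plan should isolate: those tied to high-confidence hits."""
    return sorted({a["asset"] for a in alerts if a["confidence"] >= min_confidence})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for a in found:
        print(f'{a["ts"]} {a["asset"]:<11} {a["type"]:<6} {a["indicator"]} '
              f'conf={a["confidence"]} -> {a["action"]}')
    print("contain:", assets_to_contain(found))
```

Three of the five constructed events match; the scanner hit is suppressed by the allowlist, the domain hit is queued for monitoring, and the two high-confidence hits name the workstation and the internal address to isolate first.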
Analyzing Indicators of Compromise
This diagram shows how uncoder.io takes a rule describing an attacker copying the Windows SAM file to the AppData directory and translates it into a search string that can be used with Splunk (or with more than 27 other SIEM, EDR, and XDR platforms) to find any matching events.
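The kind of translation the figure shows, as an added example that is neither uncoder.io's code nor a Sigma rule taken from it: a constructed rule in a small subset of Sigma's shape (named selections, the `contains`, `endswith`, and `all` modifiers, and a flat `and`/`or`/`not` condition without parentheses) is rendered into a Splunk search string and also evaluated directly against constructed, Sysmon-like process-creation events, so the same rule can be handed to a SIEM or run from a script during a hunt. The logsource-to-source mapping, the `reg save HKLM\SAM` variant, and the backup-tool filter are assumptions made for this illustration.

```python
"""Render a Sigma-style rule as a Splunk search and run it locally on events."""

# Constructed rule in a small subset of Sigma's shape. It illustrates the
# "SAM copied to AppData" detection in the figure; it is not the uncoder.io rule.
RULE = {
    "title": "SAM hive staged in a user AppData directory",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection_sam": {"CommandLine|contains": ["\\config\\SAM", "HKLM\\SAM"]},
        "selection_dest": {"CommandLine|contains": "\\AppData\\"},
        "filter_backup": {"Image|endswith": "\\wbengine.exe"},
        "condition": "selection_sam and selection_dest and not filter_backup",
    },
}

# Assumed logsource mapping; a real backend reads this from its own configuration.
LOGSOURCE_SPL = {
    ("windows", "process_creation"):
        'source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1',
}


def _as_list(values):
    return values if isinstance(values, list) else [values]


def field_to_spl(field_spec, values):
    """'Field|contains|all': [...] -> Field="*v*" clauses joined by OR (AND for |all)."""
    name, *mods = field_spec.split("|")
    clauses = []
    for v in _as_list(values):
        v = str(v).replace("\\", "\\\\").replace('"', '\\"')   # Splunk string escaping
        if "contains" in mods:
            v = f"*{v}*"
        elif "startswith" in mods:
            v = f"{v}*"
        elif "endswith" in mods:
            v = f"*{v}"
        clauses.append(f'{name}="{v}"')
    joiner = " AND " if "all" in mods else " OR "
    return clauses[0] if len(clauses) == 1 else "(" + joiner.join(clauses) + ")"


def to_splunk(rule):
    """Whole rule -> one SPL search string."""
    detection = rule["detection"]
    selections = {}
    for name, fields in detection.items():
        if name == "condition":
            continue
        parts = [field_to_spl(f, v) for f, v in fields.items()]
        selections[name] = parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"
    keywords = {"and": "AND", "or": "OR", "not": "NOT"}
    where = " ".join(keywords[t] if t in keywords else selections[t]
                     for t in detection["condition"].split())
    src = rule["logsource"]
    return f'{LOGSOURCE_SPL[(src["product"], src["category"])]} {where}'


def field_matches(event, field_spec, values):
    """Local, case-insensitive evaluation of one 'Field|modifiers' clause."""
    name, *mods = field_spec.split("|")
    actual = str(event.get(name, "")).lower()
    hits = []
    for v in _as_list(values):
        v = str(v).lower()
        if "contains" in mods:
            hits.append(v in actual)
        elif "startswith" in mods:
            hits.append(actual.startswith(v))
        elif "endswith" in mods:
            hits.append(actual.endswith(v))
        else:
            hits.append(actual == v)
    return all(hits) if "all" in mods else any(hits)


def rule_matches(event, rule):
    """Evaluate the condition left to right; this subset has no parentheses."""
    detection = rule["detection"]
    truth = {name: all(field_matches(event, f, v) for f, v in fields.items())
             for name, fields in detection.items() if name != "condition"}
    tokens = detection["condition"].split()

    def term(i):                        # [not] selection_name
        if tokens[i] == "not":
            return not truth[tokens[i + 1]], i + 2
        return truth[tokens[i]], i + 1

    result, i = term(0)
    while i < len(tokens):
        op = tokens[i]
        rhs, i = term(i + 1)
        result = (result and rhs) if op == "and" else (result or rhs)
    return result


def hunt(events, rule=RULE):
    return [e for e in events if rule_matches(e, rule)]


# Constructed Sysmon-like process-creation events.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jsmith",
     "CommandLine": "cmd.exe /c copy C:\\Windows\\System32\\config\\SAM "
                    "C:\\Users\\jsmith\\AppData\\Local\\Temp\\sam.bak"},
    {"Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jsmith",
     "CommandLine": "reg save HKLM\\SAM C:\\Users\\jsmith\\AppData\\Local\\sam.hiv"},
    {"Image": "C:\\Windows\\System32\\wbengine.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "wbengine.exe C:\\Windows\\System32\\config\\SAM "
                    "C:\\Users\\svc_backup\\AppData\\Local\\stage"},   # excluded by the filter
    {"Image": "C:\\Windows\\System32\\notepad.exe", "User": "CORP\\jsmith",
     "CommandLine": "notepad.exe C:\\Users\\jsmith\\AppData\\Roaming\\notes.txt"},
]

if __name__ == "__main__":
    print(to_splunk(RULE))
    for e in hunt(SAMPLE_EVENTS):
        print("HIT", e["User"], e["CommandLine"])
```

Running the rule locally before shipping it to the SIEM is a cheap sanity check: here it fires on both the file copy and the `reg save` variant while the filtered backup engine stays quiet, which is the behavior to confirm before the same logic is trusted in production.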
Decoy Methods and Concepts
Active Defense
An active defense uses proactive measures, such as deception and direct engagement with an adversary, to outmaneuver the attacker and make an attack harder to execute. An active approach to cyber defense seeks to increase the likelihood that attackers make a mistake and expose their presence or methods. Active defense approaches can stop attacks in progress while providing a greater understanding of attacker methodology.
Honeypots
Honeypots seek to redirect malicious traffic away from live production systems. They can provide early warning of ongoing attacks, helping defensive teams identify and respond before attacks reach critical systems, and they collect intelligence on the attackers and their techniques. Research honeypots extend this practice by focusing exclusively on collecting information about attack methods and malicious activity observed "in the wild," that is, against internet-facing systems. Low-interaction honeypots emulate only selected services; high-interaction honeypots run a complete operating system and are harder for expert attackers to spot, but they carry more risk if compromised and must be tightly isolated from real assets. Active decoys draw attackers away from corporate assets by planting false information on endpoints, such as credentials or connection details that appear to point at legitimate servers and services but instead lead attackers to decoy systems. Advanced deception solutions automatically identify and reroute malicious traffic away from real assets and toward decoys, leading to earlier detection and engagement, and some can use threat intelligence data to identify and respond to emerging threats more effectively.
The Attack Report page of the Modern Honey Network (MHN) Honeypot using the Dionaea sensor
Description:
A heading in the top left reads MHN Server.
The page is titled Attacks Report. Below the title, a search filter is shown with Sensor, Honeypot, and Date fields.
Below this is a table of 6 columns and 10 rows. The column headers are: Date, Country, Source IP, Destination port, Protocol, and Honeypot. Each row reads "dionaea" in the Honeypot column.
Honeypots supplement a threat-detection strategy; they are an additional security layer that can help detect attacks early. Honeypots can also help assess how a security team reacts to a live cyberattack, thereby identifying areas for improvement. Unlike signature-based intrusion detection systems, honeypots do not rely on predefined attack signatures or threat intelligence: because a honeypot has no legitimate users, any interaction with it is suspect. Honeypots can be expensive to operate and maintain because they require special knowledge to implement safely and specialized skills to identify and interpret observed attack methods, all while preventing attackers from using the honeypot as a stepping stone toward real assets.
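The report the figure describes, as an added example that is not MHN or Dionaea code: a low-interaction TCP honeypot that presents a fake SSH banner, records the source address, destination port, protocol and whatever the client sends, and renders rows in the attack-report layout above. It never interprets or forwards what it receives, and because the listener has no legitimate users every connection is an event worth recording. The banner string and the loopback probe used to exercise it are constructed for the illustration; there is no GeoIP lookup, so the Country column is n/a.

```python
"""Low-interaction TCP honeypot with an MHN-style attack report."""
import socket
import threading
import time
from collections import Counter
from datetime import datetime, timezone


class LowInteractionHoneypot:
    """Listens on one port, sends a fake banner, logs what the client sends, and
    never executes or forwards anything. Everything it records is an indicator."""

    def __init__(self, name="fake-ssh", host="127.0.0.1", port=0,
                 banner=b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"):   # constructed banner
        self.name, self.banner, self.events = name, banner, []
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))        # port 0: let the OS pick one
        self._sock.listen(16)
        self._sock.settimeout(0.2)           # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)
                    payload = conn.recv(1024)        # capture only; never act on it
                except OSError:
                    payload = b""
            self.events.append({
                "date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                "source_ip": src_ip,
                "source_port": src_port,
                "destination_port": self.port,
                "protocol": "tcp",
                "honeypot": self.name,
                "payload": payload[:256],            # bounded so a flood cannot exhaust memory
            })

    def wait_for(self, count, timeout=3.0):
        """Block until `count` events exist or the timeout passes; True if reached."""
        deadline = time.monotonic() + timeout
        while len(self.events) < count and time.monotonic() < deadline:
            time.sleep(0.02)
        return len(self.events) >= count


def probe(port, payload=b"SSH-2.0-scanner\r\n", host="127.0.0.1"):
    """Stand-in for an attacker's scanner: connect, read the banner, send a payload."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def attack_report(events):
    """Rows in the MHN attack-report layout; no GeoIP database here, so Country is n/a."""
    return [{"Date": e["date"], "Country": "n/a", "Source IP": e["source_ip"],
             "Destination port": e["destination_port"], "Protocol": e["protocol"],
             "Honeypot": e["honeypot"]} for e in events]


def top_sources(events, n=5):
    """Most active source addresses, the first thing to pivot on in the real logs."""
    return Counter(e["source_ip"] for e in events).most_common(n)


def run_demo(payload=b"SSH-2.0-scanner\r\n"):
    """Start a honeypot on a free loopback port, hit it once, and return the evidence."""
    hp = LowInteractionHoneypot().start()
    banner = probe(hp.port, payload)
    hp.wait_for(1)
    hp.stop()
    return banner, hp.events, hp.port


if __name__ == "__main__":
    banner, events, port = run_demo()
    print("banner seen by the scanner:", banner)
    for row in attack_report(events):
        print(row)
    print("top sources:", top_sources(events))
```

In production the listener would sit on an unused address and an interesting port, and the events would be shipped to the SIEM like any other log source; the one rule that never changes is that nothing the honeypot receives is ever executed or relayed.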