Threat Hunting Series: The Basics
In recent years, threat hunting has become an important component of information security programs. However, the term still lacks an agreed definition: depending on who you ask, you will get different interpretations of what threat hunting is and how it can be used. This prompted me to begin a series of posts on threat hunting.
I thought it would be easier to separate the different aspects of threat hunting into multiple, easily digestible posts. Like other niche areas of information security, threat hunting has several distinguishing characteristics. Some of the topics I want to cover in this series include:
- The basics and goals of threat hunting
- The differences between threat hunting and detection engineering
- The threat hunting process
- Threat hunting walkthroughs
- How to use threat intelligence to threat hunt effectively
- How to consume and share your research with the community.
What is threat hunting
In this first post, I’d like to go over the fundamentals of threat hunting and share my thoughts on how it can be used by an established information security program.
Threat hunting, in my opinion, is the proactive discipline of looking for suspicious activity on the corporate network. I want to emphasize the word “proactive” since this is where most people get confused. More on that in a second.
All threat-hunting tasks are carried out under the assumption that the network has been compromised and that threat actors are already present. The threat hunters’ goal is to proactively seek out and investigate any suspicious behavior within the network. To do that, they must have a good understanding of what normal looks like. Then, they can use a process based on hypotheses to look for abnormal behavior. I’ll talk more about the threat hunting process in a later post.
Most of the time, threat hunters are experienced individuals with a good understanding of the threat landscape. They know how adversaries are taking advantage of security misconfigurations and vulnerabilities. They are also well versed in various techniques that threat actors use in different attack stages.
Armed with that knowledge, threat hunters are proactively going through available data looking for anything that stands out. Later in the series, I will put together an article about what makes a good threat hunter, which will go deeper into the needed skills and knowledge.
The misconception about threat hunting
As mentioned above, many are under the misconception that threat hunting is a reactive task. A threat hunt should not be triggered by a detection alert or by a set of IOCs; those are the starting points of an analyst's investigation, not of a hunt. A hunt starts from a hypothesis about what an adversary would do in your environment and then goes looking for evidence of it. I've included some examples to illustrate my point below:
Good examples (hypothesis-driven threat hunting)
1. Hypothesis: threat actors use malicious scheduled tasks to maintain persistence.
- Hunt: look for abnormal scheduled tasks based on name, task action (what the task runs) and frequency of execution.
2. Hypothesis: threat actors are exfiltrating a large amount of data.
- Hunt: using the available network telemetry, look for data uploads to file-sharing sites like mega.io.
Bad examples (reactive tasks that belong to an analyst's investigation)
- Taking IOCs from a recent threat intelligence report, running them through our data, and looking for any hits.
- Investigating a detection triggered on a malicious Word document opened by the user.
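To make the two good examples concrete, here is what both hunts look like as code run over telemetry. This is an added example, not code from the original post. The scheduled-task events and outbound flow summaries below are constructed, the field names (`host`, `name`, `run`, `interval_min`, `dst`, `bytes_out`) are assumptions about what a log pipeline would normalise out of the raw Windows task-creation events and flow records, and the thresholds are illustrative. The point is the shape of a hypothesis-driven hunt: build a baseline of "normal" from the fleet, then flag what deviates from it, rather than matching a list of indicators.

```python
"""Two hypothesis-driven hunts over constructed telemetry (added example)."""
import re
from collections import defaultdict

# Constructed scheduled-task creation events, one per task per host.
# "run" is the task action; "interval_min" is the repeat trigger, assumed
# to have been parsed out of the task XML by the log pipeline.
TASK_EVENTS = [
    {"host": "WS01", "name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "run": r"C:\Windows\System32\usoclient.exe StartScan", "interval_min": 1440},
    {"host": "WS02", "name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "run": r"C:\Windows\System32\usoclient.exe StartScan", "interval_min": 1440},
    {"host": "WS03", "name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "run": r"C:\Windows\System32\usoclient.exe StartScan", "interval_min": 1440},
    {"host": "WS01", "name": "\\GoogleUpdateTaskMachineUA",
     "run": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua", "interval_min": 60},
    {"host": "WS02", "name": "\\GoogleUpdateTaskMachineUA",
     "run": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua", "interval_min": 60},
    {"host": "WS03", "name": "\\GoogleUpdateTaskMachineUA",
     "run": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua", "interval_min": 60},
    # Constructed outliers: names seen on a single host, an action living in a
    # user-writable directory, an encoded PowerShell payload, short intervals.
    {"host": "WS02", "name": "\\OneDriveSync",
     "run": r"C:\Users\bob\AppData\Roaming\svc\update.vbs", "interval_min": 5},
    {"host": "WS03", "name": "\\MicrosoftEdgeUpdate",
     "run": "powershell.exe -w hidden -enc AAAA", "interval_min": 1},
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
PAYLOAD_HINTS = (" -enc", " -e ", ".vbs", ".js", "http")


def hunt_scheduled_tasks(events, min_hosts=2, min_interval_min=10):
    """Return {(host, task name): [reasons]} for tasks that deviate from the fleet baseline.

    Baseline = how many hosts carry a task of the same name (legitimate tasks
    tend to appear fleet-wide). On top of that, check the action path, the
    interpreter/payload combination, and the repeat frequency.
    """
    hosts_per_name = defaultdict(set)
    for e in events:
        hosts_per_name[e["name"]].add(e["host"])

    findings = {}
    for e in events:
        reasons = []
        run = e["run"].lower()
        if len(hosts_per_name[e["name"]]) < min_hosts:
            reasons.append("task name seen on fewer than %d hosts" % min_hosts)
        if any(p in run for p in USER_WRITABLE):
            reasons.append("action lives in a user-writable path")
        # First ".exe" token; tolerates unquoted paths containing spaces.
        m = re.search(r'([^\\\s"]+\.exe)', run)
        if m and m.group(1) in INTERPRETERS and any(h in run for h in PAYLOAD_HINTS):
            reasons.append("script interpreter with encoded, script or remote payload")
        if e["interval_min"] < min_interval_min:
            reasons.append("repeats every %d min" % e["interval_min"])
        if reasons:
            findings[(e["host"], e["name"])] = reasons
    return findings


# Constructed outbound flow summaries: bytes sent per host and destination.
FLOWS = [
    {"host": "WS01", "dst": "update.microsoft.com", "bytes_out": 120_000},
    {"host": "WS01", "dst": "teams.microsoft.com", "bytes_out": 45_000_000},
    {"host": "WS02", "dst": "mega.nz", "bytes_out": 2_300_000_000},
    {"host": "WS03", "dst": "storage.example-backup.net", "bytes_out": 900_000_000},
    {"host": "WS03", "dst": "mega.io", "bytes_out": 1_200},
]
FILE_SHARING = {"mega.io", "mega.nz", "mega.co.nz"}  # illustrative watchlist


def hunt_exfil(flows, large_bytes=500_000_000):
    """Return {(host, dst): [reasons]} for uploads to file-sharing sites or unusually large uploads."""
    total = defaultdict(int)
    for f in flows:
        total[(f["host"], f["dst"])] += f["bytes_out"]

    findings = {}
    for (host, dst), sent in total.items():
        reasons = []
        if dst in FILE_SHARING or any(dst.endswith("." + d) for d in FILE_SHARING):
            reasons.append("destination is a file-sharing site")
        if sent >= large_bytes:
            reasons.append("%d MB uploaded" % (sent // 1_000_000))
        if reasons:
            findings[(host, dst)] = reasons
    return findings


if __name__ == "__main__":
    for hunt, data in ((hunt_scheduled_tasks, TASK_EVENTS), (hunt_exfil, FLOWS)):
        print(hunt.__name__)
        for key, reasons in hunt(data).items():
            print("  %s: %s" % (key, "; ".join(reasons)))
```

Note what the second hunt surfaces: the 2.3 GB to mega.nz is the obvious finding, but the 1.2 KB to mega.io is still worth a look (a landing-page visit before an upload), and the 900 MB to an unknown backup domain may be perfectly sanctioned. Deciding which of those is normal is exactly the "understanding of what normal looks like" the post calls for, and every sanctioned destination you confirm becomes part of the baseline for the next hunt.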
Based on the preceding examples, I assume that the threat hunter has access to the necessary telemetry. If certain sources are unavailable, the threat hunter should record these telemetry gaps and later begin building the case for them to be added.
You don't need access to every possible log source before you begin hunting. Process execution logs and some form of network logs (proxy, DNS or flow records) are a good starting point. Log retention and access are important factors to consider before forming a threat hunting team: a centralized location where logs are stored and searchable for at least 30 days is a good start, since a hunt for persistence or slow exfiltration has to look back further than today's alerts.
Threat hunting goals and metrics
Despite the different meanings people assign to threat hunting, the overall goals remain the same. Some of these core goals are:
- Proactively search for threats.
- Highlight and investigate anomalies.
- Highlight and investigate telemetry collection gaps.
- Reduce false positives.
- Reduce the time to detection.
Organizations can expect a high return on investment (ROI) from the analyst time saved and from the cost of a widespread incident that is caught early instead of late. Additionally, progress against all of the above goals can be measured and tracked. Some of the metrics may include:
- Number of findings
- Telemetry collection gaps
- Security improvement proposals
- Detections that have been created from a successful threat hunting operation.
The management team can use these metrics to show the positive impact of the threat hunting team and how threat hunting outcomes (detections created, gaps closed, incidents found early) translate directly into money saved by the organization.
This post discussed the basics of threat hunting, the objectives, and the essentials you’ll need to get started.
I tried to keep this article brief, but there is much more to cover. Consider this an introduction to the threat hunting series. Later postings will become more technical to cover the various threat hunting techniques and how to apply your security skills and expertise to find badness.
Follow me here and on Twitter for updates on the next posts for this series.