Threat Hunting Series: The Threat Hunting Process

Disclaimer

The threat hunting mental models

Before diving into the actual process, I want to cover the two different mental models that a threat hunter can apply to the threat hunting process. Based on the initial hypothesis, I use these two models to separate the different types of threat hunting.

Attack-Based hunting

Attack-based hunting is applicable when hunting for a certain attack technique. In most cases, I find myself hunting for an attack that is known and documented. Attack-based hunting is faster, especially if Indicators of Attack(IOAs) are readily available through third-party research.

  1. Hunting for suspicious process execution activity originating from Microsoft Word documents.
  • Mitre ATT&CK ID: T1204.002 (Execution)
  1. Hunting for domains/IPs associated with the recent campaign of <insert fav malware here>.

    - Checking for pre-defined malicious IOCs is not threat hunting. Check out my previous posts here and here to find out why.
  2. “Hunting” (not really) across all hosts in our environment for a malicious word document that was detected on one of the hosts.

    - A detection event cannot be the trigger of a threat hunting operation.

Data-Based hunting

Unlike attack-based threat hunting, this mental model is more advanced since it does not follow a predetermined path. During data-based hunting, the threat hunter is not searching for specific evidence of an attack technique but instead looking for abnormal activity in the dataset of interest.

  1. Search for suspicious process execution of unknown binaries launched from non-system directories.
  1. Search for suspicious process execution of PowerShell that downloads and executes the payload in memory.
  2. This could be a good example of attack-based threat hunting, but the hypothesis is too specific to be considered data-based threat hunting.

The threat hunting process

The steps involved in threat hunting are listed below. I’ll go through each one, explain how they work, and then give some examples.

1) Establish a hypothesis

The hypothesis drives the threat hunt. This is where threat hunters decide what they will hunt for in the environment. As was already established, the threat hunter assumes that this malicious activity has occurred within the network.

2) Establish evidence

Based on the hypothesis, the threat hunter should research the evidence of the expected malicious activity. Searching for existing writeups from other researchers could be enough to collect the IOAs needed to start hunting.

3) Identify Sources

Identify the data sources that should contain evidence of the malicious activity. Some examples of data sources are:

  • Network traffic logs
  • Process execution logs
  • Authentication logs
  • etc.

4) Identify Fields

After establishing the type of attack or the specific IOAs of an attack on our hunting operation, we can concentrate on the specific fields we should query. Whether the data source has network or process execution-related logs, we can choose the individual fields that will help us spot the malicious activity.

5) Query the data

We now have all of the information we need to build our queries. We could adjust a couple of core components when forming these queries. The first variable is the timeframe. This is how far back we choose to search in the available data.

6) Analyze the data

Once we have the results from our queries, we can start manipulating the data to make it as easy as possible to analyze and spot anomalies. We can apply several analysis techniques depending on what we are hunting for and which mental model we follow. This article from CyborgSecurity — Threat Hunting Tactics & Techniques — does a great job explaining the different threat hunting analysis techniques we can use to spot malicious activity. In short, some of my favourite data-based hunting analysis techniques are frequency analysis and stack counting.

The threat hunting process in action

In this section, I’ll use the two threat hunting examples I gave above, based on the two different mental models, to explain the different steps of the process.

Attack Based Example

Establish a hypothesis

Hunting for suspicious process execution activity originating from Microsoft Word documents.

  • Mitre ATT&CK ID: T1204.002 (Execution)

Establish evidence

  1. Winword.exe creates child processes.
  2. Winword.exe injects malicious code into other processes.
  3. Winword.exe reaches out to unknown public servers to download binaries.

Identify sources

  1. Process execution logs
  2. Evidence of macro execution via “TrustRecords” entry in the registry below:

Identify fields

ParentProcessName: winword.exe

Query the data

Example ELK query:

Analyze the data

The figure below is an example of the findings we would expect to see if suspicious behavior was observed in the network:

Data-Based Example

Establish a hypothesis

Hunting for previously undetected malicious binaries executing from temp directories.

Establish evidence

Using clustering analysis to look for outliers based on the process name and the path of the process. We hope to identify binaries executed in isolation by a small number of hosts in the environment.

Identify sources

  • Process Execution Logs

Identify fields

  • ProcessName
  • ProcessPath
  • Count of ProcessName occurrence
  • Count of hosts associated with the same process

Query the data

In elasticsearch, we will need to create a visualization to get the data above and their aggregate values. The below query will be in Splunk for demonstration purposes.

  • $Recycle.bin
  • C:\ProgramData
  • C:\Users\Public
  • AppData\Local\Temp
  • AppData\Roaming\Temp

Analyze the data

Like attack-based hunting, analyzing the data might take some time, depending on the returned results. When we first execute a new threat hunt, it can take some time to investigate the results, and we might even fall into rabbit holes. However, with experience, and getting to know the environment we are hunting in, there will be less friction, and the analysis speed will improve.

Conclusion

After understanding and practicing the threat hunting process for some time, each phase will become easier to step through. It is important to note that the threat hunting operation doesn’t end with the analysis.

References:

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Kostas

Kostas

I’m Kostas and I am a security researcher. My interests lie in #ThreatIntel, #malware, #IR & #Threat_Hunting. I either post here or at http://thedfirreport.com/