Threat Hunting. What is it? Why do I need to do it? How do I get started?
Over the next few weeks I am hoping to write a number of articles on threat hunting, essentially to give a sound overview for someone who has never heard of the term before, or for someone wanting to implement it in their operation.
The Google definition of threat hunting is:
“Threat hunting is the process of seeking out adversaries before they can successfully execute an attack. … Threat hunting is a proactive technique that combines security tools, analytics, and threat intelligence with human analysis and instinct”
A pretty accurate and detailed summary. However, I take a simpler view: finding the malicious activity before it causes you issues.
The majority of Security Operations are very reactive teams, especially in their infancy. A successful threat hunting program or model can allow for a more proactive element within a Security Operations Center (SOC).
All cyber security functions have to adapt quickly to new threats, adversaries and vulnerabilities. It is modern-day natural selection: survival of the fittest. If SOCs do not adapt and change by becoming more proactive, they are likely to struggle to thrive. I believe that threat hunting is the number 1 way to ensure you continue to survive "cyber security evolution".
At a very high level, a SOC needs to utilise threat intelligence, organisational awareness and an attacker mindset to dig deep into system logs, security events and network traffic on a regular basis, in order to detect a change, an anomaly or a malicious Indicator of Compromise (IOC).
So where do I begin?
Firstly, it is important that you have a good understanding of the Cyber Threat Kill Chain. If you have never heard of this before, I suggest you read this first!
Having this understanding will allow you to direct a hunt to the correct stage of the chain and look for the malicious activity there. For example, if you are hunting for lateral movement through your network from new or questionable hosts, there is no point looking for the delivery of a malicious payload in email logs. You are better off focusing your efforts on the internal reconnaissance that precedes lateral movement, such as network scanning with nmap.
Next you need to answer two questions: why do you need to hunt, and what are you looking for?
This is known as hypothesis creation. You need to create a question that your threat hunt is going to answer. So, if you need to hunt because you are aware of a new infostealer malware, you are going to be looking for the IOCs that relate to that malware. For example:
“Threat intelligence indicates that there is a new variant of malware that aims to steal credentials or financial data from our endpoints, I will now hunt on known IOCs to see if they are present on our endpoints and infrastructure.”
I will go into this topic in further detail in another blog post.
A really easy way to start hunting is to use open source threat intelligence: gather lists of IOCs such as domains, file hashes and IP addresses and look for hits in your endpoint, network and proxy logs. It's very basic and easy to do, but it's a start!
Sources such as AlienVault OTX, the Cisco Talos blog and MX Toolbox can give you enough IOCs relating to known threats for you to start searching.
You should follow well-understood and recurring threats such as Emotet, TrickBot and GandCrab to gather new IOCs frequently, so you can keep hunting. You may just find that one of these IOCs has slipped past perimeter controls and something has been installed on an endpoint. Identifying this is what would be considered a successful threat hunt.
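As an added example (not code from the original post), here is a small IOC sweep that loads a list of domains, IP addresses and SHA-256 hashes and runs it over proxy and endpoint log lines. The feed format, the two log formats and every indicator value are constructed for illustration: the `.example` hostnames and `203.0.113.45` are reserved documentation values, and the hashes are derived from throwaway strings, so none of them are real indicators. It handles two details that a naive grep gets wrong: domain indicators are matched on label boundaries (`cdn.bad-updates.example` hits `bad-updates.example`, `notbad-updates.example` does not), and hashes are compared case-insensitively regardless of how the feed or the endpoint agent writes them.

```python
"""IOC sweep over constructed proxy and endpoint log lines.

Added example for this post, not code from the original. Feed format,
log formats, hostnames and indicator values are all assumptions made up
for illustration (documentation TLD/TEST-NET addresses, throwaway hashes).
"""
from __future__ import annotations

import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed "malicious" and "benign" hashes: derived from throwaway bytes
# so they are obviously not real indicators.
EVIL_HASH = hashlib.sha256(b"constructed stealer sample").hexdigest()
BENIGN_HASH = hashlib.sha256(b"constructed benign binary").hexdigest()

# Constructed IOC feed (type,value,threat). A real OTX/Talos export would
# be larger but needs the same normalisation before matching.
IOC_FEED = f"""
# type,value,threat
domain,bad-updates.example,Emotet
ip,203.0.113.45,TrickBot
sha256,{EVIL_HASH},GandCrab
"""

# Constructed proxy log: timestamp client method target status
PROXY_LOG = """
2024-03-04T10:15:01Z 10.0.0.12 GET http://cdn.bad-updates.example/loader.php 200
2024-03-04T10:15:07Z 10.0.0.12 GET http://notbad-updates.example/index.html 200
2024-03-04T10:15:30Z 10.0.0.31 CONNECT 203.0.113.45:443 200
2024-03-04T10:16:02Z 10.0.0.31 GET https://www.example.org/ 200
"""

# Constructed endpoint process-creation log; the agent writes hashes in upper case.
ENDPOINT_LOG = f"""
2024-03-04T10:16:30Z host=WS-042 proc=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe sha256={EVIL_HASH.upper()}
2024-03-04T10:17:00Z host=WS-042 proc=C:\\Windows\\System32\\notepad.exe sha256={BENIGN_HASH.upper()}
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
HASH_RE = re.compile(r"sha256=([0-9A-Fa-f]{64})")


@dataclass
class IOCSet:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    threat: dict = field(default_factory=dict)  # normalised value -> threat name


def load_iocs(feed: str) -> IOCSet:
    """Parse the feed and normalise each value so later comparisons are exact."""
    iocs = IOCSet()
    for raw in feed.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, threat = (p.strip() for p in line.split(",", 2))
        if kind == "domain":
            value = value.lower().rstrip(".")
            iocs.domains.add(value)
        elif kind == "ip":
            value = str(ipaddress.ip_address(value))  # rejects junk entries
            iocs.ips.add(value)
        elif kind == "sha256":
            value = value.lower()
            if not re.fullmatch(r"[0-9a-f]{64}", value):
                raise ValueError(f"bad sha256 in feed: {raw}")
            iocs.hashes.add(value)
        else:
            continue  # unknown indicator type: skip rather than mis-match
        iocs.threat[value] = threat
    return iocs


def domain_hit(host: str, domains: set) -> Optional[str]:
    """Match on label boundaries: cdn.bad.example hits bad.example, notbad.example does not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def dest_host(target: str) -> str:
    """Pull the host out of a full URL or a CONNECT host:port target."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0]


def match_host(host: str, iocs: IOCSet) -> Optional[str]:
    """Return the matching indicator for a destination host, or None."""
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        return domain_hit(host, iocs.domains)  # not an IP, treat as a name
    return ip if ip in iocs.ips else None


def hunt(iocs: IOCSet, proxy_lines, endpoint_lines) -> list:
    """Sweep both log sources and return one dict per hit, in log order."""
    hits = []
    for line in proxy_lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        ioc = match_host(dest_host(m.group(4)), iocs)
        if ioc:
            hits.append({"source": "proxy", "client": m.group(2), "ioc": ioc,
                         "threat": iocs.threat[ioc], "line": line.strip()})
    for line in endpoint_lines:
        m = HASH_RE.search(line)
        if not m:
            continue
        digest = m.group(1).lower()  # case-insensitive hash comparison
        if digest in iocs.hashes:
            hits.append({"source": "endpoint", "ioc": digest,
                         "threat": iocs.threat[digest], "line": line.strip()})
    return hits


def run_hunt() -> list:
    return hunt(load_iocs(IOC_FEED), PROXY_LOG.splitlines(), ENDPOINT_LOG.splitlines())


if __name__ == "__main__":
    for h in run_hunt():
        print(f"[{h['source']}] {h['threat']} via {h['ioc']}: {h['line']}")
```

Against the constructed data this reports three hits: the Emotet domain (via its `cdn.` subdomain), the TrickBot IP on a CONNECT, and the GandCrab hash on the endpoint; the look-alike `notbad-updates.example` is correctly ignored. A hit is the start of an investigation rather than the end of one: pivot on the client address or host name to see what else it did around that time before calling the hunt a success.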
I hope this short and sweet post has given you an idea of what threat hunting is, why you need to introduce it to a SOC or cyber operation, and what you need to do in order to start!
There will be plenty more on this topic, such as:
- Different types of hypothesis
- Threat Hunting Cycle
- Different types of analysis
- Process and Procedures
Just to name a few. Thanks for reading!