
Threat Hunting: What it Is, and What it Is Not


Nowadays everybody is talking about threat hunting. Everyone wants to be a threat hunter. Every employer wants to hire a threat hunter. And every vendor claims their products are suitable for threat hunting. This is probably the main reason why people have started to call anything “threat hunting”. And this is one of the reasons I decided to go back to the roots and define what threat hunting is, and what it is not. Another reason is a recently published article by Teymur Heirhabarov (@HeirhabarovT) and Vadim Khrykov (@BlackMatter23), Threat Hunting in action.

So, the main goal of this post is to define what threat hunting really is. Of course, it’s already been done multiple times before, but, as I already mentioned, many people have started to merge everything together, so it’s high time to write about it again.

Let’s start with a classic guide (in my opinion, of course) – The Endgame Guide to Threat Hunting by Paul Ewing and Devon Kerr. According to this guide, threat hunting is “a proactive approach to securing your organization’s systems. It is the process of actively looking for signs of malicious activity within enterprise networks, without prior knowledge of those signs. It allows you to uncover threats on your network without signatures or known indicators of compromise (IOCs)” (Ewing and Kerr, 2018).

So what can we say about threat hunting from this definition?

  • It’s a proactive approach to looking for signs of malicious activity
  • You should have no prior knowledge of those signs
  • You mustn’t use signatures or known IOCs

Let’s take into consideration another point, this time by David Bianco (from Huntpedia), the author of the Pyramid of Pain:

“As defenders and incident detectors, it’s our job to make the attackers’ lives as difficult as possible. One way we do this is to consume Cyber Threat Intelligence (CTI), which for purposes of this chapter we’ll define as information about an enemy’s tools, techniques, capabilities and intentions. Most of us are already familiar with the use of CTI “feeds” in automated detection, a technique often referred to as indicator matching: If we see something in our logs that matches a known piece of CTI (the indicator), issue an alert and have an analyst check it out. But CTI is good for more than just automated detection. Used correctly, it can be a critical part of your threat hunting strategy” (Bianco et al., 2017)

Again, we can see here that indicators, which can be obtained, for example, from Cyber Threat Intelligence (CTI) “feeds”, are used for detection. This is a very important point, and (in my opinion, of course) the main difference.

So, based on this, we have (or should have) two levels of searching for signs of malicious activity: threat detection and threat hunting.

What’s the main difference between threat detection and hunting? Detection is based on signatures and IOCs, hunting is based on techniques used by attackers.

Let’s look at a simple example. A very common technique used by attackers to achieve persistence is the good ol’ Run key.

For example, you got a fresh threat report from your friend. You learned that the threat actor used the Run key for persistence, and used the following value name: NotSoCommonPersistenceMechanism. This indicator of compromise can be used to search for this value and detect the threat.

The next day you got more information from your CTI provider: the threat actor can use different names for this value. So now you don’t have any indicators: the Run key is a very common technique, and many legitimate applications use it for autostart. But you still can hunt for the threat!

For example, you can collect all available values and check them for the presence of potentially malicious files. It’s very important to note that the results of hunting can “feed” your detections. For example, you’ve hunted for suspicious Run key names and found one – SoCommonPersistenceMechanism.

Now, based on this finding, you can get more indicators, for example, the malicious file’s path, and, based on malware analysis, the command and control server’s address.

So based on your hunting mission results you may generate lots of indicators and signatures (a YARA rule, for example), which can be used for further threat detection.

At the same time, based on detection, you may uncover more techniques used by the threat actor, and can use this intelligence to hunt for more.
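To make the two levels concrete on the Run key example above, here is a small added Python script (not code from the original post) over a constructed set of Run key values: `detect()` does indicator matching on the value name from the report, `hunt()` ignores names and instead looks at the technique itself (autostart executables launched from user-writable folders, a deliberately narrow hypothesis chosen for illustration), and `indicators_from_hunt()` turns hunt findings into new indicators that feed detection.

```python
import re
from typing import NamedTuple


class RunEntry(NamedTuple):
    key: str      # registry key the value lives under
    name: str     # value name, e.g. "OneDrive"
    command: str  # value data: the command that is autostarted


# Constructed sample of Run key values, not collected from a real host.
SAMPLE_ENTRIES = [
    RunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
             r"C:\Windows\System32\SecurityHealthSystray.exe"),
    RunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "NotSoCommonPersistenceMechanism",
             r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    RunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "SoCommonPersistenceMechanism",
             r'"C:\Users\alice\AppData\Local\Temp\update.exe" -s'),
]

# Detection level: the value name from the threat report is a known IOC.
KNOWN_IOC_NAMES = {"NotSoCommonPersistenceMechanism"}

# Hunting level: no indicator for the name, so examine the technique. Hypothetical
# hunt hypothesis for illustration: autostart binaries in user-writable folders.
USER_WRITABLE = re.compile(r"\\(AppData\\Roaming|Temp|Downloads)\\", re.IGNORECASE)


def executable_path(command: str) -> str:
    """Return the program path from value data: a quoted path, or the first token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def detect(entries, ioc_names=KNOWN_IOC_NAMES):
    """Indicator matching: alert on Run values whose name is already known to be bad."""
    return [e for e in entries if e.name in ioc_names]


def hunt(entries):
    """Technique-based hunt: flag Run values that launch from user-writable paths."""
    return [e for e in entries if USER_WRITABLE.search(executable_path(e.command))]


def indicators_from_hunt(findings):
    """Feed hunt results back into detection as new indicators (names and file paths)."""
    return {"names": {f.name for f in findings},
            "paths": {executable_path(f.command).lower() for f in findings}}
```

Running `detect()` on the sample catches only the reported name, while `hunt()` surfaces both the reported entry and the renamed one; the second pass of `detect()` with the indicators derived from the hunt then covers both.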

Now let’s go back to the article I mentioned in the beginning of this post. According to this article, there are three approaches to threat hunting: IoC-, Tool- and TTPs-based.

So, according to the article, everything is threat hunting and there is no such thing as detection. That’s not right, in my opinion.

In fact, there is a big difference between the two levels, as the second (hunting) is much more advanced than the first (detection).

As you’ve learned already, IOCs are great, but for detection, and not hunting. Yes, there are a lot of great resources for IOCs, from public reporting to private CTI “feeds”, but it’s about detection, and not hunting.

In most cases the same can be said about tools: to search for them or their usage, a known pattern or signature is used, so again we are dealing with detection, and not hunting. And this is even demonstrated in the article: the authors used strings like “Invoke-Mimikatz” to detect Mimikatz.

Only with TTPs does threat hunting come into play: most of them blend easily with legitimate activity, so it may be very hard or even impossible to detect them. At the same time, you can collect data and hunt for techniques potentially used by threat actors.

Of course, threat hunting is not for every company. You should already have good detection capabilities, a mature cyber threat intelligence program, and enough team members to start doing it. Again, you can detect most of the threats, and only some of them require hunting. And in my opinion, it’s a big problem that many companies try to build a threat hunting program and then use it to hunt for easily detectable threats.

Thanks for reading! If you have thoughts on this topic, I would be happy to discuss it, for example, on Twitter (@oskulkin).
