
Threat Hunting: What it Is, and What it Is Not


Nowadays everybody is talking about threat hunting. Everyone wants to be a threat hunter. Every employer wants to hire a threat hunter. And every vendor claims their products are suitable for threat hunting. This is probably the main reason why today people call almost anything “threat hunting”. And this is one of the reasons I decided to go back to the roots and define what threat hunting is, and what it is not. Another reason is a recently published article by Teymur Heirhabarov (@HeirhabarovT) and Vadim Khrykov (@BlackMatter23), Threat Hunting in action.

So, the main goal of this post is to define what threat hunting really is. Of course, it has already been done multiple times before, but, as already mentioned, many people have started to merge everything together, so it’s high time to write about it again.

Let’s start with a classic guide (in my opinion, of course) – The Endgame Guide to Threat Hunting by Paul Ewing and Devon Kerr. According to this guide, threat hunting is “a proactive approach to securing your organization’s systems. It is the process of actively looking for signs of malicious activity within enterprise networks, without prior knowledge of those signs. It allows you to uncover threats on your network without signatures or known indicators of compromise (IOCs)” (Ewing and Kerr, 2018).

So what can we say about threat hunting from this definition?

  • It’s a proactive approach of looking for signs of malicious activity
  • You should have no prior knowledge of those signs
  • You mustn’t use signatures or known IOCs

Let’s take into consideration another perspective, this time by David Bianco (from Huntpedia), the author of the Pyramid of Pain:

“As defenders and incident detectors, it’s our job to make the attackers’ lives as difficult as possible. One way we do this is to consume Cyber Threat Intelligence (CTI), which for purposes of this chapter we’ll define as information about an enemy’s tools, techniques, capabilities and intentions. Most of us are already familiar with the use of CTI “feeds” in automated detection, a technique often referred to as indicator matching: If we see something in our logs that matches a known piece of CTI (the indicator), issue an alert and have an analyst check it out. But CTI is good for more than just automated detection. Used correctly, it can be a critical part of your threat hunting strategy” (Bianco et al., 2017).

Again, we can see here that indicators, which can be obtained, for example, from Cyber Threat Intelligence (CTI) “feeds”, are used for detection. This is a very important point and (in my opinion, of course) the main difference.

So, based on this, we have (or should have) two levels of searching for signs of malicious activity: threat detection and threat hunting.

What’s the main difference between threat detection and hunting? Detection is based on signatures and IOCs, hunting is based on techniques used by attackers.

Let’s look at a simple example. A very common technique used by attackers to achieve persistence is the good ol’ Run key.

For example, you got a fresh threat report from a friend. You learned that the threat actor used the Run key for persistence, with the following value name: NotSoCommonPersistenceMechanism. This indicator of compromise can be used to search for this value name and detect the threat.

The next day you got more information from your CTI provider: the threat actor can use different names for this value. So now you don’t have any indicators: the Run key is a very common technique, and many legitimate applications use it for autostart. But you can still hunt for the threat!

For example, you can collect all available values and check them for the presence of potentially malicious files. It’s very important to note that the results of hunting can “feed” your detections. For example, you’ve hunted for suspicious Run key names and found one – SoCommonPersistenceMechanism.

Now, based on this finding, you can get more indicators: the malicious file’s path, for example, and, based on malware analysis, the command and control server’s address.

So based on your hunting mission’s results you may generate lots of indicators and signatures (a YARA rule, for example), which can be used for further threat detection.
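The Run key scenario above, worked as an added example (my own code, not from the post or the article it discusses): `detect` does the indicator match on the reported value name, `hunt` examines every collected Run key value with no indicator at all, going one step beyond the post by also stacking values across hosts to surface rare ones, and `indicators_from_hunt` turns the findings back into indicators that feed detection. The host names, entries and the heuristic rules (user-writable locations, system binary names outside System32, the rarity threshold) are my constructed sample data and assumptions, not anything from the post.

```python
import re
from collections import defaultdict

# Constructed sample of Run key values collected from three hosts (not real telemetry):
# (host, value name, command line). The two odd value names are the post's own scenario.
RUN_KEY_ENTRIES = [
    ("ws01", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("ws02", "OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("ws03", "OneDrive", r'"C:\Users\carol\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("ws02", "NotSoCommonPersistenceMechanism", r"C:\Users\bob\AppData\Roaming\svchost.exe"),
    ("ws03", "SoCommonPersistenceMechanism", r"C:\Users\carol\AppData\Local\Temp\update.exe -s"),
]
KNOWN_IOC_VALUE_NAMES = {"NotSoCommonPersistenceMechanism"}  # the indicator from the threat report
# Assumed heuristics for the hunt: locations a normal user can write to, and names that
# belong to Windows system binaries (suspicious when they run from anywhere but System32).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

def detect(entries, ioc_names=KNOWN_IOC_VALUE_NAMES):
    """Detection: exact match of the Run key value name against known indicators."""
    return [e for e in entries if e[1] in ioc_names]

def exe_path(cmd):
    """Pull the program path out of a Run key command line (quoted or bare)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    return m.group(1) or m.group(2)

def normalize(path):
    """Mask the profile name so the same program under different users stacks together."""
    return re.sub(r"^c:\\users\\[^\\]+", r"C:\\Users\\*", path, flags=re.I).lower()

def hunt(entries, rare_if_at_most=1):
    """Hunting: no indicator needed. Flag values whose program runs from a user-writable
    directory, borrows a system binary name outside System32, or is rare across hosts."""
    hosts_by_key = defaultdict(set)
    for host, name, cmd in entries:
        hosts_by_key[(name, normalize(exe_path(cmd)))].add(host)
    hits = []
    for host, name, cmd in entries:
        path, reasons = exe_path(cmd), []
        if USER_WRITABLE.search(path):
            reasons.append("runs from user-writable location")
        if path.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARY_NAMES and "\\windows\\system32\\" not in path.lower():
            reasons.append("system binary name outside System32")
        if len(hosts_by_key[(name, normalize(path))]) <= rare_if_at_most:
            reasons.append("rare across the fleet")
        if reasons:
            hits.append({"host": host, "value": name, "path": path, "reasons": reasons})
    return hits

def indicators_from_hunt(hits):
    """Feed hunting results back into detection: newly learned value names and file paths."""
    return {"value_names": sorted({h["value"] for h in hits}), "paths": sorted({h["path"] for h in hits})}
```

On the sample data, detection finds only the reported name on ws02, while the hunt also surfaces SoCommonPersistenceMechanism on ws03 and yields two new value names and two file paths for detection.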

At the same time, based on detections, you may uncover more techniques used by the threat actor and use this intelligence to hunt for more.

Now let’s go back to the article I mentioned in the beginning of this post. According to this article, there are three approaches to threat hunting: IoC-, Tool- and TTPs-based.

So, according to the article, everything is threat hunting and there is no such thing as detection. That’s not right, in my opinion.

In fact, there is a big difference between the two levels, as the second (hunting) is much more advanced than the first (detection).

As you’ve learned already, IOCs are great, but for detection, not hunting. Yes, there are a lot of great resources for IOCs, from public reporting to private CTI “feeds”, but they are about detection, not hunting.

In most cases the same can be said about tools: to search for them or their usage, a known pattern or signature is used, so again we are dealing with detection, not hunting. This is even demonstrated in the article: the authors used strings like “Invoke-Mimikatz” to detect Mimikatz.

Only with TTPs does threat hunting come into play: most of them blend easily with legitimate activity, so it may be very hard or even impossible to detect them. At the same time, you can collect data and hunt for techniques potentially used by threat actors.

Of course, threat hunting is not for every company. You should already have good detection capabilities, a mature cyber threat intelligence program, and enough team members to start doing it. Again, you can detect most threats, and only some of them require hunting. And in my opinion, it’s a big problem that many companies try to build a threat hunting program to hunt for easily detectable threats.

Thanks for reading! If you have thoughts on this topic, I would be happy to discuss it, for example, on Twitter (@oskulkin).
