Nowadays everybody is talking about threat hunting. Everyone wants to be a threat hunter. Every employer wants to hire a threat hunter. And every vendor claims their products are suitable for threat hunting. This may be the main reason why people today have started calling almost anything “threat hunting”. And this is one of the reasons I decided to go back to the roots and define what threat hunting is, and what it is not. Another reason for this is a recently published article by Teymur Heirhabarov (@HeirhabarovT) and Vadim Khrykov (@BlackMatter23), Threat Hunting in action.
So, the main goal of this post is to define what threat hunting really is. Of course, it’s already been done multiple times before, but, as already mentioned, many people have started to merge everything together, so it’s high time to write about it again.
Let’s start with a classic guide (in my opinion, of course) – The Endgame Guide to Threat Hunting by Paul Ewing and Devon Kerr. According to this guide, threat hunting is “a proactive approach to securing your organization’s systems. It is the process of actively looking for signs of malicious activity within enterprise networks, without prior knowledge of those signs. It allows you to uncover threats on your network without signatures or known indicators of compromise (IOCs)” (Ewing and Kerr, 2018).
So what can we say about threat hunting from this definition?
- It’s a proactive approach to looking for signs of malicious activity
- You should have no prior knowledge of those signs
- You mustn’t use signatures or known IOCs
Let’s consider another point, this time from David Bianco (in Huntpedia), the author of the Pyramid of Pain:
“As defenders and incident detectors, it’s our job to make the attackers’ lives as difficult as possible. One way we do this is to consume Cyber Threat Intelligence (CTI), which for purposes of this chapter we’ll define as information about an enemy’s tools, techniques, capabilities and intentions. Most of us are already familiar with the use of CTI “feeds” in automated detection, a technique often referred to as indicator matching: If we see something in our logs that matches a known piece of CTI (the indicator), issue an alert and have an analyst check it out. But CTI is good for more than just automated detection. Used correctly, it can be a critical part of your threat hunting strategy” (Bianco et al, 2017)
Again, we can see here that indicators, which can be obtained, for example, from Cyber Threat Intelligence (CTI) “feeds”, are used for detection. This is a very important point, and (in my opinion, of course) the main difference.
So, based on this, we have (or should have) two levels of searching for signs of malicious activity: threat detection and threat hunting.
What’s the main difference between threat detection and hunting? Detection is based on signatures and IOCs; hunting is based on the techniques used by attackers.
Let’s look at a simple example. A very common technique used by attackers to achieve persistence is the good ol’ Run key.
For example, you got a fresh threat report from your friend. You learned that the threat actor used the Run key for persistence, with the following value name: NotSoCommonPersistenceMechanism. This indicator of compromise can be used to search for this value and detect the threat.
The next day you got more information from your CTI provider: the threat actor can use different names for this value. So now you don’t have any indicators: the Run key is a very common technique, and many legitimate applications use it for autostart. But you can still hunt for the threat!
For example, you can collect all available values and check them for the presence of potentially malicious files. It’s very important to note that the results of hunting can “feed” your detections. For example, you’ve hunted for suspicious Run key names and found one – SoCommonPersistenceMechanism.
Now, based on this finding, you can get more indicators, for example the malicious file’s path, and, after malware analysis, the command and control server’s address.
So based on your hunting mission’s results you may generate lots of indicators and signatures (a YARA rule, for example), which can be used for further threat detection.
At the same time, based on detection, you may uncover more techniques used by the threat actor, and can use this intelligence to hunt for more.
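To make the detection/hunting split and the feedback loop between them concrete, here is an added Python example (not from the original post) run over a constructed export of Run-key entries. The host names, file paths, the known value name from the “threat report” and the hunting heuristics are all assumptions made for the example.

```python
import re

# Constructed sample export of Run-key entries: (host, hive, value name, command)
RUN_ENTRIES = [
    ("ws01", "HKLM", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("ws01", "HKCU", "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("ws02", "HKCU", "NotSoCommonPersistenceMechanism", r"C:\Users\bob\AppData\Roaming\svc\update.exe"),
    ("ws03", "HKCU", "SoCommonPersistenceMechanism", r"C:\Users\carol\AppData\Local\Temp\setup.exe"),
    ("ws04", "HKCU", "Updater", r"powershell.exe -nop -w hidden -enc aGVsbG8="),
    ("ws05", "HKLM", "RTHDVCPL", r"C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s"),
]

# Indicator from the hypothetical threat report: one known Run value name.
KNOWN_IOC_NAMES = {"NotSoCommonPersistenceMechanism"}


def detect(entries, ioc_names):
    """Detection: exact indicator matching. It only finds what is already known."""
    return [e for e in entries if e[2] in ioc_names]


# Hunting heuristics describe the technique (autostart via a Run key), not an
# actor: where does the autostart binary live, and what is being launched?
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Public)\\", re.I)
SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)\b.*?(-enc|-e |hidden|http|javascript)", re.I)


def hunt(entries):
    """Hunting: flag entries by technique traits; every hit still needs triage."""
    findings = []
    for host, hive, name, cmd in entries:
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("autostart binary in user-writable location")
        if SCRIPT_HOST.search(cmd):
            reasons.append("script host with hidden/encoded/remote arguments")
        if reasons:
            findings.append((host, hive, name, cmd, reasons))
    return findings


def indicators_from_findings(findings):
    """Confirmed hunt findings feed detection: value names and file paths become IOCs."""
    names = {name for _, _, name, _, _ in findings}
    paths = {cmd.split(" ")[0] for *_, cmd, _ in findings if USER_WRITABLE.search(cmd)}
    return names, paths


if __name__ == "__main__":
    print(detect(RUN_ENTRIES, KNOWN_IOC_NAMES), hunt(RUN_ENTRIES), sep="\n")
```

Feeding the names returned by `indicators_from_findings` back into `detect` turns a one-off hunt into a repeatable detection, which is the loop the post describes.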
Now let’s go back to the article I mentioned in the beginning of this post. According to this article, there are three approaches to threat hunting: IoC-, Tool- and TTPs-based.
So, according to the article, everything is threat hunting and there is no such thing as detection. That’s not right, in my opinion.
In fact, there is a big difference between the two levels, as the second (hunting) is much more advanced than the first (detection).
As you’ve learned already, IOCs are great, but for detection, and not hunting. Yes, there are a lot of great resources for IOCs: from public reporting to private CTI “feeds”, but it’s about detection, and not hunting.
In most cases the same can be said about tools: to search for them or their usage, a known pattern or signature is used, so again we are dealing with detection, not hunting. This is even demonstrated in the article: the authors used strings like “Invoke-Mimikatz” to detect Mimikatz.
Only with TTPs does threat hunting come into play: most of them blend easily into legitimate activity, so it may be very hard or even impossible to detect them. At the same time, you can collect data and hunt for techniques potentially used by threat actors.
Of course, threat hunting is not for every company. You should already have good detection capabilities, a mature cyber threat intelligence program, and enough team members before you start doing it. Again, you can detect most threats, and only some of them require hunting. And in my opinion, it’s a big problem that many companies try to build a threat hunting program and then use it to hunt for easily detectable threats.
Thanks for reading! If you have thoughts on this topic, I would be happy to discuss it, for example, on Twitter (@oskulkin).