Introduction
Nowadays, multiple cyber security solutions and products aid security teams and analysts in detecting and responding to a variety of cyber threats. No solution is perfect, whether it protects endpoints, email, the network or anything else, hence there will always be sophisticated threats or techniques that fly under the radar of such solutions.
These “silent” threats are the ones most likely to involve a more sophisticated set of tactics, techniques, and procedures (TTPs). Before adversaries strike, they establish a foothold in the target organization's network, usually via one of the commonly seen initial access vectors:
Weak or leaked credentials
Phishing/social engineering
Zero-day vulnerabilities and network exploits
Insider threats
Etc.
Then a certain dwell time elapses, during which the adversary maintains some kind of persistence on the compromised device(s). The dwell time is the period from the compromise until the detection of malicious activity. Since 2020 dwell times have been declining. This correlates with progress in the accuracy of detection in cyber security solutions and with the increasing rate of ransomware attacks. The mean dwell time during 2020 was reported as 24 days, down to 21 days during 2021. The latest M-Trends 2023 report noted that in 2022 the number fell to 16 days.
What is Proactive Threat Hunting?
Unlike automated Cyber Security detection systems and solutions, which by design wait for signs of known malicious activity (in other words, they are reactive), threat hunting does not wait. Proactive Threat Hunting is an approach to uncovering undetected suspicious and malicious activity in order to solidify cyber security and detection processes. It can also involve searching for recently discovered tactics, techniques and procedures (TTPs).
Threat hunting can be seen as a "search and destroy" tactic. As mentioned, Threat Hunting is not a replacement for automated Cyber Security detection solutions or SOC teams, but rather a complementary operation with the goal of ensuring that anything passive detection measures missed is hunted for and detected. Threat Hunting is the proactive approach to securing our network. An effective Threat Hunting process will help us reduce the time between intrusion and discovery and, of course, reduce the scale of the damage done by attackers.
What Are The Key Differences Between Reactive Incident Response and Proactive Threat Hunting
Incident response and threat hunting walk hand in hand and can be unified into one cycle of operations. Incident response is usually conducted once a security breach is identified following an alert, or a correlation of alerts, pointing to malicious activity. Proactive hunting of dwelling threats, regardless of alerts and detections, naturally leads to an incident response cycle if threats are found.
Threat Hunting Types
Every hunt must have a predefined hypothesis. The hypothesis will include the type of activity the hunter is looking for, the relevant threat landscape, the strategy and the Threat Hunting process for detecting such activity. The Threat Hunting types are the following:
Intel-Based
Intelligence-Based hunting is a reactive type of Threat Hunting approach that focuses on searching for known IOCs.
IOCs can be collected from threats detected in our network or in the wild. There are also many intelligence-sharing platforms and sources, such as MISP and Computer Emergency Response Teams (CERTs).
An IOC can be a domain name, URL, IP address, unique filename, hash value, suspicious process name, email address, unusual user agents, and more.
TTPs-Based
TTPs-Based hunting will usually align with the MITRE ATT&CK framework (but not only; you can also base your threat hunting process on other threat frameworks).
This is the most proactive type of threat hunting approach. It focuses on searching for IOAs (Indicators of Attack) within our network.
(Reference: https://mitre-attack.github.io/attack-navigator/ )
Custom Hunting
Custom hunting is based on environmental and situational awareness:
An understanding of the threat landscape relevant to the industry sector the organization operates in.
Awareness of the infrastructure's weak points and attack surface, followed by continuous risk assessment.
In cases where a customer uses external threat hunting teams/services, the customer may list specific requirements for the hunt based on their familiarity with the environment.
Threat Hunting Techniques
What are Threat Hunting techniques? As mentioned earlier in the post, Threat Hunting types address the hunting strategy and hypothesis, whereas the techniques are the practical methods of implementation. The different Threat Hunting techniques are the following:
Searching
The most straightforward approach, where the hunter searches for specific indicators and artifacts. It may be threat intelligence driven. This approach is effective when, let’s say, your organization suffered a security incident and you have a set of post-incident indicators of compromise (IOCs) you want to search for. Such indicators may include attacker C2 IP addresses, hashes of detected malware and tools, etc. However, it is less effective when targeting behavior, heuristics, or anomalies. Being accurate with your input indicators is key, as searching for a generic value may lead to an enormous number of results that will be near impossible to analyze (and pointless in most cases!).
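The following is an added example for the Intel-Based and Searching sections; it is not code from the original post. It takes a small set of post-incident IOCs of the kinds listed earlier (a C2 IP address, a file hash, an image path), matches them exactly against normalized event records, and sets aside any indicator that hits a large share of the fleet, which is the "generic value" problem the paragraph warns about. Event records, indicator values and field names are all constructed for illustration.

```python
"""Searching: exact-match a set of known indicators against event records.

Added example for the Intel-Based and Searching sections; it is not code
from the original post. The event records, indicator values and field
names are constructed for illustration.
"""
from collections import defaultdict

# Constructed, normalized event records (host, image path, destination, file hash).
EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "203.0.113.10", "sha256": "a" * 64},
    {"host": "ws-02", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "203.0.113.10", "sha256": "a" * 64},
    {"host": "ws-03", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "203.0.113.10", "sha256": "a" * 64},
    {"host": "ws-02", "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "dst_ip": "198.51.100.23", "sha256": "b" * 64},
    {"host": "ws-04", "image": r"C:\Windows\System32\cmd.exe",
     "dst_ip": None, "sha256": "c" * 64},
]

# Constructed post-incident IOC set, keyed by the event field it applies to.
# The svchost.exe path stands in for the "generic value" the text warns about.
IOCS = {
    "dst_ip": {"198.51.100.23"},
    "sha256": {"B" * 64},                        # hashes are often shared upper-case
    "image": {r"C:\WINDOWS\System32\svchost.exe"},
}


def normalize(value):
    """Windows paths and hex hashes are case-insensitive; compare in lower case."""
    return str(value).lower()


def search_iocs(events, iocs, generic_ratio=0.5):
    """Return (hits, too_generic).

    hits maps (field, indicator) -> list of matching events. An indicator that
    matches more than generic_ratio of all events is moved to too_generic
    instead: a value present on most of the fleet cannot pivot an investigation.
    """
    wanted = {field: {normalize(v) for v in values} for field, values in iocs.items()}
    hits = defaultdict(list)
    for event in events:
        for field, values in wanted.items():
            value = event.get(field)
            if value is None:
                continue
            if normalize(value) in values:
                hits[(field, normalize(value))].append(event)

    limit = generic_ratio * len(events)
    too_generic = sorted(key for key, matched in hits.items() if len(matched) > limit)
    for key in too_generic:
        del hits[key]
    return dict(hits), too_generic


if __name__ == "__main__":
    hits, generic = search_iocs(EVENTS, IOCS)
    for (field, indicator), matched in hits.items():
        hosts = sorted({e["host"] for e in matched})
        print(f"{field}={indicator} seen on {hosts}")
    for field, indicator in generic:
        print(f"skipped generic indicator {field}={indicator}")
```

The normalization step matters in practice: hash feeds and path indicators arrive in mixed case, and an exact string compare without it silently misses hits. The generic_ratio guard is a constructed heuristic; tune it to the data set size rather than treating 0.5 as a standard.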
Clustering
Usually based on statistics and artificial intelligence/machine learning. Clustering separates groups of similar data points, with predefined characteristics, out of a larger data set that contains all the actual data. We will dive into this technique in this post.
Grouping
The process of taking a set of various unique indicators and identifying when many of them appear together based on predefined criteria. For example, your objective is to look for a specific technique (under a specific tactic) and the tools commonly used in that technique. To be more specific, you are hunting for lateral movement using PsExec (known process names, service creations, network logons in event logs, etc.) and RDP connections (msiexec.exe, rdpclip.exe, type 10 logons in event ID 4624). As for the criteria: events/logs in a predetermined time frame. Like Searching, grouping is based on already known indicators of the behaviors you are hunting for (such as IOCs), and, just like searching, it is less effective in detecting deviations from baselines and anomalies.
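The following is an added example for the Grouping section; it is not code from the original post. It classifies constructed Windows events into two indicator families for the lateral movement scenario above (PsExec service installation and RDP session artifacts) and reports a host only when both families appear within one time window. The event records, host names and the 30-minute window are constructed; the event IDs used (7045 service installed, 4624 logon with type 10, Sysmon event 1 process creation) are standard Windows/Sysmon identifiers.

```python
"""Grouping: flag hosts where several distinct indicators of one technique
co-occur inside a time window.

Added example for the Grouping section; it is not code from the original
post. Event records are constructed. Event IDs follow Windows conventions:
7045 (System log, service installed), 4624 (Security log, logon; type 10 is
RemoteInteractive/RDP) and Sysmon event 1 (process creation).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def at(hhmm):
    """Timestamp on a fixed constructed day."""
    return datetime.strptime(f"2024-01-15 {hhmm}", "%Y-%m-%d %H:%M")


EVENTS = [
    # srv-01: PsExec service install, then an RDP logon and rdpclip.exe minutes later.
    {"ts": at("10:00"), "host": "srv-01", "event_id": 7045, "service_name": "PSEXESVC"},
    {"ts": at("10:05"), "host": "srv-01", "event_id": 4624, "logon_type": 10},
    {"ts": at("10:06"), "host": "srv-01", "event_id": 1, "image": r"C:\Windows\System32\rdpclip.exe"},
    # srv-02: RDP only, a routine admin session; one family is not enough.
    {"ts": at("10:00"), "host": "srv-02", "event_id": 4624, "logon_type": 10},
    {"ts": at("10:01"), "host": "srv-02", "event_id": 1, "image": r"C:\Windows\System32\rdpclip.exe"},
    # ws-03: both families, but three hours apart.
    {"ts": at("09:00"), "host": "ws-03", "event_id": 7045, "service_name": "PSEXESVC"},
    {"ts": at("12:00"), "host": "ws-03", "event_id": 4624, "logon_type": 10},
    # ws-04: an unrelated service install and a network (type 3) logon; no match.
    {"ts": at("11:00"), "host": "ws-04", "event_id": 7045, "service_name": "Spooler"},
    {"ts": at("11:02"), "host": "ws-04", "event_id": 4624, "logon_type": 3},
]


def classify(event):
    """Map one event to the indicator family it belongs to, or None."""
    eid = event["event_id"]
    image = event.get("image", "").lower()
    if eid == 7045 and event.get("service_name", "").upper() == "PSEXESVC":
        return "psexec"
    if eid == 1 and image.endswith("\\psexesvc.exe"):
        return "psexec"
    if eid == 4624 and event.get("logon_type") == 10:
        return "rdp"
    if eid == 1 and image.endswith("\\rdpclip.exe"):
        return "rdp"
    return None


def group_indicators(events, window=timedelta(minutes=30), min_families=2):
    """Return one finding per host whose indicators span at least
    min_families distinct families within `window` of each other."""
    per_host = defaultdict(list)
    for event in events:
        family = classify(event)
        if family:
            per_host[event["host"]].append((event["ts"], family, event["event_id"]))

    findings = []
    for host, items in sorted(per_host.items()):
        items.sort()
        for i, (start, _, _) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - start <= window]
            families = {fam for _, fam, _ in in_window}
            if len(families) >= min_families:
                findings.append({
                    "host": host,
                    "start": start,
                    "end": in_window[-1][0],
                    "families": sorted(families),
                    "event_ids": sorted({eid for _, _, eid in in_window}),
                })
                break  # one finding per host is enough to trigger triage
    return findings


if __name__ == "__main__":
    for f in group_indicators(EVENTS):
        print(f"{f['host']}: {f['families']} between {f['start']:%H:%M} and {f['end']:%H:%M}, events {f['event_ids']}")
```

The window is the criterion the paragraph mentions, and it is the main knob: widening it to four hours also surfaces ws-03, at the cost of more benign co-occurrences to triage. Requiring distinct families rather than a raw event count is what keeps a routine RDP session (srv-02) out of the results.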
Stack Counting
Say you have gathered connection logs, be it from endpoints (e.g., Sysmon network connection events) or from the firewall(s). Now you count the number of occurrences of each IP address seen in the logs. On one hand, you see IP addresses that 90% of endpoints were seen connecting to, frequently. On the other hand, two IP addresses pop right into your eyes, as only two machines connected to them. Additional analysis and reputation checks raise even more suspicion… and congratulations! You have successfully hunted suspicious activity in your network! It’s that easy. Sometimes all that is needed is a real-life scenario. This technique is easy to execute and commonly used by hunters. In the example scenario, IP addresses were the “stacked” value, but process names, hashes and more values can be stacked. Do note that numeric values usually do not stack as well as other values ;)
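The following is an added example for the Stack Counting section; it is not code from the original post. It reproduces the scenario above on a constructed connection log for ten endpoints: two destinations are reached by all or 90% of the fleet, two are reached by only two machines each. It also shows the closing caveat concretely, by stacking a raw numeric field (bytes per connection) and ending up with one bucket per event. Host names are constructed and the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Stack counting: count how many endpoints share each value of a field
and surface the rare ones.

Added example for the Stack Counting section; it is not code from the
original post. The connection records are constructed; IP addresses come
from the RFC 5737 documentation ranges.
"""
from collections import defaultdict

FLEET = [f"ws-{i:02d}" for i in range(1, 11)]  # ten constructed endpoints


def build_events():
    """Constructed connection log: two common destinations plus two rare ones."""
    events = []

    def add(host, dst_ip):
        # bytes is a synthetic numeric field, unique per event (see the caveat below)
        events.append({"host": host, "dst_ip": dst_ip, "bytes": 1000 + 37 * len(events)})

    for host in FLEET:
        add(host, "203.0.113.10")            # every endpoint talks to this address
        if host != "ws-05":
            add(host, "203.0.113.53")        # nine of ten endpoints
    for host in ("ws-03", "ws-07"):
        add(host, "198.51.100.23")           # rare destination 1
    for host in ("ws-02", "ws-07"):
        add(host, "198.51.100.99")           # rare destination 2
    return events


def stack_count(events, field):
    """Map each distinct value of `field` to the set of hosts that produced it.

    Counting distinct hosts rather than raw events keeps one chatty machine
    from making a destination look widespread.
    """
    stack = defaultdict(set)
    for event in events:
        stack[event[field]].add(event["host"])
    return dict(stack)


def prevalence(stack, fleet_size):
    """Fraction of the fleet on which each value was seen."""
    return {value: len(hosts) / fleet_size for value, hosts in stack.items()}


def rare_values(stack, max_hosts=2):
    """Values seen on at most max_hosts endpoints: the bottom of the stack."""
    return sorted(v for v, hosts in stack.items() if len(hosts) <= max_hosts)


if __name__ == "__main__":
    events = build_events()
    by_ip = stack_count(events, "dst_ip")
    for ip, share in sorted(prevalence(by_ip, len(FLEET)).items(), key=lambda kv: kv[1]):
        print(f"{ip:16} {share:6.0%} of endpoints")
    print("rare destinations:", rare_values(by_ip))
    # Stacking a raw numeric field puts every event in its own bucket.
    by_bytes = stack_count(events, "bytes")
    print(f"{len(by_bytes)} distinct byte counts across {len(events)} events")
```

Stacking by distinct host, not by event count, is a deliberate choice: a beaconing implant on one machine produces thousands of events to a single address, and an event count would rank that address as common. Numeric fields such as byte counts or durations only stack usefully after bucketing (ranges, rounding) or after being turned into a categorical value.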
Scatter Plots, Box Plots and Isolation Forests
In this post, we will not dig into these approaches. In real-world Threat Hunting scenarios, security teams will execute the more common techniques such as Searching, Grouping and Stack Counting. Scatter plotting, box plotting and isolation forests are based on numeric data and the relationships between those numeric values; machine learning and heavy preparation are required. For more details, you can refer to the ThreatHunter-Playbook by Cyb3rWard0g.
Tips for the Threat Hunter
Know The Environment You Are Hunting on!
In order to conduct an effective and successful hunt, a threat hunter must be familiar with the environment and spend a significant amount of time studying the normal behavior, baselines and policies. In many cases (when providing external threat hunting services) time will not be on the hunter's side, and there will not be much time to study the environment. However, it is crucial to gather as much prior information and knowledge as possible before initiating the hunt. The main goal of threat hunting is distinguishing normal from abnormal.
Automate Where Possible
Based on the hypothesis and the chosen threat hunting model, know what data you want to collect and which tools you will use to process it during the hunt. Do not shy away from spending time automating processes. Yes, it will often be time-consuming or challenging, but it is certainly worth it! Manual tasks are the enemy, as time is the most important resource we have. Spend it wisely on key data rather than investing lots of it in filtering irrelevant data and logs in real time.
Be Aware
As we all know, threat actors and adversaries are sharpening and improving their toolsets and capabilities while becoming more and more sophisticated. New techniques are discovered almost daily. As threat hunters, it is our responsibility to stay up to date with the latest news in the Cyber Security field. To achieve that, constant consumption of threat intelligence feeds and resources is key.
Thank you for reading our content!
The PreCySec team.