What is Threat Hunting?

Threat Hunting is a proactive approach to finding traces of malware that is already present in our network. It is a focused way to find the security gaps through which malicious files have evaded an organization's traditional security tools. In the fast-growing cybersecurity landscape, Threat Hunting is very important for identifying the “bad actors” with malicious intent inside the network.

Why is threat hunting important for an Organization?

Traditional security tools such as firewalls, antivirus software, IDS/IPS, etc. will catch most cybersecurity threats, but cybercriminals keep arriving with new tactics and techniques to attack their targets. Many of these new techniques go undetected by, or evade, the security tools for months or even a year, depending on the threat actor group. Identifying malicious files that pretend to be legitimate requires an investigation using Threat Hunting methodologies.

Understand the most common attacking behaviours

Here, most Organizations and threat hunters lack the basics of how and where to start threat hunting. We first need to understand the few common attacking behaviours that hackers use against the victim. Only then will it be easy for us to create the hunting hypothesis for the hunt we need to start.

Top 20 adversary Techniques:

You might wonder whether, out of the 200+ techniques identified by the MITRE ATT&CK framework, these top 20 alone are enough to start threat hunting. Monitoring these top 20 behaviours gives visibility into some of the popular vulnerabilities exploited by attackers, and is far more practical than hunting for all 200-plus techniques at once. This is a good starting point for creating a Threat Hunting Hypothesis.

Generating a Hypothesis for Successful Threat Hunting

Every threat hunt begins by defining a hypothesis based on the organization's requirements. Before approaching the hunt, it must satisfy certain criteria:

  • First, identify what data is needed and which data source will be able to detect it.
  • Understand and identify the specific attacking behaviour that we need to hunt for.
  • Finally, understand the tactics and techniques behind the attacking behaviour and start the hunt.

We will look at the step-by-step method for creating a hunting hypothesis:

  1. Identify and select the tactics and techniques that you want to hunt.
  2. Identify the associated procedures of the specific group.
  3. Red Team/Blue Team to perform the attack simulation of the selected tactic and technique.
  4. Collection of evidence from the investigation performed by the hunter.
  5. Setting up the scope for the hunt, such as the hunting duration and the log sources for the hunt.

Step 1: Identify and select the tactics and techniques.

In this step, we will review the attack sources and select a technique. Here, we will utilize the MITRE ATT&CK framework to gather information on the selected group or TTP.

As an example, we will select a technique from the top 20: Technique T1036 – Masquerading, under the “Defense Evasion” tactic.

Masquerading Technique

In this technique, an adversary attempts to manipulate their artifacts so that they appear to be legitimate processes, in order to avoid detection by security controls. Masquerading occurs when the name or location of an object, legitimate or malicious, is abused to evade the security tools while attacking the target.

One form of it is renaming legitimate system utilities so that attackers can misuse them for evasion.

Step 2: Identify the associated procedure of the specific group. 

Here, the MITRE ATT&CK framework presents the known procedures for the technique. For the Masquerading technique there are several known attack groups and campaigns, such as APT29, APT32, NotPetya, Dragonfly 2.0, etc.; pick one of them to start the hunt.

In this step it is recommended to do additional research on the group you select to start hunting, as most of the information might not be available in MITRE. It is really important to do your own research on the selected technique to understand the prerequisites, the procedures, and the outcome the threat actors are after.

Some sample blogs that explain the Masquerading technique can be found here and in this Blog.

Step 3: Red team/Blue team to perform the attack simulation of the selected tactic and technique.

In this step it is not always necessary to perform an attack simulation, but depending on the hunt category and the information gathered in the previous step, it may be required in order to learn which data and logs are generated during the simulation, which log-source queries to run, and how to identify the attacking behaviours during detection.

This step can be time-consuming, as it requires systems, tools, and monitoring capabilities to perform the selected search within the environment.

For example, SIEM tools to perform the search as required, and to apply rules for log correlation and aggregation related to the attacking techniques we need.

Step 4: Collection of evidence from the investigation.

We need to start the investigation in the environment and look for artifacts such as registry files, network logs, Windows artifacts, etc.

Here, in our case, we should:

  • Look for known filenames in unusual locations; these are suspects.
  • Look for mismatches between the filename on disk and the binary's metadata; this is a suspect indicator that the binary was renamed after it was compiled.
  • Search for indications of common characters that may indicate an attempt to confuse users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override character “\u202E”, “[U+202E]”, “%E2%80%AE”, etc.

In most investigations we will get back a few false-positive log entries, which can be filtered out based on the search performed on the environment so that the hunts remain useful.

Step 5: Setting up the scope for hunting. 

This is the final step in the process. We have found the tactic, technique, and procedure and also identified the attacking behaviours used by the hackers, and we are almost ready to begin creating the threat hunting hypothesis.

At last we arrive at defining the hunting scope, which contains the hunting duration, and what data and which log source can collect the required evidence.

  1. Hunting Duration – It is recommended that the logs to be investigated cover at least a week. This helps us capture the data from all the devices and the network bandwidth for analysis. The longer the time frame, the more difficult it becomes to investigate the captured logs for suspicious patterns.
  2. Log source – Here we need to focus on the scope of devices from which we collect the logs. Some hunting techniques focus on critical business systems, others on certain data sources. We should always set the scope and limitations for the hunts so that they can also be performed in future.

For example, defining the scope as:

Duration: 1 week

Data collection: all Windows file-monitoring data that captures legitimate utilities running from unusual locations, i.e. files with known legitimate activity whose execution path differs from their regular folder path.

Some interesting Threat Hunting Hypotheses can be found here.

Conclusion

Maintain hunting metrics for each hunt performed and track every piece of evidence found, so that the hunters' work, the time spent creating the hypothesis, and the time spent performing the hunts are recorded and can be showcased to management.

We can record items such as:

  1. How often is the hunt performed?
  2. Which techniques and procedures are covered using the MITRE framework?
  3. Which historical events were collected during threat hunting?

By Michael

The writer of Infohaunt is a Cyber Security Professional with experience in SOC operations, Threat Management, Incident Response, Threat Hunting, and Digital Forensics.