Threat Hunting
Threat hunting is an organized, systematic approach to seeking out indicators of compromise on networks using expertise and analytic techniques.
- designed to detect the presence of threats that have not been discovered by normal security monitoring
- utilizes insights gained from threat intelligence
- proactively discovers evidence of TTPs
- can provide useful information to the Incident Response (IR) preparation process
- demonstrating the value of investments in security tools
- showing the need for improvements to detection and analysis processes
- Intelligence fusion and threat data
- intelligence fusion: using sources of threat intelligence data to automate detection of adversary IoCs and TTPs
- an org with a SIEM and a threat analytics platform can apply intelligence fusion techniques, correlating its own telemetry against external threat data
- threat hunting itself remains a primarily manual process whereby a threat hunter (or security analyst) reviews various sources of information and uses skill and experience to identify potential threats
- find threats by using:
- TTPs
- indicators of compromise (IoCs)
- indicators of attack (IoAs)
- confidence levels attached to threat intelligence data (how sure the publisher is that an indicator is malicious)
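Worked example of intelligence fusion, added to these notes and not taken from any vendor tool: a small threat-intel feed carrying per-indicator confidence scores is applied to DNS, connection and file-hash log lines. Observables are normalized first (domain case and trailing dot, an appended port on an IP, hash case) so that feed and log values compare equal, and matches below the confidence threshold are queued separately rather than thrown away. The feed entries, log lines, tags and the 50-point threshold are all constructed for illustration.

```python
"""Intelligence fusion over constructed data (added example, not from the notes)."""
import ipaddress
from dataclasses import dataclass

# Constructed feed. "confidence" is the publisher's 0-100 score for the indicator.
INTEL_FEED = [
    {"type": "domain", "value": "Update-Checker.example.", "confidence": 90, "tag": "C2"},
    {"type": "ipv4",   "value": "203.0.113.45",            "confidence": 75, "tag": "scanner"},
    {"type": "ipv4",   "value": "198.51.100.7",            "confidence": 20, "tag": "stale-sinkhole"},
    {"type": "sha256", "value": "AB" * 32,                 "confidence": 95, "tag": "dropper"},
]

# Constructed log lines: "<timestamp> <host> <kind> <observable>".
SAMPLE_LOGS = f"""\
2024-05-01T10:00:01Z ws01 dns update-checker.example
2024-05-01T10:00:02Z ws01 conn 203.0.113.45:443
2024-05-01T10:00:03Z ws02 conn 198.51.100.7:80
2024-05-01T10:00:04Z ws03 hash {'ab' * 32}
2024-05-01T10:00:05Z ws03 dns intranet.example
2024-05-01T10:00:06Z ws04 conn 10.0.0.5:445
"""

# Which log record kinds can be compared with which indicator types.
LOG_KIND_TO_IOC = {"dns": "domain", "conn": "ipv4", "hash": "sha256"}


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str       # normalized form
    confidence: int
    tag: str


def normalize(kind: str, value: str) -> str:
    """Canonicalize an observable so feed and log values compare equal."""
    value = value.strip()
    if kind == "domain":
        return value.lower().rstrip(".")          # case and trailing dot are not significant
    if kind == "ipv4":
        return str(ipaddress.ip_address(value.rsplit(":", 1)[0]))  # drop ":port", validate
    if kind == "sha256":
        return value.lower()
    raise ValueError(f"unsupported indicator kind {kind!r}")


def load_feed(raw_feed) -> dict:
    """Index the feed by (kind, normalized value) for O(1) lookups."""
    feed = {}
    for entry in raw_feed:
        ind = Indicator(entry["type"], normalize(entry["type"], entry["value"]),
                        int(entry["confidence"]), entry["tag"])
        feed[(ind.kind, ind.value)] = ind
    return feed


def hunt_iocs(log_text: str, raw_feed, min_confidence: int = 50):
    """Return (hits, low_confidence) lists of matched log records.

    Matches at or above min_confidence are hits for the hunter to act on;
    matches below it are kept for triage rather than discarded, because a
    stale or low-confidence indicator can still be worth a second look."""
    feed = load_feed(raw_feed)
    hits, low_confidence = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, observable = line.split(maxsplit=3)
        ioc_kind = LOG_KIND_TO_IOC.get(kind)
        if ioc_kind is None:
            continue                               # record kind has no comparable IoC type
        ind = feed.get((ioc_kind, normalize(ioc_kind, observable)))
        if ind is None:
            continue                               # no indicator matched
        record = {"ts": ts, "host": host, "indicator": ind.value,
                  "tag": ind.tag, "confidence": ind.confidence}
        (hits if ind.confidence >= min_confidence else low_confidence).append(record)
    return hits, low_confidence


if __name__ == "__main__":
    hits, low = hunt_iocs(SAMPLE_LOGS, INTEL_FEED)
    for h in hits:
        print(f"HIT  {h['ts']} {h['host']} {h['indicator']} ({h['tag']}, conf={h['confidence']})")
    for h in low:
        print(f"LOW  {h['ts']} {h['host']} {h['indicator']} ({h['tag']}, conf={h['confidence']})")
```

The threshold is the knob that trades false positives against missed detections; in a real SIEM the same logic would be a lookup against a threat-intel table joined to the event stream, with the confidence score carried into the alert so the analyst can prioritize.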
Maneuver, in threat hunting, is the concept that threat actors and defenders may use deception or counterattacking strategies to gain positional advantage.
- is a military doctrine term relating to obtaining positional advantage
Lateral movement is the process by which an attacker is able to move from one part of a computing environment to another.
Process
- establish a hypothesis
- how an attacker might attack our organization (which TTPs, against which assets)
- think of indicators of compromise (IoC) associated with the hypothesis
- search the available data (logs, endpoint and network telemetry) for those indicators
- after discovering compromise, move into the incident response process
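The process above, run end to end on constructed data as an added example (not from the original notes or any product). The hypothesis is lateral movement: an attacker holding a stolen account authenticates over the network (Windows event 4624 with logon type 3 or 10) to many hosts from one source in a short window, which an ordinary user does not do. The indicator derived from it is "one user/source pair reaching N distinct hosts within W minutes"; the script searches the events for it and emits findings ready for IR. The CSV, the 5-minute window, the 4-host threshold and the allowlist are assumptions to tune against your own baseline.

```python
"""Hypothesis-driven hunt for lateral movement over constructed logon events."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON_TYPES = {3, 10}   # 3 = network (SMB/WMI/WinRM), 10 = RemoteInteractive (RDP)

# Constructed events: one Windows logon/logoff record per line.
SAMPLE_EVENTS = """\
ts,host,event_id,logon_type,user,src_ip
2024-05-01T09:00:00Z,ws01,4624,2,alice,-
2024-05-01T09:05:00Z,fs01,4624,3,alice,10.0.1.20
2024-05-01T09:05:10Z,fs01,4624,3,bob,10.0.1.21
2024-05-01T13:00:00Z,ws07,4624,3,alice,10.0.5.77
2024-05-01T13:00:04Z,ws08,4624,3,alice,10.0.5.77
2024-05-01T13:00:09Z,ws09,4624,3,alice,10.0.5.77
2024-05-01T13:00:15Z,ws10,4624,10,alice,10.0.5.77
2024-05-01T13:00:20Z,dc01,4624,3,alice,10.0.5.77
2024-05-01T13:00:25Z,ws07,4634,3,alice,10.0.5.77
2024-05-01T22:00:00Z,ws20,4624,3,svc_backup,10.0.9.5
2024-05-01T22:00:03Z,ws21,4624,3,svc_backup,10.0.9.5
2024-05-01T22:00:06Z,ws22,4624,3,svc_backup,10.0.9.5
2024-05-01T22:00:09Z,ws23,4624,3,svc_backup,10.0.9.5
"""


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt_lateral_movement(csv_text, window=timedelta(minutes=5), min_hosts=4, allowlist=frozenset()):
    """Return one finding per (user, src_ip) whose network logons fan out to
    at least min_hosts distinct hosts inside any span no longer than `window`.

    Accounts in `allowlist` (e.g. backup or scanner service accounts that
    legitimately touch many hosts) are skipped: the hypothesis refinement you
    make once the baseline has been checked."""
    by_key = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] != "4624" or int(row["logon_type"]) not in NETWORK_LOGON_TYPES:
            continue                      # only successful network-style logons
        if row["user"].lower() in allowlist:
            continue
        by_key[(row["user"], row["src_ip"])].append((parse_ts(row["ts"]), row["host"]))

    findings = []
    for (user, src_ip), events in by_key.items():
        events.sort()
        best = None
        left = 0
        for right in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[right][0] - events[left][0] > window:
                left += 1
            hosts = {host for _, host in events[left:right + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"user": user, "src_ip": src_ip, "hosts": sorted(hosts),
                        "first": events[left][0].isoformat(),
                        "last": events[right][0].isoformat()}
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in hunt_lateral_movement(SAMPLE_EVENTS, allowlist=frozenset({"svc_backup"})):
        print(f"{f['user']}@{f['src_ip']} reached {len(f['hosts'])} hosts "
              f"{f['first']} .. {f['last']}: {', '.join(f['hosts'])}")
```

Each finding names the account, the source, the hosts touched and the time span, which is exactly the scoping information the IR process needs when the hunt turns into an incident. Without the allowlist the backup account is flagged too, which is the false positive a first pass of this hypothesis typically produces.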
Entity-driven Hunt
Entity-driven hunts look for external threat actors based on TTPs observed by the cyber defense community in recently identified attacks.
Managed security service provider (MSSP) is a third-party provision of security configuration and monitoring as an outsourced service.
- most orgs cannot afford a dedicated threat-hunting team
- an MSSP has the knowledge, skills, resources, and analytics tools to identify threats efficiently on the org's behalf
Focus Areas
- Misconfiguration Hunting
- involves searching for misconfigured systems, services, or applications that attackers could exploit, including weak passwords, open ports, or unpatched software
- Isolated Network Hunting
- applies to air-gapped or otherwise segregated networks that normal monitoring does not reach; involves searching for vulnerabilities in the physical access points (console ports, removable media, maintenance connections) that could be used to gain access to the isolated network
- Business-critical Asset Hunting
- involves searching for vulnerabilities and threats that could impact these assets, looking for:
- unauthorized access attempts
- unusual traffic patterns
- or suspicious activity that could indicate an attack