A foundational Threat Hunting framework

What is Threat Hunting?

Many organisations today face unprecedented levels of cyber-attacks, and the trend keeps growing year on year. The Security Operations Center (SOC) is the first line of defence, with its analyst team and a SIEM as its main analysis tool. Using the data the SOC collects, a Threat Hunting team proactively searches for Indicators of Compromise (IOCs), for any trace of adversary tactics, techniques and procedures (TTPs), and for anomalies.

If a threat actor gets into the environment undetected by the SOC team and actively avoids attention, it can take a long time to eventually detect the threat, and by then it may be too late. The time between an adversary breaching the environment and their detection is called "Dwell Time".

One of the Threat Hunting team's core missions is to minimise Dwell Time as much as possible, and to uncover any tools, IOCs or other threat actor activity that bypassed SOC detection.

Even if a hunt uncovers no malicious activity, its findings can be fed back to the SOC team to improve detection rules, increase visibility, eliminate blind spots in the environment, etc.

In its basic form, Threat Hunting can be seen as a powerful extension of the SOC: it advances the SOC to the next maturity level and becomes a second layer of defence.

One of the best definitions of threat hunting comes from the Sqrrl team:

Threat Hunting is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.

Threat Hunting Framework Foundations

Threat Hunting is an iterative process that never stops. The findings of each hunt, successful or not, form the basis of the next. To use their time productively and avoid chasing poor leads or executing unrealistic hunts, the Threat Hunting team must follow a solid framework.

Choosing the right framework is an important step when building a threat hunting capability. Frameworks are there for guidance; it is always best to build your own framework from the strongest points of the frameworks you have researched.

Here we highlight the solid foundations on which any threat hunting framework can be built, adapted to your needs and preferences. These foundations appear in the majority of Threat Hunting frameworks today:

Threat Hunting Framework Foundations:

  1. Hypothesis Creation (Identification)
  2. Tools Required (Preparation)
  3. Analysis (Detection)
  4. Analytics & Automation (Improvements)

Stage 1 – Hypothesis Creation (Identification)

In this stage you state reasonable assumptions about one or more adversaries and the tools and techniques they might use to enter or persist in your environment. These assumptions form the basis of the hunt.

Stage 2 - Tools Required (Preparation)

Two or more independent forms of evidence are needed to prove a hypothesis with a high degree of confidence.

In this stage we scope the size of the investigation, estimate which tools will be required, decide where the data will be sourced, etc.

Stage 3 - Analysis (Detection)

This is the critical stage where we conduct the analysis and either prove or disprove the hypothesis.

Stage 4 - Analytics & Automation (Improvements)

In this final stage, we summarise the results based on the outcome, document everything, and implement metrics for measuring all the activity in the framework, etc.

If evidence of malicious activity is found and it is an active threat, it should be escalated to the Incident Response team immediately.
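The four stages above, and the Dwell Time metric defined earlier, carried through as one worked example. This is added illustration code, not tooling from the original article or from any threat hunting platform. The hypothesis (Base64-encoded PowerShell followed shortly by an outbound connection from the same host), the class and function names, the five-minute correlation window and the sample process and network log lines are all assumptions constructed for the example; the log lines are not real telemetry.

```python
import base64
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Stage 1 - Hypothesis Creation. Assumed for this example: an adversary
# launches Base64-encoded PowerShell on a workstation and, shortly after,
# opens an outbound connection from the same host. Two independent forms
# of evidence are required before the hypothesis counts as proved.
@dataclass(frozen=True)
class Hypothesis:
    name: str
    data_sources: tuple          # Stage 2 - where the evidence is sourced
    min_evidence_types: int = 2  # "two or more forms of evidence"

HYPOTHESIS = Hypothesis(
    name="encoded PowerShell followed by an outbound connection",
    data_sources=("process_creation", "network"),
)

# Stage 2 - Constructed sample telemetry (not real logs), one list per source.
# WS-01: encoded PowerShell then outbound traffic (both evidence types).
# WS-04: encoded PowerShell only (one evidence type: a lead, not proof).
PROCESS_LOG = [
    '2024-03-01T08:02:11Z host=WS-01 user=jdoe image=powershell.exe args="-NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    '2024-03-01T08:03:40Z host=WS-02 user=asmith image=notepad.exe args="report.txt"',
    '2024-03-01T08:05:02Z host=WS-03 user=svc_build image=powershell.exe args="-File C:\\build\\deploy.ps1"',
    '2024-03-01T09:15:27Z host=WS-04 user=rlee image=powershell.exe args="-EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
]
NETWORK_LOG = [
    "2024-03-01T08:02:15Z host=WS-01 dst=198.51.100.23 dport=443 bytes=1834",
    "2024-03-01T08:07:02Z host=WS-02 dst=192.0.2.10 dport=443 bytes=5100",
    "2024-03-01T08:05:30Z host=WS-03 dst=192.0.2.44 dport=443 bytes=920",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; 'ts' is a datetime."""
    ts, _, rest = line.partition(" ")
    rec = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def decode_encoded_command(args):
    """Return the decoded -Enc/-EncodedCommand payload (UTF-16LE Base64), else None."""
    m = re.search(r"-(?:EncodedCommand|Enc)\s+([A-Za-z0-9+/=]+)", args, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid encoded PowerShell; treat as no evidence

def analyse(hypothesis, process_log, network_log, window=timedelta(minutes=5)):
    """Stage 3 - Analysis. Map host -> {'first_seen': datetime, 'sources': {source: detail}}
    for every host with at least one piece of evidence."""
    conns = [parse_line(l) for l in network_log]
    evidence = {}
    for p in (parse_line(l) for l in process_log):
        decoded = decode_encoded_command(p.get("args", ""))
        if decoded is None:
            continue  # no encoded command: this process does not fit the hypothesis
        sources = {"process_creation": f"{p['user']} ran encoded PowerShell: {decoded!r}"}
        for c in conns:  # second, independent source: a connection shortly after
            if c["host"] == p["host"] and p["ts"] <= c["ts"] <= p["ts"] + window:
                sources["network"] = f"outbound to {c['dst']}:{c['dport']} ({c['bytes']} bytes)"
                break
        evidence[p["host"]] = {"first_seen": p["ts"], "sources": sources}
    return evidence

def summarise(hypothesis, evidence, hunt_time):
    """Stage 4 - Analytics & Automation. Classify hosts, compute metrics
    (dwell time from the earliest confirmed evidence) and flag IR escalation."""
    confirmed = {h: e for h, e in evidence.items()
                 if len(e["sources"]) >= hypothesis.min_evidence_types}
    leads = sorted(h for h in evidence if h not in confirmed)
    earliest = min((e["first_seen"] for e in confirmed.values()), default=None)
    return {
        "hypothesis": hypothesis.name,
        "outcome": "proved" if confirmed else "disproved",
        "confirmed_hosts": sorted(confirmed),
        "leads_for_soc": leads,  # single-source hits go back to the SOC as tuning input
        "dwell_time_hours": round((hunt_time - earliest).total_seconds() / 3600, 1) if earliest else None,
        "escalate_to_ir": bool(confirmed),
    }

def run_hunt(process_log=PROCESS_LOG, network_log=NETWORK_LOG,
             hunt_time=datetime(2024, 3, 3, 8, 0, tzinfo=timezone.utc)):
    """Run the whole loop once; hunt_time is the (assumed) moment the hunt ran."""
    return summarise(HYPOTHESIS, analyse(HYPOTHESIS, process_log, network_log), hunt_time)

if __name__ == "__main__":
    for key, value in run_hunt().items():
        print(f"{key}: {value}")
```

With the sample data, WS-01 is the only host where both evidence types line up, so the hypothesis is proved, the host is flagged for Incident Response, and the dwell time is measured from the first encoded command (about 48 hours before the assumed hunt time). WS-04 shows only one evidence type and is reported as a lead for the SOC rather than a confirmed finding, which is the "two or more forms of evidence" rule from Stage 2 in practice. Replacing the sample lists with a SIEM export and the hypothesis with the next one on your list is the iteration the loop describes.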


This is a simplified version of a Threat Hunting framework. All the steps are flexible and can be adjusted or changed to suit your requirements and goals, i.e. "Objectives", "Focus" and "Requirements" can be set based on your needs. Additional stages can be added, and the threat hunting loop iterated as many times as necessary.

Threat Hunting Loop