Threat Hunting - Introduction

Threat hunting is a human-centric process of proactively searching data and discovering cyber threats.


Hunter:

Offensive-based Strategy | Think Like an Attacker | Understand Cyber Threats & the Kill Chain | Know the Network Architecture | Data Analysis

The business goals are:

Reducing dwell time and minimizing residual risk by stopping adversaries before they complete their objectives.

The technical goals of threat hunting are: 

  • Detecting threats that no technology can detect
  • Detecting the adversary before the goal is achieved, not at code execution
  • Detecting advanced attacks that evade security controls
  • Detecting TTPs instead of IOCs, and
  • Detecting malicious behavior more quickly and more frequently.

Framework/Model for Hunters: 

  • MITRE ATT&CK - Tactics or Tools, Techniques & Procedures (TTPs) - This helps to identify IoCs and the adversary's methods across entry point > pivot > goals
  • Pyramid of Pain
  • Cyber Kill Chain
  • Diamond Model (this can be linked to MITRE ATT&CK and the Kill Chain to perform a defense gap analysis)


Threat Hunt Mindset

Threat Intelligence Division (Known/Indicator-based detection) - Strategic | Tactical | Operational

As a hunter, use Tactical (What | When) | Operational (How) information (Known Bad hunt)

  • Tactical (What | When) > This is where TTPs, the Kill Chain and the Diamond Model are used to identify the adversary's pattern of attack, also known as a signature.
  • “What - they do” | “How - the adversary does”

Digital Forensics - (Technique/Anomaly-based/Unknown) - Network | Host | Memory Forensics/Analysis

The hunter still uses TI but goes one step further, analyzing for any IoC - human-based detection

  • Attack-Based Hunting | Did … this happen in my network?
  • Analytics-Based Hunting | Does anything in … data look malicious?

Threat Hunting Simulation - Practice | Learn


Hunting Start-up:

Threat Intelligence | Know 

As a hunter, keep up to date on:

  • Threat intelligence reports,
  • Threat feeds (sharing and exchange), and
  • IoC/IoA

Threat Hunting Hypothesis

Hypothesis Methodology

  • Pick a Tactic & Technique
  • Identify procedure(s)
  • Perform an attack simulation or Data analysis
  • Evidence collected 
  • Scope


After a successful hunt, create a detection or optimize a query/rule/signature to close the defensive gap, then proceed with the next hunt.
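
The hypothesis methodology above, carried through one hunt as an added example (not code from the original post). The chosen technique (ATT&CK T1059.001, PowerShell), the procedure, the event field names and the hosts are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Steps 1-2. Hypothesis: Execution tactic, ATT&CK T1059.001 (PowerShell).
# Assumed procedure: an Office application launches PowerShell with an
# encoded command. The behaviour is hunted, not a hash, IP or domain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

# Constructed process-creation events (hypothetical field names and hosts).
EVENTS = [
    {"time": "09:14", "host": "ws-014", "user": "alice", "parent": "WINWORD.EXE",
     "image": "powershell.exe", "cmdline": "powershell.exe -NoP -W Hidden -Enc <blob>"},
    {"time": "09:20", "host": "ws-014", "user": "alice", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File backup.ps1"},
    {"time": "10:02", "host": "ws-022", "user": "bob", "parent": "EXCEL.EXE",
     "image": "powershell.exe", "cmdline": "powershell.exe -ExecutionPolicy Bypass -File r.ps1"},
    {"time": "10:47", "host": "ws-031", "user": "carol", "parent": "OUTLOOK.EXE",
     "image": "powershell.exe", "cmdline": "powershell.exe -e <blob>"},
    {"time": "11:30", "host": "srv-002", "user": "svc_backup", "parent": "services.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -EncodedCommand <blob>"},
]

def has_encoded_flag(cmdline):
    """True if an argument is -EncodedCommand, a prefix of it, or the -ec alias."""
    for tok in cmdline.lower().split()[1:]:
        if tok == "-ec" or (len(tok) >= 2 and "-encodedcommand".startswith(tok)):
            return True
    return False

def hunt(events):
    """Step 3, data analysis: keep events that match the hypothesised behaviour."""
    return [e for e in events
            if e["parent"].lower() in OFFICE_PARENTS
            and e["image"].lower() == "powershell.exe"
            and has_encoded_flag(e["cmdline"])]

def scope(hits):
    """Steps 4-5: group the evidence by host to show how far the activity reaches."""
    by_host = defaultdict(list)
    for e in hits:
        by_host[e["host"]].append((e["time"], e["user"], e["parent"]))
    return dict(by_host)

if __name__ == "__main__":
    for host, evidence in scope(hunt(EVENTS)).items():
        print(host, evidence)
```

Once the hunt is confirmed, the condition in hunt() is the part that gets turned into a detection query or rule.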


