Cyber threat hunting

Last updated December 10, 2022

Cyber threat hunting is a proactive cyber defence activity. It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions."^[1] This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox (computer security) and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat.^[2]^[3]

Methodologies

Threat hunting has traditionally been a manual process, in which a security analyst sifts through various data information using their own knowledge and familiarity with the network to create hypotheses about potential threats, such as, but not limited to, lateral movement by threat actors.^[4] To be even more effective and efficient, however, threat hunting can be partially automated, or machine-assisted, as well. In this case, the analyst uses software that leverages machine learning and user and entity behavior analytics (UEBA) to inform the analyst of potential risks. The analyst then investigates these potential risks, tracking suspicious behavior in the network. Thus, hunting is an iterative process, meaning that it must be continuously carried out in a loop, beginning with a hypothesis.

Analytics-Driven: "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses"
Situational-Awareness Driven: "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends"
Intelligence-Driven: "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans"

The analysts research their hypothesis by going through vast amounts of data about the network. The results are then stored so that they can be used to improve the automated portion of the detection system and to serve as a foundation for future hypotheses.

The Detection Maturity Level (DML) model ^[5] expresses threat indicators can be detected at different semantic levels. High semantic indicators such as goal and strategy or tactics, techniques and procedures (TTPs) are more valuable to identify than low semantic indicators such as network artifacts and atomic indicators such as IP addresses.^{[ citation needed ]} SIEM tools typically only provide indicators at relatively low semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels.^[6]

Indicators

There are two types of indicators:

Indicator of compromise - An indicator of compromise (IOC) tells you that an action has happened and you are in a reactive mode. This type of IOC is done by looking inward at your own data from transaction logs and or SIEM data. Examples of IOC include unusual network traffic, unusual privileged user account activity, login anomalies, increases in database read volumes, suspicious registry or system file changes, unusual DNS requests and Web traffic showing non-human behavior. These types of unusual activities allow security administration teams to spot malicious actors earlier in the cyberattack process.
Indicator of Concern - Using Open-source intelligence (OSINT), data can be collected from publicly available sources to be used for cyberattack detection and threat hunting.

Tactics, Techniques and Procedures (TTPs)

The SANS Institute identifies a threat hunting maturity model as follows:^[7]

Initial - At Level 0 maturity, an organization relies primarily on automated reporting and does little or no routine data collection.
Minimal - At Level 1 maturity, an organization incorporates threat intelligence indicator searches. It has a moderate or high level of routine data collection.
Procedural - At Level 2 maturity, an organization follows analysis procedures created by others. It has a high or very high level of routine data collection.
Innovative - At Level 3 maturity, an organization creates new data analysis procedures. It has a high or very high level of routine data collection.
Leading - At Level 4 maturity, automates the majority of successful data analysis procedures. It has a high or very high level of routine data collection.

Dwell Time

The dwell time either indicates the entire span of a security incident (initial compromise until detection and full cleanup) or the 'mean time to detect' (from initial compromise until detection). According to the 2022 Mandiant M-Trends Report, cyberattackers operate undetected for an average of 21 days (a 79% reduction, compared to 2016), but this varies greatly by region.^[8] Per Mandiant, the dwell time^[9] can be as low as 17 days (in the Americas) or as high as 48 days (in EMEA).^[8] The study also showed that 47% of attacks are discovered only after notification from an external party.

Example Reports

Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms

Example Threat Hunting

Threat hunting using DNS firewalls and data enrichment

Threat Hunting Methodologies

Inside the Network Perimeter

Reactive Threat Hunting - This method is triggered by a malicious event, typically after a data breach or theft is discovered. Efforts are typically focused on forensics and remediation.
Proactive Threat Hunting - This method actively seeks out ongoing malicious events and activities inside the network, the goal is to detect an in progress cyber attack. Efforts are typically focused on detection and remediation.

Outside the Network Perimeter

External Threat Hunting - This method proactively seeks out malicious threat actor infrastructure to map and predict where cyber attacks are likely to emerge to prepare defensive strategies. Efforts are typically focused on Cyber Threat Reconnaissance, Threat Surface Mapping and monitoring of third-party risks.

Related Research Articles

<span class="mw-page-title-main">Network security</span> Computer network access control

Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like “Where am I most vulnerable to attack?”, “What are the most relevant threats?”, and “What do I need to do to safeguard against these threats?”.

<span class="mw-page-title-main">Computer security software</span> Computer program for information security

Computer security software or cybersecurity software is any computer program designed to influence information security. This is often taken in the context of defending computer systems or data, yet can incorporate programs designed specifically for subverting computer systems due to their significant overlap, and the adage that the best defense is a good offense.

Proactive cyber defence means acting in anticipation to oppose an attack through cyber and cognitive domains. Proactive cyber defence can be understood as options between offensive and defensive measures. It includes interdicting, disrupting or deterring an attack or a threat's preparation to attack, either pre-emptively or in self-defence. Common methods include cyber deception, attribution, threat hunting and adversarial pursuit. The mission of the pre-emptive and proactive operations is to conduct aggressive interception and disruption activities against an adversary using: psychological operations, managed information dissemination, precision targeting, information warfare operations, computer network exploitation, and other active threat reduction measures. The proactive defense strategy is meant to improve information collection by stimulating reactions of the threat agents and to provide strike options as well as to enhance operational preparation of the real or virtual battlespace. Proactive cyber defence can be a measure for detecting and obtaining information before a cyber attack, or it can also be impending cyber operation and be determining the origin of an operation that involves launching a pre-emptive, preventive, or cyber counter-operation.

<span class="mw-page-title-main">Advanced persistent threat</span> Set of stealthy and continuous computer hacking processes

An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

<span class="mw-page-title-main">Security information and event management</span> Computer security

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes. The term and the initialism SIEM was coined by Mark Nicolett and Amrit Williams of Gartner in 2005.

ExtraHop is a cybersecurity company providing AI-based network intelligence that stops advanced threats across cloud, hybrid, and distributed environments.

In computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application.

An information security operations center is a facility where enterprise information systems are monitored, assessed, and defended.

<span class="mw-page-title-main">Sqrrl</span> Cyber security company

Sqrrl Data, Inc. is an American company founded in 2012 that markets software for big data analytics and cyber security. The company has roots in the United States Intelligence Community and National Security Agency. Sqrrl was involved in the creation of, and actively contributes to Apache Accumulo and other related Apache projects. Sqrrl’s primary product is its threat hunting platform, designed for active detection of advanced persistent threats.

LogRhythm, Inc. is an American security intelligence company that specializes in Security Information and Event Management (SIEM), log management, network and endpoint monitoring and forensics, and security analytics. LogRhythm is headquartered in Boulder, Colorado, with operations in North and South America, Europe, and the Asia Pacific region.

In information technology, benchmarking of computer security requires measurements for comparing both different IT systems and single IT systems in dedicated situations. The technical approach is a pre-defined catalog of security events together with corresponding formula for the calculation of security indicators that are accepted and comprehensive.

Threat Intelligence Platform (TIP) is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources and help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular, users of the platform. TIPs can also use APIs to gather data to generate configuration analysis, Whois information, reverse IP lookup, website content analysis, name servers, and SSL certificates.

Vectra AI, Inc. is a cybersecurity company with headquarters in San Jose, California.

Cyber threat intelligence (CTI) is knowledge, skills and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors that is intended to help mitigate potential attacks and harmful events occurring in cyberspace. Cyber threat intelligence sources include open source intelligence, social media intelligence, human Intelligence, technical intelligence, device log files, forensically acquired data or intelligence from the internet traffic and data derived for the deep and dark web.

A blue team is a group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and to make certain all security measures will continue to be effective after implementation.

A threat actor or malicious actor is either a person or a group of people that take part in an action that is intended to cause harm to the cyber realm including: computers, devices, systems, or networks. The term is typically used to describe individuals or groups that perform malicious acts against a person or an organization of any type or size. Threat actors engage in cyber related offenses to exploit open vulnerabilities and disrupt operations. Threat actors have different educational backgrounds, skills, and resources. The frequency and classification of cyber attacks changes rapidly. The background of threat actors helps dictate who they target, how they attack, and what information they seek. There are a number of threat actors including: cyber criminals, nation-state actors, ideologues, thrill seekers/trolls, insiders, and competitors. These threat actors all have distinct motivations, techniques, targets, and uses of stolen data.

Deception technology is a category of cyber security defense mechanisms that provide early warning of potential cyber security attacks and alert organizations of unauthorized activity. Deception technology products can detect, analyze, and defend against zero-day and advanced attacks, often in real time. They are automated, accurate, and provide insight into malicious activity within internal networks which may be unseen by other types of cyber defense. Deception technology enables a more proactive security posture by seeking to deceive an attacker, detect them and then defeat them.

In cybersecurity, cyber self-defense refers to self-defense against cyberattack. While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole, such as corporate entities or entire nations. Surveillance self-defense is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.

Endpoint detection and response (EDR), also known as endpoint threat detection and response (ETDR), is a cybersecurity technology that continually monitors an "endpoint" to mitigate malicious cyber threats.

References

↑ "Cyber threat hunting: How this vulnerability detection strategy gives analysts an edge - TechRepublic". TechRepublic. Retrieved 2016-06-07.
↑ "MITRE Kill Chain" . Retrieved 2020-08-27.
↑ "Threat Intelligence Platform on War Against Cybercriminals" . Retrieved 2019-02-17.
↑ "Cyber Threat Intelligence (CTI) in a Nutshell" . Retrieved 2020-07-27.
↑ Stillions, Ryan (2014). "The DML Model". Ryan Stillions security blog. Ryan Stillions.
↑ Bromander, Siri (2016). "Semantic Cyberthreat Modelling" (PDF). Semantic Technology for Intelligence, Defense and Security (STIDS 2016).
↑ Lee, Robert. "The Who, What, Where, When and How of Effective Threat Hunting". SANS Institute. SANS Institute. Retrieved 29 May 2018.
1 2 "Mandian M-Trends 2022" (PDF). Mandiant. pp. 7, 9, 12, 16. Archived from the original on 2022-05-13. Retrieved 2022-05-16.
↑ In the Mandiant M-Trends report, dwell time "is calculated as the number of days an attacker is present in a victim environment before they are detected", which corresponds to the 'mean time to detect'.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Cyber threat hunting: How this vulnerability detection strategy gives analysts an edge - TechRepublic". TechRepublic. Retrieved 2016-06-07.

[2] "MITRE Kill Chain" . Retrieved 2020-08-27.

[3] "Threat Intelligence Platform on War Against Cybercriminals" . Retrieved 2019-02-17.

[4] "Cyber Threat Intelligence (CTI) in a Nutshell" . Retrieved 2020-07-27.

[5] Stillions, Ryan (2014). "The DML Model". Ryan Stillions security blog. Ryan Stillions.

[6] Bromander, Siri (2016). "Semantic Cyberthreat Modelling" (PDF). Semantic Technology for Intelligence, Defense and Security (STIDS 2016).

[7] Lee, Robert. "The Who, What, Where, When and How of Effective Threat Hunting". SANS Institute. SANS Institute. Retrieved 29 May 2018.

[Mandiant_M-Trends_Report-8] 1 2 "Mandian M-Trends 2022" (PDF). Mandiant. pp. 7, 9, 12, 16. Archived from the original on 2022-05-13. Retrieved 2022-05-16.

[9] In the Mandiant M-Trends report, dwell time "is calculated as the number of days an attacker is present in a victim environment before they are detected", which corresponds to the 'mean time to detect'.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]