The goal of Threat Hunting is to reduce the time between an attacker's initial compromise and the discovery of that attacker in the environment, a period also known as Dwell Time.
Possible Reasons for Evading Detection:
It is important to note that the above list is not exhaustive. It is also essential to take note of the following before we move ahead to define the Threat Management Process & Procedures.
While establishing a Threat Management function in your organization, one that is also expected to carry out Threat Hunting, it is imperative that you identify the core values of your team and build the ethos of the Threat Management function around those core values.
Some of the key values essential to driving your Threat Management function are listed below; again, this list is not exhaustive.
1. Assume the Breach & Attack – Hunting begins with the presumption that a breach or an attack has already taken place and has not been identified by conventional detection mechanisms.
2. Understanding the Adversaries – Understanding how various adversaries leverage different tools in their campaigns, and what motivates the adversaries targeting your industry or region, helps you make correct assessments about malicious sightings in your organization's infrastructure.
3. Aim to Discover & Understand Unknowns – Leveraging Threat Intelligence in your hunting exercises enables you to find known unknowns through known TTPs; as your hunting matures, you subsequently begin to uncover new TTPs adopted by various adversaries.
4. Adopt an Iterative Approach – As highlighted earlier, Threat Hunting is not a binary process; it demands creativity, out-of-the-box thinking and the ability to understand and construct a view of how pervasive an assumed breach is. As you find initial clues, you use them to pivot further in your hunting exercises. This iterative approach allows you to connect the various pieces of the jigsaw puzzle and build a story or narrative.
5. Establish & Test a Hypothesis – A hypothesis is an important starting point for your Threat Hunting and strengthens your iterative approach; however, teams must remain wary of biases when testing their hypotheses.
6. Adopt a Collaborative Approach – Before a collaborative approach can be adopted, it is imperative that the Threat Intelligence Platform (TIP) that houses your Threat Intelligence is integrated with the other Security Devices in your organization, such as Firewalls, SIEM, Vulnerability Management tools and Sandboxing tools, so that it does not function in a silo. These integrations create an environment for collaboration among the different sub-functions of Information Security. Remember that each threat analyst has his/her own expertise, and since Threat Hunting is an iterative process, it is imperative that each analyst picks up where his/her predecessor left off in Threat investigations and contributes to widening the Threat purview.
Please refer to the figure below, which demonstrates the Framework of Integrations that I propose around the Threat Intelligence Platform. Some of these integrations may be limited by the Threat Intelligence Platform's capability to integrate with other Security Solutions, while some platforms may offer further integration capabilities, such as integration with Exchange Server & Active Directory to pull emails from mailboxes and keep a copy of Active Directory identities in the TIP. However, I would caution against integrating these entities with the TIP without engaging your Data Governance and Protection teams, since doing so can create privacy issues for the users whose emails are fed to the Threat Intelligence Platform.
Threat Hunting Classification:
1. Driven by Hypothesis: This stems from a risk-based approach, where an organization that has performed a thorough risk assessment of its mission-critical assets intends to understand the existing threats to its crown jewels. Such hunting exercises are therefore driven by a hypothesis that uses incoming Threat Intelligence as an important component to initiate and drive the Threat Hunting exercise, and in turn generates further Threat Intelligence.
A hypothesis can be built from the inputs of a Risk Assessment, an understanding of your crown jewels, and an understanding of the various threat campaigns carried out by adversaries. The most significant aspect of a hypothesis-driven Threat Hunting exercise is the manner in which the team tests its hypothesis.
Remember that such exercises are iterative by nature and require a collaborative effort to reach a thorough conclusion.
2. Driven by Data: This is an approach adopted by teams to look for potential malicious sightings in their environment based on the data or Intelligence they receive, using it to look for similar signs in their environment through the SIEM, IDS/IPS, Firewall logs, etc. In such an approach, IoCs received either in the form of an Incident Report or from OSINT are used by the team to drive its hunting. Such hunting exercises may not necessarily lead to an understanding of the Threat Actors' motivations.
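As an added illustration (not code from the article) of the data-driven hunt described here combined with the iterative pivoting from value 4 above: a received indicator is swept against constructed firewall log lines, every host that reached it becomes a lead, rare destinations those leads contacted become new indicators, and the hunt repeats until a round finds no new lead. The log format, the IP addresses and the rarity threshold are all assumptions made for the example.

```python
from collections import defaultdict
# Constructed firewall log lines (not from the article): timestamp, src, dst, dport, action.
FIREWALL_LOGS = """\
2024-05-01T10:00:01Z src=10.0.1.15 dst=203.0.113.7 dport=443 action=allow
2024-05-01T10:00:05Z src=10.0.1.15 dst=198.51.100.40 dport=443 action=allow
2024-05-01T10:00:09Z src=10.0.1.22 dst=198.51.100.40 dport=443 action=allow
2024-05-01T10:00:14Z src=10.0.1.30 dst=198.51.100.40 dport=443 action=allow
2024-05-01T10:01:10Z src=10.0.1.15 dst=198.51.100.9 dport=8443 action=allow
2024-05-01T10:02:30Z src=10.0.1.30 dst=198.51.100.9 dport=8443 action=allow
2024-05-01T10:03:00Z src=10.0.1.22 dst=192.0.2.1 dport=80 action=deny
"""
# Constructed seed indicator, as it might arrive in an incident report or an OSINT feed.
SEED_IOCS = {"203.0.113.7"}
RARE_THRESHOLD = 2  # a destination reached by at most this many hosts counts as "rare"

def parse_logs(text):
    """Turn key=value firewall lines into dicts; the first token is the timestamp."""
    events = []
    for line in text.splitlines():
        ts, *kv = line.split()
        ev = dict(pair.split("=", 1) for pair in kv)
        ev["ts"] = ts
        events.append(ev)
    return events

def hunt(events, seed_iocs, max_rounds=5):
    """Round 0 flags every host that reached a seed indicator as a lead. Each later
    round promotes rare destinations reached by leads to indicators and flags hosts
    that reached them as new leads. Returns (leads, indicators, rounds_with_new_leads)."""
    srcs_per_dst = defaultdict(set)
    for ev in events:
        srcs_per_dst[ev["dst"]].add(ev["src"])
    indicators, leads = set(seed_iocs), set()
    for round_no in range(max_rounds):
        new_leads = {ev["src"] for ev in events if ev["dst"] in indicators} - leads
        if not new_leads:
            return leads, indicators, round_no
        leads |= new_leads
        # Pivot: destinations reached by leads that few hosts talk to; widely used
        # destinations (CDNs, update servers) are skipped as probably benign.
        for ev in events:
            if ev["src"] in leads and len(srcs_per_dst[ev["dst"]]) <= RARE_THRESHOLD:
                indicators.add(ev["dst"])
    return leads, indicators, max_rounds

def narrative(events, leads, indicators):
    """One line per lead-to-indicator connection, for the hunt write-up."""
    return [f'{ev["ts"]} {ev["src"]} -> {ev["dst"]}:{ev["dport"]} ({ev["action"]})'
            for ev in events if ev["src"] in leads and ev["dst"] in indicators]
```

On the constructed logs the seed flags 10.0.1.15, the pivot promotes 198.51.100.9 (reached by only two hosts) while leaving the widely used 198.51.100.40 alone, and the second round adds 10.0.1.30 as a lead.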
Threat Hunting changes the operational gear & mindset of the Security Operations Team: it proactively goes on the hunt, contrary to the norm of waiting for anomalous activity to occur or be identified, and it broadly helps the entire organization gain conviction about its Security Posture based on the results of its exercises rather than on the absence of observed anomalous activity.