Threat Hunting

(OBJ 4.8)

Threat Hunting

• Proactive cybersecurity technique to detect threats that haven't been discovered by normal security monitoring
• Involves actively seeking out potential threats within your network, as opposed to waiting for them to trigger alerts
• Focused on analyzing data within the systems that we own and operate on a daily basis.

Steps in Threat Hunting

• Establishing a Hypothesis
  • Conduct threat modeling to identify potential threats with high impact
  • Answer:
    • "Who might want to harm us?"
    • "Who might want to break into our networks?"
    • "How might they be able to do that?"
  • Use threat intelligence to form hypotheses about threat actors or campaigns that may target your organization
• Profiling Threat Actors and Activities
  • Create scenarios to understand how attackers might attempt an intrusion and what their objective may be
  • Determine the type of threat actor (insider, hacktivist, criminal, nation state)
  • Identify their objectives and potential targets
• Threat Hunting Process
  • Utilizes security monitoring and incident response tools
  • Analyzes logs, system data, file systems, and registry information
  • Focuses on finding threats not detected by existing rules
  • Start by assuming that the current rules haven’t flagged potential threats
    • Normal sensors excel at detecting known threats with established signatures in the defense systems
    • Threat hunting is looking for new things that may not already have signatures created for them.
  • Seeks new tactics, techniques, and procedures used by threat actors
    • Seek undetected issues
    • Focus on what bypasses existing rules
    • Explore cases where queries do not yield expected data
• Key Considerations
  • Threat hunters must stay updated on the latest attacks and threats
    • The goal in threat hunting is to uncover and detect new threat tactics and IoCs
  • Use advisories and bulletins published by vendors and researchers to identify new TTPs and vulnerabilities
  • Utilize intelligence fusion and threat data, combining SIEM logs with real-world threat feeds
    • Usually available as TTP or IoC threat data feeds that can be combined with your SIEM to identify suspicious activity in your own networks
  • Example
    • If a process is suspicious, examine other infected hosts and check for similarities
    • Identify how the malicious process was executed on various hosts
    • Identify and create new signatures for the IPS to block future attacks

Benefits of Threat Hunting

• Improves detection capabilities by identifying threats that bypass existing defenses
  • Reveal attack methods, which allows for updated rules for more accurate future detection and prevention
• Enhances threat intelligence by correlating external threat feeds with internal logs
• Provides actionable intelligence to strengthen security measures