What Is Threat Hunting
Threat hunting is the proactive, analyst-driven process to search for attacker tactics, techniques, and procedures (TTP) within a network environment. Adversary TTPs are researched to understand what to search for in the log sources gathered by your SIEM or network analyzer tools.
Information about attacker TTPs most often originate in the form of indicators of compromise observed from threat intelligence sources such as vendor threat feeds, virus repositories, three-letter agency disclosures, and social media posts
Threat Hunting Activities
Rather than rely on alerts from the SIEM to kick off an investigation, analysts should be proactively engaging in threat hunting investigations to uncover suspicious or malicious activity. The workflow should incorporate formal activities to ensure an investigations integrity, such as, but not limited to;
- Curating tailored threat lists (IP, hash, domain, keywords)
- Researching the TTPs of various threat groups
- Crafting precision searches on the SIEM based off attack framework use-cases
- Monitoring news & social media for adversary information
Attack Frameworks & MITRE ATT&CK
The MITRE ATT&CK framework is a knowledge base of adversary behavior, a common language to share intelligence based off a standard model. The matrix can be used to organize and formulate proactive investigations by emulating adversary techniques that are most likely to target network environments.
The adversary tactics are at the top and the columns list all the known ways of accomplishing the tactic. Moreover, techniques can belong to more than one tactic. Analysts routinely use the matrix to craft precision searches, come up with SIEM use cases to trigger alarms, and start proactive investigations using the various tools at their disposal.
Threat lists should be compiled from various open source intelligence feeds, malware repositories, and malware researchers on social media in order to create a threat list to trigger alarm use cases in the SIEM.
Below are some examples of open sources of threat intelligence feeds;
- Abuse CH Feodo, Ransomware, SSL Blacklist, and URLHaus threat lists
- Mirai Botnet tracker
- VirusTotal Community Threat intelligence
- AlienVault Threat Intelligence Feeds
Analysts should proactively scour these sources to update and improve the threat lists that are triggering any IOC based SIEM alarms.
Now that you have a general idea of where to gather threat intelligence, the next part is, putting it all together with MISP.
MISP Project is an open source threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.
What makes MISP an excellent tool to incorporate into your security solution is how easy it is to share threat intelligence between different organizations or data feeds. MISP sharing comes in two flavors, feeds we all know such as abuse.ch and the ability to connect to other MISP instances.