The buzz word first came in 2014 and individuals who were actually performing activities such as hunting for adversaries within network interested in Threat Hunting agreed with it on all aspects. During Threat Hunting and/or intelligence gathering or incident response we are mostly concentrating on identifying indicators of compromise and normally follow these steps:
- Collect Indicators of Compromise – Basic/Advanced Threat intelligence platform – Yes I have collected Indicators of compromise from all over world than what ?
- Compare the IOCs with internal logs – SIEM – to understand the extent of infection – lateral movements as we say. One can also use specific tools for this – carbon black, palantir, dark trace etc.
- Detect and mitigation – most of the time by running anti-virus and/or restoring the system from backup or re-installing a fresh copy.
Most organisation perform mentioned points believing that this is their Incident Response plan and threat hunting procedure, but they actually only performed 2-3 stages – Identification, Recovery and Follow-up/lesson learned.
This is somewhat I call as Reactive approach, as the name suggests incident response – responding to an incident. However, there is another approach -pro-active approach – where team of experience Incident Responders will look through the network and identify anomalies and/or unwanted entities within a network. Threat Hunting was it called. The days of external organisations notifying you of an infection or data exfil or their own data showing up on pastebin are increasing and organisation must have Threat Hunting and IR capabilities well invested and implemented. Proper Process and procedure are important as well in understanding how to perform these duties. Consider following:
Following is the pyramid of pain
http://detect-respond.blogspot.com.au/2013/03/the-pyramid-of-pain.html
The diagram has a scale that shows relationship between the indicators of compromise a Threat Hunter or an incident responder can find and how much pain it will cause to use them to detect the adversary.
Threat hunting and Incident response goes beyond just deploying a product within the network and responding based on what it alerts. It goes beyond normal rule and/or signature based mechanisms to detect threats that one cannot detect with just plug-n-play devices. Both requires human factor to perform these actions. Deep diving into the networks and looking for adversaries (active defense and/or pro-active investigations) is a must have within the organisation and Incident Responders and IT Team must work hand in hand. And don’t forget to involve Forensics. Yes, we need forensics to gather evidence properly.
Threat Hunting phases :
- Create and/or define Hypotheses
- Investigate via tools and techniques
- Identify new patterns and TTP (Tools, techniques and procedure)
- Inform and update analytics platform and/or database
- Start 1
It’s my pleasure to announce that I recently got honoured to co-author a book with Don Murdoch. The book will be used as a field guide and/or playbook for Threat hunters during Threat Hunting.
Happy Hunting !!!!