Prelude
The purpose of this article is to give the reader an overview of one threat hunting method, and to show how threat hunting fits into a SOC.
I am a little bit paranoid, and my question to the reader is:
How do you know that you have not been hacked?
Definition
The goal of threat hunting is to proactively uncover attacker presence in an environment, rather than waiting for an alert to fire.
Threat hunting sits in the middle of the four-phase Incident Response lifecycle (NIST SP 800-61), feeding mainly the Detection and Analysis phase:
Preparation
Detection and Analysis
Containment, Eradication, Recovery
Post-Incident Activity
Hypothesis-driven investigation
Kill Chain Analysis and MITRE ATT&CK
I am not going into the details of the Cyber Kill Chain, but with MITRE ATT&CK we are able to categorize the tactics and techniques used by different adversaries; therefore defenders can identify attack behaviors that fit into a given stage of each model.
With Threat Intelligence we are able to analyse the potential adversaries for our industry. Then our IR/Threat Hunt team starts to hunt for those techniques.
Example
Let's say that company_A is in the banking sector. With threat intelligence we collect the TTPs of the APTs/adversaries who are "working" in the financial sector.
One such actor is Scattered Spider. In MITRE ATT&CK we can see which tactics and techniques they use.
![](https://static.wixstatic.com/media/af9495_30b062ab959840df9f23ae0c6ed5e595~mv2.png/v1/fill/w_454,h_218,al_c,q_85,enc_auto/af9495_30b062ab959840df9f23ae0c6ed5e595~mv2.png)
Scattered Spider Tactics and Techniques
Our threat hunters start to hunt for these techniques with custom scripts, SIEM filters, host, network and memory forensics, and map the countermeasures with the MITRE D3FEND framework. Sigma rules let us write the detections for these specific techniques in a vendor-neutral form that the Sigma tooling converts into our SIEM's query language.
For example, Persistence via Account Manipulation of cloud accounts:
![](https://static.wixstatic.com/media/af9495_a0891c5ee32f42d6a09ff7c06d2954d1~mv2.png/v1/fill/w_454,h_239,al_c,q_85,enc_auto/af9495_a0891c5ee32f42d6a09ff7c06d2954d1~mv2.png)
Cloud Accounts
In blue we can see the countermeasures, in yellow the artifact. We have to check every countermeasure: do we actually apply it in our environment?
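As an added example (not the article's code, nor any vendor's), here is a small Python hunt script that does what the paragraphs above describe: it encodes the hypothesis "an actor with stolen credentials persists by manipulating cloud accounts" as a Sigma-style rule and runs it over a handful of constructed CloudTrail-shaped log lines. The field names, the trusted-admin identities in the rule's filter and the log lines are assumptions made for the illustration; the ATT&CK tags T1098 (Account Manipulation) and T1098.003 (Additional Cloud Roles) are real technique IDs.

```python
"""Added example (not the article's code): a hypothesis-driven hunt that
evaluates a Sigma-style rule over constructed cloud audit-log lines.
Hypothesis: a stolen identity persists via cloud account manipulation
(ATT&CK T1098 / T1098.003). Field names, admin identities and the
sample events are assumptions for this illustration, not real data."""
import json

# Sigma-style rule as a dict instead of YAML so the block needs no extra
# dependencies. Only the Sigma subset used here is implemented: field maps
# (ANDed), list values ("any of"), '|endswith', 'selection and not filter'.
HUNT_RULE = {
    "title": "Cloud account manipulation by a non-admin principal",
    "tags": ["attack.persistence", "attack.t1098", "attack.t1098.003"],
    "detection": {
        "selection": {
            "eventSource": "iam.amazonaws.com",
            "eventName": ["AttachUserPolicy", "AttachRolePolicy",
                          "CreateAccessKey", "UpdateAssumeRolePolicy"],
        },
        # Assumed identities expected to change IAM (break-glass admin and
        # the CI role); anyone else doing so is a hunt lead.
        "filter": {
            "userIdentity.arn|endswith": [":user/iam-admin", ":role/terraform-ci"],
        },
        "condition": "selection and not filter",
    },
}

# Constructed CloudTrail-shaped JSON lines (not real data). Lines 2 and 3 are
# the planted persistence: a helpdesk user grants admin rights to a service
# account and then mints a long-lived access key for it.
SAMPLE_LOG_LINES = """\
{"eventTime":"2024-05-01T09:12:03Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"arn":"arn:aws:iam::111111111111:user/iam-admin"},"requestParameters":{"userName":"alice","policyArn":"arn:aws:iam::aws:policy/ReadOnlyAccess"}}
{"eventTime":"2024-05-01T09:40:17Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"arn":"arn:aws:iam::111111111111:user/helpdesk-bob"},"requestParameters":{"userName":"svc-backup","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2024-05-01T09:41:02Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"arn":"arn:aws:iam::111111111111:user/helpdesk-bob"},"requestParameters":{"userName":"svc-backup"}}
{"eventTime":"2024-05-01T10:02:44Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"arn":"arn:aws:iam::111111111111:role/terraform-ci"},"requestParameters":{"roleArn":"arn:aws:iam::111111111111:role/deploy"}}
{"eventTime":"2024-05-01T10:15:00Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","userIdentity":{"arn":"arn:aws:iam::111111111111:user/helpdesk-bob"},"requestParameters":null}
"""

def parse_log_lines(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def get_field(event, dotted):
    """Resolve a Sigma dotted field name ('userIdentity.arn') in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def field_matches(event, key, expected):
    """One Sigma field entry: 'name' or 'name|modifier' against a value or list."""
    name, _, modifier = key.partition("|")
    value = get_field(event, name)
    if value is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    if modifier == "":
        return value in candidates
    if modifier == "endswith":
        return any(str(value).endswith(c) for c in candidates)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")

def block_matches(event, block):
    """A Sigma field map matches only if every field in it matches (AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_matches(event, rule):
    """Evaluate the rule's condition; only 'selection and not filter' is supported."""
    det = rule["detection"]
    if det["condition"] != "selection and not filter":
        raise ValueError("only 'selection and not filter' is implemented")
    if not block_matches(event, det["selection"]):
        return False
    flt = det.get("filter")
    return not (flt and block_matches(event, flt))

def hunt(events, rule=HUNT_RULE):
    """Return hunt leads: matching events reduced to actor, action, target, tags."""
    leads = []
    for ev in events:
        if rule_matches(ev, rule):
            leads.append({
                "time": ev.get("eventTime"),
                "actor": get_field(ev, "userIdentity.arn"),
                "action": ev.get("eventName"),
                "target": get_field(ev, "requestParameters.userName"),
                "tags": rule["tags"],
            })
    return leads

if __name__ == "__main__":
    print(json.dumps(hunt(parse_log_lines(SAMPLE_LOG_LINES)), indent=1))
```

Running it returns the two leads where the helpdesk user grants AdministratorAccess to a service account and then creates an access key for it; the same AttachUserPolicy call made by the break-glass admin is filtered out, and the STS and ListUsers events never enter the selection. In a real hunt the rule would be converted to the SIEM's query language with the Sigma tooling, and the filter list must be kept in sync with the environment's admin inventory: a stale or over-broad filter is the classic way a hunt goes blind to exactly the account it should be watching.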
Conclusion
Hypothesis-driven investigation is just one method of many. Reactive, alert-driven investigations should already be in place, but with threat hunting we are able to open our eyes more horizontally, and where needed we can dig deeper.