Authored by PTP’s Rich Hauke, CISSP and Steve Hoevenaar, CISSP
While working with our customers to cost effectively address key risks and to make sense of the security threat landscape, PTP leverages the NIST Cybersecurity Framework. PTP utilizes this framework to manage cybersecurity risk, analyze critical functions, and improve security. The framework describes the five basic, high-level cybersecurity activities as Identify, Protect, Detect, Respond, and Recover. Identify is to know what systems, assets, data, and capabilities exist in your environment; Protect is to utilize proper safeguards to deliver critical functions; Detection is the proper implementation of tools and resources to identify cybersecurity events; Response involves the activities required to take action on detected events; and Recovery covers the activities required to implement resilience plans and to restore services and capabilities impacted during a cybersecurity event. This discussion covers Threat Hunting as part of the Detect activities. Threat hunting is an important process beyond the traditional security monitoring activities utilized to minimize risk in the environment. We also utilize the MITRE ATT&CK knowledge base of adversary tactics as a key component of our threat hunting toolkit.
Threat Hunting Methodology
The goal of threat hunting is to expand or improve the threat detection capabilities that are in place. It’s a highly creative process with no concrete methodology to follow. There are three stages to the process: planning, conducting the hunt, and executing on the findings. Think of the following more as guideposts along the journey.
Planning
Ensure a good understanding of the network and environment. Familiarity with the environment is the best tool available. Use the following to begin formulating the hunting goal.
Understand the network layout:
- Where are the weak points and points of exposure?
- What products and services are running on the network?
- What management tools are used on the network?
- Where are the critical assets and what are they?
- What is already being looked for and how well is it being done?
- Where are the gaps in coverage?
- Do not duplicate effort by looking things that are already effectively handled.
- How would someone attack the network?
- What assets (physical and logical) would be target?
- How would the asset be compromised?
- What tools and methods would be used?
- How have treats against these assets behaved in the past?
The existence of threat intelligence is a boon; however, avoid getting bogged down in the details. For example, it’s better to understand that PowerShell is used in a number of attacks than to concentrate on details that a particular threat actor used the crackit.ps1 PowerShell script against a collection of banks within the last 90 days from IP subnet X.Y.Z.0.
Conducting the Hunt
Research the target in the MITRE ATT&CK knowledge base and other OSINT (Open Source Intelligence) resources. Think about how the target can be compromised and the known techniques that have been utilized in the past. At this point it is important to step back and drop the thought limitations imposed by rules and boundaries. Your adversary disregards the law and will utilize policy and procedures manuals to their advantage. Look at possible detection methods to understand what data needs to be acquired. Document the data sources to be tapped or created to provide activity indicators.
Utilize available tools and resources to gather data related to the target detection methods. Do not get frustrated if the correct resources are unavailable, that is a valid finding to be addressed. Mine the available data for Indicators of Compromise (IOCs) or unusual behavior. Some of these processes may require extensive data mining resources or techniques. Discuss with management about resources required and ask for help early on in the process if required.
Document the findings, positive and negative or any other information that can be used to better the investigative process.
Executing on Findings
Don’t expect results from every hunt as not every hunt will come up with actionable results.
If the hunt reveals IOCs or other issues, open discourse with the customer and communicate the findings appropriately. If the hunt reveals additional monitoring methods or capabilities that need to be implemented, detail the findings and recommendations and bring them to the attention of the appropriate team to be addressed.
Threat hunting is a combination of investigative and forensic techniques to reveal undetected activity. While requiring varying amounts of resources and a certain level of creativity to perform, the return for PTP’s customers and security partners is realized in the increased security and availability of critical functions and capabilities overall.