CONTENTS
INTRO TO HUNTING .......... 02
1|Page
Threat Hunting Procedures
1. Intro to Hunting – What It Is, Why It’s Important
Threat hunting is a proactive, hypothesis-driven process for investigating cyber-attacks. It is the
human-driven, proactive and iterative search through networks, endpoints, or datasets to detect
malicious, suspicious, or risky activities that have evaded detection by existing automated tools.
Threat hunting has been around for a while, but it has only recently become a focus of modern
enterprise Security Operation Centres (SOCs). Hunting can revolutionize the threat detection efforts
of an organization.
The purpose of hunting is specifically to find what has escaped the automated alerting and
monitoring systems. Hunting means searching for anomalies by patrolling through data, rather than
investigating an alert raised by the SIEM.
It is also important to keep in mind that successful hunting is tied to capabilities in three different
areas:
(The Hunting Maturity Model is a prescriptive model; many organizations will be at varying levels of
capability, excelling at some criteria and less advanced in others.)
Figure 2: Threat-hunting maturity model
The Hunting Maturity Model describes five levels of an organization’s proactive detection capability.
Each level of maturity corresponds to how effectively an organization can hunt based on the data
they collect, their ability to follow and create data analysis procedures (DAP), and their level of
hunting automation. The HMM can be used by analysts and managers to measure current maturity
and provide a roadmap for improvement. Often these improvements focus on a combination of tools,
processes, and personnel.
Analytical Mindset: This is, without question, the most important skill an analyst can possess.
Without the innate curiosity in and pursuit of the “huh … that’s weird,” an analyst can have all the
data in the world, but they will inevitably find themselves missing pieces of the puzzle. The analyst
needs to be able to make reasoned assumptions and chart a new course when the trail runs cold.
Log Analysis: Logs from services and devices are just a couple of the most important and underutilized
sources of intelligence for any security department. The ability to analyze logs for anomalies and pivot
between data sources to see the big picture is a key competency.
Network Forensics: The ability to read and understand packet capture data and determine whether
network traffic is malicious. If you’re fortunate enough to extend your NSM capabilities to the
endpoint with an EDR product, a sound foundation in host-based forensics is key to complement your
network knowledge.
Network Architecture: An understanding of different network devices and how they operate within
the environment.
Attacker Lifecycle: Understanding the different events that happen at any given stage in an attack
lifecycle will better prepare your analysts to compartmentalize and prioritize their findings and
activities.
Tools: This is an incredibly broad area, but at a foundational level, an understanding of how log
aggregators ingest data, as well as of the function of packet capture analysis tools, is essential for the
analyst.
OS Architecture: Different operating systems represent different attack vectors. A strong grasp of
Windows- and Linux-based operating systems is essential.
Attack Methods: Exploit Kits, Malware, Phishing, and software misconfigurations. Understanding
how an attacker attempts to penetrate your network is key to hunting for indicators of the behavior.
CTI’s main objective is to provide companies with an in-depth understanding of the cyber-threats that
pose the greatest risks to their infrastructure and of how to protect their business in the long run.
Cyber threat intelligence gathers raw information about new and existing threat actors from many
different sources. CTI teams then analyze the collected data to produce threat intelligence feeds and
reports containing only the most important information, which can be used by automated security
controls and by management to make security decisions for the company. The fundamental purpose
of this kind of security is to keep companies informed of advanced threats and exploits.
The graphic below defines the data collection framework, which is designed to help organizations
focus on discovering and qualifying security incidents and attacks.
Figure 4: Data Collection Framework
Internal Sources: internal sources are data generated within the boundary of an organisation, such
as past incidents, SIEM alerts, VA/PT reports, etc. These data sources are very important and
helpful for the threat hunter in building a hypothesis. Hypotheses built on internal data sources are
highly effective and realistic. Below are some examples of internal sources:
• Past incidents
• Reconnaissance attempts against your infrastructure
• Threats to specific lines of business and industry verticals
• Threats to customers’ intellectual property
• VA/PT reports
External Sources: external sources for developing a hypothesis are data generated outside the
boundary of an organisation, or data published by other vendors, such as threat intel feeds, the TTPs
of an attack, OSINT, threat advisories, government advisories, etc. Hypotheses built on external
sources are proactive hypotheses that are one step ahead of the monitoring system. Below are some
examples of external sources:
Figure 5: MITRE ATT&CK Refresher
MITRE ATT&CK Recent Developments: https://attack.mitre.org/resources/updates/
IV. Hypothesis: HTTP referrer header
Hunt For: Malicious referring domains
Possible Threat: Watering hole and JS exploit kits
Format: Count, HTTP referrer, HTTP status code (302)
Format: Count of traffic, Client IP, Server IP, Server port
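Both hypothesis formats above (count by HTTP referrer and status code, and count of traffic by client IP, server IP and server port) are "stack counting": group the records by the listed fields, count each group, and read the result rarest-first, because a referrer or a destination that appears once or twice across the estate is where the watering-hole redirect or the odd outbound session tends to sit. The following Python is an added example, not part of the original document; the proxy and connection log lines are constructed, the field layout is assumed (real proxy formats differ), and the function names are mine.

```python
"""Stack-counting helper for two hunting hypotheses: rare HTTP referrer
domains behind 302 redirects, and rare client/server/port triples.
Example code added for illustration; not from the original document.
All log lines below are constructed."""
from collections import Counter
from urllib.parse import urlparse

# Constructed proxy log (assumed layout): time, client IP, status, URL, referrer.
# A referrer of "-" means the request carried no Referer header.
PROXY_LOG = """\
2024-01-10T09:00:01 10.0.0.5 200 http://intranet.example.com/ -
2024-01-10T09:00:02 10.0.0.5 302 http://ads.example.net/r?x=1 http://news.example.com/story
2024-01-10T09:00:03 10.0.0.7 302 http://ads.example.net/r?x=2 http://news.example.com/story
2024-01-10T09:00:04 10.0.0.9 302 http://cdn.example.org/lp http://unusual-site.invalid/post
2024-01-10T09:00:05 10.0.0.9 200 http://cdn.example.org/lp http://unusual-site.invalid/post
2024-01-10T09:00:06 10.0.0.11 302 http://ads.example.net/r?x=3 http://news.example.com/story
"""

# Constructed connection log (assumed layout): client IP, server IP, server port.
CONN_LOG = """\
10.0.0.5 93.184.216.34 443
10.0.0.5 93.184.216.34 443
10.0.0.7 93.184.216.34 443
10.0.0.9 203.0.113.77 4444
10.0.0.5 93.184.216.34 443
10.0.0.7 93.184.216.34 443
"""


def parse_proxy_log(text):
    """Split space-delimited proxy lines into dicts and derive the referrer domain."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referrer = line.split()
        host = urlparse(referrer).hostname if referrer != "-" else None
        records.append({"time": ts, "client": client, "status": status,
                        "url": url, "referrer": referrer,
                        "referrer_domain": host or ""})
    return records


def parse_conn_log(text):
    """Split space-delimited connection lines into dicts."""
    records = []
    for line in text.splitlines():
        if line.strip():
            client, server, port = line.split()
            records.append({"client": client, "server": server, "port": port})
    return records


def stack_count(records, keys):
    """Group records by the named fields; return (count, *values) rows,
    rarest first, which is the order a hunter reads a stack in."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return sorted(((n,) + key for key, n in counts.items()),
                  key=lambda row: (row[0], row[1:]))


def hunt_referrers(text, status="302"):
    """Hypothesis IV: count referrer domains on responses with the given status
    (302 by default), dropping requests that had no referrer at all."""
    recs = [r for r in parse_proxy_log(text)
            if r["status"] == status and r["referrer_domain"]]
    return stack_count(recs, ["referrer_domain", "status"])


def hunt_connections(text):
    """Count traffic by client IP, server IP and server port, as in the second format."""
    return stack_count(parse_conn_log(text), ["client", "server", "port"])


def rare(stack, max_count=1):
    """Keep only the rows at or below a count threshold: the review list for the hunt."""
    return [row for row in stack if row[0] <= max_count]


if __name__ == "__main__":
    for row in hunt_referrers(PROXY_LOG):
        print("referrer", row)
    for row in hunt_connections(CONN_LOG):
        print("connection", row)
    print("rare referrers:", rare(hunt_referrers(PROXY_LOG)))
```

On the constructed data the referrer stack puts unusual-site.invalid (one 302) above news.example.com (three), and the connection stack puts the single 10.0.0.9 to 203.0.113.77:4444 session first. The threshold in `rare` is a judgement call per environment: on a large proxy log a count of one is noise, so hunters usually also suppress a list of known-good domains before reading the stack.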
5. Other Hunting Hypotheses
This rating is reserved for threats that will result in an impact to the organization.
HIGH
A threat is categorized as HIGH if:
MEDIUM
A threat is categorized as MEDIUM if:
LOW
A threat is categorized as LOW if:
Prepared By:
-Vishal Kumar
Threat Analyst