In the world of cybersecurity there are always new concepts appearing, marketing words that can start to sound with different force. I remember a few years ago at the BlackHat security conference they started with EDR (Endpoint Detection and Response), Machine Learning and the now famous Artificial Intelligence (AI). Today we hear Threat Hunting as a function within the cybersecurity threat detection process because more and more people are acting as hunters trying to follow the clues, identifying movements, keeping track of everything that happens in a given environment in order to determine how it has been affected and the level of severity.
A while ago, SIEM (Security Information Event Management) promised us to identify the different phases of an attack by applying security correlations to detect threats, which in other words was associating different sources of information by joining data at some point in order to determine what is happening, has happened or will happen in our infrastructure.
So we have been seeing this concept of identifying threats in information technologies for some time now, and there are multiple methodologies, standards, studies and many technological products. But let's focus on these times.
Threat Hunting, ... What makes this concept different from the threat detection processes of a few years ago? I think the answer lies in the famous 3 V's: Variety, Velocity and Volume.
The number of attacks, the diversity of attacks and a high variety of both characteristics and targets, along with the volume of information we need to collect to understand the whole environment also plays a very important role. So Threat Hunting actually leads us to create a more proactive process.
It is also important to emphasize the difference between detecting something that is happening, detecting it by a known rule, to assuming that we are under attack, assuming that we have already been breached and from that premise proving the opposite.
The initial focus of Threat Hunting is going to be "We are already Vulnerable", there is an attacker inside my infrastructure, I am exposed, then .... I have to find him.
In A3Sec we will be holding a webinar in a few weeks where we will show the advantages of Threat Hunting.
How we do Threat Hunting
We can find various information on the internet, but I would like to take you through the concept that already exists and without the intention of inventing the black thread of the matter. We start with the Kill Chain.
We understand that there are a series of phases in which an attacker can achieve the identification, exploitation and compromise of a technological infrastructure.
The image above shows us what these phases of the Kill Chain look like. Below is an image that explains a little more in detail.
A
Now with the steps in mind, let's look at the following ATT&CK concept from MITRE (https://attack.mitre.org). Mitre is a US non-profit organization that conducts different research and the ATT&CK Matrix is a knowledge base that documents a series of tactics, techniques and procedures (TTP) that attackers use against their victims.
An example of the ATT&CK matrix is as follows:
We now have a path to follow Kill Chain and a set of tactics, techniques and procedures so we have an important part for Threat Hunting. Understanding these concepts and how they come together will help us within our Threat Hunting journey.
Now ... the tools.
What tools can we use for Threat Hunting?
In productive environments always include elements such as a SIEM, an EDR, a SandBox, Honeypots, IDS and contextualization sources, threat intelligence data sources, such as blacklists, domain lists or Hash of files recognized as malicious, will help us to create our threat hunting processes.
The more we can automate, the better. Contextualizing information, investigating where it has been seen before, who has seen it and whether it is a recognized risk, can be a repetitive task that can take longer than necessary when hunting, so having scripts or programs, or even a SOAR, is essential.
If we wanted to build a Threat Hunting Lab to see how all these elements work, there is a compilation of tools called Helk (Article ) by Roberto Rodriguez @Cyberwardog, who has used Open Source software to create a platform that supports this concept for learning and creating your own threat cycles, which helps in sharpening both your eye and increase your experience. The series of posts that Threat Hunting Lab (Article ) created can be interesting.
Now for a productive environment we need a SIEM as a base. I recommend this post (Article ) of our expert Patricia Chavez, in which she talks about the characteristics to consider in a SIEM.
If you want to see how an EDR can work, we have a video created by another A3Sec expert Jorge Imúes, where he shows an attack and how we can observe it with a state-of-the-art EDR.
Threat Hunting, although it seems new, is a compendium of multiple methodologies using new tools in a world full of data and information in pieces. The association of these pieces with experience, not only your own, but also other people's, can help you hunt better, find the attackers' paths and identify an attack more efficiently.
To summarize, we can conclude:
- Know your environment.
- dentify how tools talk to each other.
- Take advantage of external knowledge (TIP Threat Intelligence Platforms - TTPs).
- Make a hypothesis: I have been hacked is no longer a can happen, it is when it will happen to me.
- Research to generate long-term knowledge.
- Consider tools that allow you to learn and evolve in your hunting processes.
These processes are not a foolproof recipe for identifying threats, but by structuring the detection processes you can improve response times and adapt to an organizational reality beyond looking for Plug&Play solutions. The solutions that support your Threat Hunting process should reduce integration, learning and reaction times.