Mitigate threats by going on the offensive
While the definition of threat hunting may be straightforward—proactively hunting for threats—the reality of implementing a threat-hunting program is a bit more complicated, as there are different threat-hunting methodologies to choose from.
In order to optimize an offensive approach like threat hunting, it helps to first know the granular ins and outs of your IT/security stacks so you can ensure they're producing actionable information. Once a plan is in place, you should be able to quickly identify signs of compromise across networks, systems, and application environments.
Kicking it off
A solid threat-hunting program usually begins by generating a hypothesis and noting aspects like:
- Program name
- Program purpose
- Expected analysis techniques for the hunt
For example, if your goal is to identify anomalous user-agent strings, documentation might state, “Looking for abnormally short or long user-agent strings or known bad strings.” These actions will help spur deeper thinking and insight as to what your team wants to accomplish with its threat-hunting program. Mitigating threats then occurs by conducting searches against plan criteria, reporting the findings, and launching a plan to secure environments with the help of any and all stakeholders.
Common threat-hunting models
Each established model has its own formula and is essentially a collection of processes designed to take you through a structured approach to searching for specific threats.
The Paris model
The model is named after its ultimate shape on graph paper, it places an emphasis on automation and automated alerts. The entire purpose of this model is to get teams to a state where new use cases are being generated from R&D and having the ability to execute on them.
The TAHITI model
The Targeted Hunting Integrating Threat Intelligence (TAHITI) model is the result of a collaborative effort between several Dutch financial institutions. This model incorporates the Management, Growth, Metrics and Assessment (MaGMa) tool, a spreadsheet that guides stakeholders through the process of generating use cases, operationalizing the hunt, and documenting findings. TAHITI also leverages the “Pyramid of Pain'' concept, designed to make an attack more painful for the threat actor the higher up the hunting-methodology pyramid an organization chooses to go.
The Diamond model
This intriguing model begins with 3 questions to aid in defining strategy:
- What are you hunting?
- Where will you find it?
- How will you find it?
The model contains four approaches based on features of malicious activity:
- An adversary-centered approach can provide deep visibility into threat-actor activities. How are they creating and managing infrastructure? What are their capabilities? The main drawbacks are twofold: This approach relies heavily on the likelihood threat actors will make highly visible mistakes, and it may also require teams to leverage vast resources.
- A victim-centered approach features many opportunities for varied types of hunts where data should be easily obtainable. The drawback is that the sheer number of hunt types could lead to an undisciplined effort.
- An infrastructure-centered approach places focus on a potential adversary’s infrastructure as opposed to that of the threat hunter. There are existing frameworks—such as RiskIQ’s PassiveTotal tool—a team can leverage. The drawback is that hunt findings with this type of approach may not be all that relevant.
- A capability-centered approach leverages data that teams uncover from adversaries. It features the VirusTotal malware library that can be used to generate YARA roles to help scan environments. The drawback is that limited access to adversary tools could hinder the ability to hunt.
Attack vs. data hunting
What exactly does this mean? It might not make sense in any other context, but there are benefits to both attack-based hunting and data-based hunting. Perhaps the biggest advantage attack-based methodologies have is that they can be automated. This is primarily possible because this method is based on indicators of compromise (IoC), such as known bad IP addresses.
Thus there are “landmarks” on which to map the hunt. However, IoCs do tend to become quickly less relevant, so attack-based hunting mostly relies on data from the past month. Teams might want to perform a hunt of this nature if there’s been a recent large-scale breach that could have global implications.
Data-based hunting is a process that incorporates lots of filtering, sorting, and visualization. It’s a manual methodology that primarily looks at more historical trends and anomalies. Teams will usually extrapolate insights from data reaching as far back as six months.
You, too, can start a threat hunt!
Stakeholders should weigh some key criteria when deciding if a threat-hunting program is right for them and worth the money and time spent. If an organization resides in a high-risk or heavily regulated industry, it is likely to be at least a semi-regular target for threat actors. And, allocating personnel or specialists to this task will be an area of heavier investment.
However, this doesn’t have to be a time-consuming process. For example, Managed Detection and Response (MDR) services from Rapid7 will perform wide-ranging threat hunts on behalf of an organization. It also frees up resources by letting someone else—a trusted partner—deal with threat alerts.
Restating the importance of the planning phase, it’s of paramount importance to be clear on your objective. In this way, teams will ultimately know if enacting a threat hunt is necessary and/or if they have the technological capability from an equipment or personnel perspective to successfully launch. From here, more insight will follow on the ability to scale the program. How frequently are hunts needed? Are there extenuating circumstances that may require off-plan hunts? And, perhaps the most important question, do automation capabilities exist and, if not, how can they be acquired and implemented?
For a deeper exploration of threat hunting, how to quickly stand up a hunting program, and much more, head over to this on-demand webcast.