Threat hunting (also known as cyber threat hunting) lies at the heart of modern security response services. It seeks out the unknowns in a security environment. It goes beyond security information and event management (SIEM) and other passive detection methods. Instead, threat hunting proactively searches networks, endpoints, and datasets for suspicious activity that evades detection by existing tools.
Two Types of Threat Hunting
Structured hunting looks for indicators of attack (IoAs) and an attacker’s tactics, techniques, and procedures (TTPs). All structured hunts use and align to attacker TTPs. This is how threat hunters often identify threat actors before they can cause damage to a security environment. This type of hunt uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, which comprises the Enterprise and PRE-ATT&CK frameworks.
Unstructured hunting begins with a trigger event. This approach is better suited to intelligence-based hunting, where the trigger could be an indicator of compromise.
Often, the trigger is the cue for a hunter to start looking for pre- and post-detection patterns. Hunters can look for these patterns in old data records wherever data retention and associated offenses permit. The hunter’s approach is based on this research.
Threat hunting uses three models:
- Intel-based hunting. This reactive hunting model uses indicators of compromise (IoCs) from threat intelligence sources as inputs. The hunt then applies pre-designed rules set up by threat intelligence and the SIEM.
- Hypothesis hunting with a threat hunting library. This proactive hunting model is well-suited to the MITRE ATT&CK approach. It uses globally recognized detection methods to identify malware attacks and advanced persistent threats. Hypothesis-based hunts use attacker TTPs and IoAs. Hunters identify bad actors based on domain, environment, and attack behavior data. Combining these, hunters create a hypothesis that aligns with the MITRE framework.
After identifying a behavior, threat hunters monitor activities for patterns that help to detect, identify, and isolate the threat before it does damage.
- Custom hunting. This approach uses industry-specific hunting methods and AI situational awareness. Custom hunting methods identify anomalies in EDR tools and the SIEM, and customer requirements provide the data. You can run these hunts proactively with requirements received from customers or with situation-based information, such as targeted attacks and geopolitical issues.
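To make the difference between the intel-based and hypothesis-based models concrete, here is an added example (not code from the original page or from any vendor's product) that runs both kinds of hunt over the same small batch of telemetry. The IoC feed, the events, the host names and the hypothesis are all constructed for illustration: the intel-based hunt is reactive and matches known indicators field by field, the hypothesis hunt is proactive and tests a behavioral pattern aligned to an ATT&CK technique, and a pivot function pulls a host's timeline so a hunter can look at what happened before and after a trigger, as the unstructured-hunting paragraph above describes.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed threat-intel feed. Values are placeholders (RFC 5737 test
# address, reserved .invalid TLD, dummy hash), not real indicators.
IOC_FEED = {
    "domain": {"update-check.example.invalid"},
    "ip": {"203.0.113.45"},
    "sha256": {"0" * 64},
}

# Constructed telemetry: DNS, netflow, process and file events as an
# EDR/SIEM might export them. Host names are hypothetical.
EVENTS = [
    {"ts": "2024-01-10T09:00:58Z", "host": "ws-17", "type": "process",
     "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"ts": "2024-01-10T09:01:02Z", "host": "ws-17", "type": "dns",
     "query": "UPDATE-CHECK.example.invalid."},
    {"ts": "2024-01-10T09:01:03Z", "host": "ws-17", "type": "netflow",
     "dst_ip": "203.0.113.45"},
    {"ts": "2024-01-10T09:30:00Z", "host": "srv-02", "type": "process",
     "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": "2024-01-10T10:00:00Z", "host": "srv-02", "type": "file",
     "sha256": "0" * 64},
]

# Which event field carries each indicator type.
IOC_FIELDS = {"domain": "query", "ip": "dst_ip", "sha256": "sha256"}


def normalize(kind: str, value: str) -> str:
    """Canonicalize an indicator so case and trailing-dot variants still match."""
    value = value.strip().lower()
    if kind == "domain":
        value = value.rstrip(".")
    return value


def intel_hunt(events, feed):
    """Reactive, intel-based hunt: flag every event carrying a known IoC."""
    canonical = {k: {normalize(k, v) for v in vals} for k, vals in feed.items()}
    hits = []
    for idx, ev in enumerate(events):
        for kind, field_name in IOC_FIELDS.items():
            raw = ev.get(field_name)
            if raw is not None and normalize(kind, raw) in canonical[kind]:
                hits.append({"event": idx, "host": ev["host"],
                             "ioc_type": kind, "ioc": normalize(kind, raw)})
    return hits


@dataclass
class Hypothesis:
    name: str
    technique: str  # ATT&CK technique ID the hypothesis aligns to
    matches: Callable[[dict], bool]


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}

# One constructed hypothesis from a hunting library: an office application
# launching a command interpreter. Mapped to T1059 (Command and Scripting
# Interpreter); the mapping is this example's assumption.
HYPOTHESES = [
    Hypothesis(
        name="Office application spawning a command interpreter",
        technique="T1059",
        matches=lambda ev: ev["type"] == "process"
        and ev["parent"].lower() in OFFICE_APPS
        and ev["image"].lower() in INTERPRETERS,
    ),
]


def hypothesis_hunt(events, hypotheses):
    """Proactive, TTP-based hunt: test each behavioral hypothesis against telemetry."""
    return [
        {"event": idx, "host": ev["host"],
         "hypothesis": h.name, "technique": h.technique}
        for idx, ev in enumerate(events)
        for h in hypotheses
        if h.matches(ev)
    ]


def pivot_on_host(events, host):
    """After a trigger, pull the host's full timeline to inspect pre- and post-detection activity."""
    return sorted((ev for ev in events if ev["host"] == host), key=lambda ev: ev["ts"])


if __name__ == "__main__":
    for hit in intel_hunt(EVENTS, IOC_FEED):
        print("IoC hit:", hit)
    for hit in hypothesis_hunt(EVENTS, HYPOTHESES):
        print("TTP hit:", hit)
    print("Timeline for ws-17:")
    for ev in pivot_on_host(EVENTS, "ws-17"):
        print(" ", ev["ts"], ev["type"])
```

Note what each model finds: the IoC hunt catches the DNS query, the outbound connection and the file hash because they were already known to intelligence, while the hypothesis hunt catches the process launch on ws-17 that no indicator describes. Pivoting on that host then shows the launch preceded the IoC hits by a few seconds, which is the kind of pre-detection pattern an unstructured hunt goes looking for.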
Here are two of the most popular threat hunting frameworks:
- Targeted hunting methods integrated with threat intelligence. This framework aligns with intel-based hunting methods. Triggers come from threat intelligence, historical incidents, red teaming activities, and other sources.
- MITRE PRE-ATT&CK and ATT&CK. This framework includes common methods used by adversaries and extensive knowledge bases that you can apply to specific threat models.
By combining these methods and resources, threat hunting teams get the solid foundation that they need to stand against cyber attackers.