Samuel - Threat Hunting

Threat hunting is a proactive approach to identifying cyber threats before they manifest, contrasting with traditional reactive methods. It emphasizes the importance of risk assessment, threat intelligence, and digital forensics in detecting and mitigating threats. The document outlines methodologies for threat hunting, including the use of IOCs and the MITRE ATT&CK framework, and proposes a timeline for implementing effective threat detection strategies.

THREAT HUNTING
Presented by Samuel D A, June 2, 2023


What is Threat Hunting?
Threat hunting is the human-centric process of proactively searching data to discover cyber threats.

Importance of Threat Hunting:
It is a drastic change from the traditional reactive approach of waiting for an internal system, such as an IDS, to notify us that we have been breached.
The hunter detects threats that nothing else detected.
A threat hunter must know the various types of attacks and, often, understand in depth how they manifest; this tells the hunter how and where to detect them.
Knowing about attacks means knowing where to search for them. In many cases you will need to work out how to detect a given attack yourself, which requires simulating it to fill knowledge gaps that published sources do not cover.
Threat hunting aims to reduce dwell time by identifying threats at a very early stage of the infection.
By doing so, it may be possible to prevent attackers from gaining a stronger foothold in the environment and to remove them from the network.
Why is a Risk Assessment report important in Threat Hunting?
With a risk assessment report, a hunter can determine where to focus, so that no vital system is overlooked and resources are not wasted on less vital systems.
The threat assessment report and the business impact analysis report can be used to determine which systems require more focus.
PYRAMID OF PAIN:
The pyramid of pain ranks indicators from hash values and IP addresses at the bottom, through domain names, network and host artifacts and tools, to TTPs at the top.
As we go up the pyramid, adversary-specific indicators become harder to obtain, but each one we detect on costs the adversary more to change.
If we obtain those adversary-specific indicators, we force the adversary to change their attack methods, which is costly for them, though not impossible.
CYBER KILL CHAIN:
The Lockheed Martin kill chain has seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
The first five stages are known as the intrusion stage and the last two stages as the active breach stage.
Our goal is to stop the adversary from progressing through the kill chain. Doing this in the early stages of the chain is always preferred.
The goal is to detect the adversary before their objective is achieved.
THREAT HUNTING MINDSET:
Threat Intelligence
Digital Forensics
THREAT INTELLIGENCE:
Threat intelligence is data on threats. The information comes in various forms from various sources.
The data can be IP addresses, domain names, file hashes or APT group profiles.
Data becomes intelligence when it is analyzed.

3 TYPES OF THREAT INTELLIGENCE:
Strategic: who, why and where
Tactical: what and when
Operational: how

As hunters, we focus more on tactical and operational intelligence, that is, how the adversary does what they do, so we can detect it and prevent further escalation through the attack chain.
This type of hunt is therefore focused on known-bad information.
DIGITAL FORENSICS:
The hunter focuses on host, network and memory forensics when hunting for unknown threats.
Sources: network, VPN and firewall logs, memory forensic artifacts, passive DNS.
The hunter analyzes the digital artifacts to see if there is any indication of a threat.
Hunters do not wait for an alert from an appliance about a potential threat; this is proactive hunting, a human-based detection.
Hunting is of 2 types:
Attack based: did pass-the-hash happen in my network?
Analytics based: does anything look malicious?

The goal of hunting is to transform successful hunts into automated detection.
The outcome of a hunt may be an initial observation of a threat, which starts a forensic investigation.
This detects threats more successfully.
INDICATORS OF COMPROMISE (IOCS):
IOCs are pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.
IOCs help information security and IT professionals detect data breaches, malware infections and other threat activity.
By monitoring for IOCs, organizations can detect attacks and act quickly to prevent breaches from occurring, or limit damage by stopping attacks at an earlier stage.
IOCs are commonly shared in structured documents, for example OpenIOC (an XML format) or STIX, that capture diverse information about threats, including attributes of malicious files, characteristics of registry changes and artifacts in memory.
MITRE ATT&CK FRAMEWORK:
MITRE's Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's attack lifecycle and the platforms they are known to target.
Each technique contains an explanation, procedure examples (often linked to threat reports), mitigations and detection guidance. It also includes metadata such as the system requirements and permissions required to perform the technique.
We want to detect based on the adversary's TTPs.
Data Analysis
To start hunting, we need to determine what we want to hunt for, based on a hypothesis, and then perform the hunt by looking at the data we have.
Before we hunt, we need to collect data. When collecting, we should have a purpose based on what we want to find in that data, to avoid collecting a mountain of noisy logs.
Data analysis is usually performed in a SIEM.
Analyzing the data means searching, aggregating, filtering and joining data together.
Searching gives us the ability to find answers to our questions; a big benefit is that it lets us identify anomalies.
Search queries will be specific to the tool we use for analysis.
HUNTING METHODOLOGY:
Every hunt begins by defining a hypothesis. That consists of:
Identify the specific behaviour we want to hunt for.
Understand the attack technique behind it.
Identify what data we need to detect it.
To achieve this we use a 5 step process:
1. Pick a tactic and technique.
2. Identify the associated procedure.
3. Perform an attack simulation.
4. Identify the evidence to collect.
5. Set the scope.
CREATING A PLAYBOOK BASED ON THE HYPOTHESIS:
For example, let's take lateral movement.
Hypothesis: adversaries have gained access to a system and are attempting to move laterally to other systems in the network.
Playbook:
1. Define scope: identify the network segments and endpoints covered by this hunt.
2. Gather data: collect and analyze the following data sources to identify potential lateral movement attempts: endpoint logs, network logs, application logs and Active Directory logs.
3. Develop queries: develop and run queries across the collected data sources to identify any suspicious activity related to lateral movement. Queries may cover attempts to connect from one internal system to others, attempts to exploit a vulnerability to gain access, and attempts to use compromised credentials to access our systems.
4. Analyze results: review the results of the queries to identify potential IOCs.
5. Take action.
6. Report.
MINIMIZING HUMAN INTERVENTION:
Gather threat intelligence reports from various sources, with a dashboard to manage them easily and monitor them regularly.
Analyze those reports.
Get IOCs for known attacks from various sources and prevent known threats by adding or integrating these IOCs into our security tools.
Create IOCs by simulating attacks and add them to the security tools.
Create queries based on the hypothesis and on the MITRE ATT&CK framework so that our security tools detect threats automatically, and create triggers based on the hypothesis.
Threat intelligence based hunting can be used to detect known threats, and it can be automated to minimize human intervention. Forensics based hunting can be carried out to detect unknown threats; what it finds can be shared across security tools and its detection automated if we encounter the same threat in future.
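As an added example (not from the original slides), the IOC ingestion and matching step above in Python: it parses a constructed threat-intelligence feed of file hashes, domains, IP addresses, a CIDR range and a URL, refangs the defanged indicators feeds commonly carry, and matches them against constructed DNS, proxy and EDR records. The feed layout, the log field names and every indicator value are assumptions made for the example.

```python
"""Automated known-bad matching: IOC feed against DNS, proxy and EDR records.

Added example with constructed data. Shows the normalization a real feed needs
(case, trailing dots, defanging) and the matching rules per indicator type:
exact for hashes and URLs, suffix for domains, network containment for IPs.
"""
import ipaddress
import re

# Constructed feed in the loose text form feeds often arrive in (assumed format).
IOC_FEED = """
# constructed indicators, not from any real report
9E107D9D372BB6826BD81D3542A419D6
evil-cdn[.]example
hxxp://update[.]bad-example[.]net/payload
198.51.100.77
203.0.113.0/24
"""

# Constructed log records from three sources (assumed field names).
LOGS = [
    {"source": "dns", "host": "WS01", "query": "www.evil-cdn.example"},
    {"source": "dns", "host": "WS02", "query": "intranet.corp.example"},
    {"source": "proxy", "host": "WS03", "dst_ip": "198.51.100.77",
     "url": "http://update.bad-example.net/payload"},
    {"source": "proxy", "host": "WS04", "dst_ip": "203.0.113.9", "url": "http://203.0.113.9/"},
    {"source": "edr", "host": "WS05", "image": "C:\\Users\\Public\\svc.exe",
     "md5": "9e107d9d372bb6826bd81d3542a419d6"},
    {"source": "edr", "host": "WS06", "image": "C:\\Windows\\notepad.exe",
     "md5": "0d3ec7b3fc6a9f5f7e6c9e4b2a1d5f8c"},
]

HEX_HASH = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")  # MD5, SHA-1, SHA-256


def refang(s):
    """Undo the common defanging conventions used to make indicators non-clickable."""
    return s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_feed(text):
    """Classify each feed line into a hash, URL, IP network or domain indicator."""
    iocs = {"hashes": set(), "domains": set(), "networks": [], "urls": set()}
    for line in text.splitlines():
        line = refang(line.strip()).lower()
        if not line or line.startswith("#"):
            continue
        if HEX_HASH.match(line):
            iocs["hashes"].add(line)
        elif line.startswith(("http://", "https://")):
            iocs["urls"].add(line)
        else:
            try:  # a bare address becomes a /32 (or /128) network
                iocs["networks"].append(ipaddress.ip_network(line, strict=False))
            except ValueError:
                iocs["domains"].add(line)
    return iocs


def domain_matches(name, domains):
    """True if the name or any parent domain (never the bare TLD) is an indicator."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def ip_matches(ip, networks):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def match_logs(logs, iocs):
    """Return (host, [reasons]) for every record that touched an indicator."""
    hits = []
    for rec in logs:
        reasons = []
        if rec["source"] == "dns" and domain_matches(rec["query"], iocs["domains"]):
            reasons.append("domain:" + rec["query"])
        if rec["source"] == "proxy":
            if ip_matches(rec["dst_ip"], iocs["networks"]):
                reasons.append("ip:" + rec["dst_ip"])
            if rec["url"].lower() in iocs["urls"]:
                reasons.append("url:" + rec["url"])
            hostname = rec["url"].split("://", 1)[-1].split("/", 1)[0]
            if domain_matches(hostname, iocs["domains"]):
                reasons.append("domain:" + hostname)
        if rec["source"] == "edr" and rec["md5"].lower() in iocs["hashes"]:
            reasons.append("md5:" + rec["md5"])
        if reasons:
            hits.append((rec["host"], reasons))
    return hits


if __name__ == "__main__":
    for host, reasons in match_logs(LOGS, parse_feed(IOC_FEED)):
        print(host, ", ".join(reasons))
```

This is the cheap end of the pyramid of pain: hashes, addresses and domains are trivial for an adversary to rotate, so matching them automates detection of known threats only. That is exactly why the slides pair it with forensics based hunting for the unknown ones, and why a successful manual hunt should end as a behavioural query rather than another hash in this list.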
Proposed Timeline
First month: Collect threat intelligence reports and analyze them. Also collect IOCs and add them into the security tools to find known threats.
Second month: From the previous analysis, create IOCs and playbooks to detect those threats in future, and create detection rules based on attack and hypothesis and integrate them into the security tools.
Third month: Detect threats both manually and by automation, and improve the automation to make detection more efficient.
Fourth month: Hunt on real time clients, completing 20 hunts successfully and detecting more threats. Hunting will be based on both automation (threat intelligence) and forensics (manual) to detect threats more successfully.
Thank You!
