The document discusses threat hunting techniques and achieving maturity in threat hunting programs. It introduces threat hunting and defines it as proactively searching networks to detect advanced threats. It then covers threat hunting maturity models ranging from initial to leading levels. Common threat hunting techniques like searching, clustering, grouping and stack counting are explained. The threat hunting loop process of creating hypotheses, investigating, uncovering patterns and informing analytics is also outlined. Finally, two practical threat hunting case studies on potential command and control activity and suspicious emails are described.
4. Threat Hunting Basics
• What is Threat Hunting?
It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions."
• Why is Hunting Required?
Alerting from Security systems is important, but cannot be the only focus of a
detection program.
Primary goals of a hunting program should be to improve detection by
prototyping new ways to detect malicious activity and then turning those
prototypes into effective new automations.
There are no “one size fits all”-type solutions in threat hunting.
5. How many of you think that your organization does Threat Hunting?
7. Hunting Maturity Model (HMM)
Initial [HMM 0]
• Relies primarily on automated alerting (e.g. SIEM, IDS/IPS).
• Alerting by threat indicators fed to monitoring systems.
• At this level you cover only the basics.
Minimal [HMM 1]
• At least some routine data collection.
• Incorporate TI searches.
• Hunting from a central location like a SIEM.
Procedural [HMM 2]
• Follow data analysis procedures available on the Internet.
• Most organizations with an active threat hunt program fall under this category.
Innovative [HMM 3]
• Threat hunters create procedures using their own data analysis techniques.
• Aided by linked data analysis, data visualization and machine learning.
Leading [HMM 4]
• Similar to HMM 3 but involves automation.
• Involves automation of the majority of data analysis procedures.
8. Now, do you think that your organization does some level of Threat Hunting?
9. What level of threat hunting maturity has your organization achieved?
11. Primary Threat Hunting Techniques
• Searching
• Clustering
• Grouping
• Stack Counting
• Searching is the process of querying data for specific results or artifacts.
• Requires finely defined search criteria to prevent result overload.
Example:
Searching for IOCs for a specific exploit like Gh0stRAT.
Domain = mdzz2019.noip.cn
• Stack Counting involves counting the number of occurrences for values of a particular type, and analyzing the outliers or extremes of those results.
Example:
Categorizing particular kinds of outbound connections by frequency.
Benign web traffic goes through port 80; ports 55419, 2266, 3333 and 21, which have only one connection each, are the outliers worth examining.
• Clustering is a statistical technique, aided by Machine Learning.
• Consists of separating groups (clusters) of similar data points based on certain characteristics out of a larger set of data.
Example:
Multiple servers accessed by only a few machines, at a time when other machines didn't access these servers at all.
Port 445 access to web servers from a few desktops / laptops.
• Grouping consists of taking a set of multiple unique artifacts and identifying when multiple of them appear together based on specific criteria.
Example:
Visualize the frequency of command execution across hosts in a specific timeframe.
whoami command spawned by a script.
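The two examples above (stack counting outbound ports, grouping script-spawned whoami executions) as working code. This is an added example, not code from the deck; the proxy log lines and process events are constructed, and the sets of script interpreters and reconnaissance commands are the example's own assumptions.

```python
from collections import Counter, defaultdict

# Constructed proxy log (not from the original deck): src_host dst_ip dst_port
PROXY_LOG = """\
ws01 93.184.216.34 80
ws02 93.184.216.34 80
ws03 203.0.113.10 80
ws01 203.0.113.10 80
ws04 198.51.100.7 80
ws02 203.0.113.10 80
ws05 198.51.100.7 55419
ws03 198.51.100.9 2266
ws06 203.0.113.77 3333
ws07 198.51.100.21 21
"""


def stack_count_ports(log_text):
    """Stack counting: count outbound connections per destination port."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _src, _dst, port = line.split()
        counts[int(port)] += 1
    return counts


def rare_values(counts, threshold=1):
    """The bottom of the stack: values seen at most `threshold` times are the outliers."""
    return sorted(value for value, n in counts.items() if n <= threshold)


# Constructed process-creation events: (timestamp, host, parent_image, image)
PROCESS_EVENTS = [
    ("2019-03-01T09:00:01", "ws01", "explorer.exe", "cmd.exe"),
    ("2019-03-01T09:00:05", "ws01", "cmd.exe", "whoami.exe"),
    ("2019-03-01T09:01:10", "ws02", "wscript.exe", "whoami.exe"),
    ("2019-03-01T09:01:12", "ws02", "wscript.exe", "net.exe"),
    ("2019-03-01T09:02:00", "ws03", "powershell.exe", "whoami.exe"),
    ("2019-03-01T09:02:03", "ws03", "powershell.exe", "net.exe"),
    ("2019-03-01T09:05:00", "ws04", "explorer.exe", "notepad.exe"),
]

# Assumed lists for this example; tune them to the environment being hunted.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
RECON_CMDS = {"whoami.exe", "net.exe", "ipconfig.exe", "systeminfo.exe"}


def group_script_spawned_recon(events):
    """Grouping: per host, collect recon commands whose parent is a script interpreter.

    whoami launched from an interactive cmd.exe (ws01) is not grouped, so the
    result highlights hosts where a script is enumerating the machine.
    """
    groups = defaultdict(list)
    for ts, host, parent, image in events:
        if parent.lower() in SCRIPT_HOSTS and image.lower() in RECON_CMDS:
            groups[host].append((ts, parent, image))
    return dict(groups)


if __name__ == "__main__":
    counts = stack_count_ports(PROXY_LOG)
    print("port stack:", counts.most_common())
    print("outlier ports:", rare_values(counts))
    for host, hits in group_script_spawned_recon(PROCESS_EVENTS).items():
        print(host, "->", [image for _, _, image in hits])
```

Stack counting is only as good as the field chosen: counting by destination port surfaces 55419, 2266, 3333 and 21 here, but the same data stacked by destination IP or by source host would surface different outliers, which is why a hunt usually stacks several fields before deciding what to chase.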
12. How many of you think Threat Hunting is a technique?
14. Often the First Threat Hunting Result
Indicators from Internet [IP / URL] X Proxy Logs [IP / URL] = Search Finished. [0] No match Found
• Why did it fail?
Because Threat Hunting is a PROCESS.
• Create a hypothesis according to Business requirements and then follow the Hunting Loop.
15. THREAT HUNTING LOOP
Create Hypothesis -> Investigate via Tools and Techniques -> Uncover new patterns -> Inform and Enrich Analytics -> (back to Create Hypothesis)
• Hypothesis:
An educated guess about some type of activity that might be going on in your IT environment.
• Investigate:
Discover new malicious patterns in your data and reconstruct complex attack paths to reveal an attacker's Tactics, Techniques, and Procedures (TTPs).
• Uncover:
Uncover the specific patterns or anomalies that might be found in an investigation.
• Analytics:
Automate their detection so that your team can continue to focus on the next new hunt.
16. What do you need for Threat Hunting?
You can’t hunt if you don’t have the right data, but what is the right
data?
General List of Datasets
• Endpoint Data
[E.g. Process execution metadata; Registry access data; File Data; Network Data;
File Prevalence]
• Network Data
[E.g. Network session data; Proxy logs; DNS Logs; Firewall Logs; Switch & Router
Logs]
• Security Data
[E.g. Threat Intelligence; SIEM Alerts; Friendly Intelligence]
18. Case Study I: Potential C2 Activity
• Goal: Identify potential C2 activity utilizing dynamic DNS (DDNS) that
could avoid possible detection.
• Datasets Required:
1. DNS query logs (outbound traffic)
2. Proxy logs (outbound traffic)
3. A list of dynamic DNS provider domain names (e.g. malwaredomains.com)
• Analysis Technique Used:
• Searching
• Stack Counting
19. Case Study I: Potential C2 Activity
• What should you look for?
1. List the domains hosted on dynamic DNS (DDNS) providers (e.g. no-ip.*; ddns.*; etc.)
2. Utilize a lookup or feed of known dynamic DNS (DDNS) domains to query against data in a SIEM or log aggregator.
• In DNS query logs:
1. Trace the DNS query back to the source machine inside your network
2. Determine which host made the original DNS query
• In Proxy Logs:
1. Determine the IP address that the dynamic DNS hostname resolves to
2. Determine ports/protocols communicated over
3. Determine the bytes in and bytes out
4. Determine the frequency and interval
If the results are found to be suspicious in nature:
SWITCH ON – INCIDENT RESPONSE MODE
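Case Study I carried through in code: search DNS query logs for names under known DDNS providers, trace each hit back to the querying host, then stack the matching proxy sessions per host and name to get resolved IP, ports, bytes in/out, connection count and the interval between contacts. This is an added example, not the deck's own procedure; the DDNS suffix list, both logs and the beacon-regularity threshold are constructed assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed DDNS provider suffixes (the deck names no-ip.* and ddns.*; in practice
# this comes from a maintained feed as the deck suggests).
DDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "noip.cn", "ddns.net", "hopto.org")

# Constructed DNS query log: timestamp source_host queried_name
DNS_LOG = """\
2019-03-01T08:00:00 10.0.0.21 www.example.com
2019-03-01T08:00:10 10.0.0.21 host1234.ddns.net
2019-03-01T08:00:11 10.0.0.35 cdn.example.net
2019-03-01T09:00:09 10.0.0.21 host1234.ddns.net
2019-03-01T10:00:11 10.0.0.21 host1234.ddns.net
2019-03-01T11:00:10 10.0.0.21 host1234.ddns.net
2019-03-01T12:30:00 10.0.0.35 files.hopto.org
"""

# Constructed proxy log: timestamp src_host dst_name dst_ip dst_port bytes_in bytes_out
PROXY_LOG = """\
2019-03-01T08:00:12 10.0.0.21 host1234.ddns.net 198.51.100.44 443 512 2048
2019-03-01T09:00:11 10.0.0.21 host1234.ddns.net 198.51.100.44 443 498 2100
2019-03-01T10:00:13 10.0.0.21 host1234.ddns.net 198.51.100.44 443 505 1990
2019-03-01T11:00:12 10.0.0.21 host1234.ddns.net 198.51.100.44 443 510 2075
2019-03-01T12:30:05 10.0.0.35 files.hopto.org 203.0.113.8 80 81920 1200
"""


def is_ddns(name):
    """Searching criterion: the name is exactly a DDNS suffix or a label beneath one."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in DDNS_SUFFIXES)


def search_ddns_queries(dns_log):
    """Step 1 and 2 from the deck: DDNS names queried, traced back to the querying host."""
    hits = defaultdict(set)
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, src, name = line.split()
        if is_ddns(name):
            hits[name].add(src)
    return dict(hits)


def profile_proxy_sessions(proxy_log, names):
    """Proxy-log steps: resolved IP, ports, bytes in/out, frequency and interval per (host, name)."""
    sessions = defaultdict(list)
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        ts, src, name, ip, port, b_in, b_out = line.split()
        if name in names:
            sessions[(src, name)].append(
                (datetime.fromisoformat(ts), ip, int(port), int(b_in), int(b_out)))
    profile = {}
    for key, rows in sessions.items():
        rows.sort()
        times = [r[0] for r in rows]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        profile[key] = {
            "resolved_ips": sorted({r[1] for r in rows}),
            "ports": sorted({r[2] for r in rows}),
            "bytes_in": sum(r[3] for r in rows),
            "bytes_out": sum(r[4] for r in rows),
            "connections": len(rows),
            "mean_interval_s": mean(gaps) if gaps else None,
            "interval_stdev_s": pstdev(gaps) if gaps else None,
        }
    return profile


def flag_beacons(profile, min_connections=3, max_jitter_ratio=0.1):
    """Repeated contact at a near-constant interval is the pattern worth escalating."""
    flagged = []
    for key, p in profile.items():
        if p["connections"] < min_connections or not p["mean_interval_s"]:
            continue
        if p["interval_stdev_s"] / p["mean_interval_s"] <= max_jitter_ratio:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    hits = search_ddns_queries(DNS_LOG)
    profile = profile_proxy_sessions(PROXY_LOG, set(hits))
    for key, p in profile.items():
        print(key, p)
    print("escalate to incident response:", flag_beacons(profile))
```

A single connection to a DDNS name (10.0.0.35 to files.hopto.org) stays in the profile for an analyst to eyeball but is not flagged; the hourly, low-jitter, upload-heavy sessions from 10.0.0.21 are. Interval regularity is one signal among several, so the bytes and port fields are kept in the profile rather than reduced to the flag alone.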
20. Case Study II: Suspicious email notification from an employee which is MalSpam
• Goal: Identify whether any user / system in your environment has fallen prey to malspam
• Datasets Required:
1. Firewall logs (outbound traffic)
2. Proxy logs (outbound traffic)
3. Sandbox logs
4. Email Gateway and server logs
5. EDR Logs
• Analysis Technique Used:
• Searching
• Grouping
21. Case Study II: Suspicious email notification from an employee which is MalSpam
• In Email Gateway and server logs
1. Check for all the recipients of this malspam.
2. Check how many of them got it successfully delivered.
• In Sandbox Logs
1. Check if the email contains malicious Domains / URL links.
2. Check for the hash value of the file downloaded.
3. Check the IP address the Domain / URL resolves to.
• In Proxy Logs
1. Check if any user has clicked on the Domains / URLs identified.
2. Check if the payload was downloaded onto the user's machine.
22. Case Study II: Suspicious email notification from an employee which is MalSpam
• In EDR Logs
1. Check if the payload was successfully executed on the user's machine.
• In Firewall Logs
1. Check if there was communication to any suspicious IP.
2. Check bytes in and bytes out to verify whether there was any data exfiltration attempt.
At any of the stages mentioned, if the results confirm successful infection then immediately:
SWITCH ON – INCIDENT RESPONSE MODE
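Case Study II as a grouping exercise in code: each log source (email gateway, sandbox findings, proxy, EDR, firewall) is joined on the recipient or their host, and every recipient is assigned the furthest stage of the malspam chain they reached, which decides who goes to incident response. This is an added example, not the deck's own tooling; every log line, the URL, the payload hash placeholder, the C2 IP and the user-to-host inventory are constructed for the example.

```python
# All data below is constructed for this example; the hash and IPs are placeholders.
MALICIOUS_URL = "http://invoice-example.test/doc.php"      # from sandbox findings
PAYLOAD_HASH = "PLACEHOLDER_SHA256_OF_PAYLOAD"             # from sandbox findings
C2_IPS = {"198.51.100.200"}                                # IP the URL resolved to

EMAIL_GATEWAY_LOG = [
    # (message_id, recipient, action)
    ("msg-1", "alice@corp.example", "delivered"),
    ("msg-1", "bob@corp.example", "delivered"),
    ("msg-1", "carol@corp.example", "quarantined"),
    ("msg-1", "dave@corp.example", "delivered"),
]
PROXY_LOG = [
    # (user, url, http_status, bytes_in)
    ("alice", "http://invoice-example.test/doc.php", 200, 245760),
    ("bob", "http://invoice-example.test/doc.php", 403, 0),
    ("dave", "http://www.example.com/", 200, 5120),
]
EDR_LOG = [
    # (host, user, file_hash, action)
    ("ws-alice", "alice", "PLACEHOLDER_SHA256_OF_PAYLOAD", "process_start"),
]
FIREWALL_LOG = [
    # (src_host, dst_ip, bytes_out)
    ("ws-alice", "198.51.100.200", 1572864),
    ("ws-dave", "93.184.216.34", 2048),
]
# Assumed asset inventory mapping users to their workstations.
USER_TO_HOST = {"alice": "ws-alice", "bob": "ws-bob", "carol": "ws-carol", "dave": "ws-dave"}

# Ordered stages of the chain, furthest stage wins.
STAGES = ["not delivered", "delivered", "clicked", "downloaded", "executed", "c2 contact"]


def correlate_malspam(gateway, proxy, edr, firewall, user_to_host, url, payload_hash, c2_ips):
    """Grouping: join each log source on user/host and record the furthest stage reached."""
    stage = {}
    # Email gateway: who received it at all.
    for _mid, rcpt, action in gateway:
        user = rcpt.split("@")[0]
        stage[user] = "delivered" if action == "delivered" else "not delivered"
    # Proxy: a request for the URL is a click; a 200 with a body is a download.
    for user, requested, status, b_in in proxy:
        if user in stage and requested == url:
            stage[user] = "downloaded" if status == 200 and b_in > 0 else "clicked"
    # EDR: the payload hash starting as a process is execution.
    for _host, user, fhash, action in edr:
        if fhash == payload_hash and action == "process_start" and user in stage:
            stage[user] = "executed"
    # Firewall: traffic from an infected host to the resolved IP is C2 contact.
    host_to_user = {h: u for u, h in user_to_host.items()}
    for host, dst, _b_out in firewall:
        user = host_to_user.get(host)
        if dst in c2_ips and user in stage and stage[user] == "executed":
            stage[user] = "c2 contact"
    return stage


def needs_incident_response(stage_by_user):
    """Deck rule: confirmed infection (execution or beyond) switches on incident response mode."""
    threshold = STAGES.index("executed")
    return sorted(u for u, s in stage_by_user.items() if STAGES.index(s) >= threshold)


if __name__ == "__main__":
    stages = correlate_malspam(EMAIL_GATEWAY_LOG, PROXY_LOG, EDR_LOG, FIREWALL_LOG,
                               USER_TO_HOST, MALICIOUS_URL, PAYLOAD_HASH, C2_IPS)
    for user, s in sorted(stages.items()):
        print(f"{user:8} {s}")
    print("incident response for:", needs_incident_response(stages))
```

The output distinguishes the recipient who merely received the mail (dave), the one whose click was blocked by the proxy (bob), the one whose copy never arrived (carol) and the one who executed the payload and then talked to the C2 address (alice). Only the last crosses the deck's "successful infection" line, but the earlier stages are still useful: they size the user-awareness follow-up and confirm the proxy block worked.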