Part 2: Defining Threat Hunting
In this four-part series, we’ll be looking at Team Cymru’s Threat Hunting Maturity Model. Its purpose is to define each step of the journey that organizations take to hire, empower and gain value from elite threat hunters.
If you missed Part 1, please find it here.
Cyber threat intelligence (CTI) is described by Forrester [download here] as ‘immature’, our purpose with these blogs is to enable organizations to accelerate through the process of leveraging threat intelligence to learn about threats, increasing the value of existing people within security operations centers (SOC) and incident response (IR) teams to become proactive threat hunters, and then elevate them by building and maintaining an elite threat hunting team to deliver longer lasting defensive strategies.
For Part 2 in this series, we’ll be introducing Team Cymru’s Threat Hunting Cyber Kill Chain. The purpose of creating this is to have a simple model, based on Lockheed Martin’s original version, with focus on threat hunting. The intention is to enable leadership to establish where they are in terms of maturity, and for analysts to clearly define the methods they are using today.
Let’s tackle the evolution of threat hunting specifically, for even that has experienced a revolution as organizational needs, analysts tactics and even the threats themselves have changed over the years.
Reactive Threat Hunting
Organizations and the cyber security teams responsible for protecting them, realized long ago that cyber security technologies are porous. There was, and still is, a need to block and detect threats based on what is known to be malicious, i.e. malware signatures, and this will always be a limiting factor to achieving robust cyber defenses.
The reactive threat hunting method requires that a breach occurs, tripwires triggered, and the hunt commences for whatever threat is now lurking within the network. This paper published by the SANS Institute in May 2020 explains this approach.
“Traditionally within Security Operations Centers (SOC), the detection of a threat to an organization is usually reactive. A rule is configured within the Security Information Event Management (SIEM) System to detect a malicious action on a network, and the SOC Analyst waits for an alert to trigger to identify that there may be something malicious present.”*
This continues to be widely accepted as the only form of threat hunting, and according to our recent Ponemon Survey 70% align with this definition. In reality it is the baseline, as we’ll explore on the journey through the various stages.
As you can infer from the above definition, you need to be compromised, know what rules to configure that detect malicious activity, a SOC analyst needs to be on standby for alerts, a significant ‘something malicious’ may or may not be discovered. One of the challenges facing SOC analysts in this scenario is that a high proportion of security-related alerts are false positives. Also, as highlighted in the report, that means the same amount of downtime closing off low or no value alerts as actual attacks. – an unfortunate and significant drain on human resources that allows genuine threats to remain overlooked and undetected.
Where Reactive Threat Hunting features within the Team Cymru Threat Hunting Kill Chain Model
This is where traditional threat hunting features on the Team Cymru Threat Hunting Cyber Kill Chain.
What becomes clear using our visual guide is whilst traditional threat hunting is the first step towards maturity, yet is the last step of the Cyber Kill Chain. This emphasizes that the Team Cymru Threat Hunting Maturity Model is a journey, the organization needs to learn, adapt and improve to then accelerate towards the next phase.
Areas of improvement for any team wishing to defeat attackers within the network are creating and defining tight lines of communication between SOC and Incident Responders, ensuring these are scribed out in process and procedures and then regularly reviewed for their effectiveness.
Proactive Threat Hunting
Microsoft acknowledges in their Security Blog that threat hunting should increasingly lean towards proactively searching for threats with the mindset of finding an as yet discovered breach, hence Proactive Threat Hunting.
In the blog, they state about threat hunters that it is “Their job is to outthink the attacker.”
Whilst the goal of reactive threat hunting is similar, proactive threat hunting has the advantage of increasing the chance of detecting indicators of compromise (IoCs) that lead to discoveries of in-progress attacks, or evidence of historical ones.
This distinct advantage enables the proactive threat hunters to act as a much earlier warning system for incident responders to begin triage. A team searching internally for IoCs based on research across social media, cyber threat related posts and, if accessible, darkweb boards for emerging threats will gain success. They will help reduce the impact of any in-progress attacks they may discover occurring within their networks.
Referring again to the Team Cymru Threat Hunting Cyber Kill Chain, we can clearly see that both methods are focused within the network perimeter.
Where Reactive Threat Hunting features within the Team Cymru Threat Hunting Kill Chain Model
Proactive threat hunter activity on the Team Cymru Threat Hunting Cyber Kill Chain arcs across Deliver, Installation and Command & Control (C2) phases of an attack. Making discoveries at these critical points has been proven to minimize business disruption and financial impact at preventing cyber attackers achieve their objectives. But it still means dealing with the enemy once they are behind your lines and inside your network.
Using a more sophisticated model, such as MITRE ATT&CK, enables proactive threat hunters to build and make various hypotheses about potential attacker techniques, tactics and procedures (TTPs), test their theory, and then play this out until conclusion.
We will be expanding on MITRE ATT&CK and how it relates to threat hunting in future posts, but in principle, it is a more sophisticated and granular model, the general workflow and processes are as below;
MITRE ATT&CK Key Phases
Gather information they can use to plan future operations.
Establish resources they can use to support operations
Get into your network
Deploy and run their malicious code
Maintain their foothold
Gain higher-level permissions
Steal account names and passwords
Figure out and map your environment
Move through your environment
Gather data of interest for their main goal
Command and Control
Remotely control compromised systems
Manipulate, interrupt, or destroy systems and data
Proactive threat hunting is less reliant on automation and translating third-party sources of Threat Intelligence. It involves more varied skills and intuition to discover and make attempts to outthink attackers.
CTI teams using proactive threat hunting will adapt processes and procedures, improve communications and coordination between analysts and incident response teams to achieve greater successes than those relying on the Reactive method. Yet as they mature and evolve, they will always reach a ceiling and a limit to their visibility that reaches barely beyond their own firewall. Hitting this barrier and having the desire, necessity, management buy-in and funding to break through it now means the team is ready to evolve to the next level.
External Threat Hunting
We are now in the realm of the elite threat hunters, their job is to outsmart attackers.
External threat hunting is the uppermost tier on the Team Cymru Threat Hunting Cyber Kill Chain model. The goal is to enable organizations to remain one step ahead of their most advanced persistent threats, improve visibility of third-party risks, and even deal with the day-to-day cyber challenges like phishing and ransomware.
Here’s where the external method features within the Team Cymru Threat Hunting Cyber Kill Chain model;
Where External Threat Hunting features within the Team Cymru Threat Hunting Kill Chain Model
When displayed using this model, it is clear exactly where external threat hunting takes place; far beyond and outside the network perimeter.
This explained why there is a lot less reliance on automation when compared with Reactive and proactive threat hunting. External threat hunting is an almost entirely human-driven endeavor. Data and tools have to be combined with the experience, wit, determination and knowledge of a seasoned and professional analyst, an elite threat hunter.
Whilst these attributes don’t make external threat hunting out of reach for any maturing and experienced threat intelligence team, we have learned from our customers it does take appropriate levels of focus, the right tools, resources, and critically funding, in order to maximize its value.
As the Team Cymru Threat Hunting Cyber Kill Chain highlights, external threat hunting starts with the organization doing the reconnaissance, and not as a victim. This is a key strategic advantage of this method. Unlike reactive and proactive methods, threat actors themselves are tracked, traced and monitored as they shift infrastructure and claim victims. IOCs typically used to inform of a breach become signals intelligence beyond the network perimeter.
Become the hunter, not the hunted.
Elite threat hunters will latch onto their adversaries, watch their moves, observing how other victims are being exploited, and use this self-made threat intelligence to inform precisely what defensive measures need to be taken by their organization to block an attack before it starts. Tactics, techniques and procedures (TTPs) are often unique to specific threat actors, enabling external threat hunters to practically watermark an adversary, allowing them to research OSINT and leverage other threat intelligence sources to much better effect.
Know thy enemy, especially their IP addresses.
Use cases for external threat hunting include but are by no means limited to the following, as we focus on this specific method.
If you wish to research further using a real-world supply chain attack, this webinar will inform you of the advantages of enriching data.
RECONNAISSANCE OF THREAT ACTORS
Identify, map and trace threat actor infrastructure using threat intelligence ‘seeds’.
Threat intelligence derived seeds are often the starting point for analysts for each external threat hunt. These can be IP addresses, DNS servers, or any combination of internet related telemetry. Using a tool such as Recon, users are able to expand their visibility of threat actor infrastructure. We liken this to gaining visibility of internet traffic at the same level of granularity as your internal network logs. To gain insights into what mapping threat actor infrastructure looks like, we recommend reading this blog from our talented team of analysts.
OUTBOUND MALICIOUS COMMUNICATIONS
Illuminate if and when your organization is compromised.
As is known good discipline, work on the basis of already being breached. In practice, this typically leads to more hunting inside the network for non-elite threat hunters. Once you are aware of threat actor infrastructure, associated signals intelligence can be combined with knowledge of your own internet facing infrastructure. It then becomes clear if your networks are communicating with known command and control (C2) infrastructure. Knowing those outbound connections are taking place to known C2 infrastructure is another key strategic advantage gained from elevating threat hunting capabilities to look beyond the network perimeter.
As one of the highest profile attacks during 2021, the impact of ransomware on Colonial Pipeline was just one-half of the story. The external perspective gained from Recon showed that a data theft had occurred simultaneously, as discussed in this Dragos blog.
We hope this blog has served its purpose of differentiating between reactive, proactive and external threat hunting, and informed where incident response, threat detection and threat reconnaissance all have their role.
In our next blog, we’ll focus the gains for individuals, teams and leadership when they empower and leverage elite threat hunters. It’ll be an in-depth look at the various values of threat reconnaissance, the next step in our journey takes us far beyond the network perimeter.