Navigating the Five Stages of Threat Hunting
Part 4 of our Guide to Threat Hunting series takes you through the five stages of threat hunting with tips for each.
Welcome to another installment in our Guide to Threat Hunting series! In my previous posts in this series I have covered the fundamentals of threat hunting, what you should do to prepare to hunt for threats, and the tools and skills you’ll need for threat hunting success. This post will cover the five stages of threat hunting and provide tips for each one.
The Five Stages of Threat Hunting
The day has come! You’ve committed as a security organization to embark on an active threat hunting mission. You’ve laid the groundwork with incident response processes and procedures, built a defensive architecture, and acquired the tools and skills you need for a successful hunt. Now put on your camouflage and grab your ammo!
The threat hunting process can be broken down into the following five stages:
Stage One: Hunt for Known Prey
Hunting the adversaries you know is easy, or at least easier. Known adversaries have become known because they have revealed themselves in a number of ways:
- They match an indicator or signature that has been developed to detect them.
- Your antivirus software vendor is aware and has listed them.
- Maybe you read about the exploit in a blog post or news article.
- Some known attacks are fairly amateur, easy to detect, or not well hidden.
- The best case is that your Level 1 analyst has found the adversary.
Stay alert for any of these signs and you’ll be well on your way to identifying known adversaries targeting your systems.
Stage Two: Watch for Unknown Prey
Hunting for the unknown requires patience, persistence and more effort. This is because unknown threats often tend to be more sophisticated, well-hidden and harder to detect. However, these adversaries leave indicators of their movement around your network. They will try to mimic the normal activity of authorized users to stay under the radar.
If you are vigilant, eventually they will reveal themselves as an outlier – primarily by taking actions that reveal their precise targeting and IT savvy:
- Leveraging new techniques for persistence
- Working through encrypted channels
- Creating command & control infrastructure
- Compiling their own toolset, like malware or a binary
- Pursuing authorized actions that lie outside of baseline activity data
Pro Tip: Watch Your Logs
There’s a wealth of information in your logs! You’d be surprised what can be revealed simply by correlating information. By baselining a particular activity within your environment, and noting how often it occurs, you will start to see things pop up that are worthy of closer scrutiny. Patterns of suspicious behavior will emerge over the course of 30 days or even a couple of weeks. Anything that steps above the baseline is worthy of an alert to investigate. In many cases these early, seemingly benign activities are the reconnaissance or initial setup steps indicative of an impending attack. Here are some examples of what to examine from your event sources.
- Proxy Logs
- Traffic being sent out port 22
- Network connections with same pattern of bytes in and bytes out
- Dynamic DNS visits
- Unique user agent strings
- Base64 encoded strings in URLs
- Executables being downloaded
- Windows Logs
- Explicit logon attempts (4648/552)
- User added to privileged group (4728, 4732, 4756)
- Failed logon attempts via multiple accounts
- Log clearing activity (104, 1102)
- EMET crash logs (1, 2)
- Application crashes and hangs (1000, 1002)
- Windows Defender errors
- Antivirus Logs
- Password dumping programs
- Specific backdoors detected (PlugX, 9002, Derusbi, Nettraveler, Winnti, Pirpi)
- Detections with “dropper” in the name
- Custom detection creation
Get to know all the tools you already have and understand the type of data and reports that they generate. This level of awareness will allow you to start utilizing their outputs to actively start hunting for threats.
Stage Three: Bird Dog the Threats
Every hunter needs a trusty hunting dog. Bird dogs are highly trained and bred specifically for the job at hand. The characteristics of a good bird dog (and how they apply to threat hunting) are:
- Sensory awareness: A bird dog’s five senses are highly tuned and always aware of their surroundings. Cyber threat hunters need to be just as vigilant, to better pick up the “scent” or actions of our adversaries. Be actively looking for specific types of threats on a regular, even daily, basis.
- Quick reflexes: A bird dog reacts to situations in a shorter amount of time than other dogs. As threat hunters “in the field,” we need to continuously improve our processes of incident investigation and response for maximum efficiency.
- Instinct: Bird dogs are bred to heighten specific instincts, such as a pointing and retrieving game. Your entire security team needs to develop new hunting tactics, excel at logistics and operationalize whatever proves most effective.
- Communication: Bird dogs are excellent at communicating with their owners with wags or whimpers. As a security team, meet consistently to share the latest threat intelligence or suspicious indicators within your environment. This will help propel your threat hunting mission forward.
- Intelligence: One of the hallmarks of a great bird dog is its superior intelligence. Superior threat hunters are innovative, analytical and able to hypothesize both meaning and insight from data.
As the security bird dog for your enterprise, you need to understand your environment better than anyone, and coordinate your team to hunt and counter adversaries better over time.
Stage Four: Ready, Aim
So you found something! You have identified malware or something malicious within your environment. Your target has been flushed out of its hiding place and is on the run! Now what do you do? Here’s what comes next, and in what order…
- Gather as much information as you can about what transpired, where, and when.
- Engage forensics experts. Forensics reveals the “how” and sometimes even the “why” of what transpired when the bad actor was on a box or inside your software. It tells the story of what has been compromised and maps out every system to remediate.
- Engage and execute your incident response plan! It’s why you have one.
- Neutralize the bad guys. First contain the threat, and then take all affected machines down at the same time so your adversary doesn’t have an opportunity to come back. Wipe and clean everything.
Stage Five: Prepare for the Next Threat
After the threat passes and you resolve the incident, here are a few recommendations of things you should do to be ready to confront the next threat.
- Learn from the adversary's behaviors by reviewing the incident as a security team.
- Document the adversary’s tactics, techniques and procedures.
- Develop a profile of the adversary, including region of operation, motive, intent and capability.
- Update threat intelligence to incorporate all the threat indicators associated with the adversary's activity – file names, file paths, IP addresses, domains, what commands or control infrastructure was used, etc.
- Store all this information in a central database.
- Disrupt the adversary's future operations in your environment by applying updated threat intelligence.
Pro Tip: Attackers are Creatures of Habit
At my last job, we had profiles on all of the different adversaries who had targeted us. So if there was a successful intrusion, we could tell whether it was this group or that. The first thing that one particular group would do was run the following command “ping -n 3 184.108.40.206”. What they were basically doing was checking for Internet connectivity by pinging Google’s DNS server. As soon as we received an alert for that command being run, I knew an attack was taking place! That’s a technique or tactic that particular adversary would leverage every time, so it was a huge indicator for us that they were in. Even if all of their malware and tools were missed, that one piece of information was something that we were able to detect successfully to start our investigation and response.
I hope you enjoyed this installment of our Guide to Threat Hunting series! Keep an eye out for Part 5 and in the meanwhile check out our eBook for more threat hunting tips.
Read More in our Guide to Threat Hunting Series
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business