This is the first post in a new blog series we are calling The Hunter’s Den. Over the last nine months it has been exciting to see the concept of “threat hunting” take off. At the most recent Black Hat conference this past August, it was surprising to see how many companies had begun to adopt threat hunting messaging. This mirrors the increasing interest we have seen around threat hunting, as illustrated by the Google Trends chart below.
On the other hand, the buzz around “threat hunting” can also be confusing. Different vendors are appropriating this term to mean different things. From Sqrrl’s perspective, threat hunting should not be focused on:
- Only Search
- Only IOC matching
- Only automated analytics (e.g., UEBA)
- Only Endpoints
Threat hunting is a hypothesis-driven approach to detecting unknown threats, and hunts should leverage diverse types of IT data, including endpoint, network, and application data and various enrichment sources (company databases, geolocation, threat intel, etc.). A Threat Hunting Platform combines the analysis of these different datasets into hunting workflows and uses features such as petabyte-scale processing and storage, machine learning/UEBA, link analysis, case files, tagging/annotation, on-demand custom analytics, and native extensibility to adapt to new datasets and analytic needs. A Threat Hunting Platform not only lets you detect new incidents, but it also enables you to find new ways of detecting incidents.
Earlier this year Sqrrl published (or in some cases sponsored with the SANS Institute) some of the seminal documents establishing what threat hunting is. These include:
- The Who, What, When, Why of Threat Hunting (with the SANS Institute)
- The Reference Framework for Threat Hunting
- Threat Hunting eBook
- Threat Hunting Platform White Paper
- The First Annual Threat Hunting Survey (with the SANS Institute)
These documents set the stage for this blog series. The goal of this blog series is to take the community understanding of threat hunting to the next level by going beyond framework and theory and digging into practical tips and techniques for threat hunting.
In terms of an organizing framework for this blog series, Sqrrl thinks about hunts in three categories:
- Tactical Hunts. These are quick-turn hunts (i.e., completed within a few hours) based on new emergent information, such as threat intelligence reports that outline new threat actor TTPs. An analyst uses this new information to kick off a simple hunt to assess to what degree these TTPs are present within their organization. Such a hunt typically goes beyond simple IOC matching (e.g., looking for C2 IP address or malware hash matches) and instead focuses on linked behaviors (e.g., a particular type of Remote Access Trojan combined with a particular type of exfiltration technique), which is a differentiator for Sqrrl’s Behavior Graph approach to hunting.
- Operational Hunts. These are hunts that should be part of a hunter’s daily or weekly routine. One way to organize operational hunts is using the Kill Chain as a construct. Hunters can progress through different kill chain steps on a regular schedule in short sprints, and once complete they can loop back to the beginning of the kill chain to look for new types of TTPs. These kinds of hunts will be a major focus of this blog series.
- Strategic Hunts. These are typically multi-day (sometimes multi-week) “pack hunts” (i.e., often involving multiple hunters) focused on looking for systemic compromise of groups of users, assets, or resources. In all of these hunts, the high-risk/high-value users or assets are identified first, and then hunting hypotheses are developed to look for compromise. Examples of strategic hunts include:
- Crown Jewel Analysis-driven hunts, e.g., looking for systemic compromise around servers, applications, or document stores where mission critical data or trade secrets are housed.
- Critical Infrastructure Analysis-driven hunts, e.g., looking for systemic compromise of critical assets, such as Active Directory servers, whose compromise could significantly enable deeper or more significant penetrations and attacks.
- High Risk User Analysis-driven hunts, e.g., looking for systemic compromise of system administrators, highly privileged users, users that have been flagged as risks for insider threats, and/or users that are likely to be targeted by threat actors (e.g., executives engaged in international negotiations with a state-owned corporation).
Each blog post in this series will cover an example of one of these types of hunts. It will include details on:
- Hunting hypotheses
- Datasets needed to hunt
- Type of analytics and queries to consider
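As an added example (not Sqrrl’s code and not taken from any of the documents listed above), here is the tactical hunt sketched earlier, written out in the hypothesis / dataset / analytic structure each post will follow. The hypothesis: a Remote Access Trojan beacons to an external host on a fixed schedule, then a large upload goes to that same host, and on that endpoint an office application spawned a shell. The flow records, process events, reported C2 indicator list, thresholds, and host names are all constructed for illustration; the threshold values are starting points to tune per environment, not established norms.

```python
"""Tactical hunt: linked behaviors (beaconing + exfiltration + office-spawned shell)
versus plain IOC matching. All data below is constructed for illustration."""
from collections import defaultdict
from statistics import median

# Tunable thresholds (assumptions, not published guidance).
MIN_BEACONS = 6            # flows to a destination before we test it for periodicity
INTERVAL_TOLERANCE = 0.10  # an interval within +/-10 % of the median is "on schedule"
MIN_ON_SCHEDULE = 0.8      # fraction of intervals that must be on schedule
EXFIL_BYTES = 10_000_000   # a single upload this large to a beacon target is suspicious
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "AcroRd32.exe"}

# Dataset 1 (constructed): network flows as (timestamp_seconds, src_host, dst_ip, bytes_out).
FLOWS = [
    # WS-17: a 300 s beacon to 203.0.113.9 for an hour, then one 52 MB upload to it.
    *[(t, "WS-17", "203.0.113.9", 600) for t in range(0, 3600, 300)],
    (3900, "WS-17", "203.0.113.9", 52_000_000),
    # WS-03: ordinary, irregular, small browsing traffic.
    (120, "WS-03", "198.51.100.4", 4_000),
    (700, "WS-03", "198.51.100.4", 9_500),
    (4100, "WS-03", "198.51.100.4", 7_200),
    # WS-22: a large upload to a backup server, but with no beaconing pattern.
    (1000, "WS-22", "192.0.2.50", 80_000_000),
]

# Dataset 2 (constructed): endpoint process events as (host, parent_process, child_process).
PROCESS_EVENTS = [
    ("WS-17", "WINWORD.EXE", "powershell.exe"),
    ("WS-03", "explorer.exe", "chrome.exe"),
    ("WS-22", "services.exe", "backupagent.exe"),
]

# Constructed indicator list from a (fictional) threat report. The actor has
# rotated infrastructure since the report, so nothing in FLOWS matches it.
REPORTED_C2_IPS = {"203.0.113.77", "203.0.113.78"}


def ioc_matches(flows, ioc_ips):
    """Analytic 0: plain IOC matching. Returns sorted (host, dst) pairs that hit a listed IP."""
    return sorted({(host, dst) for _, host, dst, _ in flows if dst in ioc_ips})


def beacon_pairs(flows):
    """Analytic 1: (host, dst) pairs whose connection times are periodic.
    Returns {(host, dst): median_interval_seconds}."""
    stamps_by_pair = defaultdict(list)
    for ts, host, dst, _ in flows:
        stamps_by_pair[(host, dst)].append(ts)
    periodic = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < MIN_BEACONS:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        period = median(intervals)
        on_schedule = sum(abs(i - period) <= INTERVAL_TOLERANCE * period for i in intervals)
        if on_schedule / len(intervals) >= MIN_ON_SCHEDULE:
            periodic[pair] = period
    return periodic


def hunt_rat_with_exfil(flows, process_events):
    """Analytic 2: link three behaviors on one host: periodic beaconing, a large
    upload to the same destination, and an office app spawning a child process.
    Returns a list of finding dicts, one per (host, dst) that satisfies all three."""
    findings = []
    for (host, dst), period in beacon_pairs(flows).items():
        uploads = [b for _, h, d, b in flows if h == host and d == dst and b >= EXFIL_BYTES]
        if not uploads:
            continue
        launches = [(parent, child) for h, parent, child in process_events
                    if h == host and parent in OFFICE_APPS]
        if not launches:
            continue
        findings.append({"host": host, "dst": dst, "period_s": period,
                         "exfil_bytes": max(uploads), "office_spawned": launches})
    return findings


if __name__ == "__main__":
    print("IOC hits:", ioc_matches(FLOWS, REPORTED_C2_IPS))
    for finding in hunt_rat_with_exfil(FLOWS, PROCESS_EVENTS):
        print("Behavioral hit:", finding)
```

The point of the example is the contrast between the two analytics on the same data: the indicator list from the report finds nothing because the infrastructure changed, while the behavioral chain still surfaces WS-17. Note also why the conditions are linked rather than applied separately: WS-22 has a far larger upload than WS-17 but no periodicity, so a "large upload" query alone would have paged a hunter about a backup job.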
We look forward to hearing your feedback. To stay informed of new blog posts, please sign up here.
If you are interested in learning more about Sqrrl’s Threat Hunting Platform (the industry-leading, purpose-built threat hunting platform), you can request access to our Product Paper here.
Below is a list of hunts that the Hunter's Den series has covered: