#088: Cybersecurity Series – Threat Hunting
As discussed on our last podcast on Threat Hunting, CTI is an intrinsic piece of threat hunting. In today’s podcast, we’ll go into more detail about CTI.
Preface: Many cybersecurity conversations focus on the Identify, Protect, and Recover functions of the NIST Cybersecurity Framework.
Two functions that don’t get as much attention are Detect and Respond. Today’s topic of Threat Hunting fits squarely into the Detect function and is the practice of searching through the network for cyber threats.
Why is Threat Hunting Important?
- Not all attacks are the same; they vary depending upon the threat actor and their ultimate goal. In some cases, once they have gained initial access to the network, the attacker will try to exfiltrate data, obtain login credentials, or look for sensitive data. These threat actors are known as advanced persistent threats (APTs). Having the ability to detect lateral movement, scanning, or other traffic initiated by these adversaries could help an organization limit the damage caused.
- Security tools that operate in the Protect function of the NIST framework can be bypassed, so detection of an APT is critical.
A Key Distinction
- Threat Hunting and Cyber Threat Intelligence (CTI) – while they sound similar and are intrinsically connected, they aren’t the same. CTI is actionable information developed using a lifecycle (Planning, Collection, Processing, Analysis, Dissemination, and Feedback), while Threat Hunting is the act of searching for signs of potential cyber threats. The two are related in that CTI can be used to guide Threat Hunting.
- Note: Implementing a CTI program isn’t something an organization can do on a whim. Typically only very mature organizations will have their own CTI program; most will outsource threat intelligence.
Sounds Great! How Do I Get Started?
- Analysts – Many technologies boast the ability to automate and lessen the need for analysts, and while there is some truth to that, talented analysts to look at the data are still a must.
- Data – Without ample data, you can have the best analysts in the world, but they won’t have anything to look at (endpoint protection logs, firewall logs, system event logs, etc.).
- A means to synthesize the data – A SIEM (Security Information and Event Management) system is a good example of a tool that can pull in data and give an analyst powerful search capabilities.
- Threat Intelligence – This can be gathered from within (CTI – Cyber Threat Intelligence), procured from outside (MDRs, OSINT, etc.), or both!
Tools and Data Sources for Threat Intelligence
- MITRE ATT&CK Framework – Documented TTPs (tactics, techniques, and procedures) of TAs (threat actors) https://attack.mitre.org/
- VirusTotal
- Suspicious and compromised domain lists
- OSINT tools – Ex: Shodan (Fantastic book on OSINT: Open Source Intelligence Techniques, 9th edition, by Michael Bazzell)
Additional Notes:
— Useful Terms:
- IoC – Indicators of compromise
- IoA – Indicators of attack
- Intel – Intelligence feeds from 3rd party networks… SANS, etc.
- VA – Vulnerability assessments
- Vulnerability Scans – Usually scanning from the outside of an organization
- Threat Hunting – Assumes the “bad guys” are already in an organization, and IT needs to locate, prevent, and fix security problems.
— “Think like a hacker.”
— Don’t broadly hunt; build a hypothesis and limit the systems to a few at a time.
— Types of Threat Hunting:
Structured Threat Hunting
- The hunter’s approach is based on their research.
- Using MITRE ATT&CK or any enterprise framework
Unstructured Threat Hunting
- Initiated based on a trigger
- Looking for pre- and post-detection patterns
- Previously associated offenses allowed
- The hunter’s approach is based on this research
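As an added example that is not from the podcast or its hosts, the following Python script runs a hypothesis-driven hunt of the kind described above over a few constructed firewall log lines: it is scoped to the two hosts the hypothesis names and flags any of them that probes many distinct ports in a short window, the scanning behaviour mentioned earlier. The log format, addresses, hunt scope, window and threshold are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from the podcast). Format:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>". 10.0.5.23 probes
# 12 ports on one host in 12 seconds (the scan we hunt for), 10.0.5.24 makes
# ordinary SMB connections, and 10.0.9.9 scans too but is outside the scope.
PROBED_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
SAMPLE_LOGS = [f"2024-05-01T10:00:{i:02d} 10.0.5.23 10.0.5.40 {p} DENY"
               for i, p in enumerate(PROBED_PORTS)]
SAMPLE_LOGS += ["2024-05-01T10:01:00 10.0.5.24 10.0.5.40 445 ALLOW",
                "2024-05-01T10:02:00 10.0.5.24 10.0.5.40 445 ALLOW",
                "2024-05-01T10:03:00 10.0.5.24 10.0.5.41 445 ALLOW"]
SAMPLE_LOGS += [f"2024-05-01T11:00:{i:02d} 10.0.9.9 10.0.5.50 {p} DENY"
               for i, p in enumerate(PROBED_PORTS)]

# Hypothesis (assumed): "a compromised workstation in the 10.0.5.x VLAN is
# port scanning its neighbours". Limit the hunt to the hosts it names.
HUNT_SCOPE = {"10.0.5.23", "10.0.5.24"}


def parse_line(line):
    ts, src, dst, port, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "dst": dst, "port": int(port), "action": action}


def hunt_port_scans(log_lines, scope, window=timedelta(minutes=5), min_ports=10):
    """Return in-scope sources that touched >= min_ports distinct (dst, port)
    pairs inside any sliding time window of the given length."""
    by_src = defaultdict(list)
    for line in log_lines:
        event = parse_line(line)
        if event["src"] in scope:          # hypothesis-driven scoping
            by_src[event["src"]].append(event)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            pairs, targets = set(), set()
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                pairs.add((ev["dst"], ev["port"]))
                targets.add(ev["dst"])
            if len(pairs) >= min_ports:
                findings[src] = {"distinct_ports": len(pairs),
                                 "targets": sorted(targets),
                                 "first_seen": start["ts"].isoformat()}
                break                       # one finding per source is enough
    return findings
```

Running `hunt_port_scans(SAMPLE_LOGS, HUNT_SCOPE)` reports only 10.0.5.23; the out-of-scope scanner 10.0.9.9 is deliberately left for a separate hunt with its own hypothesis.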
Talk to the Podcasters!
Our podcasters love engaging with listeners! Please reach out via our web form (or by emailing podcast@venyu.com).