Threat hunting is a proactive, behaviorally-based approach that empowers you to stay ahead of potential adversaries by focusing on their tactics, techniques, and patterns. By moving away from the traditional indicator of compromise (IOC) mindset, you'll be able to uncover hidden threats that may have been flying under the radar. In this blog, we'll walk you through the process of crafting the perfect threat hunting hypothesis list that will set you on the path to becoming a successful and confident threat hunter. So, let's dive in and start hunting!
In creating an effective threat hunting hypothesis list, it's essential to consider several key components that will guide your proactive search for adversaries.
By incorporating these components, you'll create a solid foundation for your threat hunting hypothesis list, helping you stay focused and efficient as you work to uncover and neutralize hidden threats.
As you begin your journey into the world of threat hunting, it's important to start with a strong foundation. Simple threat hunting hypotheses offer a manageable starting point for those just dipping their toes into the field. These hypotheses are concise, single-sentence statements that focus on a specific aspect of the threat landscape. They provide a clear direction for your investigation, while still offering valuable insight into potential threats. To help you get started, we've compiled a few examples of simple threat hunting hypotheses that you can use as inspiration. As you gain experience and confidence, you'll be able to build upon these foundations and craft even more sophisticated hypotheses tailored to your organization's unique needs and challenges.
As your threat hunting capabilities evolve, you may want to consider honing in on specific adversaries and their associated tactics or techniques. Targeted hypotheses enable you to focus on well-known threat groups, providing a more in-depth and tailored approach to uncovering potential cyber threats. These hypotheses require a deeper understanding of the adversaries' behaviors, making them more complex than simple hypotheses but still accessible for teams with growing hunting expertise.
The example provided below highlights a targeted hypothesis involving the notorious APT28 (Fancy Bear) group, outlining their known behavioral tactics and the steps needed to validate the hypothesis using EDR, NDR, and XDR solutions. By crafting targeted hypotheses like this, you'll be better equipped to identify and neutralize threats specific to certain adversaries, enhancing your organization's overall security posture.
Hypothesis: We suspect that the well-known adversary group APT28 (Fancy Bear) is attempting to gain unauthorized access to our organization's sensitive data and infrastructure by exploiting our systems and leveraging their known behavioral tactics.
To validate this hypothesis, we will focus on the following APT28-associated behaviors that are detectable using EDR (Endpoint Detection and Response), NDR (Network Detection and Response), and XDR (Extended Detection and Response) solutions:
Lateral Movement: APT28 is known to use tools like Mimikatz for credential dumping and lateral movement within the target network. Monitor for any unusual activity involving privileged accounts, such as multiple failed login attempts or unexpected remote connections.
Persistence: APT28 often establishes persistence through the use of tools like PowerDuke, which creates backdoors in the compromised systems. Look for unusual patterns of PowerShell usage or suspicious registry modifications.
Command and Control (C2) Communication: APT28 has been observed using HTTP(S) and DNS tunneling for C2 communication. Monitor for unusual network traffic patterns, such as high volumes of DNS requests to uncommon domains or encrypted HTTP(S) traffic to suspicious IP addresses.
Data Exfiltration: APT28 may attempt to exfiltrate data using custom tools or protocols, such as encrypted archives sent over FTP or HTTP(S). Detect anomalies in outbound network traffic, like sudden spikes in data transfer or connections to uncommon external IP addresses.
System and Process Tampering: APT28 is known to modify system processes or inject malicious code into running processes to evade detection. Monitor for unexpected process modifications, as well as the presence of untrusted or unsigned code in memory.
Another effective approach to threat hunting involves centering your hypothesis around a specific tool or toolset commonly employed by one or more threat actors. By focusing on the tactics and techniques associated with a particular tool, you'll be able to uncover threats that might otherwise be missed by concentrating solely on threat groups. Tool-focused hypotheses allow you to capitalize on your knowledge of how these tools operate, helping you detect unusual or malicious activity that may signify a breach in your organization's security.
In the example provided below, we explore a hypothesis centered on the well-known toolset Cobalt Strike. This hypothesis outlines the key behaviors associated with Cobalt Strike's use and describes how to validate the hypothesis using EDR, NDR, and XDR solutions. By creating tool-focused hypotheses like this one, you'll enhance your ability to identify and neutralize a broader range of cyber threats, ultimately strengthening your organization's security posture.
Hypothesis: We suspect that adversaries might be using the well-known toolset Cobalt Strike in an attempt to gain unauthorized access to our organization's sensitive data and infrastructure by exploiting our systems and leveraging the known capabilities of the toolset.
To validate this hypothesis, we will focus on the following Cobalt Strike-associated behaviors that are detectable using EDR (Endpoint Detection and Response), NDR (Network Detection and Response), and XDR (Extended Detection and Response) solutions:
Beaconing: Cobalt Strike utilizes a feature called "beaconing" to maintain command and control (C2) communication with compromised systems. Monitor for unusual patterns of network traffic, such as periodic HTTP(S) requests or DNS queries, which may indicate the presence of a beacon.
Lateral Movement: Cobalt Strike offers several capabilities for lateral movement within a target network, including pass-the-hash and pass-the-ticket attacks. Detect anomalies in privileged account usage, such as unexpected remote connections or login attempts using stolen credentials.
Persistence: Adversaries using Cobalt Strike may establish persistence by creating scheduled tasks, modifying registry keys, or leveraging other techniques. Look for suspicious modifications to system settings or the creation of new, unexpected tasks.
Process Injection: Cobalt Strike can inject its payload into running processes to evade detection. Monitor for unexpected process behavior, as well as the presence of untrusted or unsigned code in memory.
Data Exfiltration: Cobalt Strike provides tools for data exfiltration, such as file transfers over HTTP(S) or custom protocols. Detect anomalies in outbound network traffic, like sudden spikes in data transfer or connections to uncommon external IP addresses.
Now let’s move on to more complex examples.
Threat hunting hypotheses can be operational, like the examples above, or tactical and strategic. Seasoned Threat Hunters can formulate broader hypotheses that can nevertheless result in finely targeted tests. To do that, they need to include:
Domain expertise – having experience, sharing knowledge
Situational awareness – knowing internal infrastructure, vulnerabilities, core assets
Intelligence – pulling threat intelligence data like IOCs and TTPs
Apply all of the above to formulate a deeply analytical hypothesis about what systems attackers will target and what they will try to achieve.
For example, a Threat Hunter Bob has been researching some IOCs obtained through a threat intel feed. Having done a Crown Jewels Analysis (CJA), he knows that their company’s jewel in the crown is the place where they store proprietary algorithms. His experience with previous hunts and a talk with a fellow researcher Alice allow suggesting the most likely adversary behavior in a given situation. So he formulates a hypothesis.
Introducing advanced threat hunting hypotheses: As your threat hunting team matures and gains experience, you may wish to explore more sophisticated hypotheses that leverage advanced intelligence collection and a deeper understanding of adversary tactics, techniques, and procedures (TTPs). Advanced threat hunting hypotheses delve into the nuances of specific threat groups and their modus operandi, providing a comprehensive and highly focused approach to detecting and neutralizing cyber threats.
The two examples provided below showcase advanced hypotheses targeting the well-known adversary groups APT33 (Elfin) and APT10 (Stone Panda), illustrating the detailed examination of their associated behaviors, objectives, and TTPs. These advanced hypotheses enable mature hunt teams to validate suspicions and uncover hidden threats through the use of EDR, NDR, and XDR solutions. By employing such intricate hypotheses, your organization will be better equipped to proactively combat the ever-evolving landscape of cyber threats.
Hypothesis: We suspect that the well-known adversary group APT33 (Elfin) is attempting to compromise our organization's critical infrastructure and intellectual property by exploiting vulnerabilities in our systems, deploying custom malware, and utilizing social engineering tactics.
APT33, primarily associated with Iran, has been known to target organizations in the aerospace, defense, and petrochemical industries. Their objectives include cyber espionage and disruption of critical systems.
To validate this hypothesis, we will focus on the following APT33-associated behaviors that are detectable using EDR (Endpoint Detection and Response), NDR (Network Detection and Response), and XDR (Extended Detection and Response) solutions:
Credential Harvesting: APT33 is known to use spear-phishing and social engineering tactics to obtain user credentials. Monitor for any unusual or suspicious communication attempts directed at employees, especially those with privileged access to sensitive systems and data.
Malware Deployment: APT33 has been known to use custom malware families, such as DROPSHOT and TURNEDUP. Detect anomalies in process behavior, such as new or unexpected processes, and look for signs of malware execution, like the presence of untrusted or unsigned code in memory.
Lateral Movement: APT33 often attempts to move laterally within a target network using tools like PowerShell and Windows Management Instrumentation (WMI). Monitor for unusual patterns of PowerShell or WMI usage, as well as unexpected remote connections between systems.
Command and Control (C2) Communication: APT33 has been observed using HTTP(S) and DNS for C2 communication. Look for unusual network traffic patterns, such as a high volume of DNS requests to uncommon domains or encrypted HTTP(S) traffic to suspicious IP addresses.
Data Exfiltration: APT33 may attempt to exfiltrate data using custom protocols or other methods like FTP. Detect anomalies in outbound network traffic, like sudden spikes in data transfer or connections to uncommon external IP addresses.
Hypothesis: We suspect that the well-known adversary group APT10 (Stone Panda) is attempting to infiltrate our organization's networks and exfiltrate sensitive information by exploiting software vulnerabilities, deploying custom malware, and leveraging legitimate tools for stealthy operations.
APT10, primarily associated with China, has been known to target organizations in various industries such as aerospace, healthcare, telecommunications, and manufacturing, with an emphasis on intellectual property theft and cyber espionage.
To validate this hypothesis, we will focus on the following APT10-associated behaviors that are detectable using EDR (Endpoint Detection and Response), NDR (Network Detection and Response), and XDR (Extended Detection and Response) solutions:
Exploit Delivery: APT10 often uses spear-phishing emails containing malicious attachments to deliver exploits targeting software vulnerabilities. Monitor for any unusual or suspicious communication attempts directed at employees, particularly those with access to sensitive systems and data.
Malware Deployment: APT10 is known to utilize custom malware families, such as PlugX and RedLeaves. Detect anomalies in process behavior, including the presence of new or unexpected processes, and look for indications of malware execution, like the presence of untrusted or unsigned code in memory.
Living off the Land: APT10 leverages legitimate tools, such as PowerShell, PsExec, and Windows Management Instrumentation (WMI), for stealthy operations. Monitor for unusual patterns of usage of these tools or unexpected remote connections between systems.
Command and Control (C2) Communication: APT10 has been observed using HTTP(S) and custom protocols for C2 communication. Look for unusual network traffic patterns, such as encrypted HTTP(S) traffic to suspicious IP addresses or domains.
Data Exfiltration: APT10 may attempt to exfiltrate data using custom tools or protocols, such as encrypted archives sent over HTTP(S) or FTP. Detect anomalies in outbound network traffic, like sudden spikes in data transfer or connections to uncommon external IP addresses.
We've explored various types of hypotheses in our comprehensive threat hunting hypothesis list, ranging from simple, single-sentence statements to more advanced, behaviorally-based hypotheses focused on specific adversaries or toolsets. By understanding the different components that make up a good hypothesis and utilizing these approaches, you can significantly enhance your threat hunting capabilities and stay ahead of emerging cyber threats.
To further support your threat hunting efforts and arm you with the most effective tools and strategies, we invite you to access Cyborg Security's cutting-edge threat hunting platform, HUNTER. By signing up for free access, you'll gain access to dozens of pre-built, behaviorally-based hunt packages that can be seamlessly deployed in SIEM, EDR, NDR, and XDR platforms. These hunt packages are designed to provide you with the intelligence and tactics you need to proactively defend your organization against even the most advanced adversaries.
Don't miss this opportunity to elevate your threat hunting game and take advantage of the free resources provided by Cyborg Security's HUNTER platform. Sign up today and discover how you can stay one step ahead of the evolving cyber threat landscape by building a robust threat hunting hypothesis list.
Guided Threat Hunts offers a library of Pivot Queries for hundreds of hunt packages that enable your threat hunters and analysts to overcome uncertainty and boost productivity. Guided Threat Hunts is a set of packages that assists users modify their result set to decide their next step and filter out noise from extraneous results.
The Lumma infostealer malware collects highly sensitive data including logins and session tokens. Here's how to conduct a threat hunt leveraging up-to-date tactics, techniques and procedures used by Lumma.
After compromising a system, attackers seek ways to maintain persistence. Here's how to threat hunt for a common persistence method used by attackers including DragonForce.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.