Threat hunting for advanced adversaries, such as those that modify Windows registry keys to disable or blind endpoint detection and response (EDR), is anything but straightforward. Running an initial query on a security or data aggregation platform can return large and unwieldy results. With Guided Threat Hunts, threat hunters can weed out noise by trimming large datasets, or pursue the data that supports a hypothesis, to neutralize threats quickly.
Hunting with higher confidence was one of the primary drivers behind the creation of Guided Threat Hunts, a method-driven tool that helps your threat hunters craft queries and filters to quickly identify, report and stop undetected threats. Unique in the industry, Guided Threat Hunts offers a library of Pivot Queries for hundreds of hunt packages that enable your threat hunters and analysts to overcome uncertainty and boost productivity. Guided Threat Hunts is a set of packages that assists users in modifying their result set to decide their next step and in filtering noise out of extraneous results.
Key Benefits
Pivot Queries frame questions for the user about the initial query to help them quickly find new information or context.
- Expert guidance about pivoting after executing an initial threat hunt query
- Helps hunters pivot on notable artifacts worth investigating further
- Guides users through capturing the data inputs that define subsequent pivot queries
- Adds Pivot Queries to HUNTER package to investigate all notable artifacts
- Creates consistent, repeatable Pivot workflows within HUNTER packages
- Drives standard operating procedures (SOP) throughout the team’s threat hunting methodology
- Use assisted filter queries to modify the initial query with exclusions that reduce noise from initial results
- Shortens onboarding of new personnel and accelerates their effectiveness on the team
- Reports and visualizes every decision made through the entire hunting workflow
What are Guided Threat Hunts?
Guided Threat Hunts aids threat hunters in deciding what steps to take next, guiding the user toward questions that deliver relevant information and further context.
- The library of Pivot Queries helps users ask additional questions to get more information or context from initial results
- Filter Queries is a utility that assists users in cutting through the noise of query results, helping them modify the query to refine results and remove extraneous information
The premise of Pivot Queries is that there are often common paths a threat hunter can take after getting a result set from an initial query. If the user is getting results about process details, Guided Threat Hunts can guide them down a path that assists them in asking more questions about the relevant process(es) to track parent process, child processes, or other events related to that initial process.
As part of the Hunt Management Module workbench, Guided Threat Hunts extends threat hunters’ knowledge and accelerates their hunts with speed and confidence.
How does Guided Threat Hunts work?
After an analyst runs the initial query on their security platform, HUNTER uses the results to lead the analyst to relevant Pivot Queries associated with our hunt packages. Guided Threat Hunts helps the user capture data inputs, such as hostnames, process names and process IDs, that can be used in follow-on Pivot Queries. After specifying the captured data, users are provided with suggested Pivot Queries.
Pivot Query recommendations are tailored to the initial query. For example, if a query returns results about system processes, the tool helps the user ask more questions about the processes they are seeing and helps them investigate their parent or child processes, or other events related to that initial process.
Pivot Queries guidance also aids analysts in navigating paths related to events, network connections, and files created by a potentially malicious process, which helps identify behaviors the hunt package was designed to find. After identifying a pivot query that fits the hunt goal, the user can add the pivot query to the HUNTER package and document outcomes of their hunt, including what worked, what didn’t, and how the hunter optimized the query for their environment.
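The workflow described above (initial query, Filter Query exclusions, captured data inputs, then parent/child Pivot Queries) as a small added model in Python. This is illustration code written for this page, not HUNTER's own code or query schema; the event fields, the process tree and the registry paths are constructed sample data.

```python
# Added example: a toy model of the pivot / filter workflow described above. Field
# names, the process tree and registry paths are constructed, not any vendor's real key.
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    host: str
    pid: int
    ppid: int
    process: str
    etype: str    # "process", "registry_set" or "network"
    detail: str   # value written, remote address, or a free-text note

# Constructed sample telemetry from two hosts (not real data).
EVENTS = [
    Event("ws01", 400, 1,   "explorer.exe", "process", "user shell"),
    Event("ws01", 512, 400, "cmd.exe",      "process", "child of explorer"),
    Event("ws01", 640, 512, "reg.exe",      "registry_set", r"HKLM\SOFTWARE\ExampleEDR\Sensor\Enabled=0"),
    Event("ws01", 641, 640, "conhost.exe",  "process", "console host"),
    Event("ws01", 700, 512, "ping.exe",     "network", "10.0.0.5"),
    Event("ws02", 800, 1,   "svchost.exe",  "process", "service host"),
    Event("ws02", 810, 800, "reg.exe",      "registry_set", r"HKLM\SOFTWARE\Policies\ExampleIT\Wallpaper=corp.jpg"),
]

def initial_query(events):
    """Initial hunt query: reg.exe writing registry values (deliberately broad)."""
    return [e for e in events if e.process == "reg.exe" and e.etype == "registry_set"]

def filter_query(results, exclusions):
    """Filter Query: drop hits whose target starts with a known-benign prefix."""
    return [e for e in results if not any(e.detail.startswith(x) for x in exclusions)]

def capture_inputs(results):
    """Data inputs captured for pivoting: (host, pid) of each remaining hit."""
    return sorted((e.host, e.pid) for e in results)

def pivot_parents(events, host, pid):
    """Pivot Query: walk the parent chain on one host from the hit up to the root."""
    by_pid = {e.pid: e for e in events if e.host == host}  # assumes pids unique per host
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].process)
        pid = by_pid[pid].ppid
    return chain

def pivot_children(events, host, pid):
    """Pivot Query: processes and events spawned by the captured pid."""
    return sorted((e.process, e.etype) for e in events if e.host == host and e.ppid == pid)
```

Composing the four steps in order (initial_query, filter_query, capture_inputs, then the two pivots) reproduces the workflow: the benign policy write on ws02 is excluded, and the remaining hit on ws01 pivots to its cmd.exe and explorer.exe ancestry and its conhost.exe child.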
Pivot Queries and Filter Queries are just the beginning of the HUNTER Guided Threat Hunts. These represent one more step on the threat hunting journey that more organizations rely on HUNTER for as they grow and mature their hunt teams.

Image: Boost efficiency and consistency by adding new Pivot Queries to an existing hunt.
Why do Intel 471 Guided Threat Hunts matter?
In short, it’s skills. As more organizations adopt in-house threat hunting as a strategic priority, they need tools to overcome persistent shortages of seasoned threat hunters and to upskill available analysts. Building a threat hunting team can be expensive, but it doesn’t need to be with the CTI-driven hunt content, contextualization, and documentation written by Intel 471’s experts.
HUNTER’s expanding library of intelligence-driven behavioral threat hunt packages helps teams and individuals perform more efficient, accurate, and consistent threat hunts for behaviors on all major EDR/XDR, NDR, SIEM and data platforms. The Hunt Management Module enables teams to measure hunt success metrics and outcomes that demonstrate return on investment.
Guided Threat Hunts on HUNTER also helps threat hunt programs implement standard operating procedures (SOPs) that support their methodology for structured threat hunting, lowering the cost of onboarding new threat hunters while making the team more effective.
Our hunt packages are developed by Intel 471 threat hunters, who do the heavy lifting of researching threat intelligence and writing hypothesis-based behavioral hunts that cover 90 percent of advanced threats.
Guided Threat Hunts furthers Intel 471's mission of helping threat hunters perform more accurate, efficient and consistent hunts for advanced threat behaviors that evade traditional detection methods.