Threat hunting is a practice that can generate significant benefits for organizations. Yet, many organizations still often ask the simple and pointed question: “How do I hunt?” The answer to that question is as varied as the number of people asking it. This often leaves organizations and teams unsure where to begin, and how to get started. As a result, we have put together a list of the most common threat hunting tactics and techniques. This list will enable organizations to begin their hunts.
Structured v. Unstructured Hunting
We have already covered the topic of structured versus unstructured hunting in depth. At its core though, structured hunting uses a central hypothesis to guide the hunt. Unstructured hunting employs more general statistics- and data-driven approaches to hunting.
Threat Hunting Tactics
Threat hunters use a variety of tactics when they are planning a hunt. The tactic describes the primary driver for the hunt.
Intelligence-Driven
Among threat hunting tactics, intelligence-driven hunting is heavily used in structured hunts. This type of hunting revolves around threat intelligence reporting, often involving active exploitation. Hunters, when alerted to this activity, craft their hypothesis and plan their hunt. Intelligence-driven hunts are not built on indicators; instead, these hunts look for specific behaviours of actors and their tools.
Target-Driven
Another of the most common threat hunting tactics is target-driven hunting. It is a tactic that acknowledges that hunt teams have limited time and resources. This type of hunting prioritizes the assets adversaries are most likely to target. These will often include authentication systems, data repositories, and cloud-based infrastructure. This type of hunting allows organizations to make the most effective use of limited resources.
Technique-Driven
Technique-driven hunting is another of the most common threat hunting tactics. It focuses on a specific attack technique. These techniques are often — but not only — based on the MITRE ATT&CK framework. The choice of technique will depend on a variety of factors, including the applicability of the technique in the environment. This tactic is quite useful for hunting hidden threats in an environment. But this tactic can also prove invaluable for organizations learning about their environment.
Threat Hunting Techniques
In conducting a hunt, threat hunters also use a variety of techniques to analyze the data they gather. This allows them to quickly identify anomalies which they can then begin to dig into. It is important to note that hunters don’t need any fancy toolsets to do this analysis. Often a command line, a spreadsheet, and free graphing tools are enough to get started.
Volumetric Analysis
Volumetric analysis looks at… well, volume. This type of hunting looks at the volume of a particular data set. This method is often applied to network analysis to identify outliers. These outliers can be either the most-seen or the least-seen values. For instance:
- How much data did endpoints send out of the network?
- Which endpoint sent the most data?
- What external IP had the most number of blocked connections?
- Which systems have had the longest sessions?
- What systems have had the most AV alerts?
- Outbound network source – This shows hosts that may be bypassing web content filtering.
- Domain Name Servers – This will reveal hosts that may be using non-standard DNS servers.
- User Agent Strings
- High (ephemeral) port numbers
- Specific file names and their locations
- Installed programs across an organization
- Process names and execution paths across a department
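The volumetric questions above can be answered with nothing more than a counter over log lines, as the text says. The following is an added example, not code from the original article: it parses constructed firewall/proxy log lines (the format, the IP addresses, and the set of sanctioned DNS resolvers are all assumptions) and answers three of the questions: bytes sent out per endpoint, the external IP with the most blocked connections, and the least-seen case of hosts using a DNS server other than the sanctioned ones.

```python
from collections import Counter

# Constructed sample log lines (not real traffic), one connection per line:
# time src_ip dst_ip dst_port action bytes_out
SAMPLE_LOGS = """\
10:00:01 10.1.1.5 93.184.216.34 443 ALLOW 120000
10:00:02 10.1.1.7 93.184.216.34 443 ALLOW 8000
10:00:03 10.1.1.5 203.0.113.9 443 ALLOW 950000
10:00:04 10.1.1.9 203.0.113.9 22 BLOCK 0
10:00:05 10.1.1.9 203.0.113.9 22 BLOCK 0
10:00:06 10.1.1.7 198.51.100.4 53 ALLOW 300
10:00:07 10.1.1.5 198.51.100.77 53 ALLOW 200
10:00:08 10.1.1.9 198.51.100.4 53 ALLOW 250
10:00:09 10.1.1.12 203.0.113.9 3389 BLOCK 0
"""

def parse(text):
    """Turn the whitespace-separated log lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        _ts, src, dst, port, action, nbytes = line.split()
        rows.append({"src": src, "dst": dst, "port": int(port),
                     "action": action, "bytes": int(nbytes)})
    return rows

def bytes_out_per_host(rows):
    """Most-seen: total bytes each internal endpoint sent out (allowed flows only)."""
    totals = Counter()
    for r in rows:
        if r["action"] == "ALLOW":
            totals[r["src"]] += r["bytes"]
    return totals

def blocked_by_external_ip(rows):
    """Most-seen: number of blocked connections per external destination IP."""
    return Counter(r["dst"] for r in rows if r["action"] == "BLOCK")

def dns_server_outliers(rows, sanctioned):
    """Least-seen: port-53 destinations that are not the sanctioned resolvers."""
    seen = Counter(r["dst"] for r in rows if r["port"] == 53)
    return {dst: n for dst, n in seen.items() if dst not in sanctioned}

if __name__ == "__main__":
    rows = parse(SAMPLE_LOGS)
    print("top talker:", bytes_out_per_host(rows).most_common(1))
    print("most blocked:", blocked_by_external_ip(rows).most_common(1))
    print("odd resolvers:", dns_server_outliers(rows, {"198.51.100.4"}))
```

The same counters map directly onto a spreadsheet pivot table or a `sort | uniq -c | sort -n` pipeline; the point is the question, not the tool.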
Conclusion
Sometimes organizations can struggle with the practical application of threat hunting. This is often because every hunt team will look at problems in a different light and apply their own tools. However, understanding some of the common tactics and techniques can allow teams to get started faster. If you enjoyed this topic, dig even deeper into threat hunting and how to follow up on threat hunting findings.