A THREAT HUNTING LOOP FOR STRUCTURED HUNTING

  • Security Analysis? Check.
  • Incident Handling? Check.
  • Digital Forensics and Incident Response? Double Check.

Putting a New Spin on an Old(er) Threat Hunting Loop

To show that an organization's threat hunting is consistent and repeatable, and therefore reliable, hunting needs to follow a defined cycle. Previous threat hunting cycles have been proposed under names such as the Threat Hunting Loop and the Threat Hunting Lifecycle. Each has merit, but each also has shortcomings. At Cyborg Security we have tried to address those shortcomings and to account for considerations specific to structured threat hunting. The result is what we call a threat hunting cycle, or more formally a Threat Hunting Loop for Structured Hunting.

Introducing The Threat Hunting Loop for Structured Hunting

Hypothesis

Just as every journey begins with a single step, the threat hunting loop begins with a hypothesis. This step is crucial because it forms the core question the hunt seeks to answer. It does not need to be a hypothesis in the high school science class sense; rather, it should be a formal statement of what will be investigated. For structured hunting, the hypothesis is typically tested with techniques such as

  • frequency analysis, and
  • statistical analysis.

Requirements

The next step in the Threat Hunting Loop for Structured Hunting is developing requirements: the data needed to prove or disprove the hypothesis. Early on, these requirements are usually obvious. For example, observing user agent strings requires HTTP-layer metadata such as web proxy logs or Zeek http.log records; NetFlow alone records the flow tuple and volume, not HTTP headers. As an organization matures in its hunting, the requirements phase will start to surface limitations in its data collection. For example:

  • Proxy or NetFlow data is only retained for 2 days across the organization, or
  • A NetFlow sensor is placed outside of the network segment it is meant to monitor.
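The following is an added example, not code from the original post, showing the kind of frequency analysis named in the Hypothesis section applied to the user agent requirement discussed above. It tests a hypothesis such as "a host on our network is presenting a user agent string that no other host uses" by stacking user agents against the distinct source hosts that present them and surfacing the long tail. The log format, field names, sample records and IP addresses are all constructed for illustration; adapt the regular expression to your own proxy or Zeek http.log layout.

```python
"""Frequency analysis ("stacking") of HTTP user agent strings.

Added example, not from the original post. Assumes a hypothetical proxy
log with one request per line in the form
    <timestamp> <src_ip> <method> <url> <status> "<user_agent>"
The sample lines below are constructed; the IP addresses are not real hosts.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample proxy log for illustration only. One line is deliberately
# malformed to show that parse failures are counted rather than silently lost.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 10.1.1.10 GET http://intranet.example/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2024-03-01T09:00:02Z 10.1.1.11 GET http://intranet.example/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2024-03-01T09:00:03Z 10.1.1.12 GET http://intranet.example/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2024-03-01T09:00:04Z 10.1.1.13 GET http://intranet.example/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/122.0"
2024-03-01T09:00:05Z 10.1.1.10 GET http://news.example/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2024-03-01T09:00:06Z 10.1.1.21 GET http://203.0.113.7/api 200 "python-requests/2.31.0"
2024-03-01T09:00:07Z 10.1.1.21 POST http://203.0.113.7/api 200 "python-requests/2.31.0"
2024-03-01T09:00:08Z 10.1.1.14 GET http://203.0.113.9/ 200 ""
2024-03-01T09:00:09Z 10.1.1.11 GET http://intranet.example/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/122.0"
this line is malformed and must be skipped
"""

# Hypothetical line layout; the user agent is the quoted final field and may be empty.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Request:
    ts: str
    src: str
    method: str
    url: str
    status: int
    user_agent: str


def parse_proxy_log(text: str) -> tuple[list[Request], int]:
    """Parse log text into Request records.

    Returns (records, skipped). Lines that do not match the expected layout are
    counted in `skipped` so a collection or parsing gap shows up in the results
    instead of quietly shrinking the data set the hypothesis is tested against.
    """
    records: list[Request] = []
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            skipped += 1
            continue
        records.append(
            Request(match["ts"], match["src"], match["method"], match["url"],
                    int(match["status"]), match["ua"])
        )
    return records, skipped


def stack_user_agents(records: list[Request]) -> dict[str, set[str]]:
    """Map each user agent string to the set of distinct source hosts presenting it."""
    hosts_by_ua: dict[str, set[str]] = defaultdict(set)
    for r in records:
        hosts_by_ua[r.user_agent].add(r.src)
    return dict(hosts_by_ua)


def user_agent_prevalence(records: list[Request]) -> dict[str, float]:
    """Share of all observed source hosts that present each user agent (0.0 to 1.0)."""
    stacked = stack_user_agents(records)
    all_hosts = {r.src for r in records}
    return {ua: len(hosts) / len(all_hosts) for ua, hosts in stacked.items()}


def rare_user_agents(records: list[Request], max_hosts: int = 1) -> list[tuple[str, list[str]]]:
    """User agents presented by at most `max_hosts` distinct hosts, least common first.

    An empty user agent is kept as its own value rather than dropped, because a
    missing header is itself a common trait of scripted tooling.
    """
    stacked = stack_user_agents(records)
    rare = [(ua, sorted(hosts)) for ua, hosts in stacked.items() if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


if __name__ == "__main__":
    recs, bad = parse_proxy_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} requests, skipped {bad} malformed line(s)")
    for ua, share in sorted(user_agent_prevalence(recs).items(), key=lambda kv: kv[1]):
        print(f"{share:5.1%}  {ua!r}")
    print("rare user agents:", rare_user_agents(recs))
```

Stacking by distinct hosts rather than by request count matters: a single scripted host can generate thousands of requests and would look common under a raw request count, but it still stands out as one host among many. The `skipped` count is the kind of limitation the Requirements phase is meant to surface.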

Plan

Next in the Threat Hunting Loop for Structured Hunting is the Plan phase. For every hunt, the hunt team must develop a formal plan. The team should write out the Hunt Plan and include all the relevant details, including

  • the technical and operational requirements from the Requirements phase,
  • support from external teams that the hunters need,
  • what actions hunters will carry out during the hunt,
  • how hunters will confirm their findings,
  • agreed escalation paths for incidents discovered during the hunt,
  • points for improvement taken throughout the hunt, and
  • appropriate sign-offs for privacy and risk managers.

Hunt

With the logistical phases out of the way, it is time to look at the operational phases. The next phase in the Threat Hunting Loop for Structured Hunting is the Hunt phase, which encompasses the actual execution of the hunt against the data identified in the Requirements phase and according to the Hunt Plan.

Enrich

Organizations often face challenges with threat hunting because it can be an uncertain discipline: a hunt may conclude without finding anything. That uncertainty can be offset by ensuring the organization sees ongoing benefit from every hunt, and one of the best ways to create that benefit is the Enrichment phase. In this phase of the Threat Hunting Loop for Structured Hunting, hunters analyze their findings and document

  • analysis techniques,
  • suggested remediations, and
  • false positives.

Feedback

The final phase in the Threat Hunting Loop for Structured Hunting is the Feedback phase. This phase is often overlooked by less mature hunt teams, but it is crucial for organizations seeking to mature their threat hunting, because it is where lessons from the Enrichment phase feed back into the next hypothesis, the requirements and the plan.

Closing the Threat Hunting Loop for Structured Hunting

The value that threat hunting provides to an organization can be immense. Many people will point to specific tactical successes by their hunt teams as evidence of that, but the operational and strategic value of threat hunting is the ongoing defense it provides. To realize this benefit, threat hunting must be both rigorous and repeatable. Establishing and adhering to a formalized cycle helps hunt teams ensure that their hunts remain consistent.

Cyborg Security