As organizations explore the use of threat hunting techniques, one important concept they can benefit from learning about is structured hunting (sometimes referred to as hypothesis-based threat hunting). This type of hunting is still very underutilized by most organizations today, but maturing programs can reap some of the biggest gains from their efforts when they incorporate structured threat hunting into their threat hunting programs.
UNSTRUCTURED VS. STRUCTURED THREAT HUNTS
Structured threat hunting stands in contrast to the more prevailing method of unstructured (referred to variously as adhoc or data-driven hunting) threat hunting.
Unstructured threat hunts tend to be free-flowing ad hoc affairs that are primarily data-driven from internal log sources. Hunters dig through logs opportunistically and leverage simple data manipulation techniques like searching with pivot tables or other methods by analysts, and it often relies primarily on investigative methodologies such as the principle of least seen in order to pick out anomalies in the data.
These hunts are perfectly valid, but because they are ad hoc in nature, they’re very one-dimensional and opportunistic, relying mostly on the luck of the hunter to identify malicious activities. Unstructured threat hunts by their very nature cannot be consistently fruitful and rarely find the most advanced threats lurking in an environment. While unstructured threat hunting is still more proactive than traditional protection mechanisms — like relying on reactive technologies such as antivirus — the category tends to foster some of the least proactive threat hunting techniques employed by organizations.
Meanwhile, on the other side of the coin, structured threat hunts are more formal searches for tactics used by attackers, specifically by looking at the specific techniques and behavioral patterns they employ. They’re called structured threat hunts because each one is built around a central hypothesis about specific attackers and their associated tactics, techniques, and procedures (TTPs). This theorem usually takes the form of a falsifiable, formalized statement that’s driven by an organization’s external threat intelligence sources.
CREATING A THREAT HUNTING HYPOTHESIS
When an organization creates a threat hunting hypothesis around which a hunt will be structured, they utilize threat intelligence capabilities to uncover actors or threats that are likely to target the organization, their industry, their geography, or even specific elements of their critical IT infrastructure. By prioritizing these potential threats and using threat intelligence to break down how the threats are known to operate and what TTPs they use, then a threat hunting team can create testable and scientific hypothesis.
One example could be if threat hunters see that threat intelligence shows that a specific threat actor is targeting organizations in the same vertical and geography as theirs. If that threat actor is known to be actively targeting specific vulnerable infrastructure (such as VPN entry points) in order to establish a beachhead, and the threat hunters’ organization is also known to use that particular vulnerable technology, the hypothesis could then be that this actor may well have targeted the threat hunters’ organization by exploiting a vulnerability in their VPN technologies to establish a beachhead, and stage their tools. This hypothesis would then form the basis for a structured hunt.
DEVELOPING A HUNT PLAN
Establishing a hypothesis is just the first step in beginning a structured threat hunt. To get this type of hypothesis-based threat hunting right, a team will also need what’s called a hunt plan. The hunt plan sets a course for the threat hunting techniques and methodologies the team will use to prove, or disprove, the hypothesis. The plan should be a formal document that will often include:
- the hypothesis,
- the log sources required (or the blind spots and alternative log courses),
- approvals from all of the relevant stakeholders,
- points of escalation and contingencies in the event of either breaking something in the process or discovering a security incident,
- points of handoff in the event that threat hunters need to hand off discoveries to incident handlers, responders, or other relevant authorities in an organization,
- findings from the hunt, and
- points for improvement from any feedback sessions or after-action reviews.
The hunt plan is a living document, and at the end of the day it will also contain the threat hunt findings for future learning across the entire security organization.
As organizations continue to mature their threat hunting programs, it is vital that they move away from relying exclusively on ad hoc unstructured hunting, and instead incorporate structured threat hunting so as to improve their ability to detect threats, as well as more consistently identify advanced actors and techniques.
Read more on what it takes to mature threat hunting programs: You Can Only Hunt What You Can See: Best Network Log Sources for Threat Hunting.