“Looking through historical Cisco AMP endpoint data for indicators of compromise, we saw a suspicious binary dropper that had been deleted by the user. We recovered the binary by restoring the single file from the user’s (corporate) backup archive and were able to reverse it and extract additional indicators (C2 hostnames) that we then applied to all our network telemetry. This yielded additional affected hosts that didn’t trigger on the original dropper’s hash.”
As to the how, there are a number of ways to approach a threat hunting exercise. The resources and skills you have available will determine how detailed a threat hunting campaign you can carry out.
In the following section we start out with simple, basic ways to get started in threat hunting, then work our way up in complexity. The idea here is that, after every threat hunting exercise, you can build upon what you’ve learned. Establishing playbooks, automation, and policy changes where needed gives you a foundation to move on into more advanced techniques.
Sometimes, the simplest threat hunting activities stem from research or reports on newly discovered threats. It’s common practice these days to publish indicators of compromise (IoCs) alongside research for others to use. These data points generally consist of IP addresses, URLs, domains, and file hashes, along with any other artifacts that characterize the threat.
One of the simplest ways to kick off a threat hunting exercise is to check the logs from your systems against published IoCs. Command line tools or simple scripts can be enough to get you started. Using a SIEM is another way to quickly compare IoCs to logs. There are also more advanced security products that facilitate threat hunting by letting you paste IoCs into a dashboard and see whether they have appeared in your environment. Once you are comfortable with these activities, it’s time to dive deeper into the logs and start discovering indicators that nobody has published yet. This is where data analytic skills come into play. Applying statistical techniques to logs, such as clustering or frequency distribution, can surface anomalies: a domain contacted by one host when every other host talks to the same few hundred, or a system utility that only runs on one machine. Ultimately you’re working toward the top of the Pyramid of Pain, where you identify the attacker’s TTPs rather than easily changed artifacts like hashes and IP addresses.
Some may argue that simply checking the logs against known IoCs isn’t true threat hunting. The reasoning goes that you’re simply matching 1:1. In their view, to qualify as threat hunting you have to dig deeper than that. This is where creativity plays a part. You have to come up with a hypothesis about where a threat may reside, the vectors it may have used to get there, or the techniques it employed. The following are a few ideas for the sort of investigations you might carry out.
Filter out those that are expected and see if any of those that remain are suspicious.
malicious tools, as many threats use local tools to mask their actions. Clear out the regular downloads you’re expecting and focus on the rest.
Any cases where the behavior seems out of the ordinary are prime areas to dig deeper and find the root cause. However, it’s important to approach anything you find with caution. Just because something looks weird doesn’t necessarily mean it’s a bad actor. Be sure to compare your findings against other data sources before reaching any conclusions. At the same time, if you’re the seasoned vet on the team, don’t assume you’ve seen it all before. Instead, try to prove that it isn’t a threat. If you can’t do so offhand, then dig deeper.
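The three stages described above (matching logs against published IoCs, then a frequency distribution over whatever the IoCs did not explain with the expected traffic filtered out, then pivoting from a confirmed hit to new indicators as in the AMP story quoted earlier) can be sketched in a few dozen lines. The following is an added example and not code from the original paper or from any Cisco product; the log lines, hostnames, domains and the one-entry IoC feed are constructed for illustration (the `.example` TLD is reserved and resolves nowhere).

```python
"""Starter hunts over proxy-style log lines (added example, constructed data):
stage 1 exact IoC matching, stage 2 frequency distribution over the unexplained
remainder, stage 3 pivot from confirmed hits to new indicators."""
from collections import defaultdict

# Constructed sample telemetry (hypothetical hosts, users and domains).
# Fields: timestamp host user process destination
SAMPLE_LOGS = """\
2023-03-01T09:00:01 ws-0101 alice outlook.exe mail.corp.example
2023-03-01T09:00:03 ws-0101 alice chrome.exe cdn.vendor.example
2023-03-01T09:01:10 ws-0102 bob chrome.exe cdn.vendor.example
2023-03-01T09:02:44 ws-0103 carol outlook.exe mail.corp.example
2023-03-01T09:03:05 ws-0104 dave chrome.exe cdn.vendor.example
2023-03-01T09:05:17 ws-0102 bob powershell.exe update-check.badcdn.example
2023-03-01T09:05:20 ws-0102 bob powershell.exe s3-sync.odd-host.example
2023-03-01T09:06:00 ws-0105 erin certutil.exe s3-sync.odd-host.example
2023-03-01T09:07:30 ws-0101 alice chrome.exe mail.corp.example
2023-03-01T09:08:12 ws-0103 carol rundll32.exe cdn.vendor.example
"""

# Constructed IoC feed, standing in for indicators pasted from a published report.
KNOWN_IOCS = {"update-check.badcdn.example"}

# Values we expect to see on many hosts; removed before we look at the tail.
EXPECTED_DESTINATIONS = {"mail.corp.example", "cdn.vendor.example"}
EXPECTED_PROCESSES = {"outlook.exe", "chrome.exe"}


def parse_logs(text):
    """Split whitespace-delimited lines into field dicts."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, host, user, process, dest = line.split()
            records.append({"ts": ts, "host": host, "user": user,
                            "process": process, "dest": dest})
    return records


def match_iocs(records, iocs):
    """Stage 1, the 1:1 match: records whose destination is a known IoC."""
    return [r for r in records if r["dest"] in iocs]


def long_tail(records, field, expected, max_hosts=1):
    """Stage 2, frequency distribution: for each value of `field`, count the
    distinct hosts it appears on and keep rare values not on the expected list.
    Returns {value: sorted hosts}."""
    hosts_by_value = defaultdict(set)
    for r in records:
        hosts_by_value[r[field]].add(r["host"])
    return {v: sorted(h) for v, h in hosts_by_value.items()
            if v not in expected and len(h) <= max_hosts}


def pivot_from_hits(records, hits, expected, iocs):
    """Stage 3, pivot: other unexpected destinations contacted by hosts that hit
    an IoC become candidate indicators; search all records for them so hosts
    that never touched the original IoC are still found. Returns {indicator: hosts}."""
    infected = {r["host"] for r in hits}
    candidates = {r["dest"] for r in records
                  if r["host"] in infected
                  and r["dest"] not in expected and r["dest"] not in iocs}
    found = defaultdict(set)
    for r in records:
        if r["dest"] in candidates:
            found[r["dest"]].add(r["host"])
    return {d: sorted(h) for d, h in found.items()}


def run_hunt(text=SAMPLE_LOGS):
    """Run all three stages and return the findings as one dict."""
    records = parse_logs(text)
    hits = match_iocs(records, KNOWN_IOCS)
    return {
        "ioc_hosts": sorted({r["host"] for r in hits}),
        "rare_destinations": long_tail(records, "dest", EXPECTED_DESTINATIONS, max_hosts=2),
        "rare_processes": long_tail(records, "process", EXPECTED_PROCESSES, max_hosts=1),
        "pivot": pivot_from_hits(records, hits, EXPECTED_DESTINATIONS, KNOWN_IOCS),
    }


if __name__ == "__main__":
    for name, finding in run_hunt().items():
        print(f"{name}: {finding}")
```

On the constructed data the IoC match alone flags only `ws-0102`. The pivot then promotes `s3-sync.odd-host.example` to a candidate indicator because the same host contacted it, and searching all telemetry for that name also surfaces `ws-0105`, which never touched the original IoC. The process tail lists `powershell.exe`, `certutil.exe` and `rundll32.exe` as single-host outliers; as the text cautions, each of those needs corroboration from another data source before it is called malicious, since rare is not the same as bad.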
You’ve managed to identify a threat within your network, pinpoint what allowed the attackers to get in, and take measures to prevent it from happening again. However, the next time you run a threat hunting exercise, you find the attackers have gotten back in another way. If your organization is constantly the victim of attacks, it might be worth your while to investigate who is attacking, the infrastructure they are using, and attempt to get the group shut down.
“I really started to understand and value threat hunting in 2011 on the heels of the RSA hack. I found myself in meeting after meeting discussing how we could detect this type of threat. It really made us think differently. We also realized what sorts of visibility gaps we had. Over the years the various teams I’ve been on have leveraged hunting in many different ways: either proactively following a hunch, responding to an incident, or being diligent after reading the latest security news. I can honestly say that after more than eight years of leveraging threat hunting in various capacities, it’s a no-brainer that I consider it a critical component for every successful security program.”
However, this is not a suggestion to practice offensive hacking. As tempting as it may be, there are a number of problems with going that route. For starters, if you attack a malicious infrastructure, there’s a good chance the attackers will notice and hit back twice as hard. However, their motivation this time may not be to steal info, but rather revenge—disabling or destroying systems as they go. Another reason not to hack back is that in most locations in the world doing so is illegal. Despite the fact that the systems in question are performing illegal activities, offensive hacking is still hacking. The good news is that there is still plenty that can be done. The IoCs of an attack can reveal a lot about the attackers without even having to touch their networks. The best approach to get malicious actors shut down is to gather up any IoCs you can uncover, from hashes all the way to TTPs, build a profile of the attacker, and then turn these details over to the appropriate law enforcement agencies.
These authorities have the legal means to pursue an attacker and shut down their infrastructure.
Of course, for all but the largest and most targeted organizations, this isn’t something that can easily be done in-house. As a result, the lion’s share of organizations can and should rely on external security research teams that have made investigating such attacks their mandate. Threat intelligence organizations, like Talos Intelligence or Cisco’s Incident Response Services, are here to help in such cases.