Threat hunting has continued to grow as a hot topic in the security community. Despite the volume of discussion, I still see a few fundamental mistakes that lead to less than successful threat hunts. This week I will cover five areas where I commonly see threat hunting programs go wrong. In coming weeks I will dissect each area, walk through each item in depth and show how to avoid the common mistakes.
Your Plan Was Not Comprehensive Enough
A good threat hunt starts with a solid plan and a defined end goal. While random hunting in your environment might eventually find an adversary, the odds of uncovering an attacker improve with a plan. A plan ensures that you both collect the right data and use the proper analytic techniques for reaching the defined end goal. Hypotheses serve as the analytic questions that guide your analysis toward the overall objective of the hunt. At a minimum, your threat hunt plan should state the threat actor TTP (or the part of the environment) you are looking for, where you are looking, and what you hope to achieve with the hunt. These three parts of the plan define the subset of data you need to collect and the hunt TTP you need to use to analyze that data. At the end of a hunt, review the effectiveness of both your data collection sources and your hunt TTP against the plan.
You Did Not Collect the Right Data
The end goal of your hunt and the hypotheses you develop to support that end goal depend on collecting the right data. However, how do you know what data is "right?" If you are hunting for ELECTRUM, the activity group responsible for the 2016 CRASHOVERRIDE Ukrainian power outages, the information you need to test your hypotheses will be different than if you were hunting COVELLITE, the activity group that targeted North American electric grid operators in 2017. While you might have some overlap if the adversaries share a tool or use open source tools, the TTP of the two activity groups differ. Visibility is another major factor when collecting the "right" data: if your sensors cannot observe the network segment or protocol where a TTP would appear, no amount of collection elsewhere will confirm or rule out that TTP.
Central to a threat hunt is understanding which attacker TTP you are looking for and which data in your network supports discovering that TTP. Threat intelligence and internal research on attacker TTP fill this gap. If you do not know what your attacker looks like on your network, your hunt will not be as successful. Understanding adversary TTP is crucial to knowing what data is "right" for the threat hunt.
You Did Not Collect Enough Data
Time travel, unfortunately, hasn't been invented just yet. While it is always possible to schedule a new collection for missing data, you might not get the opportunity to see the same activity again. As an attacker progresses through the ICS kill chain, some steps occur for much shorter durations than others. Consider a very well-timed packet capture that happens to catch the attacker's pivot from the IT network into the OT network. The exploit and install/modify stages might occur at only one point in time. If your original data collection was not comprehensive enough to capture all relevant data, a subsequent collection might see only command and control behavior. You can always pare collected data down, but you can never travel into the past to recollect data you missed.
You Did Not Use the Right Hunt TTP
Collecting data is often the easier part of a threat hunt. What you do with the information you gather is equally essential. Hunt TTP are the analytic techniques used to process data, and they should focus on using the collected data to uncover the adversary TTP defined in your hunt plan. Applying the wrong hunt TTP to a dataset means your analysis will be less effective, or not targeted at your end goal at all.
I'm a big fan of threat hunting playbooks. A hunting playbook might target a particular activity group's TTP or more generic hacking TTP. The advantage of using playbooks when you hunt is that they enforce rigor and make the hunting process repeatable. Playbooks let you plan your hunt techniques before the hunt begins, which usually results in more comprehensive hunts. Playbooks should not stop an analyst from exploring a dataset; however, analysts should complete all playbook actions at a minimum to ensure the hunt is comprehensive.
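As an added example (not code from the original post), here is a minimal, vendor-neutral playbook runner in Python that ties the earlier points together: each hypothesis names the adversary TTP it targets, the data sources that must exist to test it, and the hunt TTP (analytic) that processes that data. Running the playbook reports both findings and which hypotheses could not be tested because the "right" data was never collected. The Zeek conn.log field names are real; the IT/OT address ranges, the hypotheses, the internal DNS suffix and the sample records are all constructed assumptions.

```python
"""Hypothetical hunt playbook runner (added example, not the post author's code).

Assumptions: IT hosts live in 10.1.0.0/16 and OT hosts in 10.2.0.0/16;
collected data is a dict keyed by Zeek log type (e.g. "conn", "dns").
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Assumed site addressing (constructed for this example).
IT_NET = ipaddress.ip_network("10.1.0.0/16")
OT_NET = ipaddress.ip_network("10.2.0.0/16")
REMOTE_ADMIN_PORTS = {22, 3389, 5900}  # SSH, RDP, VNC
INTERNAL_DNS_SUFFIX = ".corp.example"  # assumed internal zone


@dataclass(frozen=True)
class Hypothesis:
    """One analytic question from the hunt plan: the adversary TTP it targets,
    the data sources needed to test it, and the hunt TTP that tests it."""
    name: str
    adversary_ttp: str
    data_sources: tuple
    analytic: Callable[[dict], list]


def _ip(value):
    return ipaddress.ip_address(value)


def it_to_ot_remote_admin(data):
    """Hunt TTP: IT-sourced connections to OT hosts on remote-admin ports (pivot)."""
    hits = []
    for rec in data["conn"]:
        src, dst = _ip(rec["id.orig_h"]), _ip(rec["id.resp_h"])
        if src in IT_NET and dst in OT_NET and rec["id.resp_p"] in REMOTE_ADMIN_PORTS:
            hits.append(f"{src} -> {dst}:{rec['id.resp_p']}")
    return hits


def ot_to_external(data):
    """Hunt TTP: OT hosts talking to anything outside the IT and OT ranges
    (candidate command and control)."""
    hits = []
    for rec in data["conn"]:
        src, dst = _ip(rec["id.orig_h"]), _ip(rec["id.resp_h"])
        if src in OT_NET and dst not in IT_NET and dst not in OT_NET:
            hits.append(f"{src} -> {dst}:{rec['id.resp_p']}")
    return hits


def ot_external_dns(data):
    """Hunt TTP: OT hosts resolving names outside the internal zone."""
    return [rec["query"] for rec in data["dns"]
            if _ip(rec["id.orig_h"]) in OT_NET
            and not rec["query"].endswith(INTERNAL_DNS_SUFFIX)]


PLAYBOOK = [
    Hypothesis("it_to_ot_pivot", "Pivot from IT into OT over remote-admin protocols",
               ("conn",), it_to_ot_remote_admin),
    Hypothesis("ot_c2", "OT host connecting to external infrastructure",
               ("conn",), ot_to_external),
    Hypothesis("ot_dns", "OT host resolving external domain names",
               ("dns",), ot_external_dns),
]


def run_playbook(playbook, collected):
    """Run every hypothesis and record which ones the collected data can actually test.
    An untestable hypothesis is a data-collection gap, not a clean result."""
    report = {}
    for hyp in playbook:
        missing = [s for s in hyp.data_sources if s not in collected]
        if missing:
            report[hyp.name] = {"status": "untestable", "missing": missing, "findings": []}
        else:
            report[hyp.name] = {"status": "tested", "missing": [],
                                "findings": hyp.analytic(collected)}
    return report


# Constructed sample collection: Zeek-style conn records only; no dns.log was gathered.
SAMPLE_COLLECTED = {
    "conn": [
        {"ts": 1700000000, "id.orig_h": "10.1.5.20", "id.resp_h": "10.2.1.10", "id.resp_p": 3389, "proto": "tcp"},
        {"ts": 1700000300, "id.orig_h": "10.1.5.20", "id.resp_h": "10.2.1.11", "id.resp_p": 22, "proto": "tcp"},
        {"ts": 1700000600, "id.orig_h": "10.2.1.10", "id.resp_h": "10.2.1.50", "id.resp_p": 502, "proto": "tcp"},
        {"ts": 1700000900, "id.orig_h": "10.2.1.10", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "proto": "tcp"},
        {"ts": 1700001200, "id.orig_h": "10.1.7.3", "id.resp_h": "10.1.7.4", "id.resp_p": 445, "proto": "tcp"},
    ]
}


if __name__ == "__main__":
    for name, result in run_playbook(PLAYBOOK, SAMPLE_COLLECTED).items():
        print(f"{name}: {result['status']} missing={result['missing']} findings={result['findings']}")
```

On the constructed data the pivot hypothesis finds two IT-to-OT remote-admin sessions and the C2 hypothesis finds one OT host reaching an external address, while the DNS hypothesis is reported as untestable because dns.log was never collected. That last line of the report is the point: the playbook makes a collection gap visible at hunt time rather than letting it pass silently as "nothing found".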
Your Hunt Plan Was Not Vendor Neutral
There are a lot of excellent threat hunting tools out there. Hunting tools let you automate parts of both collection and analysis so you can cover larger portions of your network and larger datasets. I am not saying that you should not use threat hunting tools; rather, you should understand what these tools do. If you rely only on a threat hunting tool without understanding the hunting TTP the tool uses, you risk the tool not being relevant to the attacker TTP you hope to uncover. When considering a threat hunting tool, make sure you understand what the tool does and what options you have for adding your own TTP. Understand both whether and how often the vendor is willing to share which TTP the tool uses. A threat hunting tool is only an extension of your TTP; if the tool does what you are already doing without an efficiency boost, or does not otherwise add value, think twice about whether you need to buy it. Your overall hunting plan should be vendor agnostic and focused on which hunting TTP you are using to discover the targeted attacker TTP.
Wrapping Up
If you consider these five areas, your hunting efforts will improve immensely. As mentioned at the beginning of this post, each area will be covered in upcoming posts over the next few weeks. Planning a comprehensive threat hunt does not have to be a laborious process, but it should be structured to ensure you meet your defined end goals, collect the right data and apply the correct hunting TTP to uncover the targeted adversary TTP.
If you have any questions or want to chat sooner, feel free to reach out to me on Twitter @dan_gunter, LinkedIn or via email using the contact information on the contact page.