The threat hunting model
An effective threat hunt generally involves seven sequential stages:
- Defining the purpose
- Establishing the scope
- Collecting and analyzing the data
- Reviewing the plan
- Executing the plan
- Concluding the hunt
- Analyzing the feedback
Now, let's go through each of the stages.
Defining the purpose
The first step in planning an effective threat hunt is to define the purpose. This will focus on the goals that the threat hunt aims to accomplish for the organization.
The purpose of the threat hunt should address these questions:
- Why should the threat hunt be executed?
- What is the desired outcome of the hunt?
Answering these questions will guide you in developing your threat hunting process.
Establishing the scope
The second step is to establish the scope of the hunt.
This step includes identifying and defining the following:
- The specific systems and networks that will be explored in the hunt.
- The hypothesis or analytical questions to be answered.
The first statement aims to define the systems involved in the hunt. Hunters need to define the networks that will be explored, the subnet or subnets that need to be scrutinized within the network, and the host data which will support the hunt. Threat hunters must ensure that the defined scope of analysis is in line with the overall purpose of the hunt. A common mistake made while defining the scope of the hunt is to make the scope too narrow at the expense of missing the attacker's presence in the environment. For example, defining a specific portion of the network that the adversary might not have reached yet. Phased expansion of the scope can help reveal new information without overloading the analyst with too much data.
Defining the hypothesis or analytical questions to answer helps to refine the direction of the threat hunt further. An example of a hypothesis for an organization hunting for a ransomware attack would be, "If Ryuk (ransomware) uses its file encryption technique (attack signature), a subset of activities consistent with the behavior of the WannaCry ransomware can be observed." Threat intelligence plays a significant role in this step as it provides threat hunters with a context to create a hypothesis targeted at the TTPs of a particular attack or attacker. If you are conducting a threat hunt with a strong focus on a particular type of attack or attacker, it will require a greater data set of threat intelligence.
Collecting and analyzing the data
The data collection and analysis stage involves the development of a thorough plan.
This stage includes the following data collection and analysis phases:
- Identification of data sources
- Selection of analytical approaches
The identification of data sources involves mapping data sources for the threat hunt in the system defined in the scope. This phase involves evaluating the potential data sources and deciding if a given source is relevant for the hunt. The selection of analytical approaches helps prove the hypothesis that was defined during the scope stage.
Reviewing the plan
The plan review stage is a checkpoint to ensure that the planned threat hunt meets every defined requirement and objective. This stage also includes the evaluation and allocation of any additional resources required to execute the threat hunt. If the threat hunting team does not have all the required resources to conduct the hunt, the plan review stage should identify the shortcomings and implement the appropriate remedies.
These remedies might include hiring external resources, acquiring new tools, or redefining the earlier stages of the threat hunt. This stage should estimate the time that the threat hunt will consume, and should also ensure there is an appropriate time range and data collection coverage for the hunt before it is executed.
Executing the plan
The plan is ready for execution after multiple rounds of data collection and analysis have been completed and approved. The threat hunting team should gather the information identified in the scope stage, and use analysis techniques to answer the analytical questions defined in the scope. If needed, the team should use other available datasets and employ additional analysis techniques.
Concluding the hunt
After completing the execution stage, the threat hunters should summarize their findings and document any events and observations that might impact the integrity of the overall hunt. Then, this team should develop their report by evaluating the hunt results and answering the analytical questions defined in the scope. This hunt report should contain any analytic techniques, additional data sources, and other notable events or findings obtained during the hunt.
Analyzing the feedback
The final stage involves analyzing the feedback from the threat hunt. Several questions are asked at each stage to refine the threat hunting process for the future.
Here are a few typical questions:
- Was the range of the scope correct?
- Were the defined analytical questions useful in finding threats?
- Was the threat intelligence data set useful?
Data collection and analysis:
- Were the identified data sources relevant?
- Was the outcome successfully achieved?
The answers to these questions will help the organization refine the threat hunting process and manage future threat hunts with higher efficiency.
This threat hunting model provides a comprehensive approach for exposing adversary TTPs within your organization's environment. You can tailor these methods to your organization's needs to develop a solid threat hunt report and process that helps you successfully thwart threat actors.