Technical requirements

This chapter assumes the reader had read the previous chapter or that the reader has sufficient knowledge involving Cyber Threat Intelligence.

What is Threat Hunting?

Before getting into a definition of threat hunting, let’s clarify some misconceptions around the concept by stating what threat hunting is not. First of all, threat hunting is not the same as Cyber Threat Intelligence (CTI) or Incident Response (IR), although it can be deeply related to them. CTI can be a good starting point for a hunt. IR could be the next step the organization follows after a successful hunt. Threat hunting also isn’t about the installation of detection tools, although it can be useful to improve their detections. In addition, it is not searching for IoCs in the organization’s environment, precisely; you will be looking for things that bypassed the detection systems fed with IoCs. Threat hunting is not the same as monitoring either, or running queries randomly on monitoring tools. But, most of all, threat hunting is not a task that can be performed only by a selected group of experts. Of course expertise matters, but it does...

The Threat Hunting Maturity Model

The composition of the threat hunting team and the time dedicated to the hunting activity is going to be determined by the size and needs of your organization. When there is no budget for a dedicated team, the time for the hunt is going to come out from the work schedules of other security analyst. In this scenario, the analysts usually are part of the SOC or of the Incident Response team.

So, if the team has limited resources, in order to carry out a successful threat hunting program it is necessary to carefully plan and prepare the hunt, combine process and experiences with a great knowledge on the tools, the techniques and the technology we are using Here is where David Bianco’s Threat Hunting Maturity Model can help us determine where are we standing and what do we need in order to grow the threat hunting team.

The Threat Hunting Process

There are several Security Information and Event Management (SIEM) solutions to choose form and several articles have been written about how they work and how to choose the one that better suit your organization needs. Further ahead in this book we are going to use some open source solutions developed using the Elastic SIEM. You should use this type of solution to centralize all the collected logs from your systems to help you analyze the data. It is important to assure the quality of the data collected. Low quality data would rarely lead to successful hunts.

Another good starting point is to search for published hunting procedures that you could incorporate into your own processes. You can also create new hunting procedures having the needs and concerns of your organization in mind. For example, you can create hunting processes focus on specific threat actors with proven interest on your organization´s industry. Document and automate as much as possible...

Building a Hypothesis

Throughout this chapter, it has been stated that one of the main characteristics about threat hunting is that it is a human-driven activity and that it cannot be fully automated. At the core of this process is the generation of the hunt´s hypothesis, which refers to what are the threats to the organization environment in line with the threat hunter hunches and how to detect them. Hypotheses are partially based in observation, noticing deviations from the baseline and partially on information that could come from experience or from other sources.

The craft of the hypothesis is crucial to produce good hunts. A poorly defined hypothesis would lead to wrong results or conclusions. This most likely will have a negative impact on the organization since defense and visualization gaps are going to be missed and provide a safe passage to the adversary. The lack of adequate visualization is one of the organizations worst enemies, since it generates a false sense of security...

Summary

So, before diving into the hunting activity itself, there are a lot of thinking and processes that must be done. In this chapter we have learned about what is exactly threat hunting and the different approaches that could be taken to implement it. We also learned what the skills a good threat hunter needs are and how to create effective hypothesis, which is the crucial step of the threat hunting process. There are a few concepts we should keep always in mind: first, assume the breach; second, the threat hunting team needs to know the organization´s environment to be able to detect anomalies; and third, after carrying out a successful hunt, automate the process as much as possible. Establish a standardize process, document as much as possible and learn from both the success and the failures.

In the next chapter, we will cover some of the basics concepts any threat hunter should be at least familiar with: how operating systems work, networking basics, which are the windows...