Threat hunting 101: How to outthink attackers


Threat hunting is the practice of searching an organization’s digital infrastructure for threats and adversaries that existing security tools have not detected. It is proactive: the hunter assumes the adversary is already in the process of compromising the environment, or has already compromised it, and goes looking for the evidence.


Threat hunters can pursue different goals and mindsets when developing a hunt. Some hunts look for long-lived footholds that advanced threat actors maintain in the environment; others follow current trends and target the techniques adversaries are actively using against organizations like ours.


Threat hunting 101


How can we hunt for threats in our environment? Let’s walk through some steps along with examples.


Step 1: Research the threat actors and their tactics. Every hunt should start with research into the tactics and techniques threat actors are using now or have used in the past, and how those could affect our organization. That means reviewing threat intelligence, the metrics behind our own security alerts and incidents, and the technologies those actors target, among other sources.


Step 2: Develop a hypothesis. The hypothesis can be built around the adversary we are hunting, for example the tactics, techniques and procedures (TTPs) they are known to use. Let’s consider an example where we want to search for adversaries that use system services as a persistence mechanism.


What can be our hypothesis?


Windows services are being created and launched by threat actors with the aim of running either an executable or a script file for persistence.


If attack group APT41 creates Windows services to establish malware persistence in our environment, we should see the activity in the
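To put the hypothesis above to work, here is an added example of hunt logic (not code from the original article or its author) run over constructed records of System log Event ID 7045, "A service was installed in the system", which Windows writes whenever a new service is registered. The pipe-delimited export format, the sample events, and the function names are assumptions made for this example; the field names (ServiceName, ImagePath, StartType, AccountName) are the ones Event 7045 carries. The rules encode what the hypothesis predicts: a service whose image path points at a script host, a script file, an encoded PowerShell command, a user-writable directory, or a core Windows binary name living outside the Windows directory.

```python
"""Hunt for suspicious Windows service installations (ATT&CK T1543.003).

Added example for this article, not the article's own tooling. It parses a
constructed, pipe-delimited export of System log Event ID 7045 records; a real
hunt would read EVTX/CSV or query the SIEM, but the fields are the same.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServiceInstall:
    service_name: str
    image_path: str
    start_type: str
    account: str


@dataclass
class Finding:
    service_name: str
    image_path: str
    reasons: List[str]


# Script hosts and living-off-the-land binaries that a service should not normally run through.
HOST_RE = re.compile(
    r"(?:%comspec%|\b(?:powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe)", re.I)
SCRIPT_FILE_RE = re.compile(r"\S+\.(?:ps1|vbs|js|bat|cmd|hta)\b", re.I)
ENCODED_RE = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)(?:\s|$)", re.I)
USER_WRITABLE_RE = re.compile(
    r"(?:^|\\)(?:users|temp|tmp|programdata|appdata|public|downloads)\\", re.I)
SYSTEM_DIR_RE = re.compile(r"^(?:%systemroot%|%windir%|[a-z]:\\windows)\\", re.I)
# Names of core Windows binaries that attackers copy to blend in with legitimate services.
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def parse_7045(line: str) -> ServiceInstall:
    """Parse one constructed export line of the form '7045|Key=Value|Key=Value|...'."""
    fields = {}
    for part in line.strip().split("|")[1:]:      # [0] is the event ID
        key, _, value = part.partition("=")       # values (base64) may contain '='
        fields[key] = value
    return ServiceInstall(
        service_name=fields.get("ServiceName", ""),
        image_path=fields.get("ImagePath", ""),
        start_type=fields.get("StartType", ""),
        account=fields.get("AccountName", ""),
    )


def first_executable(image_path: str) -> str:
    """Return the binary the service points at, honouring quoting.

    An unquoted path containing spaces is cut at the first space, which is
    exactly the ambiguity the service control manager itself faces.
    """
    p = image_path.strip()
    if p.startswith("\\??\\"):                    # kernel-driver style prefix
        p = p[4:]
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    return p.split()[0] if p else ""


def assess(event: ServiceInstall) -> Optional[Finding]:
    """Apply the hypothesis rules to one event; None means nothing matched."""
    reasons = []
    exe = first_executable(event.image_path)
    exe_name = exe.rsplit("\\", 1)[-1].lower()
    if HOST_RE.search(event.image_path):
        reasons.append("service runs through a script host or LOLBin")
    if SCRIPT_FILE_RE.search(event.image_path):
        reasons.append("image path references a script file")
    if ENCODED_RE.search(event.image_path):
        reasons.append("encoded PowerShell command line")
    if USER_WRITABLE_RE.search(event.image_path):
        reasons.append("image path references a user-writable directory")
    if exe_name in MASQUERADE_NAMES and not SYSTEM_DIR_RE.match(exe):
        reasons.append(f"{exe_name} outside the Windows directory (masquerading)")
    if not reasons:
        return None
    if event.start_type.lower().startswith("auto"):
        reasons.append("auto-start service: survives reboot, a persistence candidate")
    return Finding(event.service_name, event.image_path, reasons)


def hunt(lines: List[str]) -> List[Finding]:
    """Run the rules over an export and return only the events worth a look."""
    findings = [assess(parse_7045(line)) for line in lines]
    return [f for f in findings if f is not None]


# Constructed sample export (not real telemetry): three suspicious, two benign.
SAMPLE_EVENTS = [
    r'7045|ServiceName=WinDefendUpdater|ImagePath="C:\ProgramData\Updater\svchost.exe" -k netsvcs|StartType=auto start|AccountName=LocalSystem',
    r"7045|ServiceName=HealthCheck|ImagePath=%COMSPEC% /c powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA|StartType=auto start|AccountName=LocalSystem",
    r"7045|ServiceName=SpoolerHelper|ImagePath=C:\Windows\System32\wscript.exe //B C:\Users\Public\helper.vbs|StartType=auto start|AccountName=LocalSystem",
    r"7045|ServiceName=Sysmon64|ImagePath=C:\Windows\Sysmon64.exe|StartType=auto start|AccountName=LocalSystem",
    r'7045|ServiceName=VMTools|ImagePath="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"|StartType=auto start|AccountName=LocalSystem',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.service_name}] {f.image_path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Each rule is a heuristic, not proof: legitimate installers do drop services under ProgramData and some management agents do launch scripts, so the output is a triage list to confirm against Security Event 4697 and process-creation telemetry, and the rules should be tuned to the baseline of the environment rather than applied blind.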