Threat Hunting with TTPs : Hunting of the Hunter


Image : heimdalsecurity
Threat hunting is a proactive process in cyber security that searches for security risks concealed within an organization’s network, data, and endpoints. It entails diving deeply into the IT environment to identify threat actors and attack vectors. If an external attacker or insider can elude initial network defense systems,  they may remain undetected within the network, performing data collection, stealing passwords, eavesdropping on communications secretly, or using network resources for initiating other attacks. Therefore threat hunting is essential for your defense strategy to stop Advanced Persistent Threats (APTs) from remaining in your network. 

Threat hunting involves three steps.

1. Trigger: 

A trigger alerts the threat hunter when the threat detection system discovers an unusual behavior indicating malicious activity. This causes the threat hunter to intimate further investigation on the event to verify if it's an incident to act upon

2. Investigation: 

The treat hunter investigates the event to assess a system’s vulnerability and malicious activity.  The investigation continues until it is clear that the activity is not harmful or finds malicious behavior and vulnerability. 

3. Resolution: 

The security team reacts to the incident, contains and eradicates the threat, and recovers to cause minimize risks.

Threat hunting focuses on the specific behaviors, attack patterns, and operational techniques used by threat actors. It is a process based on intelligence,  data, and research.  Organizations hire threat hunters who are highly knowledgeable on the current threat landscape. Their role is to take proactive measures to defend the organization from threats.

Each security threat is associated with the behavior of the threat actor, which depends on the Tactics, Techniques, and Procedures (TTP) used. Analyzing TTP is essential to understand the attacker's motive and ultimate goal. 

Tactics:

Tactics are strategies that attackers use to access systems. They describe at a high level how the cyber attack would be carried out from the beginning to the end. For example, hackers might use social engineering to obtain confidential information to attack a website.

Techniques:

Techniques are the tools or intermediate methods used by the hacker to exploit a vulnerability in a system. Phishing via email attachments is a common social engineering technique.

Procedures:

Procedures are detailed descriptions of how the hacker will achieve their purpose. The attacker will target the secretory of the CEO, with spear phishing to send a link by email to download and install a computer speed-up software, which also installs a backdoor to log in to her machine remotely, to access sensitive emails.

A security team can hunt down, identify and neutralize attacks, only if they have adequate knowledge about the TTP used by attackers. Knowing the tactics of a criminal can help security teams to detect cyber attacks at the initial stages as well as help predict future ones. 

TTP follows its own life cycle: 

  • When you identify a potential attack, immediately prioritize its risk level, and determine if there are similar incidents that occurred in past, then focus your investigation on them to identify possible attack vectors.
  • Your threat intelligence gathering can help determine which of your systems is most likely to be the target of the attack. 
  • Use monitoring, mitigation, and neutralization procedures to defend the target. 
  • Understanding the latest TTP ensure better network security and endpoint protection from attackers using Threat Intelligence.

Threat hunters think like threat actors. They engage in creative and analytic thinking; stay informed on the newest threats through open source intelligence methods such as scanning the dark web, newsletters, forums, and joining chatrooms.

MITRE ATT&CK, Common Vulnerabilities and Exposures (CVE), and National Vulnerability Database (NVD) are primary sources for threat hunters.


When you are alerted of a security event, ask yourself:

  • How will a potential hacker attempt to intrude organization's network?
  • What are the attack techniques used by cybercriminals in past incidents?
  • Which endpoints are the most accessible entry point?
  • What are the vulnerabilities that may exist in those endpoints?
  • What would be the final goal of the attack?
  • What motivates the threat actor to attack?
  • What would be the likelihood of an attack?

Threat hunting requires collecting threat data. There are various security tools to build threat models representing the entire organization's attack surface and analyze data to uncover anomalies, in different threat scenarios.

Security Information & Event Management (SIEM) 

SEIM tools provide real-time monitoring and analysis of systems for managing security operations. You can use SIEM logs to create insights on security threats by combining AI and ML to predict potential threats.

Known IOCs to determine IOAs

IOCs (indicators of compromise) provide digital evidence of a data breach. You can use known IOCs in the MITRE ATT&CK framework for threat hunting.

A few common IOCs are:

  • Scanning of network hosts 
  • Irregular network traffic
  • Extensive DNS requests
  • A large number of file requests
  • Unauthorized privilege escalation
  • Unrecognized IP addresses
  • Multiple failed logins
  • The surge in database access
  • Unusual changes to system files

IOCs lead to identifying Indicators Of Attack (IOAs), which are indicators of a potential future attack. IOAs adapt to the incoming data, which is highly important in proactive TTP hunting.

Execute the Security Plan

Threat hunting requires around-the-clock attention. It should constantly update the threat intelligence lifecycle and analyze potential threats to defend the organization's information and systems.

Usually, threat hunting systems encompass tools such as :

  • Anti-virus (AV)
  • Endpoint detection and response (EDR)
  • Extended detection and response (XDR)
  • Security Information and Event Management (SIEM)
  • Intrusion detection systems (IDSs)
  • Intrusion prevention systems (IPSs)
  • Cyber threat intelligence (CTI)

Threat hunting systems look for IOAs or unusual behavior in the systems, network traffic, or log files, to capture the source of data.  Threat hunting is best performed effectively on data collected at a central location. 

Threat hunting processes can be performed by an automated software as well as by humans.

Following are some threat hunting tools.

  • SolarWinds Security Event Manager with a wide range of log management.
  • VMWare Carbon Black Endpoint is based in the cloud.
  • CrowdStrike Falcon is a full security operations center (SOA)
  • Trend Micro Managed XDR A software and human threat hunting.
  • Cynet 360 is An innovative cloud-based cyber defense system.
  • Exabeam Fusion Offered is a cloud SEIM platform.

Threat hunting requires preparation by building knowledge through threat intelligence. Threat Intelligence is focused on the analysis, collection, and prioritization of data to improve your understanding of threats faced by the organization and assess risks. Threat hunting and threat intelligence are important processes in an organization's risk management strategy.

Niranjan Meegammana 

 

Comments

Popular posts from this blog

The 7 Layers of Cyber Security : Attacks on OSI model

Best Practices for secure Software Development

ISO 27001 ISMS in a Nutshell