The concept of “Threat Hunting” has taken on a variety of meanings and interpretations in recent years, ranging from very simplistic measures to more complex tactics.
Simplistic measures have included copying a list of atomic indicators and searching for them retroactively across an environment. Using this hunting method misses the mark because data can quickly grow stale, and the method looks back across historical data that is not representative of the current situation.
More complex tactics involve crafting complicated rule sets within a security information and event management (SIEM) technology, or other security tool, thus flagging potentially malicious behavior for further investigation. This leans forward, focusing more on existing activity and leveraging knowledge on actor tactics, techniques, and procedures (TTPs), but inopportunely can exhaust both human and technological resources if not executed properly through an intelligence-led operation.
Intelligence-led hunt missions streamline the “hunt”, focusing on threats that are likely to impact an organization over threats that may seem plausible to occur. This approach solves the problem of creating unnecessary, complex rule sets that, while effective in identifying related threat activity, end up taxing the resources on a SIEM. This approach also frees up development resources so that analysts can spend more time on actual hunt missions.
Consider a scenario where a cyber analyst creates an inbound email rule designed to detect an ongoing phishing campaign via the following signature characteristics:
- Same sender address
- Identical subject line
- A PDF file attachment
- Sent to five or more individuals across the organization
- Occurs within a 15-minute window
This signature, in theory, appears proactive and may be successful in catching potential phishing campaigns. However, consider the cost of such a rule on the system, given all email data that would have to be processed and computations involved to eventually flag on such an activity.
On the other hand, let’s look at an intelligence-led hunt mission. In this hypothetical, the analyst is determined to hunt for phishing campaigns attributed to a specific threat actor group based on 1) recently released intelligence highlighting the group’s activities, and 2) a target profile matching this organization’s concerns. The following TTPs regarding the threat actor’s delivery methods are included in an intelligence report:
- Phishing themes
- Types of file attachments
- Profile of individuals targeted
- Primary motivations and objectives of the group’s operations
The analyst can leverage this intelligence to focus the rule on this type of specific threat. Additionally, the rule can be modified to focus on the following elements:
- Subject lines and content with specific lure details
- Specific attachment file types and names
- Emails sent to specific users, or user profiles that might fit the objectives of the targeting within an organization
An intelligence-led approach elevates efficiencies and reduces system resource by searching only subsets of the entire datasets, as well as setting priorities based on which characteristics trigger an alert – increasing relevance and focus.