How CTI Advances Threat Hunting Capabilities and Outcomes

The concept of “Threat Hunting” has taken on a variety of meanings and interpretations in recent years, ranging from very simplistic measures to more complex tactics.

Simplistic measures have included copying a list of atomic indicators and searching for them retroactively across an environment. This hunting method misses the mark: atomic indicators quickly grow stale, and a retroactive search looks back across historical data that is not representative of the current situation.

More complex tactics involve crafting complicated rule sets within a security information and event management (SIEM) technology, or another security tool, to flag potentially malicious behavior for further investigation. This approach is forward-leaning: it focuses on current activity and draws on knowledge of actor tactics, techniques, and procedures (TTPs). Unfortunately, it can exhaust both human and technological resources if it is not executed properly as an intelligence-led operation.

Intelligence-led hunt missions streamline the “hunt” by focusing on threats that are likely to impact the organization rather than on every threat that merely seems plausible. This approach solves the problem of creating unnecessary, complex rule sets that, while effective in identifying related threat activity, end up taxing the resources of a SIEM. It also frees up development resources so that analysts can spend more time on actual hunt missions.

Consider a scenario where a cyber analyst creates an inbound email rule designed to detect an ongoing phishing campaign via the following signature characteristics:

  1. Same sender address
  2. Identical subject line
  3. A PDF file attachment
  4. Sent to five or more individuals across the organization
  5. Occurs within a 15-minute window

This signature, in theory, appears proactive and may be successful in catching potential phishing campaigns. However, consider the cost of such a rule on the system, given all the email data that would have to be processed and the computations required before such activity is eventually flagged.

On the other hand, let’s look at an intelligence-led hunt mission. In this hypothetical, the analyst is determined to hunt for phishing campaigns attributed to a specific threat actor group based on 1) recently released intelligence highlighting the group’s activities, and 2) a target profile matching this organization’s concerns. The following TTPs regarding the threat actor’s delivery methods are included in an intelligence report:

  • Phishing themes
  • Types of file attachments
  • Profile of individuals targeted
  • Primary motivations and objectives of the group’s operations

The analyst can leverage this intelligence to focus the rule on this specific threat. Additionally, the rule can be modified to focus on the following elements:

  • Subject lines and content with specific lure details
  • Specific attachment file types and names
  • Emails sent to specific users, or user profiles that might fit the objectives of the targeting within an organization

An intelligence-led approach improves efficiency and reduces system resource consumption by searching only subsets of the entire dataset and by prioritizing which characteristics trigger an alert, increasing relevance and focus.
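As an added example (not code from the original post), the two rules described above run side by side over constructed mail records: the broad five-recipient PDF signature clusters every PDF email, while the intelligence-led variant pre-filters to the actor's lure, attachment and targeting TTPs before clustering. The addresses, subjects, the per-recipient department field and the hunt profile are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(ts, sender, subject, attachment, rcpt, dept):
    return {"ts": datetime.fromisoformat(ts), "sender": sender, "subject": subject,
            "attachment": attachment, "rcpt": rcpt, "dept": dept}

# Constructed inbound-mail records (hypothetical addresses, subjects and times):
# a benign HR bulk mailing to six staff within ten minutes, and a three-recipient
# invoice lure aimed only at finance staff.
EMAILS = [rec(f"2024-03-01T10:{m:02d}", "hr@corp.example", "March benefits newsletter",
              "newsletter.pdf", f"user{m}@corp.example", "engineering") for m in range(0, 12, 2)]
EMAILS += [rec(f"2024-03-01T09:{m:02d}", "ap@invoice-portal.example", "Overdue invoice 4471",
               "invoice_4471.pdf", f"{u}@corp.example", "finance")
           for m, u in [(0, "alice"), (4, "bob"), (9, "carol")]]

def cluster_campaigns(emails, min_rcpts, window=timedelta(minutes=15)):
    """Group by (sender, identical subject) and alert when at least min_rcpts distinct
    recipients fall inside a sliding window. Work grows with every record handed in."""
    groups = defaultdict(list)
    for e in emails:
        groups[(e["sender"], e["subject"])].append(e)
    alerts = []
    for key, msgs in groups.items():
        msgs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(msgs):
            rcpts = {m["rcpt"] for m in msgs[i:] if m["ts"] - first["ts"] <= window}
            if len(rcpts) >= min_rcpts:
                alerts.append(key)
                break
    return sorted(alerts)

def broad_rule(emails):
    """The post's generic signature (any PDF, 5+ recipients, 15 minutes); returns (alerts, records clustered)."""
    pdfs = [e for e in emails if e["attachment"].lower().endswith(".pdf")]
    return cluster_campaigns(pdfs, min_rcpts=5), len(pdfs)

# Assumed hunt profile built from a hypothetical intelligence report on the group.
PROFILE = {"lure_terms": {"invoice", "overdue", "payment"},
           "attachment_exts": (".pdf",), "target_depts": {"finance"}}

def intel_led_rule(emails, profile=PROFILE):
    """Pre-filter to records matching the actor's lure, attachment and targeting
    TTPs, then cluster only that subset with a lower recipient threshold."""
    subset = [e for e in emails
              if any(t in e["subject"].lower() for t in profile["lure_terms"])
              and e["attachment"].lower().endswith(profile["attachment_exts"])
              and e["dept"] in profile["target_depts"]]
    return cluster_campaigns(subset, min_rcpts=2), len(subset)
```

On this sample the broad rule clusters all nine records and fires only on the legitimate HR mailing, while the intelligence-led rule clusters three records and fires on the targeted lure.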

Figure 1: Building Hunt Capabilities overview

As one of the key operational capabilities for a hunt mission, intelligence can be further leveraged to automate such efforts. By first defining a profile of threats relevant to the organization, with specifically named groups of interest, personnel can automate the creation of hunt missions whenever new intelligence reporting is released and linked to the profile. Granted, not all hunt missions can be automated through this kind of linkage: even with intelligence, new groups emerge more frequently than a threat profile is refreshed. Still, it lessens the burden.

So how can organizations strive towards implementing such intelligence-led hunt missions? Let’s examine a company that began to develop a talent pool of security and threat analysts, but lacked the capability to consume and integrate intelligence into their workflows. The team started from the understanding that intelligence-led threat hunting should follow a guided framework, one agile enough to be effective across unique environments yet built on a set of common principles:

  • Designate the mission
  • Acquire relevant data points
  • Validate findings
  • Form assessments
  • Disseminate appropriately

By practicing these common principles, the organization quickly moved from an ad hoc, chaotic process of developing hunt missions to an organized, efficient approach that produced meaningful outcomes.

Regardless of an organization’s current state of maturity, enabling intelligence-led hunt missions is an efficient, proactive way to identify potential and existing threat activity against the enterprise. While security technologies aimed at mitigating threats are growing in capability, so is the capability of malicious threat actors to effectively bypass such strong defense measures. An organized and methodical approach to threat hunting that generates actionable outputs can enhance an organization’s ability to protect itself from adversaries who have the sophistication to carry out highly motivated attacks.

Visit our Cyber Threat Intelligence Services homepage for more information on how Mandiant can help your organization improve its threat intelligence and hunting capabilities.