Using threat hunting hypotheses to prevent security incidents

From Theory to Practice: Testing Your Threat Hunting Hypotheses

12/19/2024


A threat hunting hypothesis drives a proactive approach: seeking out potential threats within an organization’s network before they manifest into full-blown security incidents. Unlike traditional cybersecurity measures that rely heavily on automated tools and reactive strategies, a threat hunting hypothesis emphasizes the importance of human expertise in identifying subtle signs of malicious activity that automation might miss.

Three Phases of Threat Hunting

For threat hunting in general, we start with a threat model that includes the assets we seek to protect and the adversary tradecraft that will most likely be used to try to obtain them. We then collect data from the environment that we anticipate will identify the use of this tradecraft so that we can prevent it and counter it when it occurs.

We perform this in three phases:

  1. Find patterns: We study and pattern out adversary behaviors, quantify the tradecraft observed, and test the techniques in our environment to build detection content and determine the most effective response actions.
  2. Build high-fidelity detections: These must be both actionable and universal to ensure accurate alerts that are capable of detecting techniques used by adversaries of all skill levels.
  3. Leverage past investigations: Through research and testing, we determine key artifacts (log files, memory dumps, etc.), the most useful context, and the most effective response actions for the analyst working an incident.

This approach provides the analyst with higher quality tools and knowledge so they can make swift, effective responses that have been tested and tuned in our environment. In the event of a detection, we have higher confidence that the alert is a true positive, that it carries the context and artifacts needed for reporting and response, and that management can make time-sensitive decisions on the basis of it.

How to Formulate and Test Hypotheses

First, we use local and crowdsourced attack data to provide insight into the tactics, techniques, and procedures (TTPs) that are successfully utilized by malicious actors. We research and simulate the chosen technique to better understand its use and application. We also look at system and component-level documentation, reports, and blogs that explore and detail the different ways the technique can be used by an adversary, and we emulate the technique against test systems and networks. All of these methods facilitate a greater understanding of the technique and its use in different environments.

Developing Detection Content, Testing, and Tuning

Next, we begin the process of developing detections and determine the most effective actions we can take to reduce the overall impact of incidents involving these techniques. The searches, queries, scripts, and response actions we develop must be tested and verified as the most effective methods to use in our environment. These are developed over days and weeks, not created as the incident unfolds.
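The formulate, test and tune cycle described above can be made concrete with a small harness. The following is an added example and not code from the original post or from Phoenix Cyber: it scores a candidate detection against hand-labelled sample events and shows how tuning a broad hypothesis into a narrower one raises fidelity. The events, labels, process lists and the hypothesis itself are constructed assumptions chosen only to illustrate the workflow.

```python
"""Hypothesis-driven detection test harness (added illustrative example).

Everything here is constructed for illustration: the sample events, their
labels, the process watchlists and the hypothesis are assumptions, not
data or detection content from the original post.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed process-creation events, hand-labelled so a candidate detection
# can be scored. In a real hunt the malicious rows come from emulating the
# technique in a lab and the benign rows from normal business activity.
SAMPLE_EVENTS: List[Event] = [
    {"ts": "2024-12-01T09:02:11", "user": "alice", "parent": "winword.exe",
     "image": "powershell.exe", "label": "malicious"},
    {"ts": "2024-12-01T09:05:40", "user": "bob", "parent": "explorer.exe",
     "image": "powershell.exe", "label": "benign"},
    {"ts": "2024-12-01T09:07:03", "user": "svc_build", "parent": "jenkins.exe",
     "image": "cmd.exe", "label": "benign"},
    {"ts": "2024-12-01T09:09:55", "user": "carol", "parent": "excel.exe",
     "image": "cmd.exe", "label": "malicious"},
    {"ts": "2024-12-01T09:12:30", "user": "dave", "parent": "outlook.exe",
     "image": "winword.exe", "label": "benign"},
    {"ts": "2024-12-01T09:15:02", "user": "erin", "parent": "winword.exe",
     "image": "splwow64.exe", "label": "benign"},
]

# Assumed watchlists for the illustrative hypothesis.
INTERPRETERS = {"powershell.exe", "cmd.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe"}


@dataclass
class Hypothesis:
    name: str
    technique_ref: str   # technique identifier; placeholder text in this example
    data_source: str     # which telemetry the hunt needs
    query: str           # human-readable search syntax kept for the knowledge base
    predicate: Callable[[Event], bool]


@dataclass
class Result:
    true_positives: int = 0
    false_positives: int = 0
    false_negatives: int = 0

    @property
    def precision(self) -> float:
        flagged = self.true_positives + self.false_positives
        return self.true_positives / flagged if flagged else 0.0

    @property
    def recall(self) -> float:
        actual = self.true_positives + self.false_negatives
        return self.true_positives / actual if actual else 0.0


def evaluate(hyp: Hypothesis, events: List[Event]) -> Result:
    """Run the hypothesis predicate over labelled events and tally outcomes."""
    result = Result()
    for ev in events:
        hit = hyp.predicate(ev)
        malicious = ev["label"] == "malicious"
        if hit and malicious:
            result.true_positives += 1
        elif hit and not malicious:
            result.false_positives += 1
        elif not hit and malicious:
            result.false_negatives += 1
    return result


# First draft: any interpreter launch. Easy to write, noisy in practice.
BROAD = Hypothesis(
    name="interpreter-launch", technique_ref="TECHNIQUE-ID-PLACEHOLDER",
    data_source="process creation", query="image in (powershell.exe, cmd.exe)",
    predicate=lambda ev: ev["image"] in INTERPRETERS,
)

# Tuned draft: interpreter launched by a document-handling parent.
TUNED = Hypothesis(
    name="document-app-spawns-interpreter", technique_ref="TECHNIQUE-ID-PLACEHOLDER",
    data_source="process creation",
    query="image in (powershell.exe, cmd.exe) and parent in (winword.exe, excel.exe)",
    predicate=lambda ev: ev["image"] in INTERPRETERS and ev["parent"] in DOCUMENT_APPS,
)


def kb_entry(hyp: Hypothesis, result: Result) -> dict:
    """Knowledge-base record: what was searched, how it performed, and whether
    it is good enough to promote to a production detection (threshold assumed)."""
    return {
        "hypothesis": hyp.name, "technique_ref": hyp.technique_ref,
        "data_source": hyp.data_source, "query": hyp.query,
        "precision": result.precision, "recall": result.recall,
        "promote": result.precision >= 0.9 and result.recall >= 0.9,
    }


if __name__ == "__main__":
    for hyp in (BROAD, TUNED):
        print(kb_entry(hyp, evaluate(hyp, SAMPLE_EVENTS)))
```

Running the script shows the broad draft catching both malicious events but also two benign ones (precision 0.5), while the tuned draft keeps full recall with no false positives; only the second earns a promote flag. Recording both entries, not just the winner, is what lets the next hunter see which narrowing already failed or succeeded.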

Improving the Speed of Incident Response

The purpose of developing context and reference requirements prior to an incident is to help the analyst work faster when there is a true threat. Having the research, scripts, queries, and response actions staged and ready to go means the analyst doesn’t have to waste time researching the technique and then building the same scripts and queries to determine the best response for the technique being used. That work has already been completed, which results in faster incident response times.

More Incident Accuracy

We improve accuracy by ensuring the correctness and completeness of the information provided to the analyst. We also maintain consistency with this method by ensuring that all analysts get the same resources, scripts, queries, and response actions. All technical documentation and OSINT sources should be carefully selected based on their value to an incident responder. When everyone is on the same page using the same resources and analysis techniques, the results stay consistent and are more easily used and understood.

With these improvements in speed and accuracy, an analyst is able to more quickly get a clearer picture of the incident and is immediately equipped with the most effective actions to take that will reduce its overall impact.

Better Knowledge Base

From the insights gathered, it’s important to maintain a knowledge base—an organized, searchable platform containing information on previous threat hunting efforts, search syntax and performance, and references to other internal or external resources that can be used by other members of the team. Adding all previous work to the knowledge base prevents duplication of effort and resources. Transferring knowledge of adversary capabilities, infrastructure, motives, goals, and resources to partners, analysts, tools, and processes provides a more focused approach for cyber defense.

Keep Learning and Fine-Tuning

Effective techniques often become very popular, which forces vendors to develop additional or enhanced threat detection mechanisms. This in turn drives actors, as well as security researchers, to identify all the different ways the technique can still be used even when protections are in place. That means we have to revisit techniques regularly to determine whether new knowledge exists that would allow bad actors to bypass the detections we’ve designed.

Contact Phoenix Cyber now to learn how we can help you formulate, test, and fine-tune your threat hunting hypotheses.