Threat Hunting Basics - Part 2

By Kunal Patil, Senior Threat Hunter

Threat Hunting Maturity Models

Before moving forward in describing the threat hunting maturity models, First, we need to understand what is threat hunting and its basic terminologies. The aim of this article is to learn how organizations can count their organization maturity level and what advancements are required to boost their security posture. The maturity level measures the capabilities of the organizations, which determined to what extent these organizations are capable of hunting and responding to threats.

The threat hunting maturity model is defined by the quantity and quality of data the organization collects from its IT environment. Threat Factors to judge an organization's hunting ability: 
  1. Quality and Quantity of the data they collect for hunting
  2. Tools provided to access & analyze the data
  3. Skills of the analyst who actually use the data & tools to find the security incident.
The Hunting Maturity Model, developed by Sqrrl's security architect and hunter David Bianco, describes five levels of organizational hunting capability, ranging from HMM0 (the least capable) to HMM4 (the most).  Let's examine each level in detail: 
Threat Hunting Maturity Model

HMM Level 0: Initial

At HMM0, organizations generally use Automated alerting systems like IDS, IPS, NetFlow, SIEM, WAF, Firewall, or antivirus to identify harmful behavior. These companies use open-source services for threat feeds. These indicators mostly correspond to the lower levels of the Pyramid of Pain, trivial data that is unlikely to be reused (domains, hashes, URLs, IP addresses).
 These organizations likely have little or no visibility in their environments. HMM0 organizations tend to lack actual threat intelligence capabilityHMM0 companies do not gather much data from their systems, which greatly restricts their capacity to discover threats proactively. As a result, there is little to no visibility of the environment for these organizations. All this makes HMM0 organizations incapable of threat hunting.

HMM Level 1: Minimal

Like HMM0, organizations still depend heavily on automated alerting to perform their incident response process. But unlike HMM0, where a routine collection of IT data is minimal if at all. organizations have increased their visibility in their environment. These organizations will often rely on the same controls identified in HMM0 for reactive detection. 
Organizations at HMM1 will still leverage a SIEM platform for analysis. But, organizations at this maturity will start to expand their SIEM content beyond simple correlations. HMM1 will also start to focus on greater network visibility, especially NetFlow data. This visibility allows organizations to be able to visualize and analyze network metadata. When new threats approach a company’s network, analysts are advised to extract key indicators from threat-related reports and look for historical data to find out if they have been identified in the short run. 
Despite its minimal nature, any type of hunting can occur at the HMM1 level due to its search capability. HMM1 organizations will be able to consume more complex indicators. These indicators will likely align with tool-based artifacts found in the NetFlow metadata. These could include:
  • User Agent Strings
  • Blank or missing fields in HTTP traffic
  • Encoded data in the HTTP header

HMM1 organizations are capable of Basic operational hunting. An organization at HMM1 will conduct threat hunting, but only on an ad hoc basis.

HMM Level 2: Procedural

There are several great hunting procedures developed by others and you can find them easily on the internet. These procedures are used to integrate a particular analysis technique with an expected type of input data to identify a single type of malicious activity. 
Organizations at HMM2 in our threat hunting maturity model will have all the same security controls from previous levels. They will also have addressed the lack of visibility at the endpoint level in the environment. HTM2 organizations will deploy tools to log endpoint activity. These tools are likely to be some form of endpoint detection and response (EDR) platform. Other platforms such as extended detection and response (XDR) and endpoint protection platforms (EPP) may also work
Organizations at HMM2 will begin to look for more complex threat detection content for their platforms. This content will look for known malicious behaviours for threats. They will likely rely on free content available from untrusted third parties. HTM2 organizations are also capable of adapting free content for their environment. 
Organizations at HMM2 will have to add threat data, information, and intelligence because they failed to generate their own threat intelligence data. This data can be from commercial platforms. This threat intelligence reporting will cover all levels (tactical, operational, and strategic). This threat intelligence may contribute to some limited hunting.
HMM2 organizations will be able to conduct routine threat hunting. Hunting activities are limited to unstructured hunting and more basic analysis methodologies. Organizations at HTM2 will still rely on unstructured (or data-driven) threat hunting. But, these organizations may also try limited hypothesis-based hunting.

HMM Level 3: Innovative

Unlike the HMM2 level, which relies on procedures developed by others, the organizations at level HMM3 create and publish their own data analysis procedures and collect a high or very high level of routine data. With this data, they will have a broad spectrum of choices in where they can pivot and know what to hunt. Organizations at HMM3 in our threat hunting maturity model will have good visibility into their environment at both the network and endpoint levels.

This type of organization may also being to put in place automation platforms like SOAR. These tools will automate manual processes for security analysis and hunting.HMM3 organizations will likely have moved away from traditional SIEM tools. Instead, these organizations are very likely to have data like platforms in place. These platforms rely on hunting and detection content. HMM3 organizations will likely develop their own threat hunting content. This content originates from their knowledge and experience. 

Another major difference with HMM3 organizations is their analysis methodologies. Threat intelligence in HMM3 organizations will be organization-specific. This allows organizations to produce targeted intelligence-driven hunts. These hunts will focus on tools, techniques, as well as actors and threats targeting their organization or vertical. Organizations will continue to ingest threat feeds, but will be very selective on the feeds used. These feeds should provide mapping to specific industry frameworks.

Organizations that achieve HMM3 often find that their team consists of only a handful of hunters. As a result, those teams are may experience challenges when resources move on. Large organizations will often be incapable of sustainable, repeatable, and rigorous threat hunting. This is due to time constraints presented by primary hunting activities. Teams won’t have time to focus on tasks such as threat detection content creation and playbook development. HMM3 organizations are able to focus on sustainable threat hunting of high complexity.

Several advanced analysis disciplines are incorporated at this level including machine learning, data analysis, and data visualization. More importantly, HMM3 companies must have highly-skilled hunters who completely understand data analysis techniques and apply them to detect malicious activities.

HMM Level 4: Leading

The HMM4 level is similar to level 3, but the main difference between them is the aspect of automation. At this level, analysts operationalize any successful hunting process in order to turn it into automated detection. 

An organization that has developed to HMM4 in our threat hunting maturity model has addressed its resource issues. This means that the organization is able to maintain ongoing threat hunting operations.
These organizations are able to focus on secondary tasks such as tool and content development. The results of this development are published to the broader community. HMM1 and HMM2 organizations are likely to consume this content.

Doing so release the analysts from the burden of carrying out the same processes again and again. In this way, they can focus on creating new processes or improving existing ones, which results in a constant enhancement to the detection mechanism as a whole.

Threat Hunting Loop

As we saw above, hunting maturity is based on a number of criteria that determine how effectively an organization can get through the hunting process. But what is involved in the actual process of hunting? if the goal of an organization is automated hunting then what could be the steps involved for threat Hunting?

It is important for your team to implement a formal cyber threat hunting process. Sqrrl has developed a Threat Hunting Loop consisting of four stages that define an effective hunting approach. 
The goal of a hunt team should be to get through the hunting process as quickly and effectively as possible. The more efficiently you can iterate, the more you can automate new processes and move on to find new threats.

Sqrrl Threat Hunting Loop


There are 4 stages involved in Cyber Threat hunting Loop as follows: 
  1. Create Hypothesis
  2. Investigate Via Tools and Techniques
  3. Uncover New Patterns & TTP's
  4. Inform and Enrich Analytics
A hunt starts with creating a hypothesis, or an educated guess, about some type of activity that might be going on in your IT environment. An example of a hypothesis could be that users who have recently traveled abroad are at elevated risk of being targeted by state-sponsored threat actors, so you might begin your hunt by planning to look for signs of new malware on their laptops or assuming that their accounts are being misused around your network. Hypotheses are typically formulated by analysts based on any number of factors, including friendly and threat intelligence. There are various ways that a hunter might form a hypothesis. Often this involves laying out attack models and the possible tactics a threat might use, determining what would already be covered by automated alerting systems, and then formulating a hunting investigation of what else might be happening.

Hypotheses are investigated via various tools and techniques, including Linked Data Search and visualization. Effective tools will leverage both raw and linked data analysis techniques such as visualization, statistical analysis or machine learning to fuse disparate cybersecurity datasets. Linked Data Analysis is particularly effective at laying out the data necessary to address the hypotheses in an understandable way, and so is a critical component for a hunting platform. Linked data can even add weights and directionality to visualizations, making it easier to search large data sets and use more powerful analytics. Many other complementary techniques exist, including row-oriented techniques such as stack counting and datapoint clustering. Analysts can use these techniques to easily discover new malicious patterns in their data and reconstruct complex attack paths to reveal an attacker’s Tactics, Techniques, and Procedures (TTPs).

Tools and techniques uncover new malicious patterns of behavior and adversary TTPs. This is a critical part of the hunting cycle. An example of this process could be that a previous investigation revealed that a user account has been behaving anomalously, with the account sending an unusually high amount of outbound traffic. After conducting a Linked Data investigation, it is discovered that the user’s account was initially compromised via an exploit targeting a third party service provider of the organization. New hypotheses and analytics are developed to specifically discover other user accounts affiliated with similar third party service providers.

Finally, successful hunts form the basis for informing and enriching automated analytics. Don’t waste your team’s time doing the same hunts over and over. Once you find a technique that works to bring threats to light, automate it so that your team can continue to focus on the next new hunt. Information from these hunts can also be used to improve existing detection mechanisms. For example, you may uncover information that leads to new threat intelligence or indicators of compromise. You might even create some friendly intelligence, that is, information about your own environment and how it is meant to operate, such as network maps, software inventories, lists of authorized web servers, etc. The more you know about your own network, the better you can defend it, so it makes sense to try to record and leverage new findings as you encounter them on your hunts.

The hunting loop is a simple but effective step-by-step process that can radically enhance an organization’s control over its own network defense. As noted above, hunting is most effective when it is used together with other more traditional security systems, complementing the detection efforts and perimeter security that most organizations already have in place.

This post originally appeared on Sqrrl’s Blog.

The above blog covers the Threat Hunting Maturity Models and Threat Hunting Loop/process defined by Sqrrl, Next blog will be more on Hypothesis where insights include how to generate a hypothesis, what is the starting point, hypothesis examples, and multiple ways to create a hypothesis.

Click here to read Part 1 of the Threat hunting series!!!

Stay Tuned...
I am a security researcher where my expertize includes domains like incident response and investigation, Malware Analysis, Threat Hunting, deception Technology, Brand protection, SIEM configuration, Digital Forensics, Cyber Threat Intelligence, EDR, Network Security, Content Filtering, etc While working I had completed my Masters(2021) in Information security where I published a thesis on “Malware Analysis using machine Learning Ensemble” My goal is to share the knowledge with everyone with technologies, upcoming trends, various platforms and mainly Lock it down, protect it up, and block the hackers.

Comments

Post a Comment

Popular posts from this blog

RTR using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Real Time Response Real Time Response is a powerful tool that gives security administrations the ability to remotely access systems for administration tasks, remediation actions or forensics collection, etc. without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below. In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation.Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action. You can also connect to a host from Hosts > Host Management. Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.
Read more

Top Commands Mostly Used By System Administrator.

By Kunal Patil, Senior Threat Hunter
Image
Top Commands Mostly Used By System Administrator. 1) IPconfig IPCONFIG Simply entering ipconfig at the command line will return basic addressing information for your system, including the adapter name, IP address, subnet mask, and default gateway. 2) IPconfig /all IPCONFIG/ALL Shows all networking information for the system, including host name, node type, adapter names, MAC addresses, DHCP lease information, etc. 3) Ping PING Ping command to verify that a host can be reached over the network. This command is useful for diagnosing host and network connectivity problems. The device sends a series of ICMP echo (ping) requests to a specified host and receives ICMP echo responses. 4) Ping "Website-name" PING TO WEBSITE   This above command used to find the IP address associated with The Specific Website. eg: 10.24.126.25 is the IP address for Website Intranet.indusind.com 5) Tracert "IP address" TRACE COMMAND Tracert comm
Read more

Damn Vulnerable Web Application - Part 1

By Kunal Patil, Senior Threat Hunter
Image
The Damn Vulnerable Web Application (DVWA) provides a PHP/MySQL web application that is damn vulnerable whose goal of being an intentionally vulnerable system for practice/teaching purposes in regard to Information Security.There are many Methods for Installing DVWA on Platforms Like Windows and Linux, In this blog i will show the easiest Walk-through for Beginners to Learn and Exploit Web Application. So let us Start with Installation and Implementation of DVWA. Step By Step Installation 1) Requirement :  Windows system for Managing VM Virtual Box ( Link ) or VMware ( Link ) should be installed on system Kali-ISO ( Link ) DVWA ISO ( Link ) 2) Switch-ON Kali and DVWA virtual machines Both must be in HOST only Adapter (we can change using VM Network setting).  3) After the Installation of Kali and DVWA in VM, find the IP address of DWVA using the Command ifconfig and Check Connectivity between them using ping command. 4) Run Kali machine and DVWA machine Par
Read more

SECURITY OPERATION CENTRE

By Kunal Patil, Senior Threat Hunter
Image
What is SOC?                    Security operations centers monitor and analyze activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could be indicative of a security incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended, investigated, and reported. SOC works with collaboration with People, Process and Technology.  SOC Architecture PEOPLE:                  The best way to think of a SOC is as a centralized team of people who provide threat monitoring, investigation, and response.  Larger SOCs employ a three-level analyst structure for handling security alerts generated by a security system or SIEM.  Level 1 analysts are responsible for real-time monitoring of security alerts, doing triage on them, and deciding whether an alert is serious enough to be escalated to a Level 2 analyst.  Level 1 analysts se
Read more

Cyber Threat Intelligence

By Kunal Patil, Senior Threat Hunter
Image
Gartner Definition:   Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.  To understand this term easily lets split the words and bring out meaning to it :  Cyber :  relating to or characteristic of the culture of computers, information technology, and virtual reality. Threat :  thing likely to cause damage or danger. Intelligence :  the ability to acquire and apply knowledge and skills.                 Cyber Threat intelligence helps Organisation to understands the risk of most common External threats. T hreat intelligence includes in-depth information about specific threats to help an organization protect itself from the types of attacks that could do them the most damage.  One of the proven methods to stay on top of attacks is to detect and
Read more

Collective Intelligence Framework v3 - Part 1

By Kunal Patil, Senior Threat Hunter
Image
Basic About CTI Cyber Threat intelligence(CTI) is a Technology which helps an Organization to collect and Analyze threat data received from multiple resources. Cyber threat intelligence is an automation process where it accumulate data from various external resources (such as FEEDS) and recognize the threats suitable for the Organization. By importing the Data from CTI, the next step is to exporting the CTI data into Existing Security systems. Collective intelligence Framework is an underlying Structure of CTI which helps any organization to gather all Threat Data at one place. In this blog we are discussing how to Install Collective Intelligence Framework v3 (Bearded Avenger) into security structure. Details Information About CIF you will found at : csirtgadgets Basic Requirements for Bearded Avenger CIF v3 : OS: Ubuntu 16 LTS,  x64 RAM: 16GB Cores: 4 (As Sqlite, ElasticSearch, CIF-Router among other apps would be running on same instance) HDD Capacity: 100GB
Read more

Top 20 Subdomains Search Engines

By Kunal Patil, Senior Threat Hunter
Image
Whats is Domain?  An organization shares a common suffix as Domain names which is controlled by that Organization or individual. What is Subdomains? Basically Subdomains are subdivisions of Domain. Why it is required? Subdomains are second website, which have its own unique content and makes hosting manageable and easy to organize.         Every second Organization Consists of various Subdomains as per their Requirements, I listed few Subdomains Search Engines, list is below :  Google Search - Online Search Censys - Online Search Pentest-Tools - Online Search DNS Dumpster - Online Search Netcraft - Online Search CloudPiercer - Online Search Detectify - Online Search VirusTotal - Online Search Pkey - Online Search Crt.sh - Online Search Sublist3r - GitHub repository DNScan - GitHub Repository Knock - GitHub Repository SubBrute - GitHub Repository Nmap - GitHub Repository Gobuster - GitHub Repository Fierce - Bydefault in Kali DNS
Read more

Collective Intelligence Framework v3 - Part 2

By Kunal Patil, Senior Threat Hunter
Image
In Previous blog we learned how to setup CIFv3, in this section we will discuss how to integrate data and filter the Resulted Data by-passing different parameters to it. We might have question that what happens exactly after hitting cif command or how cifv3 fetches feeds from external resources. well in this blog i will cover every details of CIFv3 but before that lets study few terminologies to understands the implementation of this Project. CIFv3 uses few Terminologies like : 1) TLP TLP stands for Traffic Light Protocol originally created by UK government for the Purpose of sharing of sensitive data. There are four colors in TLP (same like traffic lights) : RED - Not for disclosure, restricted to participants only AMBER - Limited disclosure, restricted within own organisation and clients or customers. GREEN -  Limited disclosure, restricted to the community but not via public channels WHITE - Disclosure is not limited 2) Timestamps CIF supports three Times
Read more

Security Architecture for Startup

By Kunal Patil, Senior Threat Hunter
Image
           Security Architecture is the design artifacts that describes how the security controls are positioned and how they relate to the overall systems architecture. These controls serve the Purpose to maintain the system's quality attributes such as confidentiality, integrity and availability. Following is the 10 steps plan required to build Security Architecture For Startup :   Pick Your battle  Establish a security culture  Pick security platform  Upgrade your software  Physical security  Control the internal network  Secure coding  Protect devices against malware  Perform security audits  BYOD Policies Pick Your Battle You can't secure everything, Quantify the monetory damage, likelyhood and mitigation cost of each threat to prioritize time and resource. Below are the list of threats which can taken into consideration as per Goal of the Industry (Budget + Risks). Establish a Security Culture Show Your team that Security is Important Factor
Read more

TrickBot Malware Family - A Deep Dive using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Use Case  Falcon OverWatch has identified probable TrickBot malware on host NAOUXXXX. A renamed copy of Vhd2disk was executed on the host, likely from a successful phish. This in turn wrote and executed a malicious file, likely TrickBot malware, and established persistence for it with a registry key. Introduction  Emotet Often referred to as a banking trojan or worm. It is a very advanced threat that is updated multiple times a day by the cybercrooks controlling it. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. TrickBot TrickBot is most commonly installed by the Emotet Trojan, which is spread through phishing em
Read more