Updated: Aug 11, 2022
Focus on what will make it work
It is more TACTICAL than STRATEGIC. The current Threat-hunt community is addressing why “Threat Hunting” should not be relying on high-level theoretical punditry such as…
“Know your IT environment.” -OR-
“Think like a Hunter?”
These strategic points of view only move the “needle” slightly in favor of companies and agencies fighting the daily cyber-assaults on their systems and data. There is a need to begin delving into the details. It is no longer a matter of what needs to be done, and now it is time for the cybersecurity community to define how to do it.
Threat Hunting is NOT purely focused on endpoint detection. The gravest concern is focusing on the threats already “in the wire.” It is too late if the danger has already penetrated your firewalls. The fundamental objective is to integrate homogeneous (internal) audit-log type data and heterogeneous (external) threat intelligence to improve organizations’ odds of pushing back cyber-threats.
It is not “normal” versus “abnormal.” How do you define “normal?” This understating of anomaly detection is overly simplistic. For example, what may appear abnormal to some may be typical activity over the Internet for the seasoned cyber-forensic specialist. This kind of poor consideration fails to provide enough granularity to determine the types and levels of threat to the IT infrastructure. A preferred approach is the Department of Defense’s (DOD) “Precedence Categorization” (see chart below). It provides a suitable means to prioritize potential attacks from a less-than-defined event to an actual incident.
It is not about “magical” intuition on the part of threat hunting activity. The Threat Hunters and supporting operational and intelligence personnel are professionals and are not clairvoyants. This kind of language appears as a less-than repeatable and scientific process. It is not just an educated guess, but experiential expertise created by the teamwork that occurs within a defined threat hunting group.
The OODA loop is REACTIVE, NOT PROACTIVE. Air Force Colonel John Boyd was a maverick of his time and a hero for his insight into the parochial natural of the US Air Force. The small community of Threat Hunting expertise is still fighting with a 20th Century model not designed for an evolving cyber threat. Boyd’s model worked well for pilots in dogfights but has little applicability in cyber-threat hunting. It should be reversed and be proactive on Day 1. It should become the ADOO model for cyber-threat hunting purposes.
ACT—Create an environment that already puts the bad guy on the defense. Use honeypots and security devices that can detect and PREVENT the attack in the first place.
DECIDE—Determine what is working well and what is not. Variability is your greatest asset against an ever-evolving threat.
ORIENT—Identify where efforts have been and will be most successful. Identify common attack vectors and have solutions that can either mitigate or stop the success of the attacks within the IT environment. The longer the threat is “in the wire,” the more damage it can cause.
OBSERVE—Conduct lesson learned sessions after every attack—document what was known. Learn from mistakes, and adjust personnel, resources, and approaches for the next attack.
The worst advice is that Threat Hunting should be Aggressive.
It is NOT “aggressive.” Taking an aggressive stance against cyber-attacks opens the company or agency to the potential total weight of a highly committed and resourced Advanced Persistent Threat (APT) such as China, Russia, or Iran. Threat Hunting should not go beyond its IT security boundaries. This should include cloud environments, backups, and alternate sites. The companies and agencies should never engage in a hack-back. It is never recommended. Cyber-Threat Hunting is an active, assertive activity that must quickly identify and stop the threat. Unless you are a sovereign nation-state with the resourcing and technical capabilities to respond to attacks against your networks, being aggressive is never a good idea.