While discussing threat hunting with a colleague, we got into an interesting conversation about whether some tools can assist with threat hunting from an operational or from a strategic perspective, and which of the two can be more effective.
Of course there are tools that can help with each of these parts of a threat hunt. Some tools will assist with both. Now let’s dive into this topic.
Quickly, before we get into the weeds of this maze, what is threat hunting?
Regarding the actual term origin:
The term “threat hunting” originated with the US Air Force in the mid-2000s, when they began to use teams of security analysts to conduct “friendly force projection” on their networks.
source: Bejtlich, Richard, “Become a Hunter: Fend off Modern Computer Attacks by Turning your Incident Response Team into Counter Threat Operations,” Information Security, 2011
As for the actual act of Threat Hunting — I want to explore it this way:
- Discuss what it is not
- What it is
- How to
- Applying it
First off, it’s different from pentesting, although both activities share at least one goal: to report findings to operational and management teams in order to improve the overall security posture.
Pentesting is performed by Red teams, who try to break into an environment using multiple hacking tools. A professional in this area should be familiar with the Cyber Kill Chain framework, a very popular attack framework:
Threat hunting is performed by Blue teams. It is the act of looking through event logs for signs or evidence of malicious activity.
It’s part of an Incident Response Plan.
NIST defines Incident Response in four activities:
1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery