Cyber threat hunting: frameworks & essentials
More than the search for undetected malicious activity, threat hunting helps security analysts track down unknowns and visibility gaps in the systems they monitor.
- Introduction: What is threat hunting?
- What cyber threat hunting is/what cyber threat hunting is not
- Why cyber threat hunting is valuable in modern IT environments
- The essentials of threat hunting
- Threat hunting frameworks and approaches
- Threat hunting: sample use cases
- How Corelight’s Open NDR platform empowers threat hunters
Introduction: What is threat hunting?
Cyber threat hunting is a practice in which security analysts explore their organization’s digital infrastructure and the data it generates for evidence of vulnerabilities, misconfigurations, malicious activity, internal errors or non-compliant behavior.
While it has been a defined practice for years, threat hunting has become critical to security teams tasked with protecting increasingly complex systems and detecting some of the most resourceful and stealthy adversaries. It is not a replacement for automated tools and alerts; rather, threat hunting is a distinct approach that augments and improves detections over time.
Threat hunting assumes that automated security tools will not detect every potential or active threat across the organization’s attack surface. Practitioners also expect that evidence of these threats can be pieced together through a combination of methods, which may include hypothesis testing; frameworks that catalog attackers’ tactics, techniques and procedures (TTPs); and deductive reasoning based on past experience and knowledge of the organization’s systems.
Security analysts with experience and skill are the key to productive threat hunts. However, any organization that empowers its security analysts to dig into available telemetry and ask questions alert systems do not answer can benefit from threat hunts. While advanced tools can greatly assist hunters’ efforts, even analysts with modest tool sets can make hunts productive.
Why cyber threat hunting is valuable in modern IT environments
The skills required for threat hunting may at first seem to be reserved for elite defenders who oversee highly specialized environments. While it is true that threat hunters improve their skills over time, there are strong incentives for organizations of all types to invest in this development and encourage analysts to gain experience by doing. Notable examples include:
- Increased complexity of systems and expanding attack surfaces. Cloud deployments, remote working conditions and proliferating endpoints have all contributed to the sprawl of many organizations’ digital infrastructure. Threat hunting increasingly supplies an additional layer of security oversight that can detect vulnerabilities and malicious activity in deployments where security controls are newly applied or not robust. It can also uncover evidence of shadow IT or use of resources that degrade overall performance of the network.
- Well-resourced and persistent adversaries. As security controls improve, bad actors focus their efforts on bypassing established controls and thinking a step ahead of defenders. By assuming that malicious actors have accessed the organization’s systems, or soon will, threat hunters can uncover new evidence of novel, sophisticated threats and reduce adversaries’ dwell time.
The essentials of cyber threat hunting
Cyber threat hunts can take many forms and involve factors that are unique to a particular organization. However, effective hunts typically result from a synthesis of components, including:
- People. Organizations allow analysts to spend dedicated time on threat hunts. Security operations center administrators recognize the value of greenlighting motivated analysts who are willing to dedicate time to threat hunts while fulfilling core responsibilities. Analysts themselves are willing to approach security outside the queue and with a more holistic approach to attack surface and system management.
- Tools. Analysts can leverage any tool that generates, stores or indexes data to engage in threat hunts. Tool configurations such as the SOC Visibility Triad provide a strong foundation for threat hunters, although skilled analysts can undertake hunts using a wide variety of tool combinations. In most cases, hunters should have access to three tool categories:
- Endpoint controls (e.g., extended detection and response (XDR), endpoint detection and response (EDR))
- Network analyzers (e.g., Zeek, Suricata, and/or network detection and response (NDR))
- Databases, data analysis, and data aggregation platforms (e.g., Splunk, Syslog, application logs and security information and event management (SIEM)).
- Data. Threat hunts can leverage almost any data that helps analysts improve visibility into their networks or piece together evidence of unauthorized activity. A partial list of sources includes:
- Applications (e.g., Zoom, database servers, web servers, PowerShell)
- Hosts and security protocols (e.g., WDigest, Kerberos)
- Networking equipment (e.g., routers, firewalls, switches)
- IoT devices
- Network traffic
Threat hunting frameworks and approaches
Even when it is instigated by a new alert or a hunch, threat hunting requires a systematic approach that makes the best use of an analyst’s valuable time. It should increase the possibility of uncovering vulnerabilities within their networks and taking actions with measurable outcomes that improve attack surface management.
There are several established frameworks that can help analysts formulate hypotheses, choose threat hunting methods best suited to the circumstances, and decide what types of threat intelligence to consult and how to implement and document updates and measure hunt effectiveness.
Sqrrl, established in 2015, created one of the first threat hunting frameworks. While many of its principles are still valid, a strong framework will incorporate cutting-edge threat intelligence and be flexible to change as the cybersecurity industry encounters new challenges. Splunk’s PEAK framework is an example of a modern threat hunting approach.
Most frameworks group threat hunts into several broad categories, including:
- Hypothesis-based hunts. An analyst makes an evidence-based guess about what types of tactics, techniques and procedures (TTPs) a malicious actor might deploy in an attempt to compromise an organization or move within its systems. The hypothesis might begin with the detection of anomalous or unexplained activity, or the analyst may review metadata generated by their network in the context of threat intelligence around known attack methods (such as the MITRE ATT&CK framework) and how an attacker might attempt to compromise particular assets or systems.
- Baseline hunts. An analyst may select a data source from within their system, review and classify the data, and establish a pattern of normal behavior against which they can compare anomalous or suspicious activity.
- Machine learning/model assisted hunts. Security teams with data analysis skills may build models that assist in surfacing anomalies that the team may then choose to investigate.
There is no one threat hunting method that will always be the right approach. A critical byproduct of experience is an analyst’s judgment of which indicators may yield important findings and what method will help them investigate thoroughly and rapidly. Whatever the method, human ingenuity is still the driving force behind the hunt. Educated guesses about what might be occurring within the network can be refined by asking the right questions, e.g.:
- How an attacker might perform reconnaissance
- How an attacker might gain initial access
- How an attacker might maintain access or command and control (C2) of a compromised host
- How an attacker might persist and/or move laterally in the environment
- How an attacker could gather credentials and/or escalate privileges
- How an attacker might access and/or exfiltrate critical data
Threat hunting: sample use cases
Threat hunting’s parameters are effectively limitless. Experienced hunters operating on the assumption that an adversary has already breached their system will also assume those attackers are capable of executing novel TTPs. In other cases, hunters must consider factors that may result in anomalous but benign traffic appearing on their networks and avoid casting a net that is either too wide or that interferes with necessary business functions.
(To learn more about how threat hunters approach their craft in real-world environments, please visit Corelight’s dispatches from the BlackHat network operations centers in 2023 and 2024.)
Any threat hunt depends on the collection of quality data and evidence. The better threat hunters understand their networks, the likelier it is they will discover rogue assets or evidence of suspicious activity that can lead to the creation of better detections and more opportunities to improve the network’s overall security.
In part, data quality depends on organization. Threat hunters should focus on data sources that provide sufficient historical context. But they should also centralize and collate the data sources in a few easily accessed locations and deploy tools that expedite the data searches and summarize findings. Threat hunters should also learn from past hunts by noting blind spots and aspects of their reconnaissance that are hardest to execute.
By combining intelligence from sources such as the MITRE ATT&CK framework and their own experience, threat hunts can search for evidence of well-known attack patterns. Examples of the many potential use cases include:
- Credential-access & credential-based attacks:
- The threat. Adversaries may use bots or stolen databases to guess identity credentials and gain access to a targeted network (e.g., brute force attacks). They may conduct spear phishing campaigns to compromise a target’s machine and force it to authenticate to a server they already control. They may also target externally accessible interfaces, such as virtual private networks (VPNs) or exposed remote desktop protocol (RDP) servers.
- Potential hunting actions. Threat hunters can monitor traffic for an unusual number of login attempts on multiple devices, or investigate whether there have been slowdowns that could be sourced to increased traffic. When they have access to richer network data, such as that provided by the Zeek© monitoring platform, they can search conn logs for anomalous sessions, many attempted sessions in a short period of time or sessions of unusual length. They may review NTLM logs and search for authentications in which a destination IP exists on an external network. They can also check RDP logs if they suspect RDP servers have been compromised, and search for evidence that can establish the legitimacy of a user or the lack of it, including client name, cookie fields, keyboard layout and encryption levels.
- Malicious C2 traffic:
- The threat. Once established in a targeted environment, attackers often establish command and control (C2) channels to connect compromised machines with an external server. They may utilize the domain name system (DNS) as a channel for domain generation algorithm (DGA) techniques that maintain control of the infected machine while simultaneously obscuring the connection. They may also relay commands via unusually long queries or use uncommon record types to maintain control of the compromised machines.
- Potential hunting actions. Defenders can investigate DNS logs to search for unusual queries or recorded IP addresses within selected time periods. They can dig into suspicious queries and seek unique identifiers that can help them distinguish between normal if unusual queries and suspicious ones. They may also look to HTTP logs or other communication channels to look for evidence of a C2 channel being established.
- Data exfiltration:
- The threat. Adversaries have many ways of exporting target datasets out of their target’s environment and onto servers they control. Often, they will exploit the same IT infrastructure necessary to conduct normal business for exfiltration. They may obscure exfiltration in systems that generate a great deal of traffic, such as DNS or HTTP, that also include many rule exceptions to facilitate normal operations. They may also use encrypted protocols like SSH commonly used by developers or C2 channels in which exfiltration can blend in or evade detection.
- Potential hunting actions. Analysts can look at a large set of abnormally long DNS queries and scope down to a smaller set based on timestamps or other metadata. They can review producer/consumer ratios (PCR) of servers to search for evidence that attackers are using a machine to send data to an attacker-controlled server as part of a C2 exfiltration attempt. They also might analyze SSH connections while asking whether there were an unusual number of file downloads or uploads, their timing and size, and other evidence that may validate an exfiltration hypothesis.
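The conn-log session-burst check, the producer/consumer ratio and the long or uncommon DNS query check described in the hunting actions above, as an added example that is not Corelight's or Zeek's own code. It runs over constructed Zeek-style JSON records embedded inline; the thresholds (20 attempts in 60 seconds, queries over 52 characters, the list of "common" record types) are assumptions to be tuned against a baseline of your own network.

```python
# Added example (not Corelight's or Zeek's own code): three hunting checks over
# constructed Zeek JSON log records; field names follow Zeek's conn.log and dns.log.
from collections import Counter, defaultdict

# Constructed conn.log records: 30 rejected RDP attempts in 30 seconds from one host,
# then two completed TLS sessions with very different byte ratios.
CONN_LOG = [{"ts": 1700000000 + i, "id.orig_h": "10.0.0.5", "id.resp_p": 3389,
             "conn_state": "REJ", "orig_bytes": 0, "resp_bytes": 0} for i in range(30)] + [
    {"ts": 1700000100, "id.orig_h": "10.0.0.7", "id.resp_p": 443, "conn_state": "SF",
     "orig_bytes": 50_000_000, "resp_bytes": 20_000},
    {"ts": 1700000200, "id.orig_h": "10.0.0.8", "id.resp_p": 443, "conn_state": "SF",
     "orig_bytes": 8_000, "resp_bytes": 900_000},
]
# Constructed dns.log records: one ordinary lookup and one long TXT query.
DNS_LOG = [
    {"ts": 1700000300, "id.orig_h": "10.0.0.7", "qtype_name": "A", "query": "www.example.com"},
    {"ts": 1700000301, "id.orig_h": "10.0.0.7", "qtype_name": "TXT",
     "query": "4d6a7f3b9c2e1a8d5f0b7c6e3a9d2f1b8c4e7a0d.tunnel.example.net"},
]

def auth_bursts(records, ports=(3389, 22), window=60, threshold=20):
    """{(orig_h, resp_p): peak attempts} for sources that hit a port >= threshold
    times within any `window` seconds (the 'many attempted sessions' hunt)."""
    times = defaultdict(list)
    for r in records:
        if r["id.resp_p"] in ports:
            times[(r["id.orig_h"], r["id.resp_p"])].append(r["ts"])
    hits = {}
    for key, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):  # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits

def producer_consumer_ratio(records):
    """PCR per source host, (sent - received) / (sent + received): -1 is a pure
    consumer, +1 a pure producer. Hosts with no payload bytes at all are skipped."""
    sent, recv = Counter(), Counter()
    for r in records:
        sent[r["id.orig_h"]] += r["orig_bytes"]
        recv[r["id.orig_h"]] += r["resp_bytes"]
    return {h: round((sent[h] - recv[h]) / (sent[h] + recv[h]), 3) for h in sent if sent[h] + recv[h] > 0}

def odd_dns_queries(records, max_len=52, common=("A", "AAAA", "CNAME", "MX", "NS", "PTR", "SRV")):
    """Queries that are unusually long or use a record type outside the common set."""
    return [r for r in records if len(r["query"]) > max_len or r["qtype_name"] not in common]
```

A host with a PCR near +1 and a large byte total is a candidate for the exfiltration hypothesis; the rejected RDP burst and the long TXT query are the two other leads the list above describes.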
How Corelight’s Open NDR platform empowers threat hunters
Threat hunting depends on tools that allow analysts to dig deep into network telemetry and find evidence of latent threats that can’t be identified by endpoint detection and response (EDR) and perimeter defenses. Network detection and response (NDR) platforms are essential to performing the deep dives and hypothesis testing threat hunters undertake to learn the ground truth of their systems and traffic.
Corelight’s Open NDR supports threat hunters who are learning the craft as well as advanced hunters who seek evidence of behaviors that are not reflected in existing threat intelligence. Powered by Zeek and Suricata, Corelight’s platform transforms network traffic into readable, intuitive transaction logs that unpack the busiest and most critical network protocols, such as DNS, HTTP, FTP and SSL, among many others. Importantly, Zeek logs compile data through a security lens, enabling threat hunters to assemble key pieces of evidence that can help resolve anomalous incidents and prove out (or disprove) working hypotheses.
Threat hunters who are still learning their craft can benefit from Corelight’s interactive MITRE ATT&CK navigator and entity collections to leverage best-in-class threat intelligence while gaining unique insights into their own networks’ traffic and usage patterns. Advanced hunters—including Corelight team members who staff the BlackHat Network Operations Center—use the platform to pursue structured and unstructured threat hunts and document the extent and effectiveness of their threat hunts.
Ready to learn more? Download Corelight’s Threat Hunting Guide, our hands-on primer on many relevant threat hunting use cases. To learn more about how Corelight’s Open NDR can complete your organization’s defense strategy, contact an expert today.
We’re proud to protect some of the most sensitive, mission-critical enterprises and government agencies in the world. Learn how Corelight’s Open NDR Platform can help your organization tackle cybersecurity risk.