Left of Bang is a military strategy for analyzing and addressing risk indicators. On a timeline of the events surrounding an attack, there are three parts:
- Left of Bang - everything leading up to the attack intended to either mitigate or avoid it
- Bang - the attack itself
- Right of Bang - the response to the attack
When cybersecurity teams are primarily oriented toward responding to attacks – a "right of bang" approach – they have an inherently limited scope. A security team that prioritizes remediation and containment assumes the inevitability of security breaches.
This is why the idea of incorporating cyber threat hunting into your cybersecurity program is growing in popularity… it takes a "right of bang" approach and shifts it to something more proactive… something that is more "left of bang".
WHAT IS THREAT HUNTING?
Cyber threat hunting is a proactive cybersecurity strategy that searches through networks to detect and isolate advanced threats before they present themselves. Threat hunters do not simply search for active threats – they are in search of hacker tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), indicators of attack (IoAs), and threats such as Advanced Persistent Threats (APTs) evading your existing security system. Although cyber threat hunters have a variety of strategies at their disposal, the best strategy is often determined by the type of threat they are hunting.
Related Resource: Understanding Cybersecurity Best Practices
Threat Hunting vs. Threat Detection
At its core, threat hunting is more than just detection and response. While threat detection focuses on identifying evidence of an attack such as correlated events or signature-based detection, threat hunting takes a more proactive approach to cybersecurity. Proactive threat hunting is intended to counteract an adversary that is in the organization’s environment but has not yet shown any indicators of compromise (IoC).
Threat detection relies on indicators of compromise because:
- IoCs are predictable
- IoCs are logical + quantifiable
- IoCs are static + NOT permutable
- IoCs are visible + discoverable
In comparison, threat hunting uses threat indicators as a starting point or hypothesis for a quest. Virtual fingerprints left by malware or an attacker, a weird IP address, phishing emails, or other unexpected network traffic are all threat signs. In other words, threat hunting does not wait for IoCs to appear before seeking out security breaches.
Threat hunting is more focused on indicators of attack (IoA):
- IoAs focus on detecting intent
- IoAs are patterns of behavior that often precede an attack
Both threat detection and threat hunting are complementary approaches to identifying and responding to security threats and are most effective when used in tandem. While threat detection provides vital defensive measures, threat hunting is the offensive playbook for outmaneuvering an enemy before they have the chance to act.
Applied to a non-security setting, think about it this way: An effective criminal does research before staging a robbery. A bank that relies solely on threat detection is only alerted once IoCs are flagged when the criminal has already accessed the vault. A bank that also threat hunts would be continuously on alert for IoAs that would allow their security team to respond to suspicious activity before any plan is executed. A plotting bank robber would likely investigate security systems, walk around the premises, and note the layout of the bank and the location of the vault prior to returning to perform a heist. None of these IoAs may individually signal an imminent threat, but they give reason to monitor the individual when viewed together in context.
Related Resource: Rising Ransomware Attacks, the Advent of XDR, & What it Means for the Future of Threat Detection and Response
WHY IS THREAT HUNTING RISING AS A MUST-HAVE TOOL AND MINDSET?
As cybersecurity technology continues to innovate and evolve, adversarial tactics become more sophisticated as well. Threat hunting is an essential strategy because it offers a solution to this dilemma, taking a more proactive approach to cybersecurity threats and using a human element instead of technology. This is important for fending off threats before they become a problem because:
- There are hundreds of millions of potential IoCs – so to avoid a high quantity of false alarms, it is important to understand the context surrounding the IoC
- Threats can remain undetected for months before showing any IoCs
- IoC-based detection approach falls short when facing malware-free intrusions and zero-day exploits
Technology, Methodologies, and Frameworks for Threat Hunting
Effective threat hunters hypothesize the most likely tactics and attack chains by thinking like their enemies. That said, there is no one-size-fits-all tactical approach to threat hunting. Instead, effective threat hunters rely on an arsenal of effective tools, frameworks, and methodologies for hunting threats.
Threat Hunting Technology + Tips
- Using SIEM Technology Alongside MITRE ATT&CK: *So how do you stop a threat when you are not sure it even exists? You hunt for it.
To be a successful threat hunter, you need to stay one step ahead of your adversaries, understand their perspective, form a hypothesis about the existence of a threat, theorize how to detect it, and then stop it. The MITRE ATT&CK framework is a great starting point for understanding attackers. It provides a catalog of real-world adversarial tactics and techniques.
Using the MITRE ATT&CK framework to inform your SIEM configuration, you can streamline threat hunting via:
- An end-to-end threat hunting workflow that enables you to rapidly spot leading and active indicators of attack.
- Custom and pre-built dashboards that visualize data to identify known adversarial techniques and tactics.
- Out-of-the-box content that saves you precious time and streamlines work into a single user interface.
With the partnership of Avertium and LogRhythm, and the MITRE ATT&CK framework, you will be armed with all the tools and information you need to conduct a fruitful threat hunting exercise. Learn more about Avertium’s LogRhythm capabilities.
*A contribution from LogRhythm's perspective on Threat Hunting.
- Machine Learning / Artificial Intelligence: *The complexity and volume of cyberthreats are evolving at a dangerously rapid pace. With the shortage of qualified security analysts, inefficient manual processes, and the growing cost of securing a business, organizations of all sizes are exposed to countless risks.
Both Avertium's Cyber Fusion Centers (CFCs) and LogRhythm’s SOC analysts leverage artificial intelligence (AI) and machine learning (ML) to stay ahead. Their solution is to incorporate security technology that can automate tasks associated with threat detection, incident response, and administration with AI.
CloudAI provides unparalleled accuracy by using AI and ML to detect signature-less and hidden threats. AI learns from and evolves in your environment. It combines supervised and unsupervised learning for continuous, automated tuning without requiring manual intervention. As a result, your security grows smarter over time.
*A contribution from LogRhythm's perspective on the LogRhythm CloudAI.
- Threat Intelligence: Cyber threat intelligence (CTI) is a body of information regarding attempted or successful breaches that are gathered and evaluated by automated security systems that use machine learning and artificial intelligence. When used to your advantage, threat intelligence can help you hunt down your threats, shifting your security from a state of reactivity to prevention.
Basically, threat hunting begins where threat intelligence ends. Therefore, CTI plays an essential role in keeping your OpSec staff up to date on active threat actors and the latest TTPs likely to be used against your company.
A proper threat hunt takes advantage of CTI to conduct a comprehensive, system-wide search for threat actors.
Ariel Ropek, Avertium's Director of Cyber Threat Intelligence, provides an example of a concrete case where the value of threat intelligence might look like this:
The Conti and Ryuk ransomware kill chains both begin with TrickBot malware as the initial infection. Conti progresses to the PowerShell Empire toolset for persistence and command and control (C2), while Ryuk typically uses Cobalt Strike for C2 operations. If a threat hunter observed IoCs related to TrickBot malware in an environment, they could use this intelligence to expand their hunt to both PS Empire and Cobalt Strike IoCs. The result of those searches would indicate whether Conti or Ryuk was the likely adversary and inform incident response teams of appropriate next steps.
Intelligence-driven threat hunting links malicious activity to known entities and gives threat hunters additional context about how far the kill chain has progressed as well as what the adversary is likely to do next.
Related Resource: How WhisperGate Affects the US and Ukraine
- MDR: Managed detection and response (MDR) is an outsourced managed security service that provides organizations with threat hunting services and responds to threats once they are discovered. It is yet another tool in the toolbox but is not all-inclusive.
- EDR: Endpoint detection and response (EDR) is an automated and continuous system of monitoring user data for suspicious activity. It alerts security teams of anomalous user behavior to help identify and contain threats to their endpoint.
Additional tools that could be used within your threat hunting program:
- YARA is a program that aids malware researchers in identifying and classifying malware samples, among other things. You may use YARA to construct descriptions of malware families (or anything else) based on textual or binary patterns. Each rule, or description, is made up of a set of strings and a boolean expression that determines the logic of the rule. It is utilized by a who’s who list of cybersecurity companies in our industry.
- DNSTWIST is a domain name permutation engine for detecting homograph phishing attacks, typosquatting, and brand impersonation. It can find lookalike domains that adversaries can use to attack your business.
- Phishing Catcher identifies possible phishing domains in near real-time. It scans the CertStream API for suspicious TLS certificate issuances that have been reported to the Certificate Transparency Log (CTL).
Related Resource: Using MITRE ATT&CK Framework for Beyond-Checkbox Cybersecurity
Threat Hunting Methodologies
Depending on the approach, threat hunting methodologies are separated into two types: structured and unstructured hunting.
Structured threat hunting is based on indicators of attack (IoA) and tactics, techniques, and procedures (TTPs) of an attacker. It leverages MITRE Adversary Tactics Techniques and Procedures and Common Knowledge (ATT&CK) framework using both PRE-ATT&CK and enterprise frameworks.
Unstructured hunting is based on a trigger. It uses available data to follow the path of any detected IoC.
- Types of Structured Threat Hunts
- Hypothesis-Based Hunting leverages global detection frameworks to understand the TTPs of attackers and IoAs. By applying known frameworks of predictable attacker behavior to one’s own environment, it can stop attackers before they ever manage to attack the environment. There are three generally recognized hypothesis-based types: Awareness, Intelligence, and Analytics.
- Awareness - Identifying the most critical hazards to target throughout the hunt using situational awareness and current environmental knowledge.
- Intelligence - Based on typical threat actor "tactics, techniques, and procedures," an intelligence-driven hypothesis is developed (TTP). The hunters test this hypothesis by observing and inspecting the network and systems to see whether certain TTP behaviors are present in the environment. 'Indicators of compromise' (IoCs) or 'indicators of attack' (IoAs) can also be used to support intelligence-based hypotheses.
- Analytics - Based on the utilization of current structured frameworks and models, as well as information produced from machine learning and artificial intelligence, an analytics-driven hypothesis is developed.
- Types of Unstructured Threat Hunts
- Data-Driven Hunting is a hunter who is just going through accessible data looking for abnormalities might uncover questionable activity. This sort of danger hunting is unstructured since it does not begin with a hypothesis and does not follow a preset path.
- Intelligence-Based Hunting or Intel-Based Hunting is driven by threat intelligence to search for attack patterns related to specific threat actors, malware variants, or campaigns. Security analysts have developed detailed profiles of threat actors which inform hunters of which course of action, or kill chain, an adversary is likely to take. These threat actor kill chains are closely aligned with the MITRE ATT&CK framework and define specific TTPs that an attacker would likely use at each stage of the attack.
For example, if a hunter detected an IoC related to reconnaissance by a known threat actor group, threat intelligence could tell the threat hunter what attack patterns to anticipate.
Threat Hunting Frameworks
Threat hunting frameworks offer structured strategies for combing through data points for IoAs based on tactics often employed by hackers.
- Targeted Hunting Integrating Threat Intelligence Framework: Threat hunting based on assumptions is known as structured threat hunting. You develop a hypothesis, scope a hunting activity, and then carry out the hunt. Targeted hunting is a kind of hunting that comprises multiple phases and a clear understanding of what the hunters are searching for before beginning any hunting activity.
- MITRE PRE-ATT&CK and ATT&CK frameworks: This is an open-source framework and knowledge base of adversarial tactics and techniques based on real-world observations. It provides a structured method to help you in threat hunting activities. It is a powerful framework for classifying and understanding adversarial techniques and their intent. You can use it to enhance, analyze, and test your threat hunting and detection efforts.
Integrating the Art + Science of Threat Hunting into Your Cybersecurity Strategy
Underneath the methodologies, tools, and frameworks, implementing threat hunting in your cybersecurity requires a significant paradigm shift.
Below is a scenario from Avertium’s Sr. Cybersecurity Analysts, Lee Tibbals who has years of real-world experience with threat hunting to keep our clients safe.
“I may take a different approach to threat hunting compared to other cybersecurity professionals (hence the art and science) when using a SIEM/EDR solution. In my experience, it starts with having a knowledge of the client’s environment, such as what logs I can parse through (in addition to other vital information). Having a good knowledge of the client’s environment is the foundation to a successful threat hunt, along with the understanding of the threat indicators that make up a malicious campaign one might find when going through the logs.
One thing to note is that not all of the threat hunts I’ve worked on have been reported, but most do – two, in particular, being the SolarWinds and Log4j activity.
To start a threat hunt from scratch, I begin by finding out what is available in the client’s environment. Then, I proceed with that information and conduct research for exploits/malicious activity that may apply to that client’s infrastructure. As theories are developed involving the malicious activity I am searching for, I come to find that sometimes those theories will not pan out… but, it can lead us to something else.
For instance, I started with a DNS threat hunt once looking for C2 traffic and malicious domains that may lead to other campaigns only to find traffic that was not malicious. It was simply a configuration issue that the clients did not know about. While the hunt did not provide any malicious activity, it helped them fix a configuration issue they did not know about.”
Putting the Context of Threat Hunting into Action
The tactics, techniques, and procedures of bad actors are always evolving. Adaptive enemies call for adaptive security. Avertium’s holistic, risk-based approach to cybersecurity layers services, technology capabilities, and tried-and-true security frameworks like MITRE ATT&CK with strategy and client collaboration to deliver a more resilient security posture.
Avertium puts the context of threat hunting into action. Attacks are highly orchestrated sequences of events. Learning how to “see them” requires the broadest view of data – not just from security tools. By combining our robust threat hunting tools and advanced threat intelligence with a heat map of your existing environment, Avertium gives you the broadest possible coverage across your network, your assets, and your people. After all, you are not fighting technology; you are fighting humans behind the technology. It is essential to understand your own systems’ vulnerabilities (Know Thyself) and how they may be susceptible to exploitation from your continuously adapting adversaries (Know Thy Enemy).
NIST CSF: Using proven frameworks like NIST CSF alongside our in-depth onboarding diagnostic, we get to know your business, your attack surface, your protocols, and your areas of greatest weakness + strength.
Know Thy Enemy
Threat Hunting, MITRE ATT&CK: Leveraging our cyber threat intelligence (CTI) alongside the MITRE ATT&CK framework, we then understand current and most likely future attack scenarios.
Related Resource: Cybersecurity Begins in the C-Suite