Building Operational Threat Hunting Models
A successful threat hunting program can't be a black box to the organization. The expense of such elite programs demand executives easily comprehend the value to the organization. Of course, as the program develops, executive comprehension alone will not suffice and metrics will be necessary as well, but that's a post for another day.
5 Threat Hunting Models
I've begun to develop 5 Threat Hunting Models that I hope can be used to frame discussions about a threat hunting program and its objectives. This isn't the first iteration and I highly doubt its the last iteration of the models.
The Adversary Model is for creating hunts that target a specific adversary, for example APT 28. Hunters will review an adversary profile, hopefully created by your cyber threat intelligence team, to learn of the attackers behaviors. Using this knowledge, hunters will create a hypothesis on finding those behaviors in our environments. Don't have your own CTI, don't sweat it -- MITRE has your back.
Objective: Can we find APT 28 in our environment?
Input: MITRE Groups, Custom CTI Adversary Profile
Output: Post-Hunt Brief detailing hunt techniques used and the gaps and weaknesses of the environment for detecting APT 28.
I expect the Continuous Model to be the most contentious model of the bunch. This model is really a campaign of multiple hunts, on multiple targets, but with one objective. Let's imagine you want to look for the behavior of lateral movement, which results in noisy alerting. This behavior is something to look for across all the organization's high-value targets (HVTs) given the alerting gap, but doing it one by one presents a scale problem.To offer scale, the HVTs are grouped by similarity of data sources and hunts are performed for lateral movement on each group in sequence. If you are looking for a good source of lateral movement techniques, yet again MITRE to the rescue.Note: Don't know your organizations HVT's? It's ok, it happens. I recommend you push for starting a counter intelligence team to create HVT profiles and off load that work from hunter's. If you aren't sure where to start, MITRE has a good Crown Jewels Analysis (CJA) process.
Objective: How susceptible is your organization to lateral movement?
Input: HVT Profiles, MITRE ATT&CK
Output: Post-Hunt Brief for each HVT group hunt and on the completion of the campaign a more strategic report on lateral movement across the organization.
The Simulation Model is verification that hunting techniques used would find the attacker behavior you are seeking. It is how a team provides peace-of-mind without finding actual attackers in their environments. This is a chance for some fun collaboration between your hunters and your Red Team, though that isn't necessary to simulate.
Objective: Can we detect pass-the-hash in our environment?
Input: Red Team Operation, Blue Team simulation scripts
Output: Post-Hunt Brief includes the pre-planned simulation and the hunter's ability to detect the simulated attacker activity.
The Complementary Model is the most visible value add to your organization. While it's the most likely to disrupt a preplanned hunting schedule, this disruption is worth the value provided. Any time there is a critical deficiency in your security posture, hunting can be used to provide an immediate reduction in risk, while the longer term alerting/monitoring is setup. Rushing alerts can result in:
High false positive rates
Poorly trained analysts
Unforeseen load on the SEIM
Objective: Protect the newly introduced product or gap discovered by Red Team.
Input: Description of gap, Assessment of attacker, Discreet Timeframe
Output: Post-Hunt Brief is shorter for this effort, but contains descriptions and findings of hunts. It is highly recommended, that alerting ideas are also part of this brief.
The R&D Model is poorly named, so if you have a better idea after reading my description, please share in the comments. This model is simply hunter's researching completely untested hypothesis. For example, I see an interesting AWS attack at BlackHat and want to figure out how a defender would find that attack. Hunting in AWS isn't well documented yet, so really I am hunting on the unknown. This model isn't focused on finding
Objective: Create new hunts.
Output: Small post-hunt brief centered around the viability of the hunting technique. All attempted hunting techniques are cataloged.
As I develop the Post Hunt Brief templates for each hunt I will share them in my Resources section of the site.