Building Operational Threat Hunting Models

A successful threat hunting program can't be a black box to the organization. The expense of such elite programs demand executives easily comprehend the value to the organization. Of course, as the program develops, executive comprehension alone will not suffice and metrics will be necessary as well, but that's a post for another day.

5 Threat Hunting Models 

I've begun to develop 5 Threat Hunting Models that I hope can be used to frame discussions about a threat hunting program and its objectives. This isn't the first iteration and I highly doubt its the last iteration of the models.

ADVERSARY MODEL

The Adversary Model is for creating hunts that target a specific adversary, for example APT 28Hunters will review an adversary profile, hopefully created by your cyber threat intelligence team, to learn of the attackers behaviors. Using this knowledge, hunters will create a hypothesis on finding those behaviors in our environments. Don't have your own CTI, don't sweat it -- MITRE has your back.
  • Objective: Can we find APT 28 in our environment?
  • Input: MITRE Groups, Custom CTI Adversary Profile
  • Output: Post-Hunt Brief detailing hunt techniques used and the gaps and weaknesses of the environment for detecting APT 28. 

CONTINUOUS MODEL

I expect the Continuous Model to be the most contentious model of the bunch. This model is really a campaign of multiple hunts, on multiple targets, but with one objective.  Let's imagine you want to look for the behavior of lateral movement, which results in noisy alerting. This behavior is something to look for across all the organization's high-value targets (HVTs) given the alerting gap, but doing it one by one presents a scale problem.

To offer scale, the HVTs are grouped by similarity of data sources and hunts are performed for lateral movement on each group in sequence. If you are looking for a good source of lateral movement techniques, yet again MITRE to the rescue.

Note: Don't know your organizations HVT's? It's ok, it happens. I recommend you push for starting a counter intelligence team to create HVT profiles and off load that work from hunter's. If you aren't sure where to start, MITRE has a good Crown Jewels Analysis (CJA) process.
  • Objective: How susceptible is your organization to lateral movement?
  • Input: HVT Profiles, MITRE ATT&CK
  • Output: Post-Hunt Brief for each HVT group hunt and on the completion of the campaign a more strategic report on lateral movement across the organization.

SIMULATION MODEL

The Simulation Model is verification that hunting techniques used would find the attacker behavior you are seeking. It is how a team provides peace-of-mind without finding actual attackers in their environments. This is a chance for some fun collaboration between your hunters and your Red Team, though that isn't necessary to simulate. 
  • Objective: Can we detect pass-the-hash in our environment?
  • Input: Red Team Operation, Blue Team simulation scripts
  • Output: Post-Hunt Brief includes the pre-planned simulation and the hunter's ability to detect the simulated attacker activity.

COMPLEMENTARY MODEL

The Complementary Model is the most visible value add to your organization. While it's the most likely to disrupt a preplanned hunting schedule, this disruption is worth the value provided. Any time there is a critical deficiency in your security posture, hunting can be used to provide an immediate reduction in risk, while the longer term alerting/monitoring is setup. Rushing alerts can result in:
  1. High false positive rates
  2. Poorly trained analysts
  3. Unforeseen load on the SEIM
  • Objective: Protect the newly introduced product or gap discovered by Red Team.
  • Input: Description of gap, Assessment of attacker, Discreet Timeframe
  • Output: Post-Hunt Brief is shorter for this effort, but contains descriptions and findings of hunts. It is highly recommended, that alerting ideas are also part of this brief.

R&D MODEL

The R&D Model is poorly named, so if you have a better idea after reading my description, please share in the comments. This model is simply hunter's researching completely untested hypothesis. For example, I see an interesting AWS attack at BlackHat and want to figure out how a defender would find that attack. Hunting in AWS isn't well documented yet, so really I am hunting on the unknown. This model isn't focused on finding
  • Objective: Create new hunts.
  • Input: Inspiration
  • Output: Small post-hunt brief centered around the viability of the hunting technique. All attempted hunting techniques are cataloged.


As I develop the Post Hunt Brief templates for each hunt I will share them in my Resources section of the site.


Happy Hunting!
~K

Comments

  1. This comment has been removed by the author.

    ReplyDelete
  2. As someone just getting started with threat hunting this has been the most valuable piece I've read and has really helped me figure out a starting point without getting lost in the weeds of possibilities. Thank you!

    ReplyDelete
  3. R&D --> Scientific Method Model or Scientific Model

    ReplyDelete
  4. You could call it the evolving ad-hoc model (or even just the ad-hoc model.)

    ReplyDelete


  5. I enjoyed over read your blog post. Your blog have nice information, I got good ideas from this amazing blog. I am always searching like this type blog post. I hope I will see again.
    tools

    ReplyDelete

Post a Comment

Popular posts from this blog

Applying Detection to the Attacker Lifecycle

Threat Hunting Team Maturity Model