Hunt Technique Catalog | Playbook | Database


In my first post I went over some threat hunting models. For the R&D hunts, I mentioned that it would require every hunt to be cataloged. Then I started to try to create the outcome document from an R&D Hunt to share it with everyone and ran into a terminology roadblock of my own making.

I couldn't seem to make progress on outlining the expected outcome from R&D Hunts, at least not in a concise way that would be easy for my team and my leadership to comprehend. So, I decided to use writing a post to walk myself through the process and the terminology.

Campaigns & Hunts

Campaign

  • Description: Two or more hunts with a common objective
  • Outcome: A strategic product consolidating the findings from all hunts

Hunt

  • Description: 1 or more hunt techniques with a common objective
  • Outcome: A report containing actionable findings

Hunting Techniques

Hunting Technique

Description: A hypothesis applied to a specific domain, for a specific datasource, using a specific tactic

Outcome: Unit of work for a hunter

For me, the hunting technique is what the hunter does to test the hypothesis and with a favorable outcome it becomes a skill in her toolbox. This differs from what sqrrl calls hunting techniques, but I couldn't come up with a more appropriate word, so as you will see below I switch their terminology to be tactics.

The hunting techniques are what need to be cataloged for a scalable hunt program, so that is why I was getting so stuck trying to come up with the documentation after an R&D Hunt, its documenting the hunting technique itself. 

Now I was able to dive into what type of metadata I wanted to store with each hunting technique.

The Deep Dive



The hunting technique is the way to describe and therefore document what a hunter does. On the right side of the image I have what I consider the main attributes of the technique and over on the left I have additional metadata that, while isn't required, I could see being useful when building out the playbook or catalog.

I have created a spreadsheet that smaller organizations or individual hunters could use to track their work, but larger organizations will likely need a database. I have yet to use the tracker, so I am sure some modifications are needed so please feel free to share ideas or mods you made in the comments, or if the tracker was just a waste of time.

Dashboard View

My DBA days were rooted in relational databases, but this seemed like a good candidate for me to try out a document-oriented database, MongoDB, for the larger organizations. I will create another post specifically about this endeavor because its just going to take me a little longer, but progress will be in my GitHub. If you are interested collaborating on the HT Trackr, let's do it.

Happy Hunting,
~K

September 6, 2017 - Update

 @Cyb3rWard0g gave me a new word that I like better than technique and allows me not to rename what sqrrl has already worked to establish, which I like way better -- Hunting Analytic. So I made some new images and will be using that in the database I'm creating.






Comments

Post a Comment

Popular posts from this blog

Threat Hunting Team Maturity Model

Image
After talking about scaling a hunt team with the concept of " Pack Hunting " in my last post, now I want to approach a topic that has been weighing on my mind as the year comes to a close. How do I build a kickass hunt program? And how would I know if I did? Admittedly, this is on my mind because next year my program will have been around long enough to be audited, which means I need to be able to measure my program in an audit-able way. I am not talking about the outcome of the program here, the hunting itself, but rather the processes and procedures that lead to the outcomes. The outcomes are currently measured using KPIs, but I haven't stress tested those enough to share yet. Developing a Threat Hunting & Research  Team Maturity Model Why a maturity model? As I looked into how to approach this question I came across the idea of using a maturity model. According to the Institute of Internal Auditors ( IIA ), a maturity model describes process components th...
Read more

Building Operational Threat Hunting Models

Image
A successful threat hunting program can't be a black box to the organization. The expense of such elite programs demand executives easily comprehend the value to the organization. Of course, as the program develops, executive comprehension alone will not suffice and metrics will be necessary as well, but that's a post for another day. 5 Threat Hunting Models  I've begun to develop 5 Threat Hunting Models that I hope can be used to frame discussions about a threat hunting program and its objectives. This isn't the first iteration and I highly doubt its the last iteration of the models. ADVERSARY MODEL The Adversary Model is for creating hunts that target a specific adversary, for example APT 28 .  Hunters will review an adversary profile, hopefully created by your cyber threat intelligence team, to learn of the attackers behaviors. Using this knowledge, hunters will create a hypothesis on finding those behaviors in our environments. Don't have your own CTI, do...
Read more

Applying Detection to the Attacker Lifecycle

Image
Thanks everyone for the encouraging comments on my first post and for taking the time to let me know it helped you out!  😁  Now for the next edition. Hunting is a form of detection. It's not monitoring, but it is detection. So let's take a quick look at creating a detection strategy and how it can include your hunt program. Use a Lifecycle for your Story Your detection strategy needs to create a story that your senior leadership can easily understand. The Mandiant Attacker Lifecycle always made more sense to me than the Lockheed Martin Cyber Kill Chain , so I am going to use that as the story for my strategy. Pick whichever lifecycle works for you. There is also the MITRE Attack Lifecycle . Mandiant Attacker Lifecycle For the sake of this post , I am going to say the lifecycle stage, Complete Mission, should be handled by DLP, backups (if mission objective is destructive), and encryption. Alerting You want to alert early in the lifecycle so you catch attacker...
Read more