Threat hunting is perhaps the least mechanical of security activities: according to Joe Slowik’s FIRST presentation (video) the whole point is to find things that made it past our automated defences. But that doesn’t mean it should rely entirely on human intuition. Our hunting will be much more effective if we think first about which threats it will be most beneficial to find and how we are most likely to find them.
Thoughtful threat hunting requires an understanding of likely adversaries; telemetry and data sources; and the ability to search and query them. Rather than randomly searching for signs of intrusion, threat hunting provides most benefit if it concentrates on the kinds of threat that would cause most harm to the particular organisation. Thinking about how those actors are likely to operate, and what their goals might be, should guide us to the services and systems they are most likely to use. Then we can consider what traces they might leave, and what records we might need to find them. If those don’t exist, then we can fill the gaps either by increasing activity logging in specific areas (but not so far that we overload ourselves) or by considering alternative sources that already exist.
For example, a frequent blind spot, mentioned in a number of different talks, is network activity within the organisation. Perimeter systems such as firewalls should give good visibility of ingress and egress traffic, but multi-stage threats such as ransomware are more easily detected by their unusual lateral movement between organisational systems. For organisations that identify email fraud as a significant risk, on the other hand, email headers are more likely to be a relevant source.
Even with a focus on specific threats and data sources, threat hunters are likely to have a “needle in the haystack” challenge: data sources are too big for humans alone to analyse. So we need tools to explore individual data sources and, particularly, patterns (or their suspicious absence) across sources. Flexible, exploratory tools are likely to be harder to use effectively than single-purpose searches, so threat hunters need more time to plan and develop their skills. Again, focusing on particular threats can guide this learning to where it will most benefit the organisation.
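The two ideas above, hunting for unusual lateral movement inside the network and looking for a pattern across more than one data source (including its suspicious absence), can be made concrete in a small hunt script. The following is an added example written for this post, not code from the presentations it summarises. It assumes two constructed inputs: internal flow records (timestamp, source, destination, destination port) and authentication events (timestamp, user, source, destination, result). It flags any source host that reaches an unusually large number of distinct hosts on remote-administration ports within a short window, then cross-checks the authentication log and lists the targets for which no matching logon event exists, which is either a logging gap to fill or activity worth a closer look. The port set, window and threshold are assumptions to be tuned to the organisation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values (not from the post): adjust to the organisation's baseline.
ADMIN_PORTS = {445, 3389, 5985}          # SMB, RDP, WinRM: common remote-admin channels
WINDOW = timedelta(minutes=10)           # sliding window for counting distinct targets
FANOUT_THRESHOLD = 5                     # distinct targets in one window before we look closer
AUTH_SLACK = timedelta(seconds=60)       # how close an auth event must be to a flow to explain it

# Constructed sample internal flow records: timestamp src dst dst_port
FLOWS = """
2024-03-01T09:00:05 10.0.1.20 10.0.2.10 445
2024-03-01T09:00:09 10.0.1.20 10.0.2.11 445
2024-03-01T09:00:14 10.0.1.20 10.0.2.12 445
2024-03-01T09:00:20 10.0.1.20 10.0.2.13 3389
2024-03-01T09:00:27 10.0.1.20 10.0.2.14 445
2024-03-01T09:00:31 10.0.1.20 10.0.2.15 5985
2024-03-01T09:05:00 10.0.1.21 10.0.2.10 445
2024-03-01T11:30:00 10.0.1.21 10.0.2.11 445
2024-03-01T09:01:00 10.0.1.22 10.0.2.50 443
"""

# Constructed sample authentication events: timestamp user src dst result
AUTH = """
2024-03-01T09:00:06 alice 10.0.1.20 10.0.2.10 success
2024-03-01T09:00:10 alice 10.0.1.20 10.0.2.11 success
2024-03-01T09:05:01 bob 10.0.1.21 10.0.2.10 success
"""


def parse_records(text, fields):
    """Parse whitespace-separated lines into dicts; the first field is an ISO timestamp."""
    rows = []
    for line in text.strip().splitlines():
        row = dict(zip(fields, line.split()))
        row["ts"] = datetime.fromisoformat(row["ts"])
        if "port" in row:
            row["port"] = int(row["port"])
        rows.append(row)
    return rows


def fanout_by_source(flows, window=WINDOW, ports=ADMIN_PORTS):
    """For each source, the largest set of distinct admin-port destinations seen in any window."""
    per_src = defaultdict(list)
    for f in flows:
        if f["port"] in ports:
            per_src[f["src"]].append(f)
    result = {}
    for src, rows in per_src.items():
        rows.sort(key=lambda r: r["ts"])
        best = set()
        for i, start in enumerate(rows):
            # destinations reached within `window` of this flow (rows are time-ordered)
            seen = {r["dst"] for r in rows[i:] if r["ts"] - start["ts"] < window}
            if len(seen) > len(best):
                best = seen
        result[src] = best
    return result


def targets_without_auth(src, targets, flows, auth, slack=AUTH_SLACK):
    """Destinations of src with no authentication event from src close in time to any flow."""
    unexplained = set()
    for dst in targets:
        flow_times = [f["ts"] for f in flows if f["src"] == src and f["dst"] == dst]
        explained = any(
            a["src"] == src and a["dst"] == dst and abs(a["ts"] - t) <= slack
            for a in auth for t in flow_times
        )
        if not explained:
            unexplained.add(dst)
    return unexplained


def hunt(flow_text, auth_text, threshold=FANOUT_THRESHOLD):
    """Run the lateral-movement hunt and correlate each hit with the authentication log."""
    flows = parse_records(flow_text, ("ts", "src", "dst", "port"))
    auth = parse_records(auth_text, ("ts", "user", "src", "dst", "result"))
    findings = []
    for src, targets in fanout_by_source(flows).items():
        if len(targets) >= threshold:
            findings.append({
                "src": src,
                "distinct_targets": len(targets),
                "targets_without_auth": sorted(targets_without_auth(src, targets, flows, auth)),
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(FLOWS, AUTH):
        print(finding)
```

On the constructed data only 10.0.1.20 is reported: it reaches six hosts on admin ports inside half a minute, and four of those connections have no authentication event to explain them, so the hunter knows both where to look and which logging gap to raise. Keeping the port set, window and threshold as named constants is what makes the hunt easy to turn into a repeatable rule once it has found something.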
Finally, when a threat is discovered we should “codify the success”. Having discovered the signs of a successful intrusion, try to update the rules that it bypassed to make the same technique less likely to succeed in future. Repeated hunting for the same threat is frustrating for the hunter and a waste of precious resources for the organisation.