The Threat Hunting Architecture


As companies need to stay ahead of the latest cybersecurity risks, threat hunting is becoming increasingly important in the modern enterprise. Threat hunting is the step-by-step, proactive process of looking for signs of malicious activity without prior knowledge of a specific threat or a predefined set of indicators to look for.

To help profile malicious threat actors, samples are taken from various sources, enabling researchers to seek out unknown malicious activity in the enterprise network. The techniques threat hunters use involve aggregating all of the feeds required for hunting and identifying anomalies based on those input sources.

In addition, they establish a baseline for each account and for the enterprise's assets. Once this information has been collected, analysis can be carried out to determine how far an attacker has penetrated the network.

Threat hunting has three pillars: logs, packets and processes. Logs enable the hunter to identify the actions an attacker performed in the enterprise network; packets record what communicated on the network and how that communication took place; and process data provides a record of the effect an attack had on the enterprise's hosts.

Classifying threat hunting: passive and active 
There are two different classifications of threat hunting: passive threat hunting and active threat hunting. 

Passive threat hunting involves analyzing logs and packets from an unstructured feed, before they are normalized. It requires a very strong hypothesis that can be used to identify specific indicators of compromise in the feed.

Passive threat hunting has various limitations. It is difficult to analyze across multiple log sources at once, so you must begin with a very strong threat hypothesis and set of assumptions, and it takes more effort to find indicators of compromise (IOCs). In addition, understanding the impact an attacker had on the enterprise is significantly harder, and oversight of the organization's entire attack surface is typically limited.

Active threat hunting is the process of analyzing logs, packets and processes after the unstructured data has been converted to a structured format, referred to as normalized data. Normalization makes it easier to identify what effect a threat had on the organization, because it allows different log sources to be correlated back to the IP address, user and/or machine involved.

Active threat hunting allows threat hunters to identify complex attack scenarios, such as phishing, DNS tunneling, APT activity, denial of service, network intrusion, lateral movement and user login session hijacking, to name but a few.
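As an added example that is not part of the original article, the Python below shows the normalize-then-correlate step of active threat hunting together with the per-account baseline mentioned earlier in the article. Three constructed log sources (an OpenSSH auth line, a Squid-style proxy line, and a Windows logon event flattened to key=value text, the last an assumed rendering) are mapped onto one schema, grouped by user in time order, and events after an assumed cutoff are compared with the account's baseline of known source IPs and active hours. All log lines, hostnames, usernames, addresses, the year applied to the syslog timestamps and the cutoff are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines for three log sources (not real data). The OpenSSH
# and Squid native formats are real; the Windows logon line is an assumed
# key=value flattening of event 4624.
RAW_LINES = [
    "Mar 10 08:02:11 web01 sshd[2211]: Accepted password for alice from 10.1.1.20 port 51234 ssh2",
    "1710057731.000    120 10.1.1.20 TCP_MISS/200 5123 GET http://intranet.example/ alice DIRECT/10.1.1.5 text/html",
    "Mar 10 22:41:05 web01 sshd[2390]: Accepted password for alice from 198.51.100.77 port 40112 ssh2",
    "1710110470.000    300 198.51.100.77 TCP_MISS/200 901 GET http://files.example/x.zip alice DIRECT/10.1.1.9 application/zip",
    "2024-03-10T22:42:30 host=fs01 event_id=4624 user=alice src_ip=198.51.100.77 logon_type=3",
]
YEAR = 2024  # syslog lines carry no year; assumed for the sample
# Assumed boundary between the baseline window and the hunt window.
CUTOFF = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)

SSHD_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
# Squid native: time elapsed client action/code size method URL ident hierarchy type
PROXY_RE = re.compile(r"^(\d+)\.\d+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s")


def normalize(line):
    """Map one raw line onto a common schema; return None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts, "source": "sshd", "host": m.group(2), "user": m.group(3),
                "src_ip": m.group(4), "action": "ssh_login"}
    m = PROXY_RE.match(line)
    if m:
        ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        return {"ts": ts, "source": "proxy", "host": None, "user": m.group(5),
                "src_ip": m.group(2), "action": f"{m.group(3)} {m.group(4)}"}
    if " event_id=" in line:
        ts_str, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        ts = datetime.fromisoformat(ts_str).replace(tzinfo=timezone.utc)
        return {"ts": ts, "source": "windows", "host": kv.get("host"), "user": kv.get("user"),
                "src_ip": kv.get("src_ip"), "action": f"logon_type_{kv.get('logon_type')}"}
    return None


def build_timeline(lines):
    """Correlate normalized events back to the user involved, ordered in time."""
    timeline = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev and ev["user"]:
            timeline[ev["user"]].append(ev)
    for evs in timeline.values():
        evs.sort(key=lambda e: e["ts"])
    return timeline


def build_baseline(timeline, cutoff):
    """Per-account baseline from events before the cutoff: known source IPs and active hours."""
    base = {}
    for user, evs in timeline.items():
        known = [e for e in evs if e["ts"] < cutoff]
        base[user] = {"ips": {e["src_ip"] for e in known},
                      "hours": {e["ts"].hour for e in known}}
    return base


def hunt_deviations(timeline, baseline, cutoff):
    """Flag post-cutoff events that deviate from the account's baseline."""
    findings = []
    for user, evs in timeline.items():
        b = baseline.get(user, {"ips": set(), "hours": set()})
        for e in evs:
            if e["ts"] < cutoff:
                continue
            reasons = []
            if e["src_ip"] not in b["ips"]:
                reasons.append("new source IP")
            if e["ts"].hour not in b["hours"]:
                reasons.append("unusual hour")
            if reasons:
                findings.append({"user": user, "ts": e["ts"].isoformat(), "source": e["source"],
                                 "host": e["host"], "src_ip": e["src_ip"],
                                 "action": e["action"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    tl = build_timeline(RAW_LINES)
    for f in hunt_deviations(tl, build_baseline(tl, CUTOFF), CUTOFF):
        print(f)
```

Read individually, the late SSH login, the proxy download from the same address and the type-3 network logon on fs01 a minute later are unremarkable; correlated on the user field they read as one login from an unknown address followed by a move to a file server, which is the kind of picture the passive approach struggles to assemble.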

Threat Hunting Models 
The strength of your hypotheses is the determining factor in the effectiveness of every threat hunting model. There are four key threat hunting models, which are the following.

Event-based hunting
Event-based threat hunting focuses on individual events and analyzes them to determine whether a compromise has occurred. This means looking into specific events, establishing when, how and by whom they were performed, and then using that data to judge whether they were potentially malicious.

IOC-based hunting
One of the easiest ways to find a specific threat is through IOC-based hunting. An IOC is like a fingerprint for a cyber threat: data found in system logs, transactions or files that identifies malicious activity. IOCs are often categorized using the Pyramid of Pain, which ranks indicator types by how much it costs an attacker when you detect and block on that type, from hashes and IP addresses, which are trivial to change, up to tools and TTPs, which are not.
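As an added example that is not from the original article, the Python below matches a constructed indicator set against constructed endpoint telemetry and orders the hits by Pyramid of Pain tier. The lower tiers are plain value matches (hash, IP, domain, registry artifact, tool name); the top tier, TTPs, is expressed as a behavioral rule (an Office application spawning a scripting host) rather than a string, which is why it is the hardest for an attacker to evade. The indicator values, hostnames, paths and the event schema are assumptions for the example; the `original_filename` field stands in for the PE OriginalFileName that process-creation telemetry such as Sysmon event 1 records, so a renamed tool on disk is still caught.

```python
import ntpath  # handles Windows paths regardless of the host OS

# Pyramid of Pain tiers, ordered from least to most costly for the attacker to change.
TIERS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

# Constructed indicator set for the example (not a real threat feed).
IOCS = {
    "hash": {"deadbeef" * 8},
    "ip": {"203.0.113.45"},
    "domain": {"updates-cdn.example"},
    "artifact": {"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    "tool": {"mimikatz.exe"},
}

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def ttp_office_spawns_shell(ev):
    """TTP-level rule: an Office application launching a scripting host."""
    return (ev["type"] == "process"
            and ntpath.basename(ev.get("parent", "")).lower() in OFFICE
            and ntpath.basename(ev["image"]).lower() in SHELLS)


TTP_RULES = {"office_spawns_shell": ttp_office_spawns_shell}

# Constructed endpoint telemetry (assumed schema, not real data).
EVENTS = [
    {"host": "ws17", "type": "process", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe",
     "parent": "C:\\Windows\\explorer.exe", "sha256": "deadbeef" * 8},
    {"host": "ws17", "type": "dns", "query": "updates-cdn.example"},
    {"host": "ws17", "type": "netconn", "dst_ip": "203.0.113.45", "dst_port": 443},
    {"host": "ws22", "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "sha256": "0" * 64},
    {"host": "ws22", "type": "process", "image": "C:\\Tools\\m.exe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "original_filename": "mimikatz.exe", "sha256": "1" * 64},
    {"host": "ws22", "type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "Updater"},
    {"host": "ws30", "type": "dns", "query": "intranet.example"},
]


def match_event(ev):
    """Return (tier, indicator) pairs for every IOC tier the event hits."""
    hits = []
    t = ev["type"]
    if t == "process":
        if ev.get("sha256") in IOCS["hash"]:
            hits.append(("hash", ev["sha256"]))
        # Check the on-disk name and the embedded original name, so renaming does not help.
        for name in (ntpath.basename(ev["image"]), ev.get("original_filename", "")):
            if name.lower() in IOCS["tool"]:
                hits.append(("tool", name.lower()))
                break
    elif t == "dns" and ev["query"].lower() in IOCS["domain"]:
        hits.append(("domain", ev["query"].lower()))
    elif t == "netconn" and ev["dst_ip"] in IOCS["ip"]:
        hits.append(("ip", ev["dst_ip"]))
    elif t == "registry":
        value_path = f'{ev["key"]}\\{ev["value_name"]}'
        if value_path in IOCS["artifact"]:
            hits.append(("artifact", value_path))
    for rule_name, rule in TTP_RULES.items():
        if rule(ev):
            hits.append(("ttp", rule_name))
    return hits


def hunt_iocs(events):
    """Run all events through the IOC set; rank hits by the pain they inflict on the attacker."""
    findings = []
    for i, ev in enumerate(events):
        for tier, indicator in match_event(ev):
            findings.append({"pain": TIERS.index(tier), "tier": tier, "indicator": indicator,
                             "host": ev["host"], "event": i})
    return sorted(findings, key=lambda f: f["pain"], reverse=True)


if __name__ == "__main__":
    for f in hunt_iocs(EVENTS):
        print(f)
```

Ranking the hits this way puts the Word-to-PowerShell chain on ws22 at the top of the queue: the attacker can rebuild the dropper to change its hash or rotate the C2 address in minutes, but abandoning the technique itself costs them real effort, so that is the hit worth pursuing first.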

Entity-based hunting 
Entity-based threat hunting focuses on high risk users (HRU) and high value assets (HVA), reflecting the need for threat hunters to prioritize regardless of the resources at their disposal. This also involves prioritizing the specific areas of the organization that are more vulnerable or more likely to be attacked, such as DMZ servers, application server LAN segments and the systems of senior executives. These areas are a focus because attackers often target them to access sensitive information or to use them as a base for lateral movement.

Hybrid threat hunting
Using multiple threat hunting models together is known as the hybrid threat hunting model. It requires significant subject-matter expertise and is most suitable when you do not know how far an attacker has infiltrated the network.

The organizational data you have and the information you know about potential threat actors will be determining factors in deciding the style or model of threat hunting. 

Ideally, threat hunters should try to develop a 360-degree view of an attack, understanding the technologies attackers used, the effectiveness of an attacker's weaponization of a technology, and how bad actors adapt their attack strategies. Organizations with mature security operations centers should all implement a threat hunting process, particularly as the threat landscape continues to shift rapidly.
