Chapter 1 : Intro to Threat Emulation

GDB HackerOne
10 min read · Sep 30, 2023

Threat Hunting Week! — THM

By 𝓞𝓟 𝓚𝓮𝓿𝓲𝓷 ッ | 25 / 09 / 2023

THM { Threat Hunting Week! — THM }

Task 1

Learning Objectives

1. Understanding Threat Hunting
What is Threat Hunting?: We’ll grasp the essence of Threat Hunting and distinguish it from Incident Response. It’s about being the hunter, not just the gatherer of cybersecurity data.

Role in Security: We’ll explore how Threat Hunting plays a pivotal role in fortifying an organization’s security posture.

2. Differentiating Goals
Diverse Goals: We’ll dive into the various objectives of Threat Hunting and understand how these goals contribute to an organization’s security resilience.

Security Posture: We’ll connect the dots between Threat Hunting goals and the development of a robust security posture.

3. Practical Application
What to Look For: We’ll gain insights into what Threat Hunters seek, how they hunt, and the art of recognizing subtle signs of malevolence.

Effective Decision-Making: We’ll learn when it’s time to move on from a hunt, ensuring efficiency and focus.

4. Intelligence-Driven Approach
The Power of Intelligence: We’ll delve into the concept of an Intelligence-driven approach to Threat Hunting and its significance in staying ahead of cyber adversaries.
By the end of this journey, you’ll have a solid foundation on Threat Hunting, be equipped with practical knowledge, and understand the critical role it plays in modern cybersecurity.

Room Prerequisites and Expectations

Threat Intelligence Basics: A basic understanding of Threat Intelligence and its role in cybersecurity will be beneficial.

Incident Response Knowledge: Familiarity with Incident Response concepts will help you draw parallels and distinctions.

SOC Operations Insight: Knowing how Security Operations Centers (SOCs) operate will provide context.

Security Posture Awareness: Understanding the fundamentals of building an organization’s security posture will enhance your comprehension of the discussed concepts.

Task 2

Threat Hunting in a Nutshell
Proactive Pursuit: Threat hunting is like the cybersecurity detective agency actively seeking out potential adversaries. It’s not waiting for trouble; it’s actively looking for it.

Guided by Intelligence: Instead of waiting for alerts, threat hunting is guided by Threat Intelligence, which provides insights into potential threats and vulnerabilities.

The Unknown Threat: It operates under the premise that “there might be a threat that we don’t know yet.” It’s the search for hidden dangers lurking within the digital shadows.

Incident Response: The Reactive Counterpart
Triggered Response: Incident response, on the other hand, is reactive by nature. It springs into action when an initial notification or alert is received, indicating suspicious activity.

Triage and Analysis: IR involves triaging the incident, analyzing the evidence, and determining if it indeed constitutes a security incident that requires action.

Dealing with the Known Threat: IR’s mantra is “There’s a threat that needs to be dealt with now.” It’s all about containing and mitigating the known threat swiftly.

Bridging the Gap
These two approaches may seem at odds, but they complement each other beautifully:

Building on IR: Organizations typically start threat hunting after establishing an IR process and detection mechanisms. It addresses the concern that incidents aren’t being detected early enough.

Strengthening Detection: Threat hunting’s core mission is to add and enhance current detection mechanisms. It seeks to automate the detection of similar threats in the future.

A Symbiotic Relationship: Threat hunting findings trigger the IR team’s mobilization. In return, IR findings may guide threat hunters to uncover further malicious activities.

Answer the questions below

  • What do you call the approach to finding cyber security threats where there’s an active effort done to look for signs of malicious activity?
  • In this task, what are we contrasting threat hunting with?
  • Incident response is innately reactive. What is done first thing when an initial notification or alert is received? (It is _______.)
  • Threat hunting is innately proactive. What is it guided by?
  • Threat Hunting and Incident Response are two different approaches that aim to ensure one specific goal is met. It is to strengthen the organisation’s what?

Task 3

Threat Intelligence
Understanding the Adversary: Threat intelligence provides us with critical information about the threats we may encounter. It’s like knowing our enemy’s playbook, allowing us to anticipate their moves within our environment.

Narrowing the Focus: This intelligence helps us narrow down our search. We can identify specific data points that adversaries might be after, or even pinpoint which threat groups or APTs are likely to target us.

Unique Threat Intelligence
Internal Insights: Developing internal threat intelligence is a valuable asset. Not every organization has the intrusion experience needed to create actionable intelligence, making this unique to your organization.

Indicators of Compromise (IOCs): Documented IOCs from past intrusions are a prime example. These IOCs serve as tangible traces of an adversary, aiding both threat hunters and detection mechanisms.

Threat Intelligence Feeds
Learning from Others: Many organizations can’t produce their own threat intelligence due to limited experience or resources. Here, threat intelligence feeds come to the rescue.

Public Resources: Open-source platforms like MISP provide access to threat intelligence. MISP is like a treasure trove of insights into threats and tactics.

Paid Services: For those willing to invest, paid services like Recorded Future and ReliaQuest offer tailored threat intelligence. While costly, they provide unparalleled insights when wielded by a skilled threat intelligence analyst.

Practical Examples
Unique Threat Intelligence: Think of it as having a personal archive of past intrusions, complete with IOCs. This serves as a goldmine for your threat hunters and detection mechanisms.

Threat Intelligence Feeds: Platforms like MISP, which are readily available, offer a wealth of knowledge about various threats. They’re like libraries where you can learn from the experiences of others.

Paid Services: Consider Recorded Future and ReliaQuest as premium mentors in the world of threat intelligence. They provide tailored insights, but this expertise comes at a price.

Answer the questions below

  • What is the most obvious and straightforward example of a Unique Threat Intelligence?

Task 4

How to Hunt: A Tactical Approach

Now that we’ve pinpointed our hunt objectives, the question arises: “How do we actually hunt for them?” Let’s delve into the tactical approaches and strategies that fuel effective threat hunting.

Attack Signatures and IOCs

Characterizing the Target: Upon identifying the subject of our hunt, it’s crucial to condense the details into specific and actionable identifiers. This is where Attack Signatures and Indicators of Compromise (IOCs) shine.

Immediate Recognition: These signatures and IOCs serve as immediate recognition markers. They help us identify relevant malware, attack residues, or signs of known vulnerabilities within our historical data.

Logical Queries

Precision in Action: Some hunting projects lend themselves well to logical queries. For example, hunting for assets with known vulnerabilities can be streamlined using specific identifiers like application versions.

Low-Hanging Fruits: Crafting logical queries to filter for these identifiers gives us low-hanging fruits. These are easy wins that directly bolster the organization’s security posture.
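The two query styles just described, IOC/attack-signature matching and a logical query over application versions, as an added example that is not part of the original post or the TryHackMe room. Every IOC value, hostname, log line and version number in it is constructed for illustration, and “ExampleVPN” is a hypothetical product name; the IOC set stands in for what an internal intrusion archive or a feed such as MISP would supply.

```python
"""
Added example (not from the original post or the TryHackMe room): a minimal
hunt runner that applies the two query styles described above to constructed
sample data. Every IOC, hostname, log line and version number below is made up
for illustration, and "ExampleVPN" is a hypothetical product name.
"""
import re
from urllib.parse import urlparse

# Constructed IOC set, the kind of list an internal intrusion archive or a
# feed such as MISP would supply (placeholder values, not real indicators).
IOCS = {
    "sha256": {"a" * 64},                    # placeholder file hash
    "ip": {"203.0.113.45"},                  # TEST-NET-3 documentation range
    "domain": {"update-check.example.net"},  # reserved example domain
}

# Constructed log lines in a simple "key=value" style (proxy and EDR sources).
LOG_LINES = [
    "2023-09-25T10:14:02Z proxy host=ws-0142 dst=203.0.113.45 url=http://update-check.example.net/a",
    "2023-09-25T10:15:09Z edr host=ws-0142 proc=svchost.exe sha256=" + "a" * 64,
    "2023-09-25T10:16:30Z proxy host=ws-0199 dst=198.51.100.7 url=https://intranet.example.com/",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp source k=v k=v ...' into a field dict."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"], fields["source"] = ts, source
    return fields


def ioc_hits(lines, iocs):
    """Attack-signature / IOC hunt: (host, ioc_type, value) for every field that
    matches a known indicator. The domain is pulled out of the URL so that the
    scheme or path cannot hide a match."""
    hits = []
    for line in lines:
        f = parse_line(line)
        checks = [("ip", f.get("dst")), ("sha256", f.get("sha256"))]
        if "url" in f:
            checks.append(("domain", urlparse(f["url"]).hostname))
        for ioc_type, value in checks:
            if value and value in iocs.get(ioc_type, set()):
                hits.append((f["host"], ioc_type, value))
    return hits


# Constructed asset inventory for the logical-query style of hunt.
ASSETS = [
    {"host": "ws-0142", "app": "ExampleVPN", "version": "4.3.1"},
    {"host": "ws-0199", "app": "ExampleVPN", "version": "4.5.0"},
    {"host": "srv-db01", "app": "ExampleVPN", "version": "4.10.2"},
]


def parse_version(v):
    """Compare versions numerically: as plain strings "4.10.2" < "4.5.0",
    which would wrongly flag a patched host as vulnerable."""
    return tuple(int(p) for p in v.split("."))


def vulnerable_assets(assets, app, fixed_in):
    """Logical query: every install of `app` older than the version that
    fixed the (hypothetical) vulnerability."""
    fixed = parse_version(fixed_in)
    return [a["host"] for a in assets
            if a["app"] == app and parse_version(a["version"]) < fixed]


if __name__ == "__main__":
    for hit in ioc_hits(LOG_LINES, IOCS):
        print("IOC hit:", hit)
    print("Unpatched:", vulnerable_assets(ASSETS, "ExampleVPN", "4.5.0"))
```

The version query is the “low-hanging fruit” case: it needs no behavioural analysis, only an accurate inventory and a correct comparison. Note that the comparison is done on integer tuples; a string comparison would sort 4.10.2 before 4.5.0 and produce a false positive on the already-patched server.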

Patterns of Activity

Understanding Behavior: Once we’ve homed in on the specific threat actors or entities, it’s time to characterize their behavior through patterns of activity. This is where the MITRE ATT&CK Matrix takes center stage.

MITRE ATT&CK Matrix: It’s a comprehensive resource that maps out tactics, techniques, and procedures (TTPs) used by threat actors. It’s like a playbook of adversary behavior.

Strategic Insights: By aligning our hunt with the MITRE ATT&CK Matrix, we gain strategic insights into how adversaries may operate within our environment. This guides our hunt in a structured and methodical manner.

The Art of Query Crafting

Crafting effective queries, whether they’re based on IOCs, Attack Signatures, or patterns of activity, is an art form. It requires a deep understanding of the organization’s environment and how it generates logs and data.

The Power of Automation

In large-scale environments, automation becomes essential. Threat hunting platforms and tools can automate the execution of queries, making it more efficient to sift through vast amounts of data.

Human Expertise

While automation is valuable, the human element is irreplaceable. Skilled threat hunters possess the ability to analyze nuanced data, spot anomalies, and connect the dots that might elude automated systems.

Constant Iteration

Threat hunting is an ongoing process. It involves continuous refinement of queries, adaptation to evolving threats, and learning from each hunt to enhance future efforts.

Collaboration

Collaboration is key. Threat hunters often work closely with other teams, such as Incident Response, to swiftly address any threats detected during the hunt.

Answer the questions below

  • Malware is constantly used in the toolkits of threat actors. What is the live malware repository that we touched upon above?
  • Knowing what is normal in your environment and separating it from what’s not is a skill all threat hunters should have. What example of Threat Intelligence blends well with environmental noise?
  • Threat actors are quite creative in finding vulnerabilities and misconfigurations. What should the organisation be extra vigilant in monitoring for announcements of?
  • Characterisation of the subject of the hunt into specific and actionable identifiers is imperative for the hunt’s success. How is it done most effectively?

Task 5: Practical Application

Visualizing Threats: MITRE ATT&CK Navigator

The MITRE ATT&CK Navigator is a powerful tool that helps us visualize threat actors, their techniques, and their impact on our organization’s security. Let’s walk through how to use it effectively:

1. Create New Layers

  • Click on “Create New Layer” and select “Enterprise.”
  • Use the magnifying glass under “Selection Controls” to search for a specific threat, such as “WannaCry.”
  • Click “Select” next to the result to add it to your layer.

2. Customize Your Layer

  • Enhance visibility by choosing a background color under “Technique Controls.”
  • Assign an arbitrary score (e.g., 1) to this layer under “Technique Controls.”
  • Provide a name for this layer under “Layer Controls.”

3. Repeat for Other Threats

  • Repeat the above steps for two more threats, like “Stuxnet” and “Conficker.”
  • Assign different scores (e.g., 2 for Stuxnet and 4 for Conficker) to each layer.
  • Ensure that each threat has a unique color for visual clarity.

4. Combine Layers

  • Click on the “+” button and choose “Create Layer from other layers.”
  • Select “Enterprise ATT&CK v13” under “Domain.”
  • In the “Score Expression” field, enter “a+b+c” to aggregate scores.
  • Click “Create” to generate a new layer that combines the three threat layers.

5. Visualize the Combined Layer

  • By default, the combined layer will show different colors for shared techniques.
  • Deep red indicates techniques common to all threats, while lighter colors represent combinations of two threats.

This visual representation helps identify patterns of activity shared among these relevant threats. The differing scores and colors can reflect the relevance of each technique to your organization’s context.
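The “Create Layer from other layers” step, re-created offline as an added example (not part of the original post and not MITRE’s Navigator code). Each layer is a set of technique IDs with a score, and the score expression is evaluated per technique exactly as the walkthrough describes, with a layer that lacks a technique contributing 0. Using 1, 2 and 4 makes the sum a bitmask, which is why the combined layer can colour “all three” differently from “two of three”. The technique-to-threat assignments are a constructed sample for illustration, not the real ATT&CK mappings for WannaCry, Stuxnet or Conficker.

```python
"""
Added example (not from the original post, nor MITRE's Navigator code): an
offline re-creation of the "Create Layer from other layers" step. Each layer
maps technique IDs to a score; the combined layer evaluates the score
expression per technique, with a layer that lacks the technique contributing
0. Using 1, 2 and 4 (distinct powers of two, as in the walkthrough) makes the
sum decodable: 7 means all three threats, 5 means a and c, and so on.
The technique-to-threat assignments are a CONSTRUCTED sample for illustration,
not the real ATT&CK mappings for WannaCry, Stuxnet or Conficker.
"""
from itertools import chain

LAYERS = {
    "a": {"name": "WannaCry",  "score": 1, "techniques": {"T1486", "T1210", "T1573"}},
    "b": {"name": "Stuxnet",   "score": 2, "techniques": {"T1210", "T1091", "T1068"}},
    "c": {"name": "Conficker", "score": 4, "techniques": {"T1210", "T1091", "T1486", "T1110"}},
}


def combine_layers(layers, expression):
    """Evaluate a score expression such as "a+b+c" for every technique found
    in any layer. Only sums of layer names are supported here (the Navigator
    accepts richer expressions); no eval() is run on the expression text."""
    terms = [t.strip() for t in expression.split("+")]
    unknown = [t for t in terms if t not in layers]
    if unknown:
        raise ValueError(f"unknown layer(s) in expression: {unknown}")
    techniques = set(chain.from_iterable(l["techniques"] for l in layers.values()))
    combined = {}
    for tech in sorted(techniques):
        combined[tech] = sum(layers[t]["score"] if tech in layers[t]["techniques"] else 0
                             for t in terms)
    return combined


def threats_for_score(layers, score):
    """Decode a combined score into threat names; valid because each layer's
    score is a distinct power of two, so the sum behaves as a bitmask."""
    return {l["name"] for l in layers.values() if score & l["score"]}


def shared_by(combined, layers, names):
    """Techniques whose combined score decodes to exactly this set of threats
    (the Navigator renders each such set in one colour, deep red for all three)."""
    wanted = set(names)
    return sorted(t for t, s in combined.items() if threats_for_score(layers, s) == wanted)


if __name__ == "__main__":
    combined = combine_layers(LAYERS, "a+b+c")
    for tech, score in combined.items():
        print(tech, score, sorted(threats_for_score(LAYERS, score)))
    print("common to all three:",
          shared_by(combined, LAYERS, ["WannaCry", "Stuxnet", "Conficker"]))
```

The decoding step is the point of choosing 1, 2 and 4 rather than 1, 2 and 3: with consecutive scores a sum of 3 could mean “a and b” or “c alone”, and the combined layer would no longer tell you which threats overlap on a technique.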

When to Move On

Knowing when to move on from a threat hunting operation is a challenge. Unlike a Capture the Flag (CTF) challenge where success is rewarded with a flag, threat hunting may not always yield immediate results.

  • Follow Your Process: Stick to your threat hunting plan, especially if it’s intelligence-driven. Trust the process you’ve defined.
  • Be Persistent: Understand that not finding immediate threats doesn’t mean you’ve failed. Threat hunting is about diligence and thoroughness.
  • Continuous Improvement: Treat each hunt as an opportunity to learn and improve. Document your findings and insights for future reference.
  • Internal Doubt: It’s normal to doubt yourself during threat hunting, but confidence comes with experience. As long as you follow your process and adapt to new information, you’re on the right track.

Answer the questions below

  • Which tactic has the most techniques highlighted?
  • Which technique do the three threats have in common?
  • What technique do WannaCry and Conficker have in common?
  • What’s the score of techniques that Stuxnet and Conficker have in common?

Task 6: Goals

The Why of Threat Hunting

Threat hunting is not just a concept; it’s a proactive and vital approach to cybersecurity. Let’s explore the “whys” behind threat hunting through a comic panel narrative:

Comic Panel 1: Proactive Approach to Finding Bad

Caption: “Threats are constant in the world of security.”

Threat actors, ranging from script kiddies to advanced persistent threats, are always lurking. To protect your organization effectively, you must find and identify them before they can carry out their malicious intentions. It’s about staying one step ahead in the cybersecurity game.

Comic Panel 2: Discover Pre-existing Bad

Caption: “Some activities slip through detection mechanisms.”

Sophisticated attacks or even sheer luck can lead to some malicious activities going unnoticed by traditional detection systems. These activities may be undetectable, but they are not invisible. Threat hunting allows you to uncover these hidden activities and trigger an incident response. It’s about shining a light on the invisible threats.

Comic Panel 3: Minimize the Dwell Time of Attackers

Caption: “Minimize a threat actor’s dwell time.”

Undetected threat actor activity provides them with a “free pass” to explore your environment further. The longer they have access, the more damage they can do. Threat hunting’s primary goal is to minimize the time threat actors spend within your environment. It’s about reducing the window of opportunity for attackers.

Comic Panel 4: Develop Additional Detection Methods

Caption: “Translate findings into detection mechanisms.”

Threat hunting not only uncovers threats but also serves as a feedback loop for continuous improvement. As you profile previously undetectable threats, the goal is to translate these profiles into new detection mechanisms. This way, future similar threats can be detected immediately. It’s about enhancing your organization’s ability to identify and respond to evolving threats.

Answer the questions below

  • What is the primary goal of Threat Hunting?
  • Feedback is important to keep the organisation secure. Upon profiling threats through our Threat Hunting efforts, what should these profiles be translated to?

Task 7: Conclusion

In the world of cybersecurity, staying one step ahead of malicious actors is not just a goal; it’s a necessity. Threat hunting, as we’ve explored in this comprehensive journey, embodies this proactive approach to security. It’s not a mere concept; it’s a mindset, a practice, and a strategic imperative for organizations.

In our exploration, we’ve delved into the “whats” of threat hunting, understanding that it’s about actively seeking out cyber threats rather than waiting for them to trigger alarms. We’ve explored the “hows,” from characterizing threats into actionable identifiers to visualizing threat landscapes with tools like the MITRE ATT&CK Navigator. And we’ve discussed the “whens,” recognizing that threat hunting is an ongoing, iterative process.

But perhaps most importantly, we’ve uncovered the “whys” of threat hunting. It’s about being proactive in finding and mitigating threats, understanding that threats are a constant in the security landscape. It’s about shining a light on activities that evade traditional detection methods, minimizing the time threat actors have within your environment, and translating findings into enhanced detection mechanisms.

In conclusion, threat hunting is not just a cybersecurity practice; it’s a strategic pillar for organizations aiming to safeguard their assets, data, and reputation. It’s about taking control of your organization’s security destiny, proactively seeking out threats, and continuously improving your defenses. As the threat landscape evolves, threat hunting remains an indispensable tool in the arsenal of modern cybersecurity. Embrace it, refine it, and stay one step ahead.
