The Foundations of Threat Hunting

By: Chad Maurice, Jeremy Thompson, William Copeland

Overview of this book

Threat hunting is a concept that takes traditional cyber defense and turns it on its head. It moves the bar for network defenses beyond looking at the known threats and allows a team to pursue adversaries that are attacking in novel ways that have not previously been seen. To successfully track down and remove these advanced attackers, a solid understanding of the foundational concepts and requirements of the threat hunting framework is needed. Moreover, to confidently employ threat hunting in a business landscape, the same team will need to be able to customize that framework to fit a customer's particular use case. This book breaks down the fundamental pieces of a threat hunting team, the stages of a hunt, and the process that needs to be followed through planning, execution, and recovery. It will take you through the process of threat hunting, starting from understanding cybersecurity basics through to the in-depth requirements of building a mature hunting capability. This is provided through written instructions as well as multiple story-driven scenarios that show the correct (and incorrect) way to effectively conduct a threat hunt. By the end of this cyber threat hunting book, you'll be able to identify the processes that handicap an immature cyber threat hunting team and systematically progress its hunting capabilities to maturity.

Table of Contents (19 chapters)

  • Part 1: Preparation – Why and How to Start the Hunting Process
  • Part 2: Execution – Conducting a Hunt
  • Part 3: Recovery – Post-Hunt Activity

Why is threat hunting important?

Reactive detection methods, such as utilizing signatures of known malicious files (hashes) or monitoring for behaviors synonymous with an attack (heuristics), can fail for a number of reasons. Detection based on known hashes can easily fail, as it is simple to change a known malicious file just enough to bypass standard and even advanced antivirus solutions: any free hex editor can be used to change a single bit of a file, and that is enough to defeat this defense. Heuristics can also fail, as they rely on known bad behaviors while attempting to account for expected administration behavior on the network. This does little for the unknown bad behaviors that are still evolving in the threat actors' environments.
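The following added example (not code from the book or its authors) makes the hash-fragility point concrete from a defender's side. It builds a blocklist from the SHA-256 of a constructed, obviously fake sample, toggles one bit in the padding, and shows that the exact-hash layer goes silent while a simplified content-feature rule (a hypothetical YARA-style substring check, my assumption of a second layer) still fires. The sample bytes, the FEATURE pattern and the byte index are all constructed for illustration.

```python
import hashlib

# Constructed stand-in for a known-malicious file: a few header bytes,
# zero padding, and a distinctive string. Not a real sample.
SAMPLE = (
    b"MZ\x90\x00"
    + b"\x00" * 60
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 64
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash "signature database" built from the sample, as an AV blocklist would be.
BLOCKLIST = {sha256_hex(SAMPLE)}


def hash_detect(data: bytes) -> bool:
    """Reactive, signature-style check: exact hash match against the blocklist."""
    return sha256_hex(data) in BLOCKLIST


# Hypothetical content-feature rule (simplified YARA-style thinking): match a
# byte pattern characteristic of the family instead of the whole-file hash.
FEATURE = b"cannot be run in DOS mode"


def feature_detect(data: bytes) -> bool:
    return FEATURE in data


def flip_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Return a copy with one bit toggled: the single-bit edit the text describes."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def evaluate(data: bytes) -> dict:
    """Run both detection layers and report which of them still fire."""
    return {"hash_match": hash_detect(data), "feature_match": feature_detect(data)}


if __name__ == "__main__":
    # Byte index 10 lies inside the zero padding, so the feature string survives.
    print("original:       ", evaluate(SAMPLE))
    print("one-bit variant:", evaluate(flip_bit(SAMPLE, byte_index=10)))
```

The takeaway for a defender is not that feature rules are unbeatable (a change inside the matched pattern would evade them too) but that a whole-file hash is the most brittle layer available, which is why the text argues for proactive hunting on top of signatures.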

Taking the opposite approach and whitelisting known good behavior and applications is a method that an enterprise can take to create a zero-trust environment. In practice, very few organizations can, or should, fully implement this type of construct. This method is extremely resource-intensive to deploy across an enterprise while keeping the whitelist up to date as software and people change. Even then, someone masquerading as a legitimate user and following that user's normal behavior could operate under the defense's thresholds.

A proactive detection method such as threat hunting doesn't wait for an alert and doesn't require the administrative overhead of whitelisting every approved action. Threat hunting takes into account the current vulnerabilities, environment, and processes to apply human expertise against the evidence. It allows an organization to apply a force multiplier to its cybersecurity processes by augmenting the automated and administered defenses.

Another reason why threat hunting is important is that it provides a focus for cybersecurity from an entirely different point of view (POV) than is normally found in a Security Operations Center (SOC). This different POV sets aside the alarms and the tools associated with them. Threat hunting looks directly at the evidence on the endpoints to determine whether there was some activity that was missed, or that the SOC tools haven't been updated to detect.

While there are many different methods of detecting adversarial behavior on a network, they can all be put into one of two categories – reactive or proactive. Think of reactive detection like a building alarm that is triggered when a window is opened. Once triggered, security will go and investigate what happened and why that window was opened. Proactive detection, of which threat hunting is one method, does not wait for an alarm to go off. Using the same analogy, this would be a security guard who patrols the building looking for unlocked windows even though no alarms have gone off.

The following is a real-world example:

  • Location: High-security facility.
  • Reactive detection methods: Alarms on doors and windows; each door is automatically secured with a locking mechanism; entry is protected by a radio frequency identification (RFID) badging in/out system; motion detectors for after business hours or in restricted/unoccupied spaces.
  • Behavior (heuristics) tracking methods: Each individual is issued an RFID picture badge to scan into the facility and enter restricted spaces. Members have unique accounts to log in to systems that track what system or resource was accessed at a specific time.
  • Proactive detection methods: Security guards patrol the building, review access and personnel records for abnormal or malicious activity, and stop random individuals for security checks of bags and access credentials. If anything appears out of the ordinary, the security guards have the authority to intervene and review the facts around the particular event before allowing it to continue.

Without this proactive detection method employed across the building, any activity that mimics an insider or unknown threat would be almost impossible to detect.

Definitions

True positive: An alert triggered by reactive defenses that is valid, in that it meets the intent of the signature or heuristic for which it triggered; for example, an antivirus signature alert for a trojan that was downloaded.

True negative: The lack of a trigger by reactive defenses during the analysis of normal and expected system behavior or communications.

False positive: An alert triggered by reactive defenses that is invalid, meaning that it does not meet the intent of the signature or heuristic for which it triggered; for example, an intrusion prevention system firing on someone searching the internet for testmyids.com.

False negative: The lack of a trigger by reactive defenses on abnormal or malicious system behavior or communications during analysis; for example, an adversary emulating an administrator in order to successfully exfiltrate data from the network.
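The four definitions above, and the earlier point that a masquerading user following normal behavior slips under heuristic thresholds, can be seen together in this added example (my code, not the book's). It models a deliberately simplified reactive layer, an antivirus signature flag plus an IDS-style rule that fires on the string "testmyids" anywhere in a URL, and classifies constructed events against ground truth that only a later investigation would establish. Event fields, descriptions and URLs are all constructed; the `quiet_events` helper is my own addition to show where a hunt starts.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed activity plus what an investigation later established."""
    description: str
    malicious: bool            # ground truth, known only after analysis
    av_signature_hit: bool = False
    url: str = ""
    via_admin_tools: bool = False   # activity carried out with legitimate admin tooling


def reactive_alert(event: Event) -> bool:
    """Simplified reactive controls: an antivirus signature match, or an
    IDS-style content rule that fires whenever 'testmyids' appears in a URL.
    Note that nothing here inspects via_admin_tools: admin-like behaviour is
    exactly what the heuristics were tuned to tolerate."""
    return event.av_signature_hit or "testmyids" in event.url.lower()


def classify(event: Event) -> str:
    """Map (alerted?, actually malicious?) onto the four definitions."""
    alerted = reactive_alert(event)
    if alerted:
        return "true positive" if event.malicious else "false positive"
    return "false negative" if event.malicious else "true negative"


# Constructed events, one per definition.
EVENTS = [
    Event("Trojan download caught by an AV signature",
          malicious=True, av_signature_hit=True),
    Event("Routine HTTPS session to a known SaaS vendor",
          malicious=False, url="https://vendor.example/login"),
    Event("User searching the internet for testmyids.com",
          malicious=False, url="https://search.example/?q=testmyids.com"),
    Event("Adversary using an admin account and built-in tools to copy data out",
          malicious=True, via_admin_tools=True),
]


def tally(events) -> dict:
    """Count how many events fall into each of the four outcomes."""
    return dict(Counter(classify(e) for e in events))


def quiet_events(events) -> list:
    """Everything the reactive layer stayed silent on: true negatives and
    false negatives together. A hunt starts from this pool, because the
    hunter cannot know in advance which of these is which."""
    return [e.description for e in events if not reactive_alert(e)]


if __name__ == "__main__":
    for e in EVENTS:
        print(f"{classify(e):15} {e.description}")
    print(tally(EVENTS))
    print("unalerted, i.e. the hunt's starting pool:", quiet_events(EVENTS))
```

The last event is the one the chapter cares about: it never alerts, so no SOC queue will surface it, and only someone looking at endpoint evidence without waiting for an alarm has a chance of finding it.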