Cyber threat hunting: Difference between revisions

From Wikipedia, the free encyclopedia
m Reverted 1 edit by Ashley.Renner (talk) to last revision by WikiCleanerBot
add definition by Carhart
 
(26 intermediate revisions by 23 users not shown)
Line 1: Line 1:
{{short description|Proactive cyber defense activity}}
{{short description|Proactive cyber defense activity}}


'''Cyber threat hunting''' is an active cyber defence activity. It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions."<ref>{{Cite web|url=http://www.techrepublic.com/article/cyber-threat-hunting-why-this-active-strategy-gives-analysts-an-edge/|title=Cyber threat hunting: How this vulnerability detection strategy gives analysts an edge - TechRepublic|website=TechRepublic|access-date=2016-06-07}}</ref> This is in contrast to traditional threat management measures, such as [[Firewall (computing)|firewalls]], [[intrusion detection system]]s (IDS), malware [[sandbox (computer security)]] and [[Security information and event management|SIEM]] systems, which typically involve an investigation of evidence-based data ''after'' there has been a warning of a potential threat.<ref>{{Cite web|url=https://www.techworm.net/2018/06/threat-intelligence-platform-on-war-against-cybercriminals.html |title=Threat Intelligence Platform on War Against Cybercriminals |access-date=2019-02-17}}</ref>
'''Cyber threat hunting''' is a [[Proactive cyber defence|proactive cyber defence activity]]. It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions."<ref>{{Cite web|url=http://www.techrepublic.com/article/cyber-threat-hunting-why-this-active-strategy-gives-analysts-an-edge/|title=Cyber threat hunting: How this vulnerability detection strategy gives analysts an edge - TechRepublic|website=TechRepublic|access-date=2016-06-07}}</ref> This is in contrast to traditional threat management measures, such as [[Firewall (computing)|firewalls]], [[intrusion detection system]]s (IDS), malware [[sandbox (computer security)]] and [[Security information and event management|SIEM]] systems, which typically involve an investigation of evidence-based data ''after'' there has been a warning of a potential threat.<ref>{{Cite web|url=http://techtalk.comodo.com/2020/08/27/comodo-mitre-kill-chain/ |title= MITRE Kill Chain|access-date=2020-08-27}}</ref><ref>{{Cite web|url=https://www.techworm.net/2018/06/threat-intelligence-platform-on-war-against-cybercriminals.html |title=Threat Intelligence Platform on War Against Cybercriminals |access-date=2019-02-17}}</ref> Threat analyst [[Lesley Carhart]] stated that there is no consensus amongst practitioners what threat hunting actually entails.<ref>{{Cite web |last=Carhart |first=Lesley |author-link=Lesley Carhart |title=OT Threat Hunting: More Critical Than Ever |url=https://www.sans.org/blog/ot-threat-hunting-more-critical-than-ever/ |access-date=2024-11-22 |website=[[SANS Institute]]}}</ref>


== Methodologies ==
== Methodologies ==
Threat hunting has traditionally been a manual process, in which a security analyst sifts through various data information using their own knowledge and familiarity with the network to create hypotheses about potential threats, such as, but not limited to, [[Network Lateral Movement|Lateral Movement]] by [[Threat actor|Threat Actors]]. To be even more effective and efficient, however, threat hunting can be partially automated, or machine-assisted, as well. In this case, the analyst uses software that leverages [[machine learning]] and [[User behavior analytics|user and entity behavior analytics]] (UEBA) to inform the analyst of potential risks. The analyst then investigates these potential risks, tracking suspicious behavior in the network. Thus hunting is an iterative process, meaning that it must be continuously carried out in a loop, beginning with a hypothesis.


=== Overview ===
* '''Analytics-Driven:''' "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses"
Recently, the world has seen a rise in the number and severity of cyber attacks, data breaches, malware infections, and online fraud incidents. According to cyber security and ai company SonicWall, the number of ransomware attacks grew by 105% globally. Major corporations around the world have fallen victim to high-profile data breaches, with the average cost of a data breach now estimated at $4.24 million, according to [[IBM]].<ref>{{Cite web |title=The Future of Cyber Security and AI: Protecting Your Digital World |url=https://bluebigdata.com/cyber-security/cyber-security-and-ai/ |access-date=October 13, 2023 |website=Blue Big Data}}</ref>
* '''Situational-Awareness Driven:''' "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends"
* '''Intelligence-Driven:''' "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans"
The analyst researches their hypothesis by going through vast amounts of data about the network. The results are then stored so that they can be used to improve the automated portion of the detection system and to serve as a foundation for future hypotheses.


=== Cyber threat hunting Methodologies ===
The Detection Maturity Level (DML) model <ref>{{Cite web|url=http://ryanstillions.blogspot.no/2014/04/the-dml-model_21.html|title=The DML Model|last=Stillions|first=Ryan|date=2014|website=Ryan Stillions security blog|publisher=Ryan Stillions|access-date=}}</ref> expresses threat indicators can be detected at different semantic levels. High semantic indicators such as goal and strategy, or tactics, techniques and procedure (TTP) are more valuable to identify than low semantic indicators such as network artifacts and atomic indicators such as IP addresses. [[Security information and event management|SIEM]] tools typically only provide indicators at relatively low semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels.<ref>{{Cite web|url=http://folk.uio.no/josang/papers/BJE2016-STIDS.pdf|title=Semantic Cyberthreat Modelling|last=Bromander|first=Siri|date=2016|website=|publisher=Semantic Technology for Intelligence, Defense and Security (STIDS 2016)|access-date=}}</ref>
Threat hunting has traditionally been a manual process, in which a security analyst sifts through various data information using their own knowledge and familiarity with the network to create hypotheses about potential threats, such as, but not limited to, [[Network Lateral Movement|lateral movement]] by [[threat actor]]s.<ref>{{Cite web|url=https://medium.com/swlh/cyber-threat-intelligence-cti-in-a-nutshell-1-71a03916fd92 |title= Cyber Threat Intelligence (CTI) in a Nutshell|website=Medium.com|access-date=2020-07-27}}</ref> To be even more effective and efficient, however, threat hunting can be partially automated, or machine-assisted, as well. In this case, the analyst uses software that leverages [[machine learning]] and [[User behavior analytics|user and entity behavior analytics]] (UEBA) to inform the analyst of potential risks. The analyst then investigates these potential risks, tracking suspicious behavior in the network. Thus, hunting is an iterative process, meaning that it must be continuously carried out in a loop, beginning with a hypothesis.

* Analytics-Driven: "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses"
* Situational-Awareness Driven: "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends"
* Intelligence-Driven: "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans"
The analysts research their hypothesis by going through vast amounts of data about the network. The results are then stored so that they can be used to improve the automated portion of the detection system and to serve as a foundation for future hypotheses.

The Detection Maturity Level (DML) model <ref>{{Cite web|url=http://ryanstillions.blogspot.no/2014/04/the-dml-model_21.html|title=The DML Model|last=Stillions|first=Ryan|date=2014|website=Ryan Stillions security blog|access-date=}}</ref> expresses threat indicators can be detected at different semantic levels. High semantic indicators such as goal and strategy or [[Terrorist Tactics, Techniques, and Procedures|tactics, techniques and procedures]] (TTPs) are more valuable to identify than low semantic indicators such as network artifacts and atomic indicators such as IP addresses.<ref>{{Cite web|url=http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html?m=1|title=The Pyramid of Pain|last=Bianco|first=David|date=2014-01-17|website=detect-respond.blogspot.com|access-date=2023-07-01}}</ref><ref>{{Cite web|title=The Pyramid of Pain|last=Bianco|first=David|url=https://www.sans.org/tools/the-pyramid-of-pain/|publisher=SANS Institute|access-date=2023-07-01}}</ref> SIEM tools typically only provide indicators at relatively low semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels.<ref>{{Cite web|url=http://folk.uio.no/josang/papers/BJE2016-STIDS.pdf|title=Semantic Cyberthreat Modelling|last=Bromander|first=Siri|date=2016|publisher=Semantic Technology for Intelligence, Defense and Security (STIDS 2016)|access-date=}}</ref>


== Indicators ==
== Indicators ==
There are two types of indicators:
There are two types of indicators:


# [[Indicator of compromise]] - An indicator of compromise (IOC) tells you that an action has happened and you are in a reactive mode. This type of IOC is done by looking inward at your own data from transaction logs and or SIEM data. Examples of IOC include unusual network traffic, unusual privileged user account activity, login anomalies, increases in database read volumes, suspicious registry or system file changes, unusual DNS requests and Web traffic showing non-human behavior. These types of unusual activities allow security administration teams to spot malicious actors earlier in the [[cyberattack]] process.
# [[Indicator of compromise]] - An indicator of compromise (IOC) tells you that an action has happened and you are in a reactive mode. This type of IOC is done by looking inward at your own data from transaction logs and or SIEM data. Examples of IOC include unusual network traffic, unusual privileged user account activity, login anomalies, increases in database read volumes, suspicious registry or system file changes, unusual DNS requests and Web traffic showing non-human behavior. These types of unusual activities allow security administration teams to spot malicious actors earlier in the [[cyberattack]] process.
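Review bot: the Overview paragraph added in this region (beginning "Recently, the world has seen a rise") quotes SonicWall's 105% ransomware-growth figure without the year it refers to and sources it through a third-party blog rather than SonicWall's own report; add the reporting year and the primary source, and capitalise "ai" as "AI". The new "MITRE Kill Chain" citation is attached to the sentence about firewalls, IDS, sandboxes and SIEM investigating data after a warning, and nothing in its title indicates it supports that sentence, so verify that it does before keeping it there.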
Line 20: Line 25:


== Tactics, Techniques and Procedures (TTPs) ==
== Tactics, Techniques and Procedures (TTPs) ==
The SANS Institute identifies a threat hunting maturity model as follows:<ref>{{cite web|last1=Lee|first1=Robert|title=The Who, What, Where, When and How of Effective Threat Hunting|url=https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785|website=SANS Institute|publisher=SANS Institute|accessdate=29 May 2018}}</ref>


The SANS Institute identifies a threat hunting maturity model as follows:<ref>{{cite web|last1=Lee|first1=Robert|title=The Who, What, Where, When and How of Effective Threat Hunting|url=https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785|website=SANS Institute|accessdate=29 May 2018}}</ref>
* Initial - At Level 0 maturity, an organization relies primarily on automated reporting and does little or no routine data collection.

* Initial - At Level 0 maturity, an organization relies primarily on automated reporting and does little or no routine [[data collection]].
* Minimal - At Level 1 maturity, an organization incorporates threat intelligence indicator searches. It has a moderate or high level of routine data collection.
* Minimal - At Level 1 maturity, an organization incorporates threat intelligence indicator searches. It has a moderate or high level of routine data collection.
* Procedural - At Level 2 maturity, an organization follows analysis procedures created by others. It has a high or very high level of routine data collection.
* Procedural - At Level 2 maturity, an organization follows analysis procedures created by others. It has a high or very high level of routine data collection.
Line 31: Line 36:
== Dwell Time ==
== Dwell Time ==


The dwell time either indicates the entire span of a security incident ([[Computer security#Vulnerabilities and attacks|initial compromise]] until [[Computer security incident management|detection and full cleanup]]) or the 'mean time to detect' (from initial compromise until detection). According to the 2022 [[Mandiant]] M-Trends Report, cyberattackers operate undetected for an average of 21 days (a 79% reduction, compared to 2016), but this varies greatly by region.<ref name="Mandiant M-Trends Report">{{cite web |orig-date=2022-04-19 |title=Mandian M-Trends 2022 |url=https://www.mandiant.com/media/15671 |url-status=live |archive-url=https://web.archive.org/web/20220513065702/https://www.mandiant.com/media/15671 |archive-date=2022-05-13 |access-date=2022-05-16 |publisher=[[Mandiant]] |pages=7, 9, 12, 16 |format=PDF}}</ref> Per Mandiant, the dwell time<ref>In the Mandiant M-Trends report, dwell time ''"is calculated as the number of days an attacker is present in a victim environment before they are detected"'', which corresponds to the 'mean time to detect'.</ref> can be as low as 17 days (in the [[Americas]]) or as high as 48 days (in [[Europe, the Middle East and Africa|EMEA]]).<ref name="Mandiant M-Trends Report" /> The study also showed that 47% of attacks are discovered only after notification from an external party.
Cyberattackers operate undetected for an average of 99 days, but obtain administrator credentials in less than three days, according to the Mandiant M-Trends Report.<ref name="Mandiant M-Trends Report">{{cite web|url=https://www.fireeye.com/current-threats/annual-threat-report/mtrends/rpt-m-trends-2017.html|website=Mandiant|title=M-Trends Report|accessdate=2018-05-28}}</ref> The study also showed that 53% of attacks are discovered only after notification from an external party.

== Mean Time to Detection ==

In 2016, it took the average company 170 days to detect an advanced threat, 39 days to mitigate, and 43 days to recover, according to the Ponemon Institute.<ref>{{cite web|title=State of Malware Detection and Prevention|url=https://www.ponemon.org/blog/new-ponemon-study-on-malware-detection-prevention-released|website=Ponemon Institute|publisher=Ponemon Institute|accessdate=29 May 2018}}</ref>


== Example Reports ==
== Example Reports ==
* [https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms]
* [https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-espionage-group Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms]


== Example Threat Hunting ==
== Example Threat Hunting ==
* [https://blog.redteam.pl/2019/08/threat-hunting-dns-firewall.html Threat hunting using DNS firewalls and data enrichment]
* [https://blog.redteam.pl/2019/08/threat-hunting-dns-firewall.html Threat hunting using DNS firewalls and data enrichment]

== Threat Hunting Methodologies ==

'''Inside the Network Perimeter'''
* Reactive Threat Hunting - This method is triggered by a malicious event, typically after a data breach or theft is discovered. Efforts are typically focused on forensics and remediation.
* Proactive Threat Hunting - This method actively seeks out ongoing malicious events and activities inside the network, the goal is to detect an in progress cyber attack. Efforts are typically focused on detection and remediation.

'''Outside the Network Perimeter'''
* External Threat Hunting - This method proactively seeks out malicious threat actor infrastructure to map and predict where cyber attacks are likely to emerge to prepare defensive strategies. Efforts are typically focused on Cyber Threat Reconnaissance, Threat Surface Mapping and monitoring of third-party risks.


== See also ==
== See also ==
* [[Bug bounty program]]
* [[Bug bounty program]]
* [[Cyber campaign]]
* [[Proactive cyber defense]]
* [[Proactive cyber defense]]
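Review bot: the added "Threat Hunting Methodologies" section (Inside the Network Perimeter / Outside the Network Perimeter) carries no citations, and its heading duplicates the existing "Methodologies" section; either source it or fold it into that section. In the rewritten Dwell Time paragraph the report citation's title reads "Mandian M-Trends 2022" (missing the "t"). The old "Mean Time to Detection" section with the 2016 Ponemon figures is removed without replacement; if the intent was to merge it into Dwell Time, the Ponemon data point should be carried over.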



Latest revision as of 14:15, 22 November 2024

Cyber threat hunting is a proactive cyber defence activity. It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions."[1] This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox (computer security) and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat.[2][3] Threat analyst Lesley Carhart stated that there is no consensus amongst practitioners what threat hunting actually entails.[4]

Methodologies

Overview

Recently, the world has seen a rise in the number and severity of cyber attacks, data breaches, malware infections, and online fraud incidents. According to cybersecurity and AI company SonicWall, the number of ransomware attacks grew by 105% globally. Major corporations around the world have fallen victim to high-profile data breaches, with the average cost of a data breach now estimated at $4.24 million, according to IBM.[5]

Cyber threat hunting Methodologies

Threat hunting has traditionally been a manual process, in which a security analyst sifts through various data using their own knowledge of and familiarity with the network to create hypotheses about potential threats, such as, but not limited to, lateral movement by threat actors.[6] To be even more effective and efficient, however, threat hunting can also be partially automated, or machine-assisted. In this case, the analyst uses software that leverages machine learning and user and entity behavior analytics (UEBA) to inform the analyst of potential risks. The analyst then investigates these potential risks, tracking suspicious behavior in the network. Hunting is thus an iterative process: it must be carried out continuously in a loop that begins with a hypothesis.

  • Analytics-Driven: "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses"
  • Situational-Awareness Driven: "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends"
  • Intelligence-Driven: "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans"

The analysts research their hypothesis by going through vast amounts of data about the network. The results are then stored so that they can be used to improve the automated portion of the detection system and to serve as a foundation for future hypotheses.

The Detection Maturity Level (DML) model [7] expresses that threat indicators can be detected at different semantic levels. High-semantic indicators such as goal and strategy or tactics, techniques and procedures (TTPs) are more valuable to identify than low-semantic indicators such as network artifacts and atomic indicators such as IP addresses.[8][9] SIEM tools typically provide indicators only at relatively low semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels.[10]
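The semantic-level argument above can be made concrete. The following Python script is an added illustration, not code from the page or from the DML or Pyramid of Pain sources it cites: two detectors run over the same constructed host telemetry. The first matches atomic indicators (an IP address and a file hash) learned from a first intrusion; the second matches a technique-level pattern, chosen here as an assumed example, of a scheduled task created to run a binary from a user-writable directory followed shortly by an outbound connection from that binary. The attacker's second intrusion reuses the technique but rotates the address and rebuilds the payload, so only the TTP-level detector still fires. All host names, paths, hashes and IP addresses are constructed sample values.

```python
"""Atomic indicators versus a TTP-level behaviour after the attacker adapts.

Added illustration, not from the page's sources. Host names, paths, hashes
and IPs are constructed sample values; the 'scheduled task from a
user-writable path followed by an outbound connection' pattern is an assumed
example technique.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str          # "task_created" or "net_connect"
    image: str         # binary the task will run / binary making the connection
    sha256: str = ""   # hash of image (task_created only)
    dst_ip: str = ""   # destination address (net_connect only)


T0 = datetime(2024, 3, 4, 10, 0)

# Constructed telemetry: two intrusions using the same technique plus benign noise.
TELEMETRY = [
    # Intrusion 1: the one the atomic indicators were extracted from.
    Event(T0, "ws01", "task_created",
          r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", sha256="aa" * 32),
    Event(T0 + timedelta(minutes=2), "ws01", "net_connect",
          r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", dst_ip="203.0.113.10"),
    # Benign background activity.
    Event(T0 + timedelta(minutes=3), "ws02", "net_connect",
          r"C:\Program Files\Browser\browser.exe", dst_ip="192.0.2.50"),
    Event(T0 + timedelta(minutes=4), "srv01", "task_created",
          r"C:\Windows\System32\backup.exe", sha256="cc" * 32),
    # Intrusion 2: same technique, rebuilt binary, new command-and-control address.
    Event(T0 + timedelta(hours=5), "ws07", "task_created",
          r"C:\Users\asmith\AppData\Roaming\svc.exe", sha256="bb" * 32),
    Event(T0 + timedelta(hours=5, minutes=1), "ws07", "net_connect",
          r"C:\Users\asmith\AppData\Roaming\svc.exe", dst_ip="198.51.100.7"),
]

# Atomic indicators shared after intrusion 1 (bottom of the Pyramid of Pain).
IOC_IPS = {"203.0.113.10"}
IOC_HASHES = {"aa" * 32}

# Path fragments treated as user-writable locations (constructed heuristic).
USER_WRITABLE = ("\\Users\\", "\\Temp\\", "\\AppData\\")


def atomic_detector(events):
    """Low-semantic indicators: exact match on IP or hash. Returns flagged hosts."""
    return {e.host for e in events if e.dst_ip in IOC_IPS or e.sha256 in IOC_HASHES}


def ttp_detector(events, window=timedelta(minutes=10)):
    """Higher-semantic indicator: a scheduled task that runs a binary from a
    user-writable path, followed within `window` by an outbound connection
    from that same binary on the same host. Returns flagged hosts."""
    flagged = set()
    tasks = [e for e in events
             if e.kind == "task_created" and any(m in e.image for m in USER_WRITABLE)]
    for t in tasks:
        for e in events:
            if (e.kind == "net_connect" and e.host == t.host and e.image == t.image
                    and t.ts <= e.ts <= t.ts + window):
                flagged.add(t.host)
    return flagged


def compare(events):
    """Run both detectors over the same telemetry and return their flagged hosts."""
    return {"atomic": atomic_detector(events), "ttp": ttp_detector(events)}


if __name__ == "__main__":
    for level, hosts in compare(TELEMETRY).items():
        print(f"{level:6} detector flagged: {sorted(hosts) or 'nothing'}")
```

Running the script shows the atomic detector flagging only ws01 while the TTP detector flags both ws01 and ws07; the rotated IP and hash cost the attacker almost nothing, whereas changing the persistence technique would.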

Indicators

There are two types of indicators:

  1. Indicator of compromise - An indicator of compromise (IOC) tells you that an action has already happened and that you are in a reactive mode. This type of indicator is found by looking inward at your own data from transaction logs and/or SIEM data. Examples of IOCs include unusual network traffic, unusual privileged user account activity, login anomalies, increases in database read volumes, suspicious registry or system file changes, unusual DNS requests and web traffic showing non-human behavior. These types of unusual activities allow security administration teams to spot malicious actors earlier in the cyberattack process.
  2. Indicator of Concern - Using Open-source intelligence (OSINT), data can be collected from publicly available sources to be used for cyberattack detection and threat hunting.
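The hunting loop described under Methodologies (form a hypothesis, search the data, score the findings, store the results for the next round) and the IOC examples listed above can be exercised together. The following Python script is an added example, not code from the page or from any vendor it cites: each function encodes one hunting hypothesis drawn from the IOC list (unusual DNS requests, login anomalies, privileged-account activity, machine-like web traffic, database read volume), the findings are aggregated into a per-user risk score in the analytics-driven style, and a `known_benign` set stands in for results stored from earlier hunts that tune the automated portion. The JSON-lines log, user names, addresses, weights, baselines and thresholds are all constructed for illustration.

```python
"""Hypothesis-driven hunt over constructed JSON-lines telemetry.

Added example, not the page's or any cited vendor's code. Log lines, user
names, IPs, weights, baselines and thresholds are constructed values.
"""
import json
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed telemetry: one user shows several of the listed IOC patterns.
SAMPLE_LOG = """\
{"ts":"2024-03-04T02:13:00","type":"auth","user":"jdoe","src":"10.0.5.21","ok":true}
{"ts":"2024-03-04T09:01:00","type":"auth","user":"asmith","src":"10.0.5.30","ok":true}
{"ts":"2024-03-04T02:14:10","type":"dns","user":"jdoe","qname":"a9f3k2l0x8q1m4z7r6t5y2w3e1r9t8.example-cdn.net"}
{"ts":"2024-03-04T09:05:00","type":"dns","user":"asmith","qname":"mail.example.com"}
{"ts":"2024-03-04T02:20:00","type":"priv","user":"jdoe","action":"group_add","target":"Domain Admins"}
{"ts":"2024-03-04T02:30:00","type":"http","user":"jdoe","url":"http://198.51.100.7/c"}
{"ts":"2024-03-04T02:35:00","type":"http","user":"jdoe","url":"http://198.51.100.7/c"}
{"ts":"2024-03-04T02:40:00","type":"http","user":"jdoe","url":"http://198.51.100.7/c"}
{"ts":"2024-03-04T02:45:00","type":"http","user":"jdoe","url":"http://198.51.100.7/c"}
{"ts":"2024-03-04T02:50:00","type":"http","user":"jdoe","url":"http://198.51.100.7/c"}
{"ts":"2024-03-04T10:00:00","type":"db","user":"asmith","rows_read":1200}
{"ts":"2024-03-04T03:00:00","type":"db","user":"jdoe","rows_read":250000}
"""

# Constructed weights: how much each confirmed hypothesis adds to a user's risk score.
WEIGHTS = {"dns": 3, "off_hours_login": 2, "priv_action": 4, "beacon": 3, "db_volume": 2}
ADMINS = {"itadmin"}                                  # accounts expected to act with privilege
DB_BASELINE_ROWS = {"jdoe": 2000, "asmith": 1500}     # typical rows read per query (constructed)


def parse(log_text):
    """Parse JSON lines into event dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def hyp_dns(events):
    """Unusual DNS requests: long, high-entropy leftmost label (tunnelling/DGA-like)."""
    out = set()
    for e in events:
        if e["type"] == "dns":
            label = e["qname"].split(".")[0]
            if len(label) >= 20 and shannon_entropy(label) >= 3.5:
                out.add(e["user"])
    return out


def hyp_off_hours_login(events):
    """Login anomalies: successful authentication outside 06:00-20:00."""
    return {e["user"] for e in events
            if e["type"] == "auth" and e["ok"] and not 6 <= e["ts"].hour < 20}


def hyp_priv_action(events):
    """Unusual privileged activity: privileged action by a non-admin account."""
    return {e["user"] for e in events if e["type"] == "priv" and e["user"] not in ADMINS}


def hyp_beacon(events, min_hits=5, max_cv=0.1):
    """Non-human web traffic: near-constant inter-request intervals to one URL."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == "http":
            by_key[(e["user"], e["url"])].append(e["ts"])
    out = set()
    for (user, _url), times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            out.add(user)
    return out


def hyp_db_volume(events, factor=10):
    """Increased database read volume: rows read far above the user's baseline."""
    return {e["user"] for e in events if e["type"] == "db"
            and e["rows_read"] > factor * DB_BASELINE_ROWS.get(e["user"], 1000)}


HYPOTHESES = {"dns": hyp_dns, "off_hours_login": hyp_off_hours_login,
              "priv_action": hyp_priv_action, "beacon": hyp_beacon, "db_volume": hyp_db_volume}


def hunt(log_text, known_benign=frozenset()):
    """Run every hypothesis, aggregate weighted findings per user and rank them.

    known_benign holds (user, hypothesis) pairs triaged as benign in earlier
    hunts: the stored results that refine the automated portion next time."""
    events = parse(log_text)
    score, reasons = defaultdict(int), defaultdict(list)
    for name, fn in HYPOTHESES.items():
        for user in fn(events):
            if (user, name) not in known_benign:
                score[user] += WEIGHTS[name]
                reasons[user].append(name)
    return sorted(((u, score[u], sorted(reasons[u])) for u in score),
                  key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for user, s, why in hunt(SAMPLE_LOG):
        print(f"{user:8} risk={s:2}  {', '.join(why)}")
```

The ranked output is the list of hunting leads the analyst investigates next; marking a lead benign (for example an employee who genuinely works nights) feeds back through `known_benign`, which is the page's "results are then stored" step in its simplest form.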

Tactics, Techniques and Procedures (TTPs)

The SANS Institute identifies a threat hunting maturity model as follows:[11]

  • Initial - At Level 0 maturity, an organization relies primarily on automated reporting and does little or no routine data collection.
  • Minimal - At Level 1 maturity, an organization incorporates threat intelligence indicator searches. It has a moderate or high level of routine data collection.
  • Procedural - At Level 2 maturity, an organization follows analysis procedures created by others. It has a high or very high level of routine data collection.
  • Innovative - At Level 3 maturity, an organization creates new data analysis procedures. It has a high or very high level of routine data collection.
  • Leading - At Level 4 maturity, an organization automates the majority of successful data analysis procedures. It has a high or very high level of routine data collection.

Dwell Time

The dwell time either indicates the entire span of a security incident (initial compromise until detection and full cleanup) or the 'mean time to detect' (from initial compromise until detection). According to the 2022 Mandiant M-Trends Report, cyberattackers operate undetected for an average of 21 days (a 79% reduction, compared to 2016), but this varies greatly by region.[12] Per Mandiant, the dwell time[13] can be as low as 17 days (in the Americas) or as high as 48 days (in EMEA).[12] The study also showed that 47% of attacks are discovered only after notification from an external party.

Example Reports

Example Threat Hunting

Threat Hunting Methodologies

Inside the Network Perimeter

  • Reactive Threat Hunting - This method is triggered by a malicious event, typically after a data breach or theft is discovered. Efforts are typically focused on forensics and remediation.
  • Proactive Threat Hunting - This method actively seeks out ongoing malicious events and activities inside the network; the goal is to detect an in-progress cyber attack. Efforts are typically focused on detection and remediation.

Outside the Network Perimeter

  • External Threat Hunting - This method proactively seeks out malicious threat actor infrastructure to map and predict where cyber attacks are likely to emerge, in order to prepare defensive strategies. Efforts are typically focused on cyber threat reconnaissance, threat surface mapping and monitoring of third-party risks.

See also

References

  1. ^ "Cyber threat hunting: How this vulnerability detection strategy gives analysts an edge - TechRepublic". TechRepublic. Retrieved 2016-06-07.
  2. ^ "MITRE Kill Chain". Retrieved 2020-08-27.
  3. ^ "Threat Intelligence Platform on War Against Cybercriminals". Retrieved 2019-02-17.
  4. ^ Carhart, Lesley. "OT Threat Hunting: More Critical Than Ever". SANS Institute. Retrieved 2024-11-22.
  5. ^ "The Future of Cyber Security and AI: Protecting Your Digital World". Blue Big Data. Retrieved October 13, 2023.
  6. ^ "Cyber Threat Intelligence (CTI) in a Nutshell". Medium.com. Retrieved 2020-07-27.
  7. ^ Stillions, Ryan (2014). "The DML Model". Ryan Stillions security blog.
  8. ^ Bianco, David (2014-01-17). "The Pyramid of Pain". detect-respond.blogspot.com. Retrieved 2023-07-01.
  9. ^ Bianco, David. "The Pyramid of Pain". SANS Institute. Retrieved 2023-07-01.
  10. ^ Bromander, Siri (2016). "Semantic Cyberthreat Modelling" (PDF). Semantic Technology for Intelligence, Defense and Security (STIDS 2016).
  11. ^ Lee, Robert. "The Who, What, Where, When and How of Effective Threat Hunting". SANS Institute. Retrieved 29 May 2018.
  12. ^ In the Mandiant M-Trends report, dwell time "is calculated as the number of days an attacker is present in a victim environment before they are detected", which corresponds to the 'mean time to detect'.