110-introduction-to-threat-hunting

The document provides an introduction to threat hunting, emphasizing its importance in proactively identifying cyber threats and reducing dwell time of breaches. It outlines the relationship between threat hunting and incident response, detailing how hunters can assist in various phases of incident management. Additionally, it discusses risk assessments and the composition of threat hunting teams, highlighting the different types of hunters based on organizational needs.

Threat Hunting Professional
Introduction to Threat Hunting
Section 01 | Module 01
© Caendra Inc. 2020 All Rights Reserved
Table of Contents
MODULE 01 | INTRODUCTION TO THREAT HUNTING

1. Introduction
2. Incident Response
3. Risk Assessments
4. Threat Hunting Teams

THPv2: Section 01, Module 01 - Caendra Inc. © 2020 | p.2
Learning Objectives
By the end of this module, you should have a better understanding of:
• What Threat Hunting is and why it is important
• Threat Hunting's association with other practices
• Different Threat Hunting teams
1.1 Introduction

Even though businesses continuously put a lot of money into cybersecurity, the losses caused by cybercrime are significantly increasing.

For example, according to a recent IC3 report, business email compromise scams alone have led to losses of over $26 billion in the past three years.
Why is that happening, or how is it possible, you may ask?

Cybercriminals are constantly evolving and becoming better at bypassing traditional defenses. While those defenses help, they don't completely prevent a skilled intruder from entering your network. Automated detection tools alone are not enough to detect advanced, stealthy attacks.
Based on FireEye's M-Trends 2019 Report, the average time for an organization to discover that it has been breached (also known as dwell time), for the investigations FireEye were part of, was 78 days; this means that an intruder could be in your network for nearly three months before you know about it.

https://content.fireeye.com/m-trends

While there is a significant decrease compared to 2011, 78 days is still a long time.

The report specifically outlines external notification as a means to identify a compromise, with a dwell time of 184 days in 2018.
The dwell time demonstrates that the traditional approach to defending the network is no longer adequate.

It's time to go hunting!

Threat hunting is the human-centric process of proactively searching data and discovering cyber threats.

It is a drastic change from the traditional reactive approach of waiting for an internal system, such as an IDS, or law enforcement, to notify the organization that it has been breached. The hunter detects threats that nothing else detected.
Threat hunting aims to reduce the dwell time by identifying threats at a very early stage of the infection.

By doing so, it may be possible to prevent attackers from gaining a stronger foothold in the environment and to remove them from the network.

The hunting process begins by identifying potentially targeted systems or data and categorizing which behavioral techniques the attackers may use. The hunter then attempts to locate and confirm abnormal activity.

Threat intelligence is often utilized during the hunt to develop techniques and carry out the actions necessary to protect systems from compromise.

Hunting:
• Is an offensive-based strategy
• Requires the hunter to think like an attacker
• Requires a strong practical understanding of cyber threats and the cyber kill chain
• Requires you to know your environment
• Is easier with quality data and resources
1.2 Incident Response

1.2.1 Incident Response Process

Even though this course does not go deep into incident response, we felt it is necessary to mention what incident response (IR) is and its association with threat hunting (TH).

NOTE: From this point on, you might see the abbreviations IR and TH.
According to the Computer Security Incident Handling Guide, Special Publication 800-61 Revision 2, created by NIST (National Institute of Standards and Technology), the IR process is defined in 4 steps.

Let's briefly go over each phase of the incident response process defined by NIST:
• Preparation
• Detection and Analysis
• Containment, Eradication, and Recovery
• Post-Incident Activity

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
The Preparation phase covers getting your organization ready to handle incidents and involves:
• Outlining everyone's responsibilities, hardware, tools, documentation, etc.
• Taking steps to reduce the probability of an incident

According to NIST, an incident, or a computer security incident, is defined as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
In the Detection and Analysis phase, the IR team would confirm whether a breach took place.

They would analyze all the symptoms that were reported and confirm whether the situation should be classified as an incident.

The Containment, Eradication, and Recovery phase is where the IR team would gather intel and create signatures that will aid them in identifying each compromised system. With this information, countermeasures can be put in place to neutralize the attacker and attempt to restore systems/data back to normal.
The Post-Incident Activity phase is a "lessons learned" phase.

In this phase, the goal is to improve the overall security posture of the organization and to ensure that a similar incident will not happen.

Now that you know what IR is, have you realized how it is connected to threat hunting?

Let's review the brief descriptions for each phase to see the connection.
1.2.2 Incident Response & Hunting

[Figure: Threat Hunting positioned among the four IR phases: Preparation (IR), Detection & Analysis (IR), Containment, Eradication, Recovery (IR), Post-Incident Activity (IR)]

How does threat hunting correlate to the Preparation phase of IR?

A threat hunter or team can't operate without rules of engagement. They need predefined terms on how to operate, when to operate, what to do in a particular situation, etc.

Organizations might include threat hunting in their IR documents or simply update existing ones to cover it, as they do not necessarily have to create separate threat hunting documents.

Note: By documents, we are referring to policies and procedures.
How does threat hunting correlate to the Detection & Analysis phase of IR?

A hunter is useful in this phase because he/she will be able to assist in the investigation, to determine whether the indicators presented point to an incident or not.

The hunter can also assist in obtaining further artifacts that might have been overlooked, because the hunter is able to think like an attacker.
How does threat hunting correlate to the Post-Incident Activity phase of IR?

In certain corporations, a hunter might already be expected to conduct the tasks covered in the Containment, Eradication, and Recovery phase, but it is not mandatory. The hunter can pass this task to another member of the IR team; this will be defined in the documentation outlining the policies and procedures for the hunter or hunting team.
How does threat hunting correlate to the Containment, Eradication, and Recovery phase of IR?

Hunters have a vast knowledge of various IT domains and IT Security, which allows them to assist in this phase of IR. They can provide recommendations and insight on how the organization can improve its overall security posture. That recommendation can either be a quick implementation or a future implementation.

These slides were meant to cover the correlation between incident response and threat hunting. We are not saying that they need to be intermixed, nor are we saying they shouldn't be. Ultimately, it will be up to the organization as to how they will implement threat hunting.

In the next few slides, we'll look at risk assessments and
1.3 Risk Assessments

What is a risk assessment? A risk assessment is the process of assessing threats, vulnerabilities, and their likelihood of occurring to the organization's assets.

A risk assessment report will list all the vital systems / processes and the impact to the organization, if anything would happen to these

This report provides the hunter with an idea as to what systems/processes an intruder would most likely go after. Remember, to be a successful hunter, you must think like the attacker.

What would he/she go after if they were infiltrating your network?
With a risk assessment report, a hunter can determine where his/her focus should be; this means that no vital systems would be overlooked, because resources will not be wasted focusing on a less vital system or process.

There are other documents that might assist the hunter in determining which systems/processes require more focus than others. Those documents would be a threat assessment report or a business

In large corporations, it is not the job of the hunter to conduct the risk assessments. In smaller organizations, the hunter may not be a dedicated threat hunter, and he/she may be responsible for multiple roles within the IT Security team. This means that the hunter might be part of a team, and because of other responsibilities, he/she might only be able to hunt one time a week or even one time a month. On the other days of the week, he/she may conduct different tasks on the IT Security team.
1.4 Threat Hunting Teams

There is no general definition or description of what a hunting team should be composed of, as organizations determine this based on their size, industry, and hunger to hunt.

The three most commonly encountered types are:
• Ad-hoc hunter
• Analyst and hunter
• Dedicated hunting team
1.4.1 Ad-hoc Hunter

The Ad-hoc hunter is usually responsible for multiple roles in the organization, and therefore the hunts occur less frequently. The hunts are more task-oriented, which requires a clear plan of what to hunt for on a given hunting trip.

This type of hunter is primarily found in organizations with no formal security team.
1.4.2 Analyst and Hunter

This type of hunter is the most common, in which SOC analysts also have the responsibility to perform hunting. These skills are complementary; after all, a good hunter is a great analyst.

This type of hunter is often found in small organizations or those with extremely well-developed detection and baseline capabilities.
1.4.3 Dedicated Hunting Team

This type of hunter is the most specialized one – a team of a few members whose sole purpose is to hunt. The members are well experienced and qualified.

This type of hunter is often found in large organizations or governmental organizations.
References

Business email compromise - the $26 billion scam
https://www.ic3.gov/media/2019/190910.aspx

Annual M-Trends Report
https://content.fireeye.com/m-trends

NIST Guide
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
