In this article, I am going to give you a simple strategy anyone can use to start threat hunting today. Linux, Windows, Mac, desktop, server….I don’t care it works on all of them!
When people think of threat hunting, there are a few hurdles to overcome:
- It’s a profoundly technical space, wrapped up inside another technical space. This means that once you feel like you have figured out your job, threat hunting will knock you down a few pegs.
- The advice that you find online isn’t pragmatic. I mean it’s hard to find advice that you can take and directly apply to your environment or systems.
- Many “threat hunting guides” are white papers created by vendors. They are useful, and they do help, but at the core of the how-to is an advertisement for their tech. This can make it hard for you to take the lessons learned and deploy them.
Finally choosing where to start your threat hunt is the hardest part. That first step can be a doozy. As if it wasn’t already hard enough, you can mess this whole thing up before you begin, if you pick the wrong starting point.
Step one (Learn TTPs)
Fire up your favorite terminal emulator and….no not yet.
The first step is to become familiar with attacker TTPs. TTPs are tactics techniques and procedures, the real attacker thingies they do. You can learn about common TTPs by spending quality time with the MITRE attack framework. In the MITRE ATTACK framework, there are 15 categories, of which only a few need your attention right now. We’ll focus on Execution, Persistence Privilege Escalation & lateral movement.
Why these ones? Because these categories have TTPs in them that are easier to find, through telemetry and log analysis. The other categories are still very valuable, but as a starting point for today, it is hard to beat these four.
Step two (Establish a baseline)
Know what’s normal. A lot of threat hunting is actually just looking for weird things. Threats and risks are usually anomalous activities, and the only way to spot an anomaly is to understand what is normal.
So what does this look like? How do you do this? I will give an example to help guide your imagination, but ultimately you have to take this idea and make it your own. If your organization has an application that runs on several servers you need to get familiar with the behavior of the admins of these servers and the operation of the servers. This can mean talking to the people who maintain it (if it’s not already you) or it can mean regularly reviewing logs to identify normal patterns. I would approach this in the same way if I was told that I was responsible for the operation of those servers and the app. I would be asking questions like “How often do you log into these servers?” “Do you have SUDO properly configured?” “Do you have monitoring?”, “how often are these patched?” When?” Because the answers to these questions are a major component of your baseline! How do you know when you are done baselining? When you feel you understand the technology, you're probably done.
Step three
Now you're ready to rock and roll! Armed with the knowledge of attacker TTPs and a baseline understanding of your systems, the hunt begins! Since I don’t know what technology or security solutions you have in your environment I will try to stay general and give broad advice here. Just know, if you have a SIEM, SOAR, EDR, XDR, blah blah blah consider those tools as fair game, they are in play! Just don’t rely on those tools 100% - they are only as effective as the humans who designed them and they don’t know your environment as you do! Also, don’t make the assumption that A)the logs are getting created as you think, confirm that they and B) don’t assume that your security tooling is picking up and shipping those logs for your analysis. Get on these systems and poke around or employ some scripting skills of your own to remotely gather this data.
Tip
If you're still having a hard time getting started, take a look at a recent report on attacker behaviors.
Crowdstrike’s Overwatch report was released recently, and while it’s filled with all sorts of wonderful info I won’t cover all of it in this video. Let’s just zoom in on one of the key takeaways from the report. Valid accounts & command and scripting interpreters are hot right now. Knowing this, you can start searching your logs for things like Powershell running at odd hours or from users that don’t line up with your baseline.
Wrap up
You now know the three simple steps you can take to begin threat hunting today. 1 They are learning about the TTP you might expect an attacker to use, 2 establishing a baseline of normal so you can spot the weird stuff more easily and 3 hands-on explorations of server & desktop telemetry, security tooling, and other data sources looking for that TTP.
Remember, if you are stuck and don’t feel like you know what to look for take a look at a report like the Crowdstrike Overwatch or the Verizon Databreach report.