2. Agenda
● What is Threat Hunting?
● Becoming the Threat Hunter
● Hypothesis Generation
● Useful Frameworks
● Example Hunts
● Free and Open Source Tools to Assist in Hunts
● Further Learning Resources
3. The Rise of Yet Another Buzzword
2016-2017ish - Threat Hunting started making buzz
https://www.outlookmarketingsrv.com/the-buzzword-epidemic-is-your-content-infected/
4. What is Threat Hunting?
Human-led (and tool-assisted) practice of searching iteratively through data to detect advanced threats that evade traditional security controls
(Sqrrl and Me)
5. What is Threat Hunting?
● Hypothesis-led approach
● Determine gaps in the ability to detect and respond to threats
● It is a way to assess your security (people, process, and technology) against threats while extending your automation footprint to be better prepared in the future - Rob M Lee
● Incident Response without an actual incident, done with a purpose - Rob M Lee
6. Threat Detection vs Hunting
Detection: Automated by machines such as IDS/IPS, AV, etc.; focused on known attacks, IOCs, etc.
Hunting: Humans find bad stuff with the help of machines; hunting leads to identifying detection gaps and creating new detections
7. Becoming the Threat Hunter
● The Threat Hunter role sits between the common offensive and defensive roles
● The role needs strong offensive knowledge and defensive skills
● Skills - Analytical Mindset, OS and Network Architecture, Offensive Skills (attack methods, TTPs, etc.), Host Analysis, Network Analysis, Malware Analysis, Memory Analysis, Data Analysis (SIEM, Logs, PCAP, Netflow, etc.), Hunting Tools
8. Hypothesis
● This is what makes Threat Hunting a Human Led activity
● Reasonable assumption about adversaries and the techniques they might be using to attack or persist in an environment
○ Example - Attackers will leverage signed Windows binaries to perform malicious activities, which will not be flagged by existing security tools/controls
Ref: https://pages.endgame.com/rs/627-YBU-612/images/The%20Endgame%20Guide%20to%20Threat%20Hunting%20-%20ebook.pdf
11. Useful Frameworks
Alerting and Detection Strategies (ADS) Framework
https://github.com/palantir/alerting-detection-strategy-framework
Hunting Maturity Model (HMM)
http://detect-respond.blogspot.com/2015/10/a-simple-hunting-maturity-model.html
Pyramid of Pain
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
12. Finally, What does a Threat Hunter have?
To Develop Hunts:
● Collected Data
● Blogs
● Twitter
● MITRE ATT&CK
● APT Reports
● CTI
● Mailing List
● Red Teaming
● Adversary Simulation
● and many more ...
13. Example Hunts
● Hypothesis - Attackers are still using dyndns hostnames for C2
○ Take the list - https://gist.github.com/neu5ron/8dd695d4cb26b6dcd997 - and compare it with DNS queries in your environment
● Hypothesis - Attackers are maintaining persistence using Run keys
○ Collect Run keys from your environment (using an EDR tool or just using PowerShell)
○ Group executables in Run keys, group executable paths, command line arguments, etc.
http://pwndizzle.blogspot.com/2014/01/powershell-retrieve-run-keys-start-menu.html
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492713638.pdf
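The first hunt above, worked as an added example (not code from the talk): a small suffix matcher that checks each queried name in a DNS log against a list of dynamic DNS base domains. The domain list and the log lines below are constructed stand-ins for the linked gist and for your own DNS telemetry; the log format (timestamp, client, query type, name) is an assumption.

```python
from typing import Optional

# Constructed sample of dynamic DNS base domains (stand-in for the gist linked above).
DYNDNS_DOMAINS = {"no-ip.org", "dyndns.org", "duckdns.org", "hopto.org"}

# Constructed DNS query log lines: timestamp, client IP, query type, queried name.
SAMPLE_LOG = """\
2018-03-01T09:12:01 10.0.1.15 A www.example.com
2018-03-01T09:12:04 10.0.1.15 A update.no-ip.org.
2018-03-01T09:13:22 10.0.2.7 A mailer.dyndns.org
2018-03-01T09:14:09 10.0.3.42 AAAA Beacon.HOPTO.ORG
2018-03-01T09:15:30 10.0.1.15 A notno-ip.org
2018-03-01T09:16:11 10.0.2.7 A intranet.corp.example.com
"""

def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing root dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")

def matched_domain(name: str, domains) -> Optional[str]:
    """Return the listed base domain that the name equals or is a subdomain of, else None.
    Matching is on whole labels, so 'notno-ip.org' does not match 'no-ip.org'."""
    labels = normalize(name).split(".")
    # Try every label-aligned suffix: a.b.c.d -> a.b.c.d, b.c.d, c.d, d
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in domains:
            return suffix
    return None

def hunt_dyndns(log_text: str, domains=DYNDNS_DOMAINS):
    """Return (client, queried_name, base_domain) for every query that hits the list."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the hunt
        _ts, client, _qtype, qname = parts
        base = matched_domain(qname, domains)
        if base:
            hits.append((client, normalize(qname), base))
    return hits

if __name__ == "__main__":
    for client, qname, base in hunt_dyndns(SAMPLE_LOG):
        print(f"{client} queried {qname} (matches {base})")
```

Every hit is a lead to pivot on (which process on that host made the query, how often, to which resolved IP), not a verdict; legitimate dynamic DNS use exists, so stack the results per client before escalating.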
14. Free and Open Source Tools to Assist in Hunts
● Endpoint
○ GRR - https://github.com/google/grr
○ Sysmon - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
○ OSQuery - https://osquery.io
● Network
○ Bro - https://www.bro.org/download/index.html
○ Suricata - https://suricata-ids.org/
15. Free and Open Source Tools to Assist in Hunts
● Storage & Analytics
○ Elastic Stack - https://www.elastic.co/elk-stack
○ Logs - Winlogbeat, Filebeat
○ HELK - https://github.com/Cyb3rWard0g/HELK
● Infrastructure
○ Puppet, Chef, Ansible, Docker, etc.
16. Useful Blogs
● Blogs:
○ David Bianco's Blog
○ sqrrl Hunting Blog
○ DFIR and Threat Hunting Blog
○ CyberWardog's Blog
○ Chris Sanders' Blog
○ Kolide Blog
○ Endgame Blog
○ Robert M Lee’s Blog
○ and many others whom I may have missed