Hunting cyber threats (especially those never seen previously) is the most expensive and difficult threat intelligence endeavor.  Hunting is a risk because you’re betting that there is something there to find – and that you can find it.  An effective hunter may come up empty most of the time.  Creating an effective threat hunting strategy ensures greater chances for a return on the investment.

An effective strategy includes answering four critical questions and employing the right approach to achieve the goal.  The Diamond Model identifies several “centered-approaches” enabling effective threat hunting.  Tying these approaches together creates the basis for a hunting strategy.  Without a strategy your chances of failure increase dramatically.

Hunting cyber threats is the most expensive and difficult threat intelligence endeavor.

Building a Hunting Strategy with the 4 Hunting Questions

Throwing out “I’m going threat hunting” is akin to saying, “I’m going fishing.”  Both are such vague phrases that they generally require a follow-up question: “For what?”  Some may answer “malware” or “lateral movement” the same as others answer “salmon” or “bass.”  The next question asked, naturally, “where?”  This leads us to the first critical element of a hunting strategy: answering the critical questions.

If you can’t answer these questions well.  You might as well go back to what you were doing because you’ll likely end up just wasting time and resources.  Hunting requires patience and discipline.  These four questions are the core of any hunting strategy.

The 4 Hunting Questions

There are four critical questions necessary to build a hunting strategy, and they’re best answered in this order:

  1. What are you hunting?
    • Hunting is expensive and risky.  You must narrow down exactly for which activity you are hunting.  Is it exploitation?  Is it lateral movement?  It is exfiltration?
  2. Where will you find it?
    • What you are hunting will determine where you will find the activity.  You must next narrow down the sources of telemetry which will provide visibility into the activity AND access to stored telemetry
  3. How will you find it?
    • Once you’ve identified what you’re looking and where you’ll likely find it, next you must identify the tools to hunt.  You don’t catch salmon and bass in the same way – you won’t catch exploitation and lateral movement in the same way.
  4. When will you find it?
    • Have a time bound for your hunting.  A never-ending chase will lead you nowhere.  Allot a specific amount of time necessary to achieve your goal, and if you come up empty at that time – move on to the next target.  If you have to feed your family, and you go out salmon fishing but catch nothing – it’s probably best to instead go after another fish or game before everyone dies of starvation 🙂  Likewise, management may likely lose patience with your hunting if you don’t deliver value.

From Strategy to Approach

Once you’ve answered the four critical hunting questions – you must then design the approach.  The approach not only describes the modes and methods of your hunting but, more importantly, addresses the “why.”  The “why” establishes your hypothesis.

Hunters must build and test many hypotheses at once.  Each failed hypothesis can lead to a failed hunt.  For instance, the hunter hypothesizes that they’re breached.  Why else would they be hunting?  Of course, if they’re not – the hunt fails.  The hunter hypothesizes the adversary leverages identities to move across assets.  So, this hypothesis leads the hunter to examine Active Directory logs.  Of course, if the adversary uses file shares they may not show up in AD – the hunt fails.

This step is critical because hunting is a big risk and cost.  And, establishing not just the “how” but also the “why” will help hunters critically examine their approach and look for other methods possibly overlooked.

When hunting adversaries you must always question your approach and look for more creative and effective methods.

The Diamond Model Centered Approaches

The Diamond Model establishes the event as the most basic element of any malicious activity and composed of four core features: the adversary, the victim, infrastructure, and capability.  All malicious activity contains these features (as established in Axiom 1).  Therefore, any hunting is ultimately based on these features and any hunting approach contains a mix of these “centered approaches.”

However, don’t consider these approaches in isolation.  Instead, a mix of approaches used in concert achieve greater coverage.

The Diamond Model of Intrusion Analysis. An event is shown illustrating the core features of every malicious activity: adversary, victim, capability, and infrastructure. The features are connected based on their underlying relationship.

The Diamond Model of Intrusion Analysis. An event is shown illustrating the core features of every malicious activity: adversary, victim, capability, and infrastructure. The features are connected based on their underlying relationship.

Named for the feature on which they’re based, the approaches are:

The Victim-Centered Approach

The news of several determined adversaries targeting a single human rights activist is an excellent example of the victim-centered approach.  A victim-centric approach uses the victim as the central element for hunting and looks to illuminate the other Diamond-connected features (i.e., capabilities, infrastructure, adversaries).  The victim-centric hunt is equivalent to a “honeypot.”

Network defenders will most likely focus on the victim-centered approach.  It provides the greatest benefit and easiest approach with the highest likelihood of actionable results.  There are many modes and methods provided by this approach.  Chris Gerritz (@gerritzc) details several victim-centered approach modes and methods in his post: Approaches to Threat Hunting.

Advantages: catches many adversaries, many hunting opportunities (e.g., network attacks, malicious email delivery, etc.), easily obtained data (usually)

Disadvantages: possible overwhelming amount of malicious activity, too many hunting opportunities can dilute an undisciplined hunting effort

Tips: focus hunt on a single phase of the kill-chain at a time

See Diamond Model Section 7.1.1

An Example Victim-Centered Hunting Strategy

[Why] We hypothesize that several adversaries target a specific victim.

[Why] We further hypothesize that adversaries deliver their capabilities via email (as most do).

[Why] Our hypothesis is strengthened through data that most attacks are delivered via email and our organization has previously received email-borne delivery attacks.

[What] Our hunting goal: collect intelligence on adversary attacks in the email delivery phase.

[Where & How] Therefore, our victim-centered hunting approach includes gaining visibility into the victim email and apply tools which illuminate likely malicious elements (links, attachments).  Our primary method will involve detonating attachments and hyperlinks.  Our secondary method will involve sender-receiver graph analysis and header inconsistencies.

[When] We will apply this approach and methodology for 2 weeks after achieving access to data.

This hunting strategy reveals:

  • Capabilities: the tools and techniques used by an adversary to compromise and operate against a victim (e.g., in our example: the malicious attachments)
  • Infrastructure: the logical and physical elements necessary to manage capabilities (e.g., in our example: the email source, malicious attachment C2, URLs)

The Infrastructure-Centered Approach

While network defenders will generally take the victim-centered approach.  That’s not the only hunting approach available.  The infrastructure-centered approach enables hunters to identify malicious infrastructure and possibly pivot to identify capabilities, victims, and more infrastructure.  Most importantly, because generally infrastructure must operational before capabilities and victims connect – new infrastructure can provide preemptive defense.

There are several methods to leverage this approach.  Depending on access and visibility some are easier than others.  For instance, one method is to monitor domain name servers known to host malicious domains.  Another may be to monitor all new domain registrations for a known pattern used by an adversary.

Another popular method is SSL certificate chaining.  PassiveTotal has written a post, “Harnessing SSL Certificates Using Infrastructure Chaining” detailing the method.  Mark Parsons (@markpars0ns) has a great presentation on “Hunting Threat Actors with TLS Certificates.”

Lastly, and one of the most difficult is direct observation of malicious infrastructure.  This could be done through a service provider – or via infrastructure take-over (such as a sinkhole).  Through this method, significant intelligence can be gained including: capabilities used through the infrastructure, victims contacting the infrastructure, and potentially other related infrastructure.

Don’t forget about the opportunities to use the Diamond Model to chain multiple approaches together.  For example, after discovering new infrastructure an analyst is able to pivot an ask for additional information about Diamond-connected features, such as capabilities.  This might be through pivoting across a malware zoo like Virus Total for any reference to the infrastructure.

Advantages: Good tools exist to support the approach (PassiveTotal), finding infrastructure prior to operational use provides preemptive defense

Disadvantages: Limited data access, findings not relevant to many organizations

Tips: Data, Data, More Data

See more in the Diamond Model Section 7.1.3

Example Infrastructure-Centered Hunting Strategy

[Why] We hypothesize adversaries establish infrastructure prior to operations

[Why] We hypothesize adversary X continues to structure their domains using the pattern badstuff-<victimname>.com

[Why] We hypothesize adversary X continues to use the name server baddomains.com to host their infrastructure and the same

[What] Our hunting goal: monitoring the name server for new names matching the pattern we may find new names prior to their operations providing proactive defense.  Further, because the adversary uses the victim name in their domain we will likely identify victims.

[Where] The baddomains.com name server

[How] Monitor the baddomains.com name server by querying the server every morning for all domains and identifying the domains not seen the previous day.  Further, looking for any domains on the server with the known pattern.

[When] We will leverage this strategy for 1 month to provide for any dips in adversary activity during that period

The Capability-Centered Approach

Aside from the victim-centered approach employed by most network defenders, the capability-centered approach is the second-most popular.  This is largely due to the broad accessibility of a massive malware zoo – VirusTotal.  If VirusTotal didn’t exist, this approach would likely be limited to only anti-virus vendors and others with potentially large collections of malicious binaries.

The capability-centered approach focuses on discovering intelligence from adversary tools – namely “malware” (but the category is larger than malware and includes legitimate tools used illegitimately).  The most advanced hunters using this approach take advantage of the VirusTotal retrohunt feature enabling analysts to run YARA rules over the VirusTotal zoo looking for lesser known samples.

Advantages: easy access to large malware library (VirusTotal), easily written analytics (YARA)

Disadvantages: without your own malware zoo – limited to VirusTotal features

Tips: take advantage of VirusTotal

See more in the Diamond Model Section 7.1.2

Example Capability-Centered Hunting Strategy

[Why] We hypothesize that network defenders share adversary capabilities via VirusTotal

[Why] We hypothesize that we can identify unique malware via a malware zoo using static analysis

[What] Our hunting goal: find undiscovered malware and its associated command and control (C2) channel to feed host- and network-based detection to enhance protection

[Where] VirusTotal

[How] Author and execute YARA rules over the VirusTotal data and monitor the zoo daily for new samples meeting our criteria

[When] We will author and improve rules for 2 weeks and run them perpetually

The Adversary-Centered Approach

The adversary-centered approach focuses on visibility on the adversary themselves – meaning few organizations have the requisite visibility.  Usually, limited to only service providers and those with extraordinary capabilities.  However, achieving visibility directly on the adversary themselves generally provides tremendous, almost perfect, insight.  This includes infrastructure creation and management, capabilities (sometimes those in development), attribution details, and at times victim information.

However, others may access some methods within this approach.  For instance, knowing an adversary persona may allow an analyst to leverage open source intelligence (OSINT) to track the persona across sites potentially gaining insight into operations.  Further, an analyst may leverage adversary operations security (OPSEC) mistakes to achieve attribution based on their persona.  ThreatConnect’s CameraShy work illustrates the adversary-centered approach to achieve attribution through persona development and tracking.

However, while this approach leads to “newsworthy” items regarding attribution – their direct application to network defense is limited.  Therefore, generally only those with a vested interested in attribution leverage this approach.

Advantages: possible adversary attribution, deeper visibility into

Disadvantages: the most difficult approach requiring significant (and sometimes extraordinary) visibility or adversary mistakes, does not generally result in actionable intelligence, adversary “false flag” mis-attribution may trip up undisciplined analysts

Tips: leverage OSINT and pray for a mistake 🙂

See more in the Diamond Model Section 7.1.4

Example Adversary-Centered Hunting Strategy

[Why] We hypothesize adversaries use personas to register malicious domain names

[Why] We hypothesize that some of these domain registration aliases relate to real people

[Why] We hypothesize that adversaries have mistakenly tied their operational alias to their real personas revealing their personal details

[What] Our hunting goal: uncover the real people behind malicious domains providing attribution

[Where] Domain registration data and other open sources

[How] Take 500 known malicious domains, extract aliases details from their registration, pivot across open sources looking for correlation with real people

[When] Spend 3 days collating known malicious domains, 2 weeks pivoting across open sources