There are few terms in cybersecurity that have as many definitions as “threat hunting.” Most practitioners will agree that threat hunting is essential for analysts and detection, but few can agree on what it actually entails. This leads to confusion in hiring, analysis, and cybersecurity projects and resourcing. There has never been a more vital time for threat hunting, particularly in Operational Technology (OT) environments.
Let’s start with a fundamental fact: computers are good at detecting computers. That’s why antivirus is pretty effective at detecting known malware families and network detection tools are pretty good at detecting command and control (C2) traffic. Unfortunately, a significant portion of successful attacks my team observes against OT environments are human-driven and do not consistently rely on automated tools or persistent malware. This is primarily due to the facts that 1) OT environments are more vulnerable and 2) effective attacks against processes require more adversary adaptation. Conversely, humans are (and will always be) better at seeing patterns in novel, irregular, malicious human activity, particularly the abuse of authorized software. Cybersecurity detection and monitoring tools are absolutely critical in OT but are also something smart human analysts should utilize to make detection and analysis more efficient and reduce repeated tasks.
All of this necessitates humans going beyond purely automated detection in OT to detect novel tactics, abuse of authorized remote access and protocols, and intrusions into legacy and non-standard devices and protocols. Threat hunting requires that trained humans consider potential OT attacks and consequences and then look for signs of compromise. Finally, any of these detections that can be automated should be on a recurring basis.
This is the real concept of threat hunting. Threat hunting isn’t simply detection monitoring or utilizing indicators of compromise. Successful threat hunting can be defined by the following eight criteria:
- Driven by trained cybersecurity analysts.
- Does not duplicate tasks already performed by automated monitoring.
- Covers current necessary gaps in automated monitoring visibility.
- Detects novel and human-driven attacks that any detection platform will have difficulty flagging.
- Based upon hypotheses about actions a malicious party could practically take to cause a consequence of concern in the environment.
- Utilized to go beyond, improve, and tune automated detection.
- Requires a structured, repeatable methodology.
- Be a continual process, both scheduled and ad hoc as appropriate.
There are multiple SANS white papers which aid in developing a healthy threat hunt program and methodology. The first one I recommend is A Practical Model for Conducting Cyber Threat Hunting. This paper provides a six-stage structured lifecycle for performing threat hunts with a focus on operational environments. It starts with understanding a practical purpose for the threat hunt, something often skipped due to the eagerness to “threat hunt” in accordance with to cybersecurity trends as opposed to practical outcomes. It also discusses the importance of practically scoping threat hunts in a realistic way that is not overwhelming to analysts.
The second SANS white paper I highly recommend is Generating Hypotheses for Successful Threat Hunting. As I mentioned previously, successful threat hunting should be based around logical hypotheses. In threat hunting, a hypothesis is a supposition about plausible actions an adversary could make in an environment, most relevantly to cause a consequence of concern. Again, we are not threat hunting for the sake of threat hunting. We are doing it to find novel and hard to detect adversary activity. Therefore, we should hunt for things an adversary might be doing that meet those criteria. This paper discusses best practices for creating successful adversary activity hypotheses. A key element is the viable sources for hypotheses: they can be driven by threat intelligence, but also domain knowledge about adversary tactics or the environment or even situational awareness about changes in an organization’s threat model.
Another important note is that in good investigations, we always try to scientifically disprove (or falsify) our hypotheses. There is no sense in threat hunting if we never feel confident that a possible attack vector has been eliminated. Every hypothesis about what an adversary could reasonably be doing in our environment should be scoped and formed in such a way that we can either confidently falsify it or prove it is happening and initiate incident response.
After a basic level of cybersecurity maturity and architectural understanding is reached in any organization, a threat hunting program is a great step towards more holistic coverage of novel and human-driven attacks. However, threat hunting should always be done to increase detection coverage. It should not be done merely for the sake of threat hunting or in duplication of tasks already performed by automated detection tools. Threat hunting is especially crucial in low-maturity, vulnerable, and consequential OT environments where novel human-operated attacks still post a serious threat.
Check out Lesley’s SANS profile to see when they’re next teaching, and sign up for a demo of ICS515: ICS Visibility, Detection, and Response.
