Updated: Sep 27
In general, there is often a gap between the activity that an organization is capable of observing on their network and the activity that threat actors are capable of executing. Modern Endpoint Detection and Response (EDR) solutions are undoubtedly helpful, but their effectiveness is limited to detecting only what they are engineered to identify.
Threat hunting augments these standard SOC capabilities through iterative and proactive processes to identify anomalous activity within an environment with the objective of identifying previously unknown and undetected threats. This is achieved through leveraging repeatable, organized hunting procedures and a variety of analysis methods. However, this process does not rely on searching through an environment using atomic indicators of compromise (IOC). Additionally, a hunt does not guarantee positive threat identification.
Threat hunting is advantageous for the business because it helps maximize the return on investment (ROI) from both people and technology, which benefits the organization as a whole. Hunting enables an organization to identify and address potential threats before they grow into incidents that cause significant damage to the business. Additionally, successful threat hunting helps organizations develop a more thorough understanding of their environment, which can be used to drive better-informed security decisions and ultimately support business goals.
Why is Threat Hunting so Important?
Modern adversaries are moving away from the use of traditional malware, because most anti-malware solutions can detect and block these attacks. Instead, they are increasingly leveraging methods such as Living off the Land (LotL), which are extremely difficult to detect using traditional security solutions.
LotL essentially exploits pre-existing resources already present in a target system's IT environment for malicious purposes. For example, a threat actor can steal a user's domain login credentials through a phishing email. They can then use these compromised credentials to circumvent access controls on different resources within the network. Thereafter, the same credentials may also be used for persistent access to remote systems and externally accessible services, like VPNs, Outlook Web Access, network devices, and remote desktop.
They may choose not to use malware or external tools in combination with the legitimate access provided by those credentials, in order to make it more difficult to detect their presence. Alternatively, they may abuse built-in command and script interpreters to execute commands, scripts, or native binaries of the operating system. By doing so, they can run malicious code and achieve broader objectives, such as network exploration to encrypt and steal data, which can directly impact business operations.
Since EDR automation cannot detect all activity, human-led threat hunting becomes a critical component of a threat intelligence program to identify and mitigate threats. It enables organizations to proactively stay ahead of modern adversaries by combining insights and expertise into specific threat actor tactics, techniques, and procedures (TTPs) with corresponding EDR and SIEM detection analytics.
The Pyramid of Pain: Prioritizing TTPs over IOCs
In cybersecurity, the Pyramid of Pain describes the concept that indicators of compromise (IOCs) are the least valuable form of threat intelligence, while tactics, techniques, and procedures (TTPs) are the most valuable.
IOCs are specific pieces of information that indicate a compromise has occurred, such as IP addresses, file hashes, or URLs. However, these indicators can easily be changed by threat actors, making them less effective in the long term. In the above scenario, the threat actor could very well achieve their operational objectives without being detected by controls that rely on hash values, domain names, host artifacts, or tools as the malicious observables. On the other hand, TTPs represent the behaviors and methods used by threat actors, which are more difficult to change and can provide valuable insights into how they tend to interact with the system(s) in their target environment. This approach allows organizations to gain a deeper understanding of the techniques employed by threat actors and develop more effective countermeasures.
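The following added example (not code from the original post) illustrates the Pyramid of Pain point on constructed process-creation telemetry: an atomic hash IOC from a previous incident matches only the exact build it was taken from, while a behavioral hunt rule for the LotL pattern described above (a mail or Office client spawning an interpreter with a hidden window or encoded command) still fires after the actor recompiles or renames their tool. All hashes, image names and command lines are made up; the rule and parent list are assumptions, not a vendor's analytic.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    parent: str    # parent process image name
    image: str     # child process image name
    sha256: str    # hash of the child image (constructed placeholder, not a real hash)
    cmdline: str   # child command line

# Constructed sample telemetry; "QQBBAEEA..." is just a base64 placeholder, not a real payload.
ENC = "QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"
EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe", "hash-ps-v1",
                 "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"),   # benign admin use
    ProcessEvent("explorer.exe", "svchosts.exe", "hash-tool-v1",
                 "svchosts.exe --update"),                                          # build seen last incident
    ProcessEvent("outlook.exe", "powershell.exe", "hash-ps-v1",
                 f"powershell.exe -nop -w hidden -enc {ENC}"),                      # LotL: built-in interpreter
    ProcessEvent("winword.exe", "cmd.exe", "hash-cmd-v1",
                 f"cmd.exe /c powershell -WindowStyle Hidden -EncodedCommand {ENC}"),
    ProcessEvent("outlook.exe", "svchosts.exe", "hash-tool-v2",
                 f"svchosts.exe -w hidden -enc {ENC}"),                             # same tool, recompiled
]

# Atomic IOC: the one hash captured during the previous incident (assumed feed content).
BLOCKLISTED_HASHES = {"hash-tool-v1"}

# Behavioral (TTP-level) rule, an assumption for this example: a mail/Office parent
# spawning any child whose command line hides its window or carries an encoded command.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
SUSPICIOUS_ARGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)

def ioc_hits(events):
    """Indices of events whose image hash is on the blocklist (bottom of the pyramid)."""
    return [i for i, e in enumerate(events) if e.sha256 in BLOCKLISTED_HASHES]

def ttp_hits(events):
    """Indices of events matching the behavioral rule (top of the pyramid)."""
    return [i for i, e in enumerate(events)
            if e.parent.lower() in OFFICE_PARENTS and SUSPICIOUS_ARGS.search(e.cmdline)]

if __name__ == "__main__":
    # The hash IOC catches only the old build; the TTP rule catches both LotL cases and the rebuilt tool.
    print("IOC hits:", ioc_hits(EVENTS))   # [1]
    print("TTP hits:", ttp_hits(EVENTS))   # [2, 3, 4]
```

Event 4 shows the cost asymmetry the pyramid describes: changing the hash cost the actor a recompile, but the hidden-window/encoded-command behavior they rely on is what the hunt keys on.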
One of the most common resources for understanding threat actor TTPs is the MITRE ATT&CK Framework. The most significant benefit of MITRE ATT&CK is that it provides a comprehensive framework that categorizes and describes threat actor TTPs across various stages of an attack. This allows organizations to align their security practices with real-world threat scenarios and better prepare for potential attacks. Additionally, the MITRE ATT&CK Framework is regularly updated and maintained by a community of cybersecurity experts, ensuring that it remains relevant and effective in the ever-evolving threat landscape.