Threat Hunting, yes, another set of buzzwords. The world of Information Security is a smorgasbord of buzzwords. Still, threat hunting. It sounds glamorous, worthwhile, fun and interesting. The question is, just what is it?
I admit it, I am taken in by the idea of Threat Hunting. It feels like something important (which it is) and cool (depends on your point of view). I want to be a good threat hunter, and so do many people, blue and red teamers alike. The problem is that Threat Hunting is a huge umbrella area. It is non-specific. Earlier this week Dr. Anton Chuvakin asked on Twitter what threat hunting is.
What are the most abysmally fake examples of totally NOT threat hunting that vendor(s) called “threat hunting”? #question
— Dr. Anton Chuvakin (@anton_chuvakin) March 10, 2018
The thread is a good look at how people view threat hunting, and what it is or is not. Dr. Chuvakin responded with this:
Well, this is how I am planning to phase it 🙂 pic.twitter.com/sH6QTijT8V
— Dr. Anton Chuvakin (@anton_chuvakin) March 13, 2018
There are some flaws with this thinking, and it all comes down to how you define threat hunting. Let us move away from information security for a second, remove the word threat and look at what the key word is: Hunting.
You want to get some fresh venison, and a set of antlers on your wall. Deer hunting season is here. So how does one go about hunting a deer? First you have to get to the woods with some sort of weapon (gun, bow, spear for those really wanting a challenge). Next you have to find the deer. Track it. How do you do that? Find footprints, use some sort of sound or smell, anything to track down the deer. You become a detective, and use deception. Finally you have to actually take the shot and hope it is good for the kill. Three main phases of hunting: Location, Deception/Detection, Kill shot. Is it not hunting if you have a dog that helps automate the detection/deception phase? That dog just makes it easier to find the deer.
Now let us look at how that relates to Threat Hunting in the world of infosec. Phase 1: Location. You can threat hunt in your own network (which most of us do, knowingly or unknowingly), out on the Internet, or on the Dark Web. You can hunt for the vulnerabilities, the compromises, zero day attacks. You can hunt for the actors, malware, lateral movement. What is the location, the area you are hunting in? Phase 2 is where you do your detective work. This can include honeypots, honeynets, deception technology, going through logs manually or using automation. Insisting that hunting means going through large amounts of data by hand, not using tools, or any other restriction on how you may find the threat(s) only limits your success. In fact, Threat Detection (Incident Detection) is the first two phases of threat hunting. They are a subset of threat hunting. The kill shot is the only difference. That kill shot in our world can be plugging the hole, removing the malware, blocking a C2 IP address, anything that kills (mitigates) the immediate threat that you have found.
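To make the three phases concrete, here is a small hunt written out as code. It is an added example, not code from the original post: the log lines, host addresses and the block-rule format are all constructed placeholders. Phase 1 (Location) is the proxy log of our own network, Phase 2 (Detection) is an automated search for hosts that call the same external address at suspiciously regular intervals (a common sign of beaconing), and Phase 3 (Kill shot) turns each finding into a mitigation, in this case a block rule for the destination.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (hypothetical hosts and addresses, not from the original post).
# Format: <timestamp> <src_ip> <dst_ip> <dst_port> <method>
SAMPLE_LOG = """\
2018-03-13T10:00:00 10.0.0.5 198.51.100.7 443 CONNECT
2018-03-13T10:00:03 10.0.0.8 203.0.113.20 443 GET
2018-03-13T10:05:00 10.0.0.5 198.51.100.7 443 CONNECT
2018-03-13T10:07:41 10.0.0.8 203.0.113.21 80 GET
2018-03-13T10:10:00 10.0.0.5 198.51.100.7 443 CONNECT
2018-03-13T10:12:19 10.0.0.8 203.0.113.22 443 GET
2018-03-13T10:15:00 10.0.0.5 198.51.100.7 443 CONNECT
2018-03-13T10:20:00 10.0.0.5 198.51.100.7 443 CONNECT
2018-03-13T10:31:05 10.0.0.8 203.0.113.20 443 GET
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_log(text):
    """Phase 1, Location: the log of the network we are hunting in.
    Returns (timestamp, src, dst) tuples; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.1):
    """Phase 2, Detection: flag (src, dst) pairs that talk at regular intervals.
    A pair is flagged when it has at least min_hits connections and the gaps between
    them vary by no more than max_jitter (standard deviation / mean) around the mean gap."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:  # all hits in the same second: a burst, not a beacon
            continue
        if pstdev(gaps) / avg <= max_jitter:
            findings.append({"src": src, "dst": dst, "hits": len(stamps), "interval_s": avg})
    return findings


def kill_shot(findings):
    """Phase 3, Kill shot: turn each finding into a mitigation, here a block rule for the
    destination. The rule text is a constructed placeholder, not any real firewall syntax."""
    return [
        f"BLOCK dst={f['dst']} reason=beacon interval={int(f['interval_s'])}s src={f['src']}"
        for f in findings
    ]


def hunt(text):
    """Run all three phases over one log and return (findings, mitigation actions)."""
    events = parse_log(text)
    findings = find_beacons(events)
    return findings, kill_shot(findings)


if __name__ == "__main__":
    found, actions = hunt(SAMPLE_LOG)
    for f in found:
        print(f"beacon: {f['src']} -> {f['dst']} every {f['interval_s']:.0f}s ({f['hits']} hits)")
    for a in actions:
        print(a)
```

On the constructed log, 10.0.0.5 reaches 198.51.100.7 every 300 seconds and is flagged, while 10.0.0.8's irregular browsing is not. The point of the example is the shape of the process, not the detector: the same three phases hold whether Phase 2 is this script, a honeypot, or an analyst reading logs by hand.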
This is true threat hunting. It is not about the tools; any tool can be used. It is about the result. Did you find the threat and remove or mitigate it? Threat hunting is a process, and one that many things can fall under. It can only be defined in the broadest terms and then whittled down to specific areas. Trying to shrink those broadest terms and limit what can be used does nothing but hurt the hunt, and puts us at a bigger disadvantage against the black hats we are after.