Welcome to the wonderful world of threat hunting! This is the first in a series of blog posts where we’ll walk through how we at RADICL conduct our threat hunts. This post will cover, at a high level, the process by which we plan for and execute hunts. Each subsequent post will dive into key steps along that process and culminate in a real-world scenario. By the end of the series, you should be equipped with all the tools necessary to start running your own hunts.
I’m very much a visual learner, so I think any good process should have a good process diagram. So, to kick things off, you’ll find the visual representation of what I’ll be explaining over the course of this post below:
Threat hunting should always start with research. But what to research? To answer that question, let's channel the timeless wisdom of Sun Tzu: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." This philosophy is a cornerstone in the realm of threat hunting. With that in mind, the first thing you should do is research your own organizational environment by conducting terrain analysis. Terrain, in this context, covers the whole of your organization’s attack surface, including people, processes, and technology. This analysis should extend beyond just cataloging what’s there. You must put on your threat actor goggles and think through how someone could exploit and abuse your terrain.
Once you've wrapped your head around your organization's ins and outs, the next move is to “know your enemy” by conducting a threat analysis. This process includes identifying, researching, and prioritizing the threat actors likely to target your organization. Familiarize yourself with the tactics, techniques, and procedures they've historically employed and how those could be leveraged against your organization.
Once equipped with knowledge about both your adversaries and your organization, research is mostly over, and it’s time to prepare for your hunt. Choose a broad topic derived from the tactics/techniques used by the actors you identified during threat analysis. Typically, I focus on tactics/techniques seen in recent campaigns or areas lacking defensive coverage. More research follows (I did warn you that it was only mostly over), drilling down into how these threat actors execute the tactic or technique of interest (in other words, we’re getting down to the procedural level). How do these threat actors execute their techniques? What tools or command line wizardry do they employ? What traces does this activity leave in log data or on systems?
With a solid grasp of how these threat actors manifest your selected topic, it's time to craft a hunt hypothesis – a testable supposition about potential threat activity on your network. "Testable" is key; you must be able to prove or disprove your supposition with the data you have. The hypothesis should be a more focused version of the hunt topic. For example, if your topic was defense evasion used by APT41, then your hypothesis could be something like "APT41, while conducting operations in my environment, will inject a malicious payload into a benign process as a means of defense evasion". Armed with your hypothesis, identify the data sources necessary to validate it, and confirm they actually record the behavior in question. The example above revolves around Windows process injection, and the default Windows Security event log will not get you there on its own: it records process creation (Event ID 4688) but not one process writing into or starting threads in another. You would want Sysmon (Event ID 8, CreateRemoteThread, and Event ID 10, ProcessAccess) or equivalent EDR telemetry. Discovering a gap like that before the hunt is itself a useful output, because it is a hardening recommendation waiting to be written.
Finally comes the fun part – the hunt. Hunting involves analyzing and manipulating data to uncover the artifacts that align with the behavior defined in your hypothesis. A successful hunt generally leads to one or more of three actions: if malicious activity is detected, kick off an incident response; if weaknesses in your defenses are unearthed, make a hardening recommendation; and finally, convert any high-fidelity, low-noise analytics into detection logic, adding them to your organization's security stack. A hunt that disproves the hypothesis is still a successful hunt: you now know that behavior is not present in the data you examined, and the analytic you built to look for it can often still become a detection. After incident response, hardening, and/or detection logic creation, the hunt is over! Make sure to document the hunt for future reference (hypothesis, data sources, queries, and outcome) and prepare for the next one.
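To make the hypothesis and hunt steps concrete, here is the process-injection hypothesis from above carried through to a small analytic you could run over Sysmon Event ID 8 (CreateRemoteThread) records. This is an added example written for this post, not RADICL's hunt tooling. The field names (SourceImage, TargetImage, StartModule, StartFunction) are Sysmon's own; the events, the allowlist of benign remote-thread creators, and the path markers are constructed assumptions you would replace with what your terrain analysis tells you.

```python
"""Hunt analytic for the hypothesis "the actor injects a payload into a benign
process", expressed as cross-process thread creation recorded by Sysmon
Event ID 8 (CreateRemoteThread).

Added example, not RADICL's tooling. SAMPLE_EVENTS are constructed records
that follow Sysmon's ID 8 field names; the values are invented.
"""
from collections import Counter

# Constructed sample: five Sysmon Event ID 8 records trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-01 09:00:01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    {"UtcTime": "2024-03-01 09:00:02", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    {"UtcTime": "2024-03-01 09:00:03", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    # Textbook DLL injection: the remote thread is started at LoadLibraryW.
    {"UtcTime": "2024-03-01 09:14:21", "SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryW"},
    # Shellcode injection: the thread's start address is not backed by any loaded module.
    {"UtcTime": "2024-03-01 09:14:23", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": "", "StartFunction": ""},
]

# Processes that routinely create threads in other processes on a stock Windows host.
# Assumption for this example: derive your own list from terrain analysis of your fleet.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Path fragments that indicate a source binary running from a user-writable location.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Thread start functions that signal the classic CreateRemoteThread + LoadLibrary injection.
LOADER_FUNCTIONS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}


def pair_counts(events):
    """Stack-count (source, target) image pairs; the rare pairs are where a hunt starts."""
    return Counter((e["SourceImage"].lower(), e["TargetImage"].lower()) for e in events)


def reasons_for(event, counts):
    """Return the indicators one event trips. An empty list means 'not interesting'."""
    src = event["SourceImage"].lower()
    tgt = event["TargetImage"].lower()
    # Same image on both sides (e.g. a browser's own worker processes) is not the
    # cross-image injection the hypothesis describes; allowlisted sources are expected noise.
    if src == tgt or src in BENIGN_SOURCES:
        return []
    reasons = []
    if not event.get("StartModule"):
        reasons.append("thread start address not backed by a loaded module")
    if event.get("StartFunction", "").lower() in LOADER_FUNCTIONS:
        reasons.append("remote thread starts at LoadLibrary (DLL injection pattern)")
    if any(marker in src for marker in USER_WRITABLE_MARKERS):
        reasons.append("source image runs from a user-writable path")
    if counts[(src, tgt)] == 1:
        reasons.append("source->target pair seen only once in this data set")
    return reasons


def hunt(events):
    """Run the analytic over a batch of ID 8 events and return the hits with their reasons."""
    counts = pair_counts(events)
    hits = []
    for e in events:
        reasons = reasons_for(e, counts)
        if reasons:
            hits.append({"time": e["UtcTime"], "source": e["SourceImage"],
                         "target": e["TargetImage"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f'{hit["time"]}  {hit["source"]} -> {hit["target"]}')
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run against the constructed sample, the three csrss.exe events drop out as expected noise and the two injection-shaped events surface with the indicators that make them interesting. The "seen only once" reason is deliberately weak on its own; it is the stack-counting step that tells you where to look, and the StartModule and LoadLibrary indicators are the ones worth promoting to detection logic once you have confirmed they stay quiet on your own terrain.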
Congratulations! Making it to this point in the article means you now know, at a high level, what the threat hunting process entails. As promised in the intro, the next several posts will dive into the various key elements of our hunt process including terrain analysis, threat analysis, hunt planning, and detection writing. Stay tuned!
If you’d like to find out how RADICL can help you get the most out of your threat hunting, Let’s Talk