Table of Contents
1. Intro to Hunting (p. 02)
2. Threat Hunting Maturity Model (p. 02)
3. Basic Requirement for Threat Hunting (p. 03)
4. The Pyramid of Pain (p. 04)
5. Importance of Threat Intelligence in Threat Hunting (p. 04)
6. Process to Conduct Threat Hunting (p. 05)
7. Risk Rating Measurement Matrix (p. 11)
Figure 1: A Successful Threat-hunting technique
Threat Hunting Procedures
1. Intro to Hunting – What It Is and Why It Is Important
Hunting is a proactive, hypothesis-based investigation process for cyber-attacks. Threat hunting is the
human-driven, proactive and iterative search through networks, endpoints, or datasets to detect
malicious, suspicious, or risky activities that have evaded detection by existing automated tools.
Threat hunting has been around for a while, but it has only recently become a focus of modern
enterprise Security Operation Centres (SOCs). Hunting can revolutionize the threat detection efforts
of an organization.
The purpose of hunting is specifically to find what has escaped the automated alerting and
monitoring systems. Hunting is searching for anomalies by patrolling through data, rather than
investigating an alert raised by the SIEM.
It is also important to keep in mind that successful hunting is tied to capabilities in three different
areas:
2. Threat Hunting Maturity Model
As mentioned, there are many kinds of techniques and practices that an analyst can pursue in hunting.
Hunting maturity is a measure of what kinds of techniques and data an analyst can work with. To help
assess current hunting capabilities and determine how analysts should aim to grow them, the
Hunting Maturity Model (HMM) is given below as a reference.
(The Hunting Maturity Model is only a prescriptive model; many organizations will be at varying
levels of capability, excelling at some criteria and less advanced in others.)
Figure 2: Threat-hunting maturity model
The Hunting Maturity Model describes five levels of an organization’s proactive detection capability.
Each level of maturity corresponds to how effectively an organization can hunt based on the data
they collect, their ability to follow and create data analysis procedures (DAP), and their level of
hunting automation. The HMM can be used by analysts and managers to measure current maturity
and provide a roadmap for improvement. Often these improvements focus on a combination of tools,
processes, and personnel.
3. Basic Requirement for Threat Hunting
Analytical Mindset: This is, without question, the most important skill an analyst can possess.
Without the innate curiosity in and pursuit of the “huh … that’s weird,” an analyst can have all the
data in the world, but they will inevitably find themselves missing pieces of the puzzle. The analyst
needs to be able to make reasoned assumptions and chart a new course when the trail runs cold.
Log Analysis: Logs from services and devices are just a couple of the most important and underutilized
sources of intelligence for any security department. The ability to analyze logs for anomalies and pivot
between data sources to see the big picture is a key competency.
Network Forensics: The ability to read and understand packet capture data and determine whether
network traffic is malicious. If you are fortunate enough to extend your NSM capabilities to the
endpoint with an EDR product, a sound foundation in host-based forensics is key to complement your
network knowledge.
Network Architecture: An understanding of different network devices and how they operate within
the environment.
Attacker Lifecycle: Understanding the different events that happen at any given stage in an attack
lifecycle will better prepare your analysts to compartmentalize and prioritize their findings and
activities.
Figure 3: Pyramid of Pain – Threat-hunting
Tools: This is an incredibly broad area, but at a foundational level, an understanding of how log
aggregators ingest data and of how packet capture analysis tools work is essential for the
analyst.
OS Architecture: Different operating systems represent different attack vectors. A strong grasp of
Windows- and Linux-based operating systems is essential.
Attack Methods: Exploit Kits, Malware, Phishing, and software misconfigurations. Understanding
how an attacker attempts to penetrate your network is key to hunting for indicators of the behavior.
4. The Pyramid of Pain
The Pyramid of Pain is a simple diagram that shows the relationship between the types of indicators
an analyst might use to detect an adversary's activities and how much pain it will cause to detect
the indicators of an incident/attack.
5. Importance of Threat Intelligence in Threat Hunting
Threat Intelligence or Cyber Threat Intelligence (CTI) is a part of cybersecurity that focuses on the
analysis and collection of information on both potential and current cyber-attacks that threaten the
security of an organization or its assets. Cyber Threat Intelligence is a proactive security measure that
prevents data or security breaches and saves the financial cost required to clean up such a mess after
a breach.
CTI's main objective is to provide companies with an in-depth understanding of the cyber-threats that
pose the greatest risks to their infrastructure and of how to protect their business in the long run.
Cyber threat intelligence gathers raw information about new and existing threat actors from many
different sources. CTI teams then analyze the collected data to produce threat intelligence feeds and
reports containing only the most important information, which can be used by automated security
controls and by management to make security decisions for the company. The fundamental purpose
of this kind of security is to keep companies informed of advanced threats and exploits.
6. Process to Conduct Threat Hunting
The threat hunting process starts with collecting the logs from all sources, such as security
solutions, databases, servers and applications. The best and easiest method to collect the
logs is to use a log management system such as a SIEM. After collecting and normalizing the
logs, the next step is to develop a hypothesis and apply it to the resulting data to start
hunting.
I. Gathering Data: Collect, Normalize, Analyse
The following are some of the types of logs that may be important to collect in the organization
environment:
• Configuration Management Database (CMDB)
• Application/service logs
• DHCP
• Proxy
• Web and Application Server
• Active Directory/LDAP
• Domain Name Service (DNS)
• Application Firewall
• Database Application and Transaction
• Host-based logs
• Host/Network IDS/IPS
• Firewall
• Antivirus
• Host-based logs
• Operating System (e.g., Windows Event and UNIX Syslog)
• Endpoint Detection and Response (EDR)
• Virtual Machine Hypervisor
• Network infrastructure logs
• VPN
• Router
• Firewall
• Load Balancer
The graphic below defines the data collection framework, which is designed to help organizations
focus on discovering and qualifying security incidents and attacks.
Figure 4: Data Collection Framework
II. Development of Hypothesis for Threat-hunting
After collecting, normalizing and analyzing the data, the next step is to develop the hypothesis
and apply it to the output of the data to start hunting. Below is the list of sources that help to
develop advanced threat hunting hypotheses:
Internal Sources: internal sources are data generated within the boundary of an organisation,
such as past incidents, SIEM alerts, VA/PT reports, etc. These data sources are very important and
helpful for the threat hunter in building a hypothesis. Hypotheses built on internal data
sources are very effective and realistic. Below are some examples of internal sources:
• Past incidents
• Reconnaissance attempts against your infrastructure
• Threats to specific line of business and industry verticals
• Threats to customers’ intellectual property
• VA/PT reports
External Sources: the external sources for developing a hypothesis are data generated outside the
boundary of an organisation or published by other vendors, such as threat intel feeds, TTPs of an
attack, OSINT, threat advisories, government advisories, etc. Hypotheses built on external sources
are proactive hypotheses that are one step ahead of the monitoring system. Below are some examples
of external sources:
Figure 5: MITRE ATT&CK Refresher
MITRE ATT&CK Recent Developments: https://attack.mitre.org/resources/updates/
• Paid intelligence feeds
• Open Source Intelligence (OSINT)
• Partnerships with government agencies
• Security Advisories
• TTP of an attack
• Cyber Kill Chain
III. List of Threat-hunting Hypotheses
Below is a list of some basic threat hunting hypotheses:
1. Proxy Logs Traffic Analysis Hypothesis
I. Hypothesis: Bytes uploaded stats/Data upload
Hunt For: Session uploaded data > 1 MB
Possible Threat: Data exfiltration
Format: Number of bytes, client IP, server IP, server port
II. Hypothesis: Bytes downloaded stats/file download
Hunt For: Session downloaded data > 3 MB
Possible Threat: Attacker downloading attack tools
Format: Number of bytes, client IP, server IP, server port
III. Hypothesis: HTTP host header/traffic on malicious domain/URL categories
Hunt For: Hosts not ending with .com | .net | .org & host length > 30 char
Possible Threat: DGA, suspicious domains (e.g. http://bit.ly/2jKNAhi or HTTP
traffic to an IP address instead of an FQDN)
Format: Traffic Count, HTTP host, URL Categories
IV. Hypothesis: HTTP referrer header
Hunt For: Malicious referring domains
Possible Threat: Watering hole and JS exploit kits
Format: Count, HTTP referrer, HTTP status code (302)
V. Hypothesis: HTTP user-agent header
Hunt For: Uncommon or non-existing User-Agents
Possible Threat: Malicious traffic
Format: Count, HTTP user-agent, HTTP status code
VI. Hypothesis: HTTP request methods/Suspicious HTTP request
Hunt For: Methods other than GET/POST
Possible Threat: Uploads (PUT method), tunnelling (CONNECT method) and
injection
Format: traffic count, HTTP method
VII. Hypothesis: HTTP number of requests/beaconing on suspicious domains
Hunt For: Clients sending increasing number of HTTP requests
Possible Threat: Beacons, tunnelling, and data exfiltration
Format: Count of traffic, client IP, server IP, Domain name, HTTP status code
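As an added example (not part of the original document), the proxy-log hypotheses I, II, III, V, VI and VII above implemented as Python hunts over a constructed CSV proxy log. The column names, the User-Agent allowlist and the beaconing parameters (minimum request count, maximum jitter) are assumptions; the 1 MB, 3 MB, 30-character and .com/.net/.org thresholds come from the hypotheses themselves.

```python
"""Proxy-log hunts from section III.1 (added example, not the document's code).
Assumed CSV columns: ts, client_ip, server_ip, server_port, method, host,
referrer, user_agent, status, bytes_sent (client upload), bytes_recv (download).
"""
import csv
import io
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Thresholds stated in hypotheses I, II and III.
UPLOAD_THRESHOLD = 1_000_000      # > 1 MB per session -> possible exfiltration
DOWNLOAD_THRESHOLD = 3_000_000    # > 3 MB per session -> possible tool download
COMMON_TLDS = (".com", ".net", ".org")
MAX_HOST_LEN = 30
# Assumed environment baseline for hypothesis V (tune per organisation).
KNOWN_UA_PREFIXES = ("Mozilla/5.0", "Microsoft-CryptoAPI")
# Assumed beaconing parameters for hypothesis VII: at least BEACON_MIN_REQUESTS
# from one client to one host, with near-constant spacing between them.
BEACON_MIN_REQUESTS, BEACON_MAX_JITTER_S = 4, 5.0

# Constructed sample log (not real traffic): a 2.4 MB upload, a 5 MB download
# from a long .xyz host, a CONNECT to a bare IP from curl, and a 60 s beacon.
SAMPLE_PROXY_LOG = """\
ts,client_ip,server_ip,server_port,method,host,referrer,user_agent,status,bytes_sent,bytes_recv
2024-05-01T09:00:00,10.1.1.5,93.184.216.34,443,GET,example.com,-,Mozilla/5.0 (Windows NT 10.0) Firefox/125.0,200,420,18500
2024-05-01T09:00:05,10.1.1.7,198.51.100.9,443,POST,files.example.net,-,Mozilla/5.0 (Windows NT 10.0) Chrome/124.0,200,2400000,900
2024-05-01T09:01:00,10.1.1.9,203.0.113.20,80,GET,xk3j9qpdl2mvz8wq1r7tbn4yc0hgsa.xyz,-,Mozilla/5.0 (Windows NT 10.0) Chrome/124.0,200,310,5000000
2024-05-01T09:02:00,10.1.1.9,203.0.113.20,80,CONNECT,203.0.113.20,-,curl/8.5.0,200,200,200
2024-05-01T09:00:00,10.1.1.12,203.0.113.44,443,GET,update.example.org,-,Microsoft-CryptoAPI/10.0,200,150,150
2024-05-01T09:01:00,10.1.1.12,203.0.113.44,443,GET,update.example.org,-,Microsoft-CryptoAPI/10.0,200,150,150
2024-05-01T09:02:00,10.1.1.12,203.0.113.44,443,GET,update.example.org,-,Microsoft-CryptoAPI/10.0,200,150,150
2024-05-01T09:03:00,10.1.1.12,203.0.113.44,443,GET,update.example.org,-,Microsoft-CryptoAPI/10.0,200,150,150
"""


def parse_proxy_log(text):
    """Parse the CSV into dicts with a typed timestamp and byte counters."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["bytes_sent"] = int(r["bytes_sent"])
        r["bytes_recv"] = int(r["bytes_recv"])
    return rows


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hunt_large_uploads(rows):        # Hypothesis I: data exfiltration
    return [r for r in rows if r["bytes_sent"] > UPLOAD_THRESHOLD]


def hunt_large_downloads(rows):      # Hypothesis II: attacker fetching tools
    return [r for r in rows if r["bytes_recv"] > DOWNLOAD_THRESHOLD]


def hunt_suspicious_hosts(rows):     # Hypothesis III: DGA-like names, bare IPs
    hits = []
    for r in rows:
        host = r["host"].lower()
        odd_name = not host.endswith(COMMON_TLDS) and len(host) > MAX_HOST_LEN
        if odd_name or is_ip_literal(host):
            hits.append(r)
    return hits


def hunt_unknown_user_agents(rows):  # Hypothesis V: UA outside the baseline
    return [r for r in rows if not r["user_agent"].startswith(KNOWN_UA_PREFIXES)]


def hunt_unusual_methods(rows):      # Hypothesis VI: PUT, CONNECT, ...
    return [r for r in rows if r["method"].upper() not in ("GET", "POST")]


def hunt_beacons(rows):              # Hypothesis VII: periodic client->host traffic
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["client_ip"], r["host"])].append(r["ts"])
    hits = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < BEACON_MIN_REQUESTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= BEACON_MAX_JITTER_S:   # evenly spaced
            hits.append({"client_ip": client, "host": host, "count": len(stamps),
                         "interval_s": statistics.mean(gaps)})
    return hits


def run_proxy_hunts(text):
    """Run every hunt and return {hunt_name: [matching rows or findings]}."""
    rows = parse_proxy_log(text)
    return {"large_upload": hunt_large_uploads(rows),
            "large_download": hunt_large_downloads(rows),
            "suspicious_host": hunt_suspicious_hosts(rows),
            "unknown_ua": hunt_unknown_user_agents(rows),
            "unusual_method": hunt_unusual_methods(rows),
            "beacon": hunt_beacons(rows)}
```

The byte thresholds are per session, so a slow exfiltration split across many small sessions will only surface through the beacon hunt or by summing bytes_sent per client over a longer window.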
2. Firewall Traffic Analysis Hypothesis
I. Hypothesis: SSH sessions
Hunt For: Unexpected connections
Possible Threat: Recon and lateral movements
Format: Count of traffic, client IP, server IP, server port
II. Hypothesis: RDP sessions/Unauthorized Remote desktop connection
Hunt For: Unexpected RDP clients/servers
Possible Threat: Lateral movements
Format: Count of traffic, client IP, server IP, server port
III. Hypothesis: IRC sessions/Suspicious malware communication
Hunt For: IRC clients
Possible Threat: C&C traffic and potential insider
Format: Count of traffic, client IP, server IP, server port
IV. Hypothesis: FTP sessions/Data exfiltration
Hunt For: Unexpected FTP clients/servers
Possible Threat: Lateral movements or data exfiltration
Format: Count of traffic, Client IP, Server IP, Server port
V. Hypothesis: TCP listening ports on private IPs/Inbound Traffic on critical ports
Hunt For: Unauthorized service
Possible Threat: Backdoors
Format: Count of sessions, TCP port, server IP, protocol
VI. Hypothesis: TCP listening ports on public IPs/outbound connection on suspicious IP
Hunt For: Abnormal port / protocol combination (e.g. non-HTTP carried
over port 80)
Possible Threat: Unauthorized communication channel
Format: Count of sessions, TCP port, protocol
3. Antivirus Traffic Analysis Hypothesis
I. Hypothesis: Continuous malware infection on a system
Hunt For: Recurring infection/malware reinfection
Possible Threat:
Format: Virus name, infected file, File Hash value, count of infection
II. Hypothesis: Uncleaned malware infection
Hunt For: Uncleaned malware
Possible Threat: New Malware/ransomware without signature
Format: Action Taken, Virus name, infected file, File Hash value, count of infection
4. Windows logs Analysis Hypothesis
I. Hypothesis: Detailed Tracking events/Process Creation
Hunt For: Suspicious process created by attacker/malware
Possible Threat: APT threat, New Malware
Format: Event ID 4688, 4689, New process name, Creator Process Name, Logon ID, Account
Name
II. Hypothesis: User added to privileged group
Hunt For: APT expansion/privilege escalation
Possible Threat: APT Attack/
Format: event ID 4732, 4728, 4756, 4746, 4751, 4761, Account name, Logon ID
III. Hypothesis: Detection of Mimikatz
Hunt For: Credential dumps
Possible Threat: APT Attack/
Format: event ID 4688, 4689, event data image: lsass.exe, Mimikatz.exe.
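As an added example (not the document's own code), the three Windows-log hypotheses above expressed as hunts over constructed 4688 and group-membership events. The event field names follow the Windows Security log; the Office parent list, the privileged-group list and the LOLBin list (taken from the "possible tools" bullet in section 5, with regsvc.exe read as regsvcs.exe) are assumptions.

```python
"""Windows Security-log hunts from section III.4 (added example, not the
document's code). Events are dicts keyed by Security-log field names
(EventID, NewProcessName, ParentProcessName, CommandLine, TargetUserName,
MemberName, SubjectUserName, SubjectLogonId)."""

# Assumed baselines: Office parents that should rarely spawn tooling, the
# "possible tools" list from section 5 (regsvc.exe read as regsvcs.exe),
# and the groups treated as privileged for hypothesis II.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "wmic.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe",
           "regasm.exe", "regsvcs.exe", "odbcconf.exe", "msbuild.exe", "certutil.exe",
           "bitsadmin.exe"}
GROUP_ADD_EVENT_IDS = {4732, 4728, 4756, 4746, 4751, 4761}   # from hypothesis II
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins",
                     "schema admins", "account operators", "backup operators"}

# Constructed sample events (not from a real host).
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "alice", "SubjectLogonId": "0x3e7a1",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden <one-liner fetching http://203.0.113.5/stage>"},
    {"EventID": 4688, "SubjectUserName": "alice", "SubjectLogonId": "0x3e7a1",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe"},
    {"EventID": 4688, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x5c110",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Users\Public\mimikatz.exe", "CommandLine": "mimikatz.exe"},
    {"EventID": 4688, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x5c110",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Temp\pd.exe",        # renamed dumper: a name hunt misses it
     "CommandLine": r"pd.exe -ma lsass.exe C:\Temp\l.dmp"},
    {"EventID": 4732, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x5c110",
     "TargetUserName": "Administrators", "MemberName": "CORP\\bob"},
    {"EventID": 4728, "SubjectUserName": "hr_admin", "SubjectLogonId": "0x7a2",
     "TargetUserName": "Marketing", "MemberName": "CORP\\carol"},
    {"EventID": 4756, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x5c110",
     "TargetUserName": "Enterprise Admins", "MemberName": "CORP\\bob"},
]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_process_creation(events):
    """Hypothesis I: 4688 events whose parent/child pair or command line is odd."""
    hits = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        child, parent = basename(e["NewProcessName"]), basename(e["ParentProcessName"])
        cmd = e.get("CommandLine", "").lower()
        reasons = []
        if parent in OFFICE_PARENTS and (child in LOLBINS or child == "cmd.exe"):
            reasons.append(f"{parent} spawned {child}")
        if child in LOLBINS and "http" in cmd:
            reasons.append(f"{child} given a URL on its command line")
        if reasons:
            hits.append({"account": e["SubjectUserName"], "logon_id": e["SubjectLogonId"],
                         "process": child, "parent": parent, "reasons": reasons})
    return hits


def hunt_privileged_group_changes(events):
    """Hypothesis II: a member added to a group we consider privileged."""
    return [{"event_id": e["EventID"], "group": e["TargetUserName"],
             "member": e["MemberName"], "by": e["SubjectUserName"],
             "logon_id": e["SubjectLogonId"]}
            for e in events
            if e["EventID"] in GROUP_ADD_EVENT_IDS
            and e["TargetUserName"].lower() in PRIVILEGED_GROUPS]


def hunt_credential_dumping(events):
    """Hypothesis III: Mimikatz by name, or any process whose command line
    targets lsass.exe; the second rule is what catches a renamed tool."""
    hits = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        child = basename(e["NewProcessName"])
        cmd = e.get("CommandLine", "").lower()
        if child == "mimikatz.exe":
            hits.append({"process": child, "account": e["SubjectUserName"],
                         "reason": "known credential-dumping tool name"})
        elif "lsass" in cmd:
            hits.append({"process": child, "account": e["SubjectUserName"],
                         "reason": "command line references lsass.exe"})
    return hits
```

Event 4688 carries CommandLine only when the "Include command line in process creation events" policy is enabled, so on default audit settings the command-line rules return nothing and only the name-based rules fire.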
5. Other Hunting Hypothesis
• Hunt for File-less Malware
• Hunt for Malware
• Hunt for Lateral Movements
• Hunt for Windows Event IDs
• Hunt for group policy violations
• Hunt for Network Beaconing
• Hunt for Insider Privilege Escalation
• Hunt for Privilege failures
• Hunt for PowerShell Errors
• Hunt for PowerShell Traces
• Hunt for Login Failures on Critical Servers
• Hunt for vulnerabilities
• Hunt for Persistence Threats
• Hunt for Registry violations
• Hunt for Network traffic denied by firewalls or IPS
• Hunt for Unusual DNS requests - either to malicious domains or internal flaws
• Hunt for Signs of DDoS activity and geographic irregularities
• Hunt for Mismatched port-application traffic
• Hunt for Unusual north-south or east-west network traffic
• Hunt for Anomalies
• Hunt for Unknown Network Shares
• Hunt for Network Recon tools
• Hunt for brute force RDP attempts
• Hunt for Suspicious File Types
• Hunt for Windows Admin Shares
• Hunt for RDP, PsExec, tasks created, tasks scheduled, WMI, services created
• Hunt for Parent/Child relationships - Process
• Hunt for Parent/Child relationships - MS Office
• Hunt for Parent/Child relationships - Cmd
• Hunt for Parent/Child relationships - PowerShell
• Hunt for Parent/Child relationships - Memory
• Hunt for Process Injection
• Hunt for Windows one-liners used to download remote payloads (see the tools below)
• Possible tools: powershell.exe, wmic.exe, regsvr32.exe, rundll32.exe, mshta.exe, regasm.exe,
regsvcs.exe, odbcconf.exe, msbuild.exe, certutil.exe, bitsadmin.exe
• Hunt for Masquerading
• Hunt for Privilege Escalation - Access token manipulation
• Hunt for Privilege Escalation - Weak service permissions
• Hunt for UAC Bypass
• Hunt for Credential Dumping
• Hunt for Credentials Dumping - Dump SAM/SECURITY registry hives
• Hunt for Credentials Dumping - Shadow Copies
• Hunt for Mimikatz cmds / Hunting DCShadow
• Hunt for Credentials Dumping - LSASS memory access
• Hunt for Suspicious Services. Services that run executables from %systemroot%.
• Hunt for Suspicious Services. Services that run PowerShell
• Hunt for Beaconing
• Hunt for BOT Activity
• Hunt for Malicious Domains & DNS Tunneling
7. Risk Rating Measurement Matrix
This rating is reserved for threats that will result in an impact to the organization.
HIGH
A threat is categorized as HIGH if:
• it involves critical organization assets
• attempts to evade standard signature-based detections
• exfiltrates data outside the organization
• attempts to create a communication link with external Command & Control
• it results in direct reputational or financial loss for the organization
MEDIUM
A threat is categorized as MEDIUM if:
• it involves limited infections at endpoints
• malware on a system that cannot be cleaned/deleted/quarantined
• attempts to connect externally that get blocked
• access to suspicious domains or IP addresses
LOW
A threat is categorized as LOW if:
• it involves attempted attacks from external sources
• threats related to security misconfiguration in systems
• access to non-standard or non-business domains or IP addresses
• it involves the installation of unnecessary applications (not necessarily malicious)
Prepared By:
-Vishal Kumar
Threat Analyst
Threat Hunting Procedures and Measurement Matrice

  • 1. 1 | P a g e Table of Content CONTENTS INTRO TO HUNTING............................................................................................................................ 02 THREAT HUNTING MATURITY MODEL................................................................................................. 02 BASIC REQUIREMENT FOR THREAT HUNTING...................................................................................... 03 THE PYRAMID OF PAIN ....................................................................................................................... 04 IMPORTANCE OF THREAT INTELLIGENCE IN THREAT HUNTING ............................................................ 04 PROCESS TO CONDUCT THREAT HUNTING........................................................................................... 05 RISK RATING MEASUREMENT MATRIX ................................................................................................ 11
  • 2. 2 | P a g e Figure 1: A Successful Threat-hunting technique Threat Hunting Procedures 1. Intro to Hunting – What it is, Why It’s Important, Hunting is a proactive, hypothesis-based investigation process of cyber-attacks. Threat hunting is the human-driven, proactive and iterative search through networks, endpoints, or datasets to detect malicious, suspicious, or risky activities that have evaded detection by existing automated tools. Threat hunting has been around for a while, but it has only recently become a focus of modern enterprise Security Operation Centres (SOCs). Hunting can revolutionize the threat detection efforts of an organization, The purpose of hunting is specifically to find what is escaped by the automated alerting and monitoring systems. Hunting is searching for anomalies by patrolling through data, rather than investigating a call in from SIEM. It is also important to keep in mind that successful hunting is tied to capabilities in three different areas: 2. Threat Hunting Maturity Model As mentioned, there are many kinds of techniques and practices that an analyst can pursue in hunting. Hunting maturity is a measure of what kinds of techniques and data analyst can work with. To help assess the current hunting capabilities and determine how analyst should be aiming to grow them, below is the reference of the Hunting Maturity Model (HMM). (the Hunting Maturity Model is just a prescriptive model, and many organizations will sometimes be at varying levels of capabilities: excelling at some criteria and less advanced in others)
  • 3. 3 | P a g e Figure 2: Threat-hunting maturity model The Hunting Maturity Model describes five levels of an organization’s proactive detection capability. Each level of maturity corresponds to how effectively an organization can hunt based on the data they collect, their ability to follow and create data analysis procedures (DAP), and their level of hunting automation. The HMM can be used by analysts and managers to measure current maturity and provide a roadmap for improvement. Often these improvements focus on a combination of tools, processes, and personnel. 3. Basic Requirement for Threat Hunting Analytical Mindset: This is, without question, the most important skill an analyst can possess. Without the innate curiosity in and pursuit of the “huh … that’s weird,” an analyst can have all the data in the world, but they will inevitably find themselves missing pieces of the puzzle. The analyst needs to be able to make reasoned assumptions and chart a new course when the trail runs cold. Log Analysis: Logs from services and devices are just a couple of the most important and underutilized sources of intelligence for any security department. The ability to analyze logs for anomalies and pivot between data sources to see the big picture is a key competency. Network Forensics: The ability to read and understand packet capture data and determine the malicious nature of network traffic. If you’re fortunate enough to extend your NSM capabilities to the endpoint with an EDR product, a sound foundation in host-based forensics is key to compliment your network knowledge. Network Architecture: An understanding of different network devices and how they operate within the environment. Attacker Lifecycle: Understanding the different events that happen at any given stage in an attack lifecycle will better prepare your analysts to compartmentalize and prioritize their findings and activities.
  • 4. 4 | P a g e Figure 3: Pyramid of Pain – Threat-hunting Tools: This is an incredibly broad area, but at a foundational level, an understanding of how log aggregators ingest data as well as the function of packet capture analysis tools are essential for the analyst to understand. OS Architecture: Different operating systems represent different attack vectors. A strong grasp of Windows- and Linux-based operating systems is essential. Attack Methods: Exploit Kits, Malware, Phishing, and software misconfigurations. Understanding how an attacker attempts to penetrate your network is key to hunting for indicators of the behavior. 4. The Pyramid of Pain The Pyramid of Pain is the simple diagram shows the relationship between the types of indicators that analyst might use to detect an adversary’s activities and how much pain it will cause to analyst to detect the indicators of an incident/attack. 5. Importance of Threat Intelligence in Threat Hunting Threat Intelligence or Cyber Threat Intelligence (CTI) is a part of cybersecurity that focuses on the analysis and collection of information on both potential and current cyber-attacks that threaten the security of an organization or its assets. Cyber Threat Intelligence is a proactive security measure that prevents data or security breaches and saves the financial cost required to clean up such a mess after a breach.
  • 5. 5 | P a g e CTI’s main objective is to provide companies an in-depth understanding about the cyber-threats that poses the greatest risks to their infrastructure and how to protect their business in the long run Cyber threat intelligence gathers raw information about new and existing threat actors from many different sources. CTI teams then analyze the collected data to produce appropriate threat intelligence management and feeds reports full of only the most important information that can be utilized by automated security control solutions and management to make security decisions for the company. The fundamental purpose of this kind of security is that it helps to keep companies informed of the advanced threats and exploits. 6. Process to Conduct Threat Hunting Threat hunting process starts with collecting the logs of all the sources such as security solution, database, servers, application logs etc. the best and easy method to collect the logs is to use the log management device such as SIEM. After the collecting the logs and normalizing the logs the next step is to develop the hypothesis and apply on the output of data to start the hunting. I. Gathering Data: Collect, Normalize, Analyse The following are some of the types of logs that may be important to collect in the organization environment: • Configuration Management Database (CMDB) • Application/service logs • DHCP • Proxy • Web and Application Server • Active Directory/LDAP • Domain Name Service (DNS) • Application Firewall • Database Application and Transaction • Host-based logs • Host/Network IDS/IPS • Firewall • Antivirus • Host-based logs • Operating System (e.g., Windows Event and UNIX Syslog) • Endpoint Detection Response (EDR) • Virtual Machine Hypervisor • Network infrastructure logs • VPN • Router • Firewall • Load Balancer The below graphic is defining the data collection framework which is designed to help organizations focus on discovering and qualifying the security incidents and attack.
Figure 4: Data Collection Framework

II. Development of Hypothesis for Threat-hunting

After collecting, normalizing and analyzing the data, the next step is to develop a hypothesis and apply it to the resulting data to start hunting. Below is the list of sources that help to develop advanced threat hunting hypotheses:

Internal Sources: internal sources are data generated within the boundary of an organisation, such as past incidents, SIEM alerts, VA/PT reports, etc. These data sources are very important and helpful for a threat hunter to build a hypothesis. Hypotheses built on internal data sources are very effective and realistic. Below are some examples of internal sources:
• Past incidents
• Reconnaissance attempts against your infrastructure
• Threats to specific lines of business and industry verticals
• Threats to customers’ intellectual property
• VA/PT reports

External Sources: the external sources for hypothesis development are data generated outside the boundary of an organisation or published by other vendors, such as threat intel feeds, TTPs of an attack, OSINT, threat advisories, govt. advisories, etc. Hypotheses built on external sources are proactive hypotheses that are one step ahead of the monitoring system. Below are some examples of external sources:
• Paid intelligence feeds
• Open Source Intelligence (OSINT)
• Partnerships with government agencies
• Security Advisories
• TTP of an attack
• Cyber Kill Chain

Figure 5: MITRE ATT&CK Refresher
MITRE ATT&CK Recent Developments: https://attack.mitre.org/resources/updates/

III. List of Threat-hunting Hypothesis

Below is the list of some basic threat hunting hypotheses:

1. Proxy Logs Traffic Analysis Hypothesis

I. Hypothesis: Bytes uploaded stats/Data upload
   Hunt For: Session uploaded data > 1 MB
   Possible Threat: Data exfiltration
   Format: Number of bytes, client IP, server IP, server port

II. Hypothesis: Bytes downloaded stats/file download
   Hunt For: Session downloaded data > 3 MB
   Possible Threat: Attacker downloading attack tools
   Format: Number of bytes, client IP, server IP, server port

III. Hypothesis: HTTP host header/traffic on malicious domain/URL categories
   Hunt For: Hosts not ending with .com | .net | .org & host length > 30 char
   Possible Threat: DGA, suspicious domains (e.g. http://bit.ly/2jKNAhi or HTTP traffic to an IP address instead of FQDN)
   Format: Traffic Count, HTTP host, URL Categories
IV. Hypothesis: HTTP referrer header
   Hunt For: Malicious referring domains
   Possible Threat: Watering hole and JS exploit kits
   Format: Count, HTTP referrer, HTTP status code (302)

V. Hypothesis: HTTP user-agent header
   Hunt For: Uncommon or non-existent User-Agents
   Possible Threat: Malicious traffic
   Format: Count, HTTP user-agent, HTTP status code

VI. Hypothesis: HTTP request methods/Suspicious HTTP request
   Hunt For: Methods other than GET/POST
   Possible Threat: Uploads (PUT method), tunnelling (CONNECT method) and injection
   Format: Traffic count, HTTP method

VII. Hypothesis: HTTP number of requests/beaconing on suspicious domains
   Hunt For: Clients sending an increasing number of HTTP requests
   Possible Threat: Beacons, tunnelling, and data exfiltration
   Format: Count of traffic, client IP, server IP, Domain name, HTTP status code

2. Firewall Traffic Analysis Hypothesis

I. Hypothesis: SSH sessions
   Hunt For: Unexpected connections
   Possible Threat: Recon and lateral movements
   Format: Count of traffic, client IP, server IP, server port

II. Hypothesis: RDP sessions/Unauthorized Remote desktop connection
   Hunt For: Unexpected RDP clients/servers
   Possible Threat: Lateral movements
   Format: Count of traffic, client IP, server IP, server port

III. Hypothesis: IRC sessions/Suspicious malware communication
   Hunt For: IRC clients
   Possible Threat: C&C traffic and potential insider
   Format: Count of traffic, client IP, server IP, server port

IV. Hypothesis: FTP sessions/Data exfiltration
   Hunt For: Unexpected FTP clients/servers
   Possible Threat: Lateral movements or data exfiltration
   Format: Count of traffic, Client IP, Server IP, Server port

V. Hypothesis: TCP listening ports on private IPs/Inbound Traffic on critical ports
   Hunt For: Unauthorized service
   Possible Threat: Backdoors
   Format: Count of sessions, TCP port, server IP, protocol

VI. Hypothesis: TCP listening ports on public IPs/outbound connection on suspicious IP
   Hunt For: Abnormal port/protocol combination (e.g. non-HTTP carried over port 80)
   Possible Threat: Unauthorized communication channel
   Format: Count of sessions, TCP port, protocol

3. Antivirus Traffic Analysis Hypothesis

I. Hypothesis: Continuous malware infection on a system
   Hunt For: Recurring/Malware reinfection
   Possible Threat:
   Format: Virus name, infected file, File Hash value, count of infection

II. Hypothesis: Uncleaned malware infection
   Hunt For: Uncleaned malware
   Possible Threat: New Malware/ransomware without signature
   Format: Action Taken, Virus name, infected file, File Hash value, count of infection

4. Windows Logs Analysis Hypothesis

I. Hypothesis: Detailed Tracking events/Process Creation
   Hunt For: Suspicious process created by attacker/malware
   Possible Threat: APT threat, New Malware
   Format: Event ID 4688, 4689, New process name, Creator Process Name, Logon ID, Account Name

II. Hypothesis: User added to privileged group
   Hunt For: APT Expansion/Privilege escalation
   Possible Threat: APT Attack/
   Format: Event ID 4732, 4728, 4756, 4746, 4751, 4761, Account name, Logon ID

III. Hypothesis: Detection of Mimikatz
   Hunt For: Credential dumps
   Possible Threat: APT Attack/
   Format: Event ID 4688, 4689, event data image: lsass.exe, Mimikatz.exe
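The proxy-log hypotheses in section 1 above (upload > 1 MB, download > 3 MB, hosts longer than 30 characters outside .com/.net/.org or an IP literal instead of an FQDN, methods other than GET/POST, and beaconing) are simple enough to express as filters over normalized proxy sessions. The following Python is an added example, not code from this document: it runs those hunts over a constructed set of sessions in an assumed normalized shape (client IP, HTTP host, server IP and port, method, bytes out and in, epoch timestamp). The beacon check goes beyond the page's "increasing number of requests" wording by also scoring how regular the gaps between a client's requests to one host are; that refinement, and its thresholds, are assumptions for the example.

```python
"""Proxy-log hunts from the hypothesis list over constructed sessions (added example)."""
from collections import defaultdict
from ipaddress import ip_address
from statistics import mean, pstdev

MB = 1_000_000                       # thresholds from the hypothesis list: > 1 MB up, > 3 MB down
COMMON_TLDS = {"com", "net", "org"}  # the TLDs the host-length hypothesis excludes


def ev(ts, client, host, server, port, method, bytes_out, bytes_in):
    """Build one normalized proxy session record (assumed schema for this example)."""
    return {"ts": ts, "client": client, "host": host, "server": server, "port": port,
            "method": method, "bytes_out": bytes_out, "bytes_in": bytes_in}


# Constructed data: private clients, documentation-range server IPs, .test hostnames.
PROXY_EVENTS = [
    ev(1000, "10.0.0.5", "files.example.test", "203.0.113.20", 443, "POST", 2_400_000, 900),  # large upload
    ev(1010, "10.0.0.6", "cdn.example.test", "203.0.113.21", 443, "GET", 700, 5_200_000),    # large download
    ev(1020, "10.0.0.7", "xk3jd9qpl2mvz8wq4tnrbyc6hsfa1e.info", "203.0.113.22", 80, "GET", 300, 1200),  # long, uncommon TLD
    ev(1030, "10.0.0.7", "203.0.113.23", "203.0.113.23", 80, "GET", 300, 800),               # IP literal, no FQDN
    ev(1040, "10.0.0.8", "relay.example.test", "203.0.113.24", 443, "CONNECT", 500, 500),    # method other than GET/POST
    ev(1050, "10.0.0.5", "www.example.test", "203.0.113.25", 443, "GET", 400, 9000),         # ordinary browsing
] + [
    # six requests roughly 60 s apart from one client to one host: a beacon candidate
    ev(2000 + i * 60 + (i % 2), "10.0.0.9", "update.example.test", "203.0.113.26", 443, "GET", 200, 200)
    for i in range(6)
]


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_host(host):
    """Hypothesis III: IP literal, or length > 30 with a TLD outside .com/.net/.org."""
    tld = host.rsplit(".", 1)[-1].lower()
    return is_ip_literal(host) or (tld not in COMMON_TLDS and len(host) > 30)


def hunt_large_uploads(events, limit=1 * MB):
    return [e for e in events if e["bytes_out"] > limit]


def hunt_large_downloads(events, limit=3 * MB):
    return [e for e in events if e["bytes_in"] > limit]


def hunt_suspicious_hosts(events):
    return [e for e in events if suspicious_host(e["host"])]


def hunt_unusual_methods(events):
    return [e for e in events if e["method"] not in ("GET", "POST")]


def hunt_beacons(events, min_requests=5, max_cv=0.2):
    """Flag (client, host) pairs with enough requests whose gaps are nearly constant.

    cv = stdev(gaps) / mean(gaps); a value near 0 means machine-like timing.
    The thresholds are assumptions; tune them against the environment's baseline.
    """
    stamps_by_pair = defaultdict(list)
    for e in events:
        stamps_by_pair[(e["client"], e["host"])].append(e["ts"])
    findings = []
    for (client, host), stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "count": len(stamps),
                             "mean_gap_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


def run_hunts(events):
    """Run every proxy hunt and return findings keyed by hypothesis."""
    return {
        "large_uploads": hunt_large_uploads(events),
        "large_downloads": hunt_large_downloads(events),
        "suspicious_hosts": hunt_suspicious_hosts(events),
        "unusual_methods": hunt_unusual_methods(events),
        "beacons": hunt_beacons(events),
    }


if __name__ == "__main__":
    for name, hits in run_hunts(PROXY_EVENTS).items():
        print(f"{name}: {len(hits)} finding(s)")
```

The byte thresholds produce many benign hits on real traffic (software updates, cloud storage), so in practice the output of each hunt is reviewed in the "Format" columns the hypothesis names, with the client and destination fields used to baseline what is normal for that host before anything is escalated.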
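The Windows log hypotheses in section 4 name the fields a hunter works with: Event ID 4688 with New Process Name, Creator Process Name, Logon ID and Account Name, the group-membership event IDs 4728/4732/4756/4746/4751/4761, and the Mimikatz image name. The following Python is an added example, not code from this document: it runs those hunts over constructed event records shaped after those fields. The flattened field names (NewProcessName, CreatorProcessName, GroupName, MemberName), the set of sensitive groups and the Office-parent/shell-child pairs are assumptions for the example, as is the extension of the 4688 hunt to parent/child relationships.

```python
"""Windows Security log hunts for the section-4 hypotheses (added example)."""

PROCESS_CREATE_ID = 4688
GROUP_ADD_IDS = {4728, 4732, 4756, 4746, 4751, 4761}        # from the hypothesis list
SENSITIVE_GROUPS = {"administrators", "domain admins",       # assumed list for this example
                    "enterprise admins", "schema admins"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
CRED_DUMP_IMAGES = {"mimikatz.exe"}   # the image name the hypothesis list hunts for

# Constructed events: field names are a flattened form of the labels in the hypothesis list.
WIN_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CreatorProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "AccountName": "alice", "LogonId": "0x5a1b2"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\bob\Downloads\mimikatz.exe",
     "CreatorProcessName": r"C:\Windows\System32\cmd.exe",
     "AccountName": "bob", "LogonId": "0x7c3d4"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\explorer.exe",      # benign logon chain
     "CreatorProcessName": r"C:\Windows\System32\userinit.exe",
     "AccountName": "alice", "LogonId": "0x5a1b2"},
    {"EventID": 4689, "ProcessName": r"C:\Windows\System32\cmd.exe",     # process exit: ignored
     "AccountName": "alice", "LogonId": "0x5a1b2"},
    {"EventID": 4732, "GroupName": "Administrators",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=example",
     "AccountName": "svc_helpdesk", "LogonId": "0x9e0f1"},
    {"EventID": 4732, "GroupName": "Remote Desktop Users",               # not in the sensitive set
     "MemberName": "CN=carol,CN=Users,DC=corp,DC=example",
     "AccountName": "svc_helpdesk", "LogonId": "0x9e0f1"},
]


def image_name(path):
    """Lower-cased file name of a process path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_process_creation(events):
    """Hypotheses I and III over Event ID 4688: suspicious parent/child pairs and dump tools.

    Matching on the image name is the weakest form of the Mimikatz hunt (a renamed
    binary evades it); the lsass.exe access pattern the list also names is stronger.
    """
    findings = []
    for e in events:
        if e.get("EventID") != PROCESS_CREATE_ID:
            continue
        child = image_name(e["NewProcessName"])
        parent = image_name(e.get("CreatorProcessName", ""))
        base = {"account": e.get("AccountName"), "logon_id": e.get("LogonId"),
                "parent": parent, "child": child}
        if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
            findings.append({"rule": "office-spawns-shell", **base})
        if child in CRED_DUMP_IMAGES:
            findings.append({"rule": "credential-dump-tool", **base})
    return findings


def hunt_privileged_group_changes(events):
    """Hypothesis II: membership added to a sensitive group (IDs from the list)."""
    return [
        {"event_id": e["EventID"], "group": e["GroupName"], "member": e.get("MemberName"),
         "account": e.get("AccountName"), "logon_id": e.get("LogonId")}
        for e in events
        if e.get("EventID") in GROUP_ADD_IDS
        and e.get("GroupName", "").lower() in SENSITIVE_GROUPS
    ]


def run_hunts(events):
    return {
        "process_creation": hunt_process_creation(events),
        "privileged_group_changes": hunt_privileged_group_changes(events),
    }


if __name__ == "__main__":
    for name, hits in run_hunts(WIN_EVENTS).items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

Both hunts depend on the audit policy actually producing these events: 4688 requires process-creation auditing to be enabled, and the group-change IDs require account-management auditing, so a hunt that returns nothing should first be checked against the event volume the logs contain.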
5. Other Hunting Hypothesis

• Hunt for File-less Malware
• Hunt for Malware
• Hunt for Lateral Movements
• Hunt for Windows Event IDs
• Hunt for group policy violations
• Hunt for Network Beaconing
• Hunt for Insider Privilege Escalation
• Hunt for Privilege failures
• Hunt for PowerShell Errors
• Hunt for PowerShell Traces
• Hunt for Login Failures on Critical Servers
• Hunt for vulnerabilities
• Hunt for Persistence Threats
• Hunt for Registry violations
• Hunt for Network traffic denied by firewalls or IPS
• Hunt for Unusual DNS requests, either to malicious domains or internal flaws
• Hunt for Signs of DDoS activity and geographic irregularities
• Hunt for Mismatched port-application traffic
• Hunt for Unusual north-south or east-west network traffic
• Hunt for Anomalies
• Hunt for Unknown Network Shares
• Hunt for Network Recon tools
• Hunt for brute force RDP attempts
• Hunt for Suspicious File Types
• Hunt for Windows Admin Shares
• Hunt for RDP, PSEXEC, Task created, Task scheduled, WMI, Services created
• Hunt for Parent/Child relationships - Process
• Hunt for Parent/Child relationships - MS Office
• Hunt for Parent/Child relationships - Cmd
• Hunt for Parent/Child relationships - PowerShell
• Hunt for Parent/Child relationships - Memory
• Hunt for Process Injection
• Hunt for Windows one-liners to download remote payloads; possible tools:
  • powershell.exe, wmic.exe, regsvr32, rundll32.exe, mshta.exe, regasm.exe, regsvc.exe, odbcconf.exe, msbuild.exe, certutil.exe, bitsadmin.exe
• Hunt for Masquerading
• Hunt for Privilege Escalation - Access token manipulation
• Hunt for Privilege Escalation - Weak service permissions
• Hunt for UAC Bypass
• Hunt for Credential Dumping
• Hunt for Credential Dumping - Dump SAM/SECURITY registry hives
• Hunt for Credential Dumping - Shadow Copies
• Hunt for Mimikatz cmds / Hunting DCShadow
• Hunt for Credential Dumping - LSASS memory access
• Hunt for Suspicious Services: services that run executables from %systemroot%
• Hunt for Suspicious Services: services that run PowerShell
• Hunt for Beaconing
• Hunt for BOT Activity
• Hunt for Malicious Domains & DNS Tunneling

7. Risk Rating Measurement Matrix

This rating is reserved for threats that will result in an impact on the organization.

HIGH
A threat is categorized as HIGH if:
• it involves critical organization assets
• it attempts to evade standard signature-based detections
• it exfiltrates data outside the organization
• it attempts to create a communication link with an external Command & Control server
• it results in direct reputational or financial loss for the organization

MEDIUM
A threat is categorized as MEDIUM if:
• it involves limited infections at endpoints
• it involves malware on a system that cannot be cleaned/deleted/quarantined
• it attempts to connect externally and the attempt is blocked
• it involves access to suspicious domains or IP addresses

LOW
A threat is categorized as LOW if:
• it involves attack attempts from external sources
• it involves threats related to security misconfiguration in systems
• it involves access to non-standard or non-business domains or IP addresses
• it involves the installation of unnecessary applications (not necessarily malicious)

Prepared By: Vishal Kumar, Threat Analyst