Building your Threat Hunting Framework: Key Considerations

Threat hunting shifts security operations from reactive to proactive by searching for signs of attacker tactics, techniques, and procedures (TTP) within an environment that have evaded or haven’t yet been picked up by existing detection technologies. Part of the difficulty of efficient and successful threat hunting is that it’s often conducted chaotically due to a lack of vendor-agnostic prescriptive models or frameworks. Here are five key considerations for building your own threat-hunting framework so that you can make your threat hunting processes repeatable and efficient. 

1. Formulate Useful Hypotheses

Any successful threat hunt should mirror a scientific endeavor in which you seek to test the validity of a hypothesis. This hypothesis is an assumption based on limited evidence that you want to use as a springboard for further investigation.

Central to the formulation of any useful threat hunting hypothesis is that it’s intelligence-driven and accounts for business requirements. In other words, you must base any hypothesis on being able to provide a good answer to the question, “why are you threat hunting?”

Cyber threat intelligence feeds provide actionable information on the characteristics of previous attacks, common access vectors used by threat actors, and the techniques and procedures that adversaries employ. This intelligence can either be from:

  1. high-level strategic intel that provides information on adversary motivations, abilities, and associated targets without technical details
  2. more targeted tactical intelligence that drills down into specific TTPs associated with a threat actor or malware family. 

Threat intelligence is a crucial element that guides threat hunting priorities and hypotheses in the right direction. Scoping each hypothesis to specific business requirements or concerns is also important, whether that means assisting with regulatory compliance, avoiding data breaches, or reducing unknown risks.  

An example of a hypothesis could read something like, “the threat actor is using pass-the-hash techniques on the NTLM protocol for lateral movement to breach PHI”. After formulating useful hypotheses, you can then identify the most important questions to answer in order to either prove or disprove your assumptions. 

2. Identify Your Data Sources

Figuring out the best sources of data to collect for testing a specific hypothesis is vital for any threat hunt. When there is no data or the data is not carefully selected, you either don’t have anything to investigate, or you end up not effectively testing your hypotheses.

Use the natural questions that emerge from a given hypothesis to identify appropriate data sources. Continuing the example of the NTLM lateral movement hypothesis, a natural question that emerges is “what does the normal baseline NTLM activity look like?” The obvious first source of data is the log events for NTLM authentication. 

Many of the most successful threat hunting teams use a collection management framework (CMF) to provide a repeatable structure for identifying data sources and determining the actionable and obtainable data from each source. The CMF helps understand the necessary data by answering:

  • What data must be obtained and from which systems?
  • What is available in the data?
  • How long is the data stored/retained?
  • What types of questions can the data answer?

Threat hunting teams can document the CMF using either a whiteboard or a simple spreadsheet. With your data sources carefully chosen, you are then well-positioned to analyze them and spot anomalies or other patterns that indicate whether your hypothesis is true or false. 

3. Use an Adversarial Model

Adversarial frameworks like the MITRE Attack framework map different tactics and techniques to recommended data sources that can help to detect specific threats. This can further narrow down the sources of information you should look for when testing a hypothesis. 

However, adversarial models are not just useful for finding good data sources. Another benefit of these models is that they outline all the steps a threat actor takes to compromise your environment and complete their objectives. Knowing where an adversary is likely to be allows threat hunters to stay one step ahead of them along the cyber kill chain and prevent them from meeting their goals. 

4. Automate Where Possible and Document Your Results

Automation has an important role to play in threat hunting. When you need to conduct any task more than once, it’s often a good candidate for automation. For example, when it comes to analyzing data, instead of time-consuming manual tasks, consider pushing all your data into a centralized SIEM that automatically aggregates, correlates, and analyzes the information for you. Running recurring scans or identifying suspicious malware, domains, and other indicators of compromise (IoCs) are other candidate processes suited to automation.  

It’s imperative to have a concise and clear written record of threat hunting activities. Good documentation makes future threat hunting efforts more efficient. The reported findings could include interesting observations, missing/incomplete data, false positives, true positives,

or any other relevant information that improves the understanding of your environment. The purpose, hypotheses, all data sources, and TTPs being investigated should also be clear in your documentation. 

5. Measure Success

It’s tempting to conclude that not finding an attacker during a threat hunt is a clear sign of faiure, but this is not the case. The success of threat hunting becomes easier to communicate when you set and measure useful metrics. From a high-level perspective, these metrics could include:

  • The number of hunts conducted within a certain period (e.g. quarterly)
  • Time spent overall and on individual threat hunts
  • Percentage of hypotheses effectively tested
  • Number of declared incidents triggered by threat hunting versus traditional alerts 

These metrics are particularly useful in communicating to management or decision-makers the contribution of threat hunting in improving security operations and security posture.  

Attack Surface Driven Hunting

Attack surface discovery maps out the set of points on the boundary of a system, a system

element, or an environment where an unauthorized party can infiltrate the system and access data. This attack surface is increasingly external in nature, with threat actors exploiting misconfigured public cloud servers, leaked credentials, and external source code repositories. 

Attack surface driven threat hunting smartly prioritizes hunts based on the threats that are directly associated with the available attack surface of your organization. Visibility into your attack surface is the basis for this prioritization. 

Flare is a digital footprint solution that generates a real-time view of your external attack surface. Flare enables threat hunters to work more effectively by eliminating noise and allowing security professionals to focus on high-risk threats that have the most probability of successfully infiltrating your network. 

Sign up for a free trial here.