
Threat hunting frameworks, techniques and methodologies

Threat hunting's proactive approach plays a vital role in defending against cyberattacks. Learn about the frameworks, methodologies and techniques that make it so effective.

A threat hunting framework enables security teams to quickly ingest new threat intelligence, such as current indicators of compromise and tactics, techniques, and procedures, formulate these into queries across the relevant systems and network space, and centrally analyze results that might warrant further investigation or response.

Why are threat hunting frameworks important?

More organizations than ever are adopting threat hunting models and frameworks to help guide their security operations and investigations teams when looking for suspicious and malicious behavior in their environments. There are several reasons threat hunting has grown in prominence as a core practice, including the security community's better understanding of attacker behaviors and attack indicators, improved sharing of threat intelligence and the maturity of tools that facilitate hunting at scale through granular queries, such as endpoint detection and response (EDR).

Threat hunting methodologies

As the concept of threat hunting has taken hold in the security community, numerous methodologies have been released that will help security teams build an effective threat hunting program. Here are some of the most prevalent.

Sqrrl Threat Hunting Reference Model

Created in 2015, the Sqrrl model is still widely regarded as one of the most influential early threat hunting strategies. As much a philosophy as a framework, it introduced the first hunting process loop, with the following phases:

  • Generate a hypothesis. This hypothesis will likely be related to the events occurring and how/where they occurred.
  • Investigate using threat hunting tools and techniques.
  • Look for any attack patterns and TTPs.
  • Use evidence (or lack thereof) to inform and enhance investigations.

Targeted Hunting integrating Threat Intelligence (TaHiTI)

The TaHiTI framework aims to combine threat intelligence and threat hunting more readily into a single model. It builds on the Sqrrl model by generating new threat intelligence from hunting activities, which then feeds back into the intelligence used for adversary analysis and further hunting exercises. Taking active threat hunting feedback and correlating it through automation tools, analytics and machine learning techniques is now a mainstay of threat hunting models, largely due to TaHiTI.

Prepare, Execute and Act with Knowledge (PEAK)

The PEAK threat hunting methodology expands threat hunting with three different hunting models:

  • Hypothesis-driven hunts.
  • Baseline hunts, which look for anomalies against an established baseline.
  • Model-assisted hunts, which are based on analytic models.

PEAK also places heavy emphasis on statistical analysis and data categories, as well as on event timing and the aggregation of event-time analysis.

The Open Threat Hunting Framework (OTHF)

OTHF is a newer project that expands threat hunting frameworks to also cover governance, staffing, data types and use cases for hunting, along with concrete tactical recommendations for operationalizing and performing threat hunting in an organization.

Mitre ATT&CK

Most in the industry are familiar with the Mitre ATT&CK framework, which catalogs adversary tactics and techniques and can inform common threat models while hunting for IoCs and TTPs. While not necessarily prescriptive, ATT&CK can serve as a backdrop to any and all other threat hunting activities when looking for behaviors and common attacker actions.

Threat hunting methodologies also often align with ancillary projects, such as David Bianco's Pyramid of Pain, which ranks indicators from atomic IoCs up to TTPs and helps define the criticality and priority of detection scenarios.

Key threat hunting techniques

A comprehensive approach to threat hunting uses several methodologies to address different kinds of threats. When evaluating core threat hunting techniques, security teams should consider structured threat hunting based on pre-attack methods and TTPs from frameworks such as Mitre ATT&CK; unstructured threat hunting based on IoCs and real-time threat intelligence; and situational threat hunting focused on a current campaign or immediate threat.

The following are some common threat hunting models:

  • Structured threat hunting that focuses on known TTPs and Mitre ATT&CK behaviors, such as account hijacking and lateral movement.
  • Unstructured threat hunting typically driven by internal IoCs that originate from investigations and response efforts, which in turn usually include specific content and activity across systems and identities within each particular organization.
  • Situational threat hunting, which usually comes from community TTPs based on observed activity in the wild. This could range from simple IoCs, such as file hashes, to communication with known malicious domains.

Within these models, tactical methods and hunting techniques can include the following:

  • IoC searching. Many organizations rely heavily on basic searches that include IoCs, such as file hashes, file names, usernames and groups, and other foundational elements of a compromise or potential incident.
  • Keyword searching. Many threat hunts rely on keyword searches that look for particular terms or event types in system and application logs, or particular URL terms such as directory references that indicate suspicious or unusual activity. Keywords are also used commonly when searching in the Windows registry or for parameters within system configuration files.
  • Network indicators. Many different types of network indicators are used in hunting practices, including common IoCs such as IP addresses and domains, as well as types of traffic that might indicate suspicious activity or compromise, especially if related to exploitation of a known network-accessible vulnerability in a service listening on a particular TCP or UDP port.
  • Network traffic pattern analysis. Monitoring for patterns of network traffic can be much more difficult than hunting for more atomic IoCs, but it often pays dividends to security teams that need more behavioral introspection into how attackers operate. Patterns can be simple, such as time of day or network source origination, or more complex, such as unusual access attempts or quantity of traffic to and from domains and/or network services.
  • Clustering or correlation. While many unique indicators and patterns can fuel threat hunting, more mature organizations rely on enrichment activities that include correlation of events and data in a SIEM, as well as forensics and incident response artifacts correlated with threat intelligence. These offer more nuanced and specific hunting patterns and models. EDR, network detection and response (NDR) and SIEM platforms are the tools most commonly used to build correlated scenarios, often in conjunction with SOAR automation tools. These scenarios include threat actor information, in-house evidence and defined playbooks for network, endpoint and application-specific threats identified within Mitre ATT&CK and other models.
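To make the techniques in the list above concrete, here is a small hunting pass written for this article as an added example; it is not code from the article or from any of the frameworks it names. It runs an atomic IoC search, a keyword search, a time-of-day pattern check and a per-host baseline comparison (the kind of baseline hunt PEAK describes) over a handful of constructed log lines. The pipe-delimited log format, the placeholder hashes and domains, the keyword patterns and the thresholds are all assumptions chosen for illustration.

```python
"""Hunting helpers run over a handful of constructed log lines.

Added example for this article, not code from the article or from any
framework it names. The log format, indicator lists, keyword patterns and
thresholds are all assumptions chosen for illustration.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed records in a hypothetical "timestamp|user|host|event|detail"
# format. Hashes, domains and the encoded string are placeholders, not real
# indicators (".example" is reserved for documentation).
SAMPLE_LOGS = r"""
2024-03-01T09:02:11|alice|ws01|proxy|intranet.example.local
2024-03-01T11:40:53|alice|ws01|proxy|intranet.example.local
2024-03-01T10:05:00|bob|ws02|exec|sha256=1111111111111111 C:\Tools\editor.exe
2024-03-02T09:10:22|alice|ws01|proxy|intranet.example.local
2024-03-02T15:11:02|alice|ws01|proxy|intranet.example.local
2024-03-03T09:13:37|alice|ws01|proxy|intranet.example.local
2024-03-03T16:50:00|alice|ws01|proxy|intranet.example.local
2024-03-03T23:17:09|bob|ws02|exec|sha256=deadbeefdeadbeef C:\Users\bob\AppData\Local\Temp\svc.exe
2024-03-03T23:18:40|bob|ws02|proxy|c2.bad.example
2024-03-04T02:12:44|bob|ws02|exec|sha256=3333333333333333 powershell.exe -EncodedCommand QQBCAEMA
2024-03-04T09:01:15|alice|ws01|proxy|intranet.example.local
2024-03-04T09:01:16|alice|ws01|proxy|telemetry.example.net/../../etc
2024-03-04T09:01:17|alice|ws01|proxy|telemetry.example.net
2024-03-04T09:01:18|alice|ws01|proxy|telemetry.example.net
2024-03-04T09:01:19|alice|ws01|proxy|telemetry.example.net
2024-03-04T17:30:00|alice|ws01|proxy|intranet.example.local
"""

# Placeholder indicator lists standing in for a threat intelligence feed.
BAD_HASHES = {"sha256=deadbeefdeadbeef"}
BAD_DOMAINS = {"c2.bad.example"}

# Keyword patterns of the kind described above: an encoded command-line
# switch, and a directory-traversal reference inside a URL.
KEYWORD_PATTERNS = [
    ("encoded-powershell", re.compile(r"-enc(odedcommand)?\b", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]

def parse_logs(text):
    """Turn the pipe-delimited lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, event, detail = line.split("|", 4)
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "host": host, "event": event, "detail": detail})
    return records

def hunt_iocs(records, bad_hashes=BAD_HASHES, bad_domains=BAD_DOMAINS):
    """Atomic IoC search: exact matches on file hashes and destination domains."""
    hits = []
    for r in records:
        if r["event"] == "exec" and r["detail"].split()[0] in bad_hashes:
            hits.append(("hash", r))
        elif r["event"] == "proxy" and r["detail"].split("/")[0] in bad_domains:
            hits.append(("domain", r))
    return hits

def hunt_keywords(records, patterns=KEYWORD_PATTERNS):
    """Keyword search over the free-text detail field."""
    return [(name, r) for r in records
            for name, pat in patterns if pat.search(r["detail"])]

def hunt_off_hours(records, start_hour=7, end_hour=19):
    """Time-of-day pattern: anything outside the assumed working day."""
    return [r for r in records if not start_hour <= r["ts"].hour < end_hour]

def hunt_baseline_anomalies(records, k=3.0, min_days=3):
    """Baseline hunt: flag days on which a host's proxy request count sits
    more than k median absolute deviations above that host's own median.
    Hosts with fewer than min_days of data have no usable baseline."""
    daily = defaultdict(Counter)  # host -> {date: request count}
    for r in records:
        if r["event"] == "proxy":
            daily[r["host"]][r["ts"].date()] += 1
    anomalies = []
    for host, counts in daily.items():
        if len(counts) < min_days:
            continue
        values = list(counts.values())
        med = statistics.median(values)
        mad = statistics.median([abs(v - med) for v in values]) or 1.0
        for day, count in sorted(counts.items()):
            if (count - med) / mad > k:
                anomalies.append((host, day.isoformat(), count))
    return anomalies

def run_hunts(text=SAMPLE_LOGS):
    """Run every hunt and return the findings keyed by technique."""
    records = parse_logs(text)
    return {"ioc": hunt_iocs(records),
            "keyword": hunt_keywords(records),
            "off_hours": hunt_off_hours(records),
            "baseline": hunt_baseline_anomalies(records)}

if __name__ == "__main__":
    for technique, findings in run_hunts().items():
        print(f"{technique}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

The atomic searches return hits the moment an indicator matches, whereas the baseline hunt only produces a finding once a host has enough history to compare against, which is why it skips hosts with fewer than three days of data rather than guessing. Using the median and median absolute deviation rather than mean and standard deviation keeps a single noisy day from distorting the baseline it is being compared against.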

Successful threat hunting requires several things. First, teams need tooling that facilitates hunting at scale across both workloads and network environments, ideally for both on-premises and cloud infrastructure. Second, hunting playbooks need to be well defined to include IoCs and pattern matches, as well as unique behaviors and indicators derived from internal and external threat intelligence. Finally, threat hunting needs to be integrated into detection and response functions as well as forensics.

Threat hunting models are still evolving, but they can help organizations build and mature their threat hunting capabilities, which is a worthwhile focus for any security program.

Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.
