Introduction to Threat Hunting

Questions and Answers

What is the primary goal of threat hunting?

  • To develop new security software.
  • To replace automated security tools.
  • To proactively search for and discover cyber threats that evade traditional defenses. (correct)
  • To ensure compliance with industry regulations.

What is a key characteristic that differentiates threat hunting from traditional security measures?

  • Threat hunting is a reactive approach.
  • Threat hunting relies solely on automated tools.
  • Threat hunting is focused on preventing all breaches.
  • Threat hunting is a human-centric proactive approach. (correct)

What is the significance of dwell time in the context of cybersecurity?

  • It represents the time it takes to develop a new security tool.
  • It measures the speed of incident response activities.
  • It indicates the duration of a cyber attack.
  • It refers to the time an attacker remains undetected in a network. (correct)

According to FireEye's M-Trends 2019 Report, what was the global median dwell time (time from compromise to discovery) in 2018?

Answer: 78 days.

Why is reducing dwell time a primary objective of threat hunting?

Answer: To minimize the potential damage from a successful attack.

What initial step is crucial in the threat hunting process?

Answer: Identifying potentially targeted systems or data and categorizing the behavioral techniques an attacker would use against them.

How does threat intelligence contribute to the threat hunting process?

Answer: It provides the insight used to develop hunting techniques and protective measures.

Which of the following is a key aspect of a successful threat hunter's mindset?

Answer: Thinking like an attacker.

What is the traditional security approach that threat hunting aims to improve upon?

Answer: Waiting for an internal system (such as an IDS) or law enforcement to notify the organization of a breach.

According to the content, what is the estimated loss due to Business Email Compromise scams in the past three years?

Answer: Over $26 billion.

According to NIST, the Incident Response (IR) process is defined in how many steps?

Answer: 4: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity.

What is the primary focus of the 'Preparation' phase in the NIST incident response process?

Answer: Preparing the organization to handle incidents.

According to NIST, what constitutes a 'computer security incident'?

Answer: A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

During which phase of incident response would an IR team confirm whether a breach took place?

Answer: Detection and Analysis.

In the 'Containment, Eradication, and Recovery' phase of IR, what is the IR team's goal?

Answer: To gather intelligence and create signatures that identify each compromised system, neutralize the attacker, and restore systems and data.

What is the primary objective of the 'Post-Incident Activity' phase?

Answer: To improve the organization's overall security posture so that a similar incident does not recur.

How does threat hunting relate to the 'Preparation' phase of incident response?

Answer: The hunter's rules of engagement, which define how to operate, when to operate, and what to do in particular situations, are established as part of preparation.

In what ways might organizations incorporate threat hunting into their incident response documentation?

Answer: By including threat hunting in their IR documents or updating existing ones to cover it, rather than creating separate threat hunting documents.

How can a threat hunter assist during the 'Detection & Analysis' phase of IR?

Answer: By determining whether the indicators presented point to an actual incident and by obtaining overlooked artifacts.

Where is it defined whether a hunter carries out the 'Containment, Eradication, and Recovery' tasks or hands them to another member of the IR team?

Answer: In the documentation outlining the policies and procedures for the hunter or hunting team.

How can threat hunters contribute to the 'Containment, Eradication, and Recovery' phase of incident response?

Answer: By applying their broad IT and security knowledge to the phase's tasks and providing recommendations on how to improve the overall security posture.

What is the purpose of assessing threats, vulnerabilities, and their likelihood of occurring?

Answer: To determine the risk to the organization's assets.

In the context of threat hunting, what is the specific benefit of understanding the contents of a risk assessment report?

Answer: It helps the hunter think like an attacker by showing which systems and processes an intruder would most likely go after.

Which documents might assist the hunter in determining which systems/processes require more focus?

Answer: A threat assessment report or a business impact analysis report.

In smaller organizations, what role might a threat hunter play in addition to threat hunting?

Answer: Multiple roles within the IT Security team, leaving time to hunt perhaps only once a week or once a month.

What determines hunting team composition?

Answer: The organization's size, industry, and hunger to hunt; there is no general definition of what a hunting team should contain.

An organization lacking a formal security team would most likely employ which type of hunter?

Answer: An ad-hoc hunter.

What is a defining characteristic of an 'Ad-hoc' hunter?

Answer: They are responsible for multiple roles, hunt less frequently, and need a clear plan of what to hunt for on each hunting trip.

In what type of organizations are 'Analyst and Hunter' roles commonly found?

Answer: Small organizations or those with extremely well-developed detection and baseline capabilities.

Which statement best describes a 'Dedicated Hunting Team'?

Answer: A small team of experienced, qualified members whose sole purpose is to hunt, most often found in large or governmental organizations.

In the context of cybersecurity, what does the term 'dwell time' refer to?

Answer: The duration an attacker remains undetected in an infiltrated network.

According to the material, how does threat hunting differ from traditional security measures?

Answer: Threat hunting is a human-centric proactive approach, while traditional security is often reactive and automated.

What is the main purpose of utilizing threat intelligence during a threat hunt?

Answer: To develop techniques and carry out the actions necessary to protect systems from compromise.

According to the provided information, what step is required for being a successful threat hunter?

Answer: Think like an attacker.

According to the provided information, what is involved in the Preparation phase of incident response?

Answer: Preparing the organization to handle incidents.

According to the provided information, which phase would confirm a breach?

Answer: Detection and Analysis.

According to the provided information, what happens in the Containment, Eradication, and Recovery phase?

Answer: The IR team gathers intelligence and creates signatures that aid in identifying each compromised system.

According to the provided information, what is improved in the Post-Incident Activity phase?

Answer: The organization's overall security posture.

According to the provided information, in what way does a threat hunter correlate to preparation?

Answer: A threat hunter or team cannot operate without rules of engagement.

According to the provided information, how can a threat hunter correlate to detection and analysis?

Answer: A hunter is useful in determining whether indicators point to an actual incident or not.

According to the provided information, a risk assessment is for assessing which of the following?

Answer: Threats, vulnerabilities, and their likelihood of occurring against the organization's assets.

What is the purpose of a risk assessment report?

Answer: To list all the vital systems and processes and the impact to the organization if anything were to happen to them.

Flashcards

Dwell Time

The time an attacker remains undetected inside a network, measured from compromise to discovery; M-Trends 2019 put the 2018 global median at 78 days.

Threat Hunting

The human-centric process of proactively searching data and discovering cyber threats.

Threat hunting aims to

Actively look for threats that other security measures have missed, and so reduce dwell time.

Incident Response (IR)

A systematic approach to managing security incidents; NIST defines four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

Preparation Phase (IR)

A phase in incident response focused on preparing an organization to handle incidents (responsibilities, hardware, tools, and documentation) and on reducing the probability of incidents occurring.

Security Incident

Per NIST, a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Detection and Analysis

A phase where reported symptoms are analyzed to classify the situation as an incident and to confirm whether a breach took place.

Containment, Eradication, and Recovery

A phase to identify every compromised system, neutralize the attacker, and restore systems and data to normal.

Post-Incident Activity

A "lessons learned" phase where the incident is reviewed to improve the organization's overall security posture.

Risk Assessment

The process of assessing threats, vulnerabilities, and their likelihood of occurring against an organization's assets.

Risk assessment report

A list of the systems and processes vital to the organization and the impact if anything were to happen to them; it shows the hunter where an intruder would most likely strike.

Ad-hoc Hunter

Responsible for multiple roles, hunts less frequently, task-oriented; found in organizations with no formal security team.

Analyst and Hunter

SOC analysts with hunting responsibilities; the skills are complementary; often found in small organizations or those with well-developed detection and baseline capabilities.

Dedicated Hunting Team

Specialized team whose sole purpose is threat hunting; well-experienced and qualified; often found in large or governmental organizations.

Study Notes

  • The module will cover what Threat Hunting is, its association with other practices, and different Threat Hunting teams.

Introduction to Threat Hunting

  • Cybercrime losses keep rising even though businesses invest heavily in cybersecurity.
  • Business email compromise scams alone caused over $26 billion in losses over the past three years, according to an IC3 report.
  • Cybercriminals continually evolve and bypass traditional defenses, so automated detection tools on their own are not enough to catch advanced, stealthy attacks.
  • FireEye's M-Trends 2019 Report puts the global median dwell time for 2018 at 78 days. Dwell time is the period an attacker remains in a network undetected, measured from compromise to discovery.
  • The report singles out external notification as a means of discovering a compromise; breaches discovered that way had a median dwell time of 184 days in 2018, far longer than the overall figure.
  • Threat hunting is therefore the human-centric, proactive process of searching data and discovering cyber threats.
  • It moves the organization from waiting for an internal system, such as an IDS, or law enforcement to report a breach, to actively finding threats that nothing else detected.
  • Threat hunting aims to reduce dwell time by identifying threats at a very early stage of the infection.
  • The hunting process begins by identifying potentially targeted systems or data, categorizing the behavioral techniques attackers are likely to use against them, and then looking for and confirming the abnormal activity those techniques produce.
  • Threat intelligence is often used to develop hunting techniques and to carry out the actions needed to protect systems from compromise.
  • Hunting is an offense-minded strategy: the hunter starts from what an attacker would do rather than from what the tools have already alerted on.
  • Hunters should think like an attacker, which requires a strong practical understanding of cyber threats and the cyber kill chain.
  • Hunters need to know their own environment; hunting is far easier with quality data and adequate resources.
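The hunting process described above, shown as runnable code. This is an added example, not material from the original lesson: the process-creation events are constructed, and the field names, hostnames and the two hunting approaches (an Office application spawning a shell, and parent/child pairs that are rare against the baseline) are assumptions chosen for illustration. It tests a hypothesis drawn from attacker behaviour, stacks the baseline to surface what no hypothesis named, and measures the dwell time the hunt would have cut short.

```python
"""Hypothesis-driven hunt over constructed process-creation telemetry.

Added example, not part of the original lesson. Event fields, hostnames and
the hunting hypotheses are assumptions chosen for illustration.
"""
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

Event = Dict[str, str]


def _ev(ts: str, host: str, parent: str, image: str) -> Event:
    return {"ts": ts, "host": host, "parent": parent, "image": image}


# Constructed telemetry (not real logs): a baseline of routine parent->child
# process starts across workstations, plus a handful of unusual starts.
EVENTS: List[Event] = []
for i in range(12):
    day = f"2024-03-{i + 1:02d}"
    EVENTS.append(_ev(f"{day}T08:00:00Z", f"ws-{i:03d}", "explorer.exe", "winword.exe"))
    EVENTS.append(_ev(f"{day}T08:05:00Z", f"ws-{i:03d}", "explorer.exe", "outlook.exe"))
    EVENTS.append(_ev(f"{day}T08:10:00Z", f"ws-{i:03d}", "services.exe", "svchost.exe"))
EVENTS += [
    _ev("2024-03-01T09:12:31Z", "ws-017", "winword.exe", "cmd.exe"),
    _ev("2024-03-01T09:12:33Z", "ws-017", "cmd.exe", "powershell.exe"),
    _ev("2024-03-02T14:05:44Z", "ws-042", "excel.exe", "powershell.exe"),
    _ev("2024-03-11T08:41:12Z", "srv-db-01", "sqlservr.exe", "cmd.exe"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt_office_spawning_shell(events: List[Event]) -> List[Event]:
    """Hypothesis: a document application has no business starting a shell.

    This is the attacker-technique view: a phishing document carrying a macro
    payload typically shows up as Office -> cmd/powershell.
    """
    return [e for e in events if e["parent"] in OFFICE_APPS and e["image"] in SHELLS]


def stack_parent_child(events: List[Event], max_count: int = 1) -> Dict[Tuple[str, str], int]:
    """Baseline view ('stacking'): count every parent->child pair and keep the
    pairs seen at most max_count times. Rare pairs are where a hunter looks
    first; this catches activity that no prewritten hypothesis names.
    """
    counts = Counter((e["parent"], e["image"]) for e in events)
    return {pair: n for pair, n in counts.items() if n <= max_count}


def dwell_days_by_host(hits: List[Event], detected_at: datetime) -> Dict[str, float]:
    """Dwell time per host: from the earliest flagged event to the moment the
    hunt found it, in days. Driving this number down is the point of hunting."""
    first: Dict[str, datetime] = {}
    for h in hits:
        t = parse_ts(h["ts"])
        if h["host"] not in first or t < first[h["host"]]:
            first[h["host"]] = t
    return {host: (detected_at - t).total_seconds() / 86400 for host, t in first.items()}


def run_hunt(events: List[Event], detected_at_iso: str) -> dict:
    """One hunting trip: test the hypothesis, stack the baseline, measure dwell."""
    detected_at = parse_ts(detected_at_iso)
    hits = hunt_office_spawning_shell(events)
    return {
        "hits": hits,
        "rare_pairs": stack_parent_child(events),
        "dwell_days": dwell_days_by_host(hits, detected_at),
    }


if __name__ == "__main__":
    result = run_hunt(EVENTS, "2024-03-12T00:00:00Z")
    for hit in result["hits"]:
        print("HIT ", hit["ts"], hit["host"], hit["parent"], "->", hit["image"])
    for (parent, image), n in result["rare_pairs"].items():
        print("RARE", parent, "->", image, f"seen {n}x")
    for host, days in result["dwell_days"].items():
        print(f"dwell {host}: {days:.1f} days")
```

On the constructed data the Office-to-shell hypothesis flags two workstations, and the stacking pass additionally surfaces the database server starting cmd.exe, which the hypothesis never named; that is the "know your environment" point in practice, since rarity is only meaningful against a baseline of quality data. The per-host dwell figures (about 10.6 and 9.4 days here) are what the hunt reports against the organization's own dwell-time goal.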

Incident Response

  • Incident response (IR) is closely associated with threat hunting (TH); the abbreviations IR and TH are used below.

Incident Response Process

  • NIST (SP 800-61) defines the IR process in four phases: (1) preparation; (2) detection and analysis; (3) containment, eradication, and recovery; and (4) post-incident activity.
  • The preparation phase readies the organization to handle incidents: responsibilities, hardware, tools, and documentation are defined.
  • Preparation also covers steps that reduce the probability of an incident occurring in the first place.
  • NIST defines an incident, or computer security incident, as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
  • In the detection and analysis phase the IR team confirms whether a breach took place, analyzing all the reported symptoms to classify the situation as an incident.
  • In the containment, eradication, and recovery phase the IR team gathers intelligence about the intrusion and turns it into signatures that help identify every compromised system.
  • Countermeasures are then put in place to neutralize the attacker, and systems and data are restored to normal.
  • The post-incident activity phase is the "lessons learned" phase; its goal is to improve the organization's overall security posture and to make sure a similar incident does not happen again.

How Incident Response & Hunting Correlate

  • A threat hunter cannot operate without rules of engagement: predefined terms for how to operate, when to operate, and what to do in a particular situation. Establishing them belongs to the preparation phase.
  • Organizations might include threat hunting in their IR documents or simply update existing ones to cover it, without creating separate threat hunting documents.
  • In detection and analysis, hunters are useful in determining whether the indicators presented point to an incident, and they assist in obtaining artifacts that were overlooked.
  • In some organizations a hunter is already expected to carry out the containment, eradication, and recovery tasks; this is not mandatory, and the work can be passed to another member of the IR team. Which applies is defined in the documentation outlining the policies and procedures for the hunter or hunting team.
  • Hunters have broad knowledge of IT domains and IT security, which lets them assist in the containment, eradication, and recovery phase and provide insight into how the organization can improve its overall security posture, through quick fixes or future implementation.

Risk Assessments

  • A risk assessment is the process of assessing threats, vulnerabilities, and their likelihood of occurring against the organization's assets.
  • A risk assessment report lists the vital systems and processes and the impact to the organization if anything were to happen to them.
  • This report gives the hunter an idea of which systems and processes an intruder would most likely go after.
  • With a risk assessment report, a hunter can determine where to focus, so resources are not wasted on a less vital system or process.
  • Other documents that help the hunter decide which systems or processes need more focus are a threat assessment report or a business impact analysis report.
  • In large corporations it is not the hunter's job to conduct the risk assessments.
  • In smaller organizations the hunter may not be dedicated to hunting at all, may be responsible for multiple roles within the IT security team, and may be able to hunt only once a week or even once a month.
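Turning a risk assessment report into a hunt plan, as an added example that is not part of the original lesson: the register entries, the 1-to-5 likelihood and impact scale, the effort estimates and the hour budgets are all constructed assumptions. Risk is scored as likelihood times impact; the plan schedules the highest-risk assets first within the hours the hunter actually has, and anything below a minimum score is never scheduled, which is the "don't waste resources on less vital systems" rule above applied to an ad-hoc hunter with one day a week.

```python
"""Build a prioritized hunt plan from a risk assessment report.

Added example, not part of the original lesson. The register, the 1-5
scoring scale, the effort estimates and the hour budgets are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    likelihood: int    # 1 (rare) .. 5 (expected), from the risk assessment
    impact: int        # 1 (negligible) .. 5 (business-critical), from the BIA
    hunt_hours: float  # estimated effort for one hunt over this asset's data

    @property
    def score(self) -> int:
        """Risk = likelihood x impact, the usual qualitative risk-matrix product."""
        return self.likelihood * self.impact


# Constructed risk register (not a real report).
REGISTER: List[RiskEntry] = [
    RiskEntry("payroll database", likelihood=3, impact=5, hunt_hours=3.0),
    RiskEntry("domain controllers", likelihood=4, impact=5, hunt_hours=4.0),
    RiskEntry("customer web portal", likelihood=5, impact=4, hunt_hours=3.0),
    RiskEntry("finance workstations", likelihood=4, impact=3, hunt_hours=2.0),
    RiskEntry("guest wifi controller", likelihood=3, impact=1, hunt_hours=1.0),
    RiskEntry("marketing file share", likelihood=2, impact=2, hunt_hours=1.5),
]


def plan_hunts(register: List[RiskEntry], hours_available: float,
               min_score: int = 6) -> Tuple[List[RiskEntry], List[RiskEntry], float]:
    """Greedy plan for one hunting period.

    Returns (scheduled, deferred, hours_left). Highest risk first; on a tie
    the cheaper hunt goes first. Entries that do not fit the remaining budget
    are deferred to the next period. Entries below min_score are dropped
    entirely so low-value systems never consume hunt time.
    """
    scheduled: List[RiskEntry] = []
    deferred: List[RiskEntry] = []
    remaining = hours_available
    for entry in sorted(register, key=lambda e: (-e.score, e.hunt_hours)):
        if entry.score < min_score:
            continue
        if entry.hunt_hours <= remaining:
            scheduled.append(entry)
            remaining -= entry.hunt_hours
        else:
            deferred.append(entry)
    return scheduled, deferred, remaining


if __name__ == "__main__":
    # An ad-hoc hunter with one day a week versus a dedicated team with two.
    for label, hours in (("ad-hoc, 8h/week", 8.0), ("dedicated, 16h/week", 16.0)):
        scheduled, deferred, left = plan_hunts(REGISTER, hours)
        print(f"{label}: hunt {[e.asset for e in scheduled]}, "
              f"defer {[e.asset for e in deferred]}, {left:.1f}h unused")
```

With eight hours the plan covers the web portal and the domain controllers and defers payroll and the finance workstations to the following week; the guest wifi controller and the marketing share are never scheduled even though there is an hour to spare. The deferred list doubles as the hunt backlog that the risk assessment report, threat assessment report or business impact analysis would be consulted to reorder.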

Threat Hunting Teams

  • There is no general definition or description of what a hunting team should be composed of, as organizations determine this based on their size, industry, and hunger to hunt.
  • The three most commonly encountered types are: ad-hoc hunter, analyst and hunter, and a dedicated hunting team.

Ad-hoc Hunter

  • The Ad-hoc hunter is usually responsible for multiple roles in the organization, and therefore the hunts occur less frequently.
  • The hunts are more task-oriented, requiring a clear plan of what to hunt for on a given hunting trip.
  • This type of hunter is primarily found in organizations with no formal security team.

Analyst and Hunter

  • This type of hunter is most common where SOC analysts also have responsibility for hunting; the two skill sets are complementary.
  • It is often found in small organizations or in those with extremely well-developed detection and baseline capabilities.

Dedicated Hunting Team

  • This is the most specialized type: a team of a few well-experienced, qualified members whose sole purpose is to hunt, most often found in large or governmental organizations.
