Beginning a threat hunt does not require a good deal of planning, but there should be some structure as to how the threat hunt will be conducted, the sources of data, and the time period on which the threat hunt will focus. A brief written plan will address all of the key points necessary, and place all of the hunt team on the same focus area so that extraneous data that does not pertain to the threat hunt is minimized. The following are seven key elements that should be addressed in any plan:
- Hypothesis: A one- or two-sentence hypothesis that was discussed earlier. This hypothesis should be clearly understood by all the hunt team members.
- MITRE ATT&CK tactic(s): In the previous chapter, there was a discussion about the MITRE ATT&CK framework and its application to threat intelligence and incident response. In this case, the threat hunt should include specific tactics that have been in use by threat actors. Select the tactics that are most applicable to the hypothesis.
- Threat intelligence: The hunt team should leverage as much internally developed and externally sourced threat intelligence as possible. External sources can either be commercial providers or OSINT. The threat intelligence should be IoCs, indicators of attack (IoAs), and TTPs that are directly related to the hypothesis and the MITRE ATT&CK tactics that were previously identified. These are the data points that the hunt team will leverage during the hunt.
- Evidence sources: This should be a list of the various evidence sources that should be leveraged during the threat hunt. For example, if the hunt team is looking for indicators of lateral movement via SMB, they may want to leverage NetFlow or selected packet captures. Other indicators of lateral movement using Remote Desktop can be found within the Windows event logs.
- Tools: This section of the plan outlines the specific tools that are necessary to review evidence. For example, Chapter 10, Analyzing Log Files, addressed log file analysis with the open source tool Skadi. If the threat hunt will make use of this tool, it should be included in the plan.
A group of tools that greatly aid in threat hunting is Endpoint Detection and Response (EDR) tools. These tools build on the existing methodology of antivirus platforms. Many of these platforms also have the ability to search across the enterprise for specific IoCs and other data points, allowing threat hunt teams to search an extensive number of systems for any matching IoCs. These tools should be leveraged extensively during a threat hunt.
- Scope: This refers to the systems that will be included in the threat hunt. The plan should indicate either a single system or systems, subnet, or network segment on which to focus. In the beginning, threat hunters should focus on a limited number of systems, and add more as they become more familiar with the toolset and how much evidence can be examined in the time given.
- Timeframe: As threat hunting often involves a retrospective examination of evidence, it is necessary to set a timeframe upon which the threat hunt team should focus. For example, if an originating event is relatively new (say, 48 hours), the timeframe indicated in the plan may be limited to the past 72 hours, to address any previously undetected adversarial action. Other timeframes may widen the threat hunt to 14—or even 30—days, based on the hypothesis and threat intelligence available.
Here is an example threat hunt plan that incorporates these elements into an easy-to-view framework:
In this sample plan, the hypothesis is that an adversary has taken control of one or more of the DMZ web servers. The associated MITRE ATT&CK tactics involve either exploiting the web application or establishing a Command and Control channel. In this plan, the threat hunt team will utilize OSINT. The sources and tools involve logs and packet captures and will be reviewed for the last 90 days. This is a simple plan, but it provides each member of the threat hunt team with all of the directions necessary to conduct the hunt.