reading-notes
Dedicated to my thoughts while learning cybersec
Threat Hunting with Security Onion
11/12/2020
Cyber threat hunting is an active cyber defence activity. It is “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox (computer security) and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat.
Threat hunting starts with a hypothosis that some angle of attack or vulnerability could occur so let’s try to prove that it can and then specifically address how the attack was successful… Like in Science theory the hypothosiser is going to attempt to prove their assumptions are correct and once proven true then steps can be taken to mitigate the problem.
In threat hunting there are two types of indicators a problem could exist
- Indicator of compromise
- An indicator of compromise (IOC) tells you that an action has happened and you are in a reactive mode. This type of IOC is done by looking inward at your own data from transaction logs and or SIEM data. These types of unusual activities allow security administration teams to spot malicious actors earlier in the cyberattack process.
- Examples of IOC include
- unusual network traffic,
- unusual privileged user account activity,
- login anomalies,
- increases in database read volumes,
- suspicious registry or system file changes,
- unusual DNS requests and Web traffic showing non-human behavior.
- Indicator of Concern
- Using Open-source intelligence, data can be collected from publicly available sources to be used for cyberattack detection and threat hunting.
- Tools like Atomic Red Team can help identify specific areas of concern
Tactics, Techniques and Procedures (TTPs)
The threat hunting maturity model is detailed as below:
| Level | Category | Description |
|---|---|---|
| 0 | Initial | an organization relies primarily on automated reporting and does little or no routine data collection. |
| 1 | Minimal | an organization incorporates threat intelligence indicator searches. It has a moderate or high level of routine data collection. |
| 2 | Procedural | an organization follows analysis procedures created by others. It has a high or very high level of routine data collection. |
| 3 | Innovative | an organization creates new data analysis procedures. It has a high or very high level of routine data collection. |
| 4 | Leading | an organization automates the majority of successful data analysis procedures. It has a high or very high level of routine data collection. |