Behind every threat hunt is a human operator.
What is hypothesis-centered threat hunting?
HCTH is a proactive effort to drive intelligence into usable data. It works by identifying the where, how, and who of a particular threat. Where does it fit into the attackers kill chain. Who is likely to use this emerging threat, and how does it operate at a heuristic level.
Hypothesis-centered threat hunting adapts to each network individually, as no two are the same. Developing a baseline of how that environment typically operates helps the team of threat hunters to identify irregular behavior. Focusing on the behavioral aspects of a given threat allows us to bolster detections early by focusing on ‘how’ the subject operates, rather than the whack-a-mole IOC approach that was common in the industry in the past.
HCTH vs Traditional Threat Hunting Model
Traditional threat hunting is a proactive measure designed to identify threats by looking for specific Indicators of Compromise (IoC), or Indicators of Attack (IoA). These are the typical offerings from MDR providers, usually involving an automated scan/approach for previously identified IOCs.
Adversaries are aware of how organizations respond to their efforts and adjust accordingly. They are actively iterating on their own processes to leverage more advanced techniques, seeking to evade existing security controls whenever possible.
HCTH builds upon the traditional threat hunting model by using a deep understanding of attacker tradecraft to ask “how does this emerging threat fit into the existing threat model”. Answering this question identifies at what stage in the attacker’s chain of objectives this threat will occur, and looks at how the subject operates at a behavioral level.
The heuristic element of this approach means that attackers not only have to change their infrastructure after we detect them (IP addresses, filenames, hashes, etc.) but they also have to adjust their tactics, techniques and procedures (TTPs), which is far more costly to do. For further reading on this concept; Pyramid of Pain: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Understanding how the threat fits into the attacker killchain guides the hypothesis for how the threat will likely be utilized. A common example we often see is files masquerading as something they are now, typically shortcut files (.lnk) attempting to be PDFs. In this example, the lnk file will typically launch a scripting interpreter with predefined command line arguments to either load or callback to a second-stage payload. A basic approach would be to identify the hash of the shortcut file and block it network-wide. Great. An attacker can still use this technique with a different file. A more advanced approach would be to identify that the lnk file will open cscript, wscript, mshta, powershell, etc. Now we’re getting somewhere, as this approach means that an attacker cannot use any shortcut files to execute malicious scripts. What we do is first look for newly downloaded shortcut files in user writable directories, second, we look at the following two criteria:
- Does the file have a second extension (.pdf.lnk)
- Is the file size outside the standard deviation for that system (typically 2-5kb)
- Does the file launch a potential common lolbin (living off the land binary)
- Does the child process spawn further processes.
If any of the above is true the event is flagged and correlated against known-normal behavior for that system. Outliers are identified and reviewed for malicious activity. Now, an attacker cannot use this attack surface at all, and will have to change their tactic regardless of what new threats that arise. Taking a similar approach works with other threats as well, for example zero-day items such as CVE-2023-36884 was detected immediately upon attempted use by focusing on how the Follina vulnerability operated the year before. (Abnormal child processes spawning from Office documents, mshta, msdt, new web connections. Etc.).
Knowing normal in a network is the key-difference here. Identifying the heuristically anomalous activity behind an account accessing content it typically wouldn’t, can be an early warning sign that something is amiss, regardless of whether an emerging threat or zero day is being used to gain access.