You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a. “Grifter”) discovered nation-state attackers exfiltrating unencrypted personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment.

Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components of a program? How do you measure its success?

Despite the increasing demand for threat hunting, a prescriptive framework, which isn’t tied to a vendor, is hard to come by. Security leaders often ask our X-Force team, “Can you teach us how to do threat hunting? Are there any resources that can walk us through this?”

After hearing those questions repeatedly, Grifter, X-Force Head of Research John Dwyer and X-Force Global OT Incident Response Lead Sameer Koranne did some exploring. They searched publicly available sources for a central place that covers the operational pieces of threat hunting, including what an internal team looks for, processes that ensure a program’s success, and an overall definition of threat hunting and potential outcomes. They looked for technical and non-technical documentation and couldn’t find anything. Even the definition of threat hunting had a thousand different explanations. If an organization can’t define what threat hunting means, how will it know if its team is being successful? How will the team carry out the right vision of what threat hunting should entail? Companies must set their definition of threat hunting, its goals, why it’s important for them, and how they can direct their threat hunters to carry out their vision before they build a program.

To fill the framework gap, the X-Force team built their own. They will present it at the 2022 Black Hat conference. I asked them to provide a high-level summary of the talk. Below is the information they shared.

Building a Hypothesis

Despite the thousands of definitions, one component of threat hunting doesn’t change — the non-technical pieces are just as important as the technical ones. Threat hunting exercises are part of a business unit and, like anything else, require defined processes for technical and business-focused stakeholders alike. It’s hard to justify a threat hunting investment without knowing the goal and the actions needed to ensure success. Companies should know the stakeholders involved, their roles and how those roles are affected by the engagement. Creating one mission statement for the program can help establish a consistent process.

Some companies build a threat hunting program that’s predominantly based on alerts. Threat hunting entails much more than alerts. It’s proactive, testable and based on a hypothesis. For example, if you say, “I know malware ‘x’ exists,” you can then generate a hypothesis that states, “If malware ‘x’ was executed on my system, then I should be able to collect evidence ‘y’ and ‘z’ to prove that the malware is there.” In other words, if malware ‘x’ is present, it will look like ‘y’ and ‘z.’

Threat hunters can then use that hypothesis when looking for the malware: they look for the ‘y’ and ‘z’ evidence to detect it. No alert exists for the malware yet, so finding it is the threat hunter’s job. In their framework, John, Sameer and Grifter explain the components of an effective and an ineffective hypothesis.

Top Questions to Ask About Threat Hunting

When creating a threat hunting program, it’s important to ask the right questions. The top ones include:

  • What is threat hunting to us? Again, it’s critical companies pick a definition that resonates with them. The definition will help set the vision for what they hope to achieve.
  • How do we know what to hunt for? Defining the hypothesis can help answer this question because it defines the threat and its traits.
  • How do we threat hunt? Establishing a repeatable process that takes you from the threat to the goal is critical. In their framework, the X-Force team defines a standard process that companies can use and customize based on their objectives.
  • How do we measure success? Understanding your KPIs for threat hunting is also key. You can map out those metrics using the framework or base them on the goals for your company — security and business alike. For example, a good metric may be, “number of vulnerabilities we remediated that could or did enable malware ‘x’ to infect our environment.” The metric ties directly to the objective of finding and preventing malware ‘x.’ An example of an ineffective metric may be “number of threats we find.” That metric doesn’t set you up for success.

You could also gather metrics based on a specific threat. For example, the Conti ransomware was prevalent in 2021. If you aim to discover whether Conti has infected your environment, you may want to know the number of hunts your team executed in the last month that map to an observed behavior of Conti.
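To make the hypothesis and metric ideas above concrete, here is a small added example (mine, not code from the X-Force framework or the talk). It encodes the “if malware ‘x’ executed, then evidence ‘y’ and ‘z’ should be collectable” statement as a set of testable checks, runs them over a handful of constructed log events, and then computes the Conti-style KPI: how many hunts in a time window map to an observed behavior of a given threat. The malware name, evidence checks, behavior labels and log fields are all assumptions chosen for illustration; a real program would draw them from its own threat model and telemetry schema.

```python
"""Hypothesis-driven hunt and hunt KPI over constructed events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List

Event = Dict[str, str]
Predicate = Callable[[Event], bool]


@dataclass
class Hypothesis:
    """'If malware x executed, evidence y and z should be collectable.'"""
    threat: str                      # the 'x' in the text
    statement: str                   # the testable sentence itself
    evidence: Dict[str, Predicate]   # evidence name ('y', 'z') -> check over one event


@dataclass
class HuntResult:
    threat: str
    executed_at: datetime
    behaviors: List[str]                    # threat behaviors this hunt maps to
    evidence_found: Dict[str, List[Event]]  # evidence name -> matching events

    def confirmed(self) -> bool:
        # The hypothesis needs every piece of evidence, not just one of them.
        return all(self.evidence_found.values())


def run_hunt(hyp: Hypothesis, events: List[Event], behaviors: List[str],
             executed_at: datetime) -> HuntResult:
    """Evaluate each evidence check against every event and record the outcome."""
    found = {name: [e for e in events if check(e)]
             for name, check in hyp.evidence.items()}
    return HuntResult(hyp.threat, executed_at, behaviors, found)


def hunts_mapping_to(results: List[HuntResult], threat: str, since: datetime) -> int:
    """KPI from the text: hunts since `since` that map to a behavior of `threat`."""
    return sum(1 for r in results
               if r.threat == threat and r.behaviors and r.executed_at >= since)


# Constructed sample telemetry (not real data): process-creation and
# scheduled-task events in a simplified, SIEM-normalised shape.
SAMPLE_EVENTS: List[Event] = [
    {"host": "ws-01", "type": "process", "parent": "WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"host": "ws-01", "type": "task_created", "task": "Updater",
     "action": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"host": "ws-02", "type": "process", "parent": "explorer.exe",
     "image": r"C:\Program Files\Vendor\app.exe"},
]

TEMP_DIR = "\\appdata\\local\\temp\\"


def _office_spawned_temp_binary(e: Event) -> bool:
    """Evidence 'y' (hypothetical): an Office process launched a binary from Temp."""
    return (e.get("type") == "process"
            and e.get("parent", "").upper() in {"WINWORD.EXE", "EXCEL.EXE"}
            and TEMP_DIR in e.get("image", "").lower())


def _persistence_task_to_temp(e: Event) -> bool:
    """Evidence 'z' (hypothetical): a scheduled task points at a binary in Temp."""
    return e.get("type") == "task_created" and TEMP_DIR in e.get("action", "").lower()


# Placeholder threat name standing in for the text's malware 'x'.
MALWARE_X = Hypothesis(
    threat="malware-x",
    statement="If malware-x executed, an Office process spawned a binary from Temp (y) "
              "and a scheduled task was created pointing at that binary (z).",
    evidence={"y_office_spawn_from_temp": _office_spawned_temp_binary,
              "z_task_persistence": _persistence_task_to_temp},
)


def demo():
    """Run the hunt twice: once over the full sample, once over a clean host."""
    now = datetime(2022, 7, 1)
    behaviors = ["office-spawned-child", "scheduled-task-persistence"]
    hunt_full = run_hunt(MALWARE_X, SAMPLE_EVENTS, behaviors, now)
    clean = [e for e in SAMPLE_EVENTS if e["host"] == "ws-02"]
    hunt_clean = run_hunt(MALWARE_X, clean, behaviors, now - timedelta(days=45))
    return hunt_full, hunt_clean


if __name__ == "__main__":
    full, clean_run = demo()
    print("hypothesis confirmed on full sample:", full.confirmed())
    print("hypothesis confirmed on clean host:", clean_run.confirmed())
    print("hunts for malware-x in the last 30 days:",
          hunts_mapping_to([full, clean_run], "malware-x",
                           datetime(2022, 7, 1) - timedelta(days=30)))
```

Two design points carry over to a real program: `confirmed()` requires all of the evidence, so one noisy match on ‘y’ alone does not count as proof of ‘x’; and each `HuntResult` records which threat behaviors the hunt maps to, which is what lets the KPI count hunts per threat rather than the weaker “number of threats we find.”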

The Frequency of Threat Hunting

So how often should companies hunt for threats? X-Force recommends that hunt frequency match the retention of the data relevant to the hunt. If you want to hunt for a specific threat, the hunt needs to be tied to a data source, such as an event log. You need to understand how long that data is available to you and set the hunt frequency based on that number. If you retain data for 30 days, for example, you would execute the threat hunt on a 30-day cycle.

What to Expect at Black Hat 2022

If you are interested in learning more about the threat hunting framework, join the X-Force talk at Black Hat 2022.

The X-Force team is also presenting two more talks at Black Hat 2022. X-Force Red hacker Brett Hawkins will talk about how attackers can abuse Source Code Management (SCM) systems. The presentation will provide an overview of SCM systems, and detail ways to abuse some of the most popular ones such as GitHub Enterprise, GitLab Enterprise and Bitbucket to perform various attack scenarios.

X-Force Red hacker Dimitry Snezhkov is presenting a Black Hat talk and Arsenal tool demonstration about payloads, ELF binaries and ELF section docking, and will unveil a proof-of-concept loader and injector tool for evading malware detection mechanisms.

Also, meet our X-Force hackers, responders, researchers and analysts at the IBM Security booth #BHNL B.

To learn more about X-Force visit: www.ibm.com/security/xforce
