Intro to Threat Hunting
Hi All,
I've been learning the basics and overall 'procedure' for threat hunting. Based on videos and articles I've read, this is the general 'process' I came up with to get started. I'm looking for feedback on how this looks; any comments would be much appreciated.
I do a lot of query building at work and wanted to learn more about the process for threat hunting and to try my hand at it.
How-To
- General How-to Guide for Threat Hunting Using MITRE ATT&CK:
- Use the MITRE ATT&CK Matrix - Enterprise - Windows: Matrix - Enterprise - Windows | MITRE ATT&CK®
- Identify an attack technique category: Start by selecting a category of attack techniques, such as Initial Access, Execution, Persistence, etc.
- Example: If you choose "Initial Access," you might focus on techniques like Phishing.
- Explore the Technique (e.g., Phishing):
- Click on the selected technique: Once you've chosen a technique (like Phishing), click on it to access detailed information.
- Read the page:
- Choose a specific example or technique:
- Click on the group or tool associated with the technique (e.g., Axiom):
- Consider the Technique’s Application to Your Environment:
- Threat Model: Think about how an attacker might use this technique (e.g., Phishing / T1566) to breach your environment and what steps they might take to move laterally or escalate privileges once inside.
- Who would they target?
- How would they deliver the payload?
- How would it bypass current defenses?
- Once in the environment, what would the attacker go for?
- Hunt In Your Environment:
- Data Collection:
- Gather logs (SIEM + KQL)
- Check OSINT feeds for known intelligence based off the technique (Phishing)
- Formulate a Hypothesis:
- Based on the technique (Phishing), hypothesize how an attacker might use that technique within your network
- Explore Data and Analyze:
- Search for indicators of the technique (Phishing) in your environment using KQL/SIEM
- Evaluate Your Current Defenses:
- Security Controls: Check if you have the necessary security controls in place to defend against this technique.
- Identify Gaps: Look for any weaknesses or gaps in your defenses.
- Improve Security Posture: Identify areas where you can enhance or strengthen your defenses.
- Develop or Adjust Detection Methods:
- Existing Detection Rules: Determine if you already have detection rules for this technique.
- Tuning: If existing, assess whether these rules need adjustment to be more effective.
- Creation: If not, develop new detection rules based on the information you’ve learned.
- Repeat for Other Techniques:
- Repeat the Process: Apply this approach to other techniques within the MITRE ATT&CK framework to systematically enhance your threat detection and response capabilities.
Any feedback would be much appreciated. Obviously, there's no 'step by step' on how to hunt, but I am trying to build a general document I can follow for things to look for and how to start a hunt.
Thanks!
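The "Hunt In Your Environment" and "Evaluate Your Current Defenses" steps above (hypothesis, query, evaluate) are the part that is easiest to make concrete in code. The following is an added example, not part of the original post and not a KQL query: a small Python hunt loop for the post's own example technique, Phishing (T1566). It correlates a macro-bearing attachment from an external sender with an Office application spawning a script interpreter on the same host shortly afterwards, then reports hits and data-source gaps separately. All events, hostnames, domains and field names are constructed for the example and stand in for what a SIEM export would contain.

```python
"""Hunt loop for T1566 (Phishing): hypothesis -> query over logs -> evaluate.

Added example. Sample events, domains and field names are constructed and
stand in for a SIEM export; adapt the field names to your own schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed mail-gateway and process-creation events (not real data).
MAIL_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "recipient": "jdoe", "sender_domain": "example-invoices.test",
     "attachment": "invoice_0423.docm", "host": "WS-101"},
    {"ts": "2024-05-01T09:05:00", "recipient": "asmith", "sender_domain": "corp.example",
     "attachment": "agenda.docx", "host": "WS-102"},
    {"ts": "2024-05-01T10:00:00", "recipient": "bwong", "sender_domain": "newsletter.test",
     "attachment": None, "host": "WS-103"},
]
PROCESS_EVENTS = [
    {"ts": "2024-05-01T09:02:30", "host": "WS-101", "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"ts": "2024-05-01T09:06:00", "host": "WS-102", "parent": "WINWORD.EXE", "image": "splwow64.exe"},
    {"ts": "2024-05-01T11:30:00", "host": "WS-103", "parent": "explorer.exe", "image": "powershell.exe"},
]

INTERNAL_DOMAINS = {"corp.example"}          # constructed: your own mail domains
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Hypothesis:
    technique: str        # ATT&CK technique ID, e.g. T1566
    statement: str        # the 'Formulate a Hypothesis' step, written down
    data_sources: tuple   # log sources the hypothesis needs to be testable


@dataclass
class Finding:
    technique: str
    host: str
    recipient: str
    evidence: dict


def parse_ts(s):
    return datetime.fromisoformat(s)


def hunt_phishing_attachment(mail, procs, window=timedelta(minutes=10)):
    """'Explore Data and Analyze': external macro-enabled attachment, then an
    Office parent launching a script interpreter on the same host within `window`."""
    findings = []
    for m in mail:
        att = m["attachment"] or ""
        if m["sender_domain"] in INTERNAL_DOMAINS or not att.lower().endswith(MACRO_EXTENSIONS):
            continue
        delivered = parse_ts(m["ts"])
        for p in procs:
            if p["host"] != m["host"]:
                continue
            delta = parse_ts(p["ts"]) - delivered
            if (timedelta(0) <= delta <= window
                    and p["parent"] in OFFICE_PARENTS
                    and p["image"].lower() in SCRIPT_HOSTS):
                findings.append(Finding("T1566", m["host"], m["recipient"],
                                        {"mail": m, "process": p}))
    return findings


def evaluate_hunt(hyp, findings, available_sources):
    """'Evaluate Your Current Defenses': a hunt with missing telemetry is a data
    gap, which is a different outcome from 'no evidence found'."""
    missing = [s for s in hyp.data_sources if s not in available_sources]
    if missing:
        outcome = "data gap"
    elif findings:
        outcome = "investigate"
    else:
        outcome = "no evidence"
    return {"technique": hyp.technique, "data_gaps": missing,
            "hits": len(findings), "outcome": outcome}


def run_hunt(available_sources=frozenset({"mail_gateway", "process_creation"})):
    hyp = Hypothesis(
        "T1566",
        "An external sender delivers a macro-enabled document; opening it makes "
        "an Office process spawn a script interpreter.",
        ("mail_gateway", "process_creation"),
    )
    findings = hunt_phishing_attachment(MAIL_EVENTS, PROCESS_EVENTS)
    return findings, evaluate_hunt(hyp, findings, set(available_sources))


if __name__ == "__main__":
    hits, report = run_hunt()
    print(report)
    for f in hits:
        print(f.host, f.recipient, f.evidence["process"]["parent"], "->", f.evidence["process"]["image"])
```

On the constructed data only WS-101 is flagged: the internal sender on WS-102 and the attachment-less mail on WS-103 are filtered out before correlation. The `evaluate_hunt` step is the part worth carrying into the document from the post: recording "data gap" when a required log source is not onboarded keeps a hunt that could not see anything from being written up as a hunt that found nothing.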