Entity-driven hunting

Situational or entity-driven hunting

Situational threat hunting focuses on high-risk/high-value entities such as sensitive data or critical computing resources

  • Its main benefit is that it helps focus and prioritize threat-hunting activity to improve its effectiveness

  • Attackers commonly target specific high-value/high-risk assets such as domain controllers or privileged users such as IT administrators and DevOps managers

  • Threat hunting helps identify these high-priority targets and conduct focused searches for relevant threats

  • A situational hypothesis could come from an enterprise's internal risk assessment or a trends and vulnerabilities analysis unique to your environment

Entity-oriented leads come from crowd-sourced attack data that, when reviewed, reveal the latest TTPs of current cyberthreats

A threat hunter can then search for these specific behaviors within the environment

Crown Jewel Analysis (CJA)

Crown Jewel Analysis determines which systems or assets are critical

Crown jewels are essential to an organization:

  • Provide basic functionality

  • Required for the organization's core services/functionality

Identifying crown jewels (CJ)

  • Determine mission objectives before attempting to identify crown jewels

  • Mission objectives represent the processes/services critical to an organization

  • Define crown jewels for different critical functions

Determining dependencies

  • System components may fail if other components fail

  • Component failure relationships are known as dependencies

  • Crown jewels suffer from dependency failures too!

Dependency map

A dependency map shows the qualitative relationship between a crown jewel and its various supporting assets

  • In the event of asset failure, the map will show which failures will degrade the CJ's performance or cause the CJ to fail and which failures can be worked around

Attack graphs

After determining the crown jewels for an organization, consider how they might be attacked (both directly and through their supporting assets)

Example

The domain administrator account is the most powerful account in the domain

It is granted domain-wide access and administrative rights to administer the computers and the domain itself, and it has the most extensive rights and permissions over the domain

Your internal risk assessment indicates that your domain administrator accounts are a concern. This will form the Purpose for a threat hunt

Domain administrator account activity in your environment and the associated logs needed become the Scope of your hunt

The hunter should formulate a plan to conduct the hunt based on the scope, such as looking for outliers in domain admin account logons

After planning, the hunter should execute the hunt by collecting and analyzing relevant data to determine whether any questionable activity is observed in the environment

If suspicious activity is confirmed in the environment, a detailed investigation across the attack life cycle must be performed to determine the extent of the threat, and the response should be handled accordingly

Any lessons from the hunt should be used as feedback to improve the hunting process
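As an added illustration of the plan-and-execute steps above (example code, not part of the original notes), a small Python baseline-and-outlier check over constructed domain admin logon records; the account names, hosts, record layout and thresholds are assumptions:

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logon records (not real telemetry). The layout
# (timestamp, account, source host) is an assumption loosely modelled on
# the fields a Windows Security logon event would provide.
SAMPLE_LOGONS = [
    ("2024-03-04 08:55:00", "DA-jsmith", "ADMIN-WS01"),
    ("2024-03-04 13:10:00", "DA-jsmith", "ADMIN-WS01"),
    ("2024-03-05 09:02:00", "DA-jsmith", "ADMIN-WS01"),
    ("2024-03-05 17:40:00", "DA-jsmith", "ADMIN-WS01"),
    ("2024-03-06 02:31:00", "DA-jsmith", "FILESRV-03"),  # rare host, off hours
    ("2024-03-04 10:15:00", "DA-mlee", "ADMIN-WS02"),
    ("2024-03-05 11:20:00", "DA-mlee", "ADMIN-WS02"),
    ("2024-03-06 22:45:00", "DA-mlee", "ADMIN-WS02"),    # usual host, off hours
    ("2024-03-06 03:00:00", "bwong", "WKS-117"),         # not in the hunt's scope
]

DOMAIN_ADMINS = {"DA-jsmith", "DA-mlee"}  # the hunt's scope (constructed)


def build_baseline(events, accounts):
    """Count, per in-scope account, how often each source host appears."""
    baseline = defaultdict(Counter)
    for _, account, host in events:
        if account in accounts:
            baseline[account][host] += 1
    return baseline


def find_outliers(events, accounts, business_hours=(7, 19), min_seen=2):
    """Return (timestamp, account, host, reasons) for in-scope logons that
    come from a host seen fewer than min_seen times for that account, or
    that fall outside business_hours (start inclusive, end exclusive)."""
    baseline = build_baseline(events, accounts)
    start, end = business_hours
    outliers = []
    for ts, account, host in events:
        if account not in accounts:
            continue
        reasons = []
        if baseline[account][host] < min_seen:
            reasons.append("rare source host")
        if not start <= datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour < end:
            reasons.append("outside business hours")
        if reasons:
            outliers.append((ts, account, host, reasons))
    return outliers


if __name__ == "__main__":
    for row in find_outliers(SAMPLE_LOGONS, DOMAIN_ADMINS):
        print(*row)
```

Each flagged row is a lead for the investigation step, not a confirmed finding; the thresholds would be tuned against the organization's own baseline.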
