Unstructured hunting

This is the most common form of threat hunting that is observed in many organizations that have some form of threat hunting capabilities

There is no specific methodology defined to conduct hunts and this doesn't rely on TTPs for hunts
Instead, this type of threat hunting primarily relies on analyst intuition and IOCs to drive hunts
There are many sites that share threat reports and IOCs associated with a specific threat for free
Organizations may have paid sources that provide threat intelligence to obtain the latest threat reports/IOCs when they have them

There are multiple schools of thought for unstructured hunting

The first one is that unstructured threat hunting starts from a trigger or an indicator of compromise (IOC)
The hunter searches the network for malicious patterns before and after the trigger or IOC
Threat hunters can investigate historical data as far as data retention limits permit
This type of threat hunting can discover new types of threats or threats that penetrated the environment in the past and are now dormant
In the next section, we will talk about cyber-threat intelligence as it is primary source for threat hunting

Cyber-threat intelligence

What is cyber-threat intelligence (CTI)?

A collection of data regarding threats:

Organizations may collect intelligence for internal use
Some companies collect and sell threat intelligence, both directly and through the purchase of security platforms
There are commercial and open-source threat intelligence source available
There are also Information Sharing and Analysis Centers (ISAC) that collect, analyze and disseminate actionable threat information to its members
There are ISACs for various industries like financial, industrial, etc, that organizations can be part and obtain valuable intel. Sometimes they acquire real-time intel that can be used to mitigate risks

Open-Source Intelligence (OSINT)

Cyber threat information which is collected/shared publicly

Open-source intelligence can be used on its own
OSINT can be combined with threat data collected by an organization

Commercial threat intelligence

Cyber-threat information is provided by many security vendors for a fee and provides the following advantages over OSINT

Visibility - The level of coverage is broader and more expansive than what a select open-source community can focus on, providing you with more holistic threat intelligence and enabling you to be more proactive, rather than reactive, with your security actions
Triage - It can provide severity levels for IOCs and related alerts, which can help you triage and focus on what's most important for your team to address
Context - This provides more intelligence context to know what action you need to take next when you see an alert within your dev environment or identify a specific vulnerability

Another school of thought is analyst intuition

It is defined as a method of finding malicious activity without knowing exactly what type of threat you are looking for
Instead, the hunter relies on behavioral analysis to find these threats
In short, unstructured hunting is investigative work where a cyber-threat hunter observes behavior and looks for anomalies
For example, if someone sends out spam emails, a system administrator might notice unusual activity on his network and investigate further
If he finds something suspicious, he could act immediately or wait a few days to see if the same email addresses start sending again

PreviousStructured hunting (MITRE)NextEntity driven hunting

Last updated 8 months ago

Cyber-threat intelligence

What is cyber-threat intelligence (CTI)?

A collection of data regarding threats:

Organizations may collect intelligence for internal use

Some companies collect and sell threat intelligence, both directly and through the purchase of security platforms

There are commercial and open-source threat intelligence source available

There are also Information Sharing and Analysis Centers (ISAC) that collect, analyze and disseminate actionable threat information to its members

There are ISACs for various industries like financial, industrial, etc, that organizations can be part and obtain valuable intel. Sometimes they acquire real-time intel that can be used to mitigate risks

Commercial threat intelligence

Cyber-threat information is provided by many security vendors for a fee and provides the following advantages over OSINT

Visibility - The level of coverage is broader and more expansive than what a select open-source community can focus on, providing you with more holistic threat intelligence and enabling you to be more proactive, rather than reactive, with your security actions

Triage - It can provide severity levels for IOCs and related alerts, which can help you triage and focus on what's most important for your team to address

Context - This provides more intelligence context to know what action you need to take next when you see an alert within your dev environment or identify a specific vulnerability

Another school of thought is analyst intuition

It is defined as a method of finding malicious activity without knowing exactly what type of threat you are looking for

Instead, the hunter relies on behavioral analysis to find these threats

In short, unstructured hunting is investigative work where a cyber-threat hunter observes behavior and looks for anomalies

For example, if someone sends out spam emails, a system administrator might notice unusual activity on his network and investigate further

If he finds something suspicious, he could act immediately or wait a few days to see if the same email addresses start sending again