Unstructured hunting

This is the most common form of threat hunting that is observed in many organizations that have some form of threat hunting capabilities

  • There is no specific methodology defined for conducting hunts, and this type of hunting doesn't rely on TTPs to drive hunts

  • Instead, this type of threat hunting primarily relies on analyst intuition and IOCs to drive hunts

  • There are many sites that share threat reports and IOCs associated with a specific threat for free

  • Organizations may have paid sources that provide threat intelligence to obtain the latest threat reports/IOCs when they have them

There are multiple schools of thought for unstructured hunting

  • The first one is that unstructured threat hunting starts from a trigger or an indicator of compromise (IOC)

  • The hunter searches the network for malicious patterns before and after the trigger or IOC

  • Threat hunters can investigate historical data as far as data retention limits permit

  • This type of threat hunting can discover new types of threats or threats that penetrated the environment in the past and are now dormant

  • In the next section, we will talk about cyber-threat intelligence, as it is the primary source for threat hunting

Cyber-threat intelligence

What is cyber-threat intelligence (CTI)?

A collection of data regarding threats:

  • Organizations may collect intelligence for internal use

  • Some companies collect and sell threat intelligence, both directly and through the purchase of security platforms

  • There are commercial and open-source threat intelligence sources available

  • There are also Information Sharing and Analysis Centers (ISACs) that collect, analyze and disseminate actionable threat information to their members

  • There are ISACs for various industries, such as financial and industrial, that organizations can join to obtain valuable intel. Sometimes they receive real-time intel that can be used to mitigate risks

Open-Source Intelligence (OSINT)

Cyber-threat information that is collected and shared publicly

  • Open-source intelligence can be used on its own

  • OSINT can be combined with threat data collected by an organization

Commercial threat intelligence

Cyber-threat information provided by many security vendors for a fee; it offers the following advantages over OSINT

  • Visibility - The level of coverage is broader and more expansive than what a select open-source community can focus on, providing you with more holistic threat intelligence and enabling you to be more proactive, rather than reactive, with your security actions

  • Triage - It can provide severity levels for IOCs and related alerts, which can help you triage and focus on what's most important for your team to address

  • Context - This provides more intelligence context to know what action you need to take next when you see an alert within your dev environment or identify a specific vulnerability
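As an added example (not part of the original notes), the following Python script ties together the IOC-driven hunt described earlier and the triage value of a feed described here: it starts from a trigger time, searches log records in a window before and after that trigger, clamps the look-back to what data retention still holds, and ranks the matches by the feed's severity so the analyst sees high-severity hits and their context first. The indicator feed, log lines, hostnames, addresses and hash values are all constructed for illustration.

```python
"""IOC-driven hunt: start from a trigger, search retained logs in a window
before and after it, and rank hits by feed severity.

Added example, not from the original notes. The indicator feed and the
log lines below are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed indicator feed, in the shape an OSINT or commercial source
# might deliver it: type, value, vendor-assigned severity and context.
IOC_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "severity": "high",
     "context": "constructed: C2 address from a phishing report"},
    {"type": "domain", "value": "update-check.example.net", "severity": "medium",
     "context": "constructed: staging domain from the same report"},
    {"type": "sha256",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "severity": "low", "context": "constructed: hash of an empty file, usually noise"},
]

# Constructed telemetry: "<ISO timestamp> <host> <event> key=value ..."
LOG_LINES = """\
2024-03-01T08:00:00 ws-17 dns query=update-check.example.net
2024-03-01T08:00:05 ws-17 net dst=203.0.113.45 dport=443
2024-03-01T08:02:00 ws-17 proc image=svchost.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2024-03-03T09:00:00 ws-22 net dst=203.0.113.45 dport=443
2024-03-20T10:00:00 ws-22 dns query=update-check.example.net
""".strip().splitlines()

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}

# Constructed hunt parameters: the alert that triggered the hunt, the
# window around it, and the oldest day retention still holds.
TRIGGER = datetime(2024, 3, 2, 12, 0)
WINDOW = timedelta(days=2)
RETENTION_START = datetime(2024, 3, 3)


def parse_line(line):
    """Split one telemetry line into a record of timestamp, host, event and fields."""
    ts, host, event, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "event": event}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def hunt_window(trigger, before, after, retention_start):
    """Window around the trigger, with the look-back clamped to retention."""
    return max(trigger - before, retention_start), trigger + after


def hunt(lines, feed, trigger, before=timedelta(days=7), after=timedelta(days=7),
         retention_start=datetime.min):
    """Return IOC matches inside the window, highest severity first."""
    start, end = hunt_window(trigger, before, after, retention_start)
    by_value = {i["value"].lower(): i for i in feed}
    hits = []
    for rec in map(parse_line, lines):
        if not (start <= rec["ts"] <= end):
            continue
        for key, val in rec.items():
            if key in ("ts", "host", "event"):
                continue
            ioc = by_value.get(val.lower())
            if ioc:
                hits.append({"ts": rec["ts"].isoformat(), "host": rec["host"],
                             "event": rec["event"], "field": key,
                             "ioc": ioc["value"], "severity": ioc["severity"],
                             "context": ioc["context"]})
    # Triage order: vendor severity first, then chronological within a severity.
    hits.sort(key=lambda h: (-SEVERITY_RANK[h["severity"]], h["ts"]))
    return hits


def hosts_touched(hits):
    """Hosts to pivot into next, in a stable order."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    for h in hunt(LOG_LINES, IOC_FEED, TRIGGER, before=WINDOW, after=WINDOW):
        print(h["severity"], h["ts"], h["host"], h["event"], h["ioc"], "-", h["context"])
    print("hosts to pivot into:", hosts_touched(hunt(LOG_LINES, IOC_FEED, TRIGGER)))
```

The low-severity hash hit is kept but sorted last; a feed without severity would leave the analyst to weigh all four hits equally, which is the triage gap the commercial source fills. Passing `retention_start` shows the other limit from the notes: anything older than what retention holds simply cannot be searched, so the window is clamped rather than silently returning nothing.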

Another school of thought is analyst intuition

  • It is defined as a method of finding malicious activity without knowing exactly what type of threat you are looking for

  • Instead, the hunter relies on behavioral analysis to find these threats

  • In short, unstructured hunting is investigative work where a cyber-threat hunter observes behavior and looks for anomalies

  • For example, if someone sends out spam emails, a system administrator might notice unusual activity on his network and investigate further

  • If he finds something suspicious, he could act immediately or wait a few days to see if the same email addresses start sending again
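The spam example above, worked through as an added Python example (not part of the original notes): instead of matching a known indicator, the script baselines each sender's daily outbound mail volume against that sender's own history, flags days that fall well outside it, and then applies the "wait a few days" step by reporting senders that are flagged again. The mail-gateway log, sender addresses and counts are constructed for illustration.

```python
"""Behavioral hunt for unusual outbound mail volume.

Added example, not from the original notes. The gateway log below is
constructed: one line per sender per day, "<date> <sender> <messages_sent>"."""
from collections import defaultdict
from statistics import mean, pstdev

MAIL_LOG = """\
2024-03-01 alice@corp.example 5
2024-03-01 bob@corp.example 4
2024-03-01 carol@corp.example 5
2024-03-02 alice@corp.example 6
2024-03-02 bob@corp.example 5
2024-03-02 carol@corp.example 5
2024-03-03 alice@corp.example 5
2024-03-03 bob@corp.example 4
2024-03-03 carol@corp.example 5
2024-03-04 alice@corp.example 7
2024-03-04 bob@corp.example 5
2024-03-04 carol@corp.example 40
2024-03-05 alice@corp.example 6
2024-03-05 bob@corp.example 5
2024-03-05 carol@corp.example 5
2024-03-06 alice@corp.example 5
2024-03-06 bob@corp.example 60
2024-03-06 carol@corp.example 5
2024-03-07 alice@corp.example 6
2024-03-07 bob@corp.example 4
2024-03-07 carol@corp.example 5
2024-03-08 alice@corp.example 5
2024-03-08 bob@corp.example 55
2024-03-08 carol@corp.example 5
""".strip().splitlines()


def parse_counts(lines):
    """sender -> list of (date, messages_sent), in date order."""
    per_sender = defaultdict(list)
    for line in lines:
        date, sender, n = line.split()
        per_sender[sender].append((date, int(n)))
    for series in per_sender.values():
        series.sort()
    return per_sender


def flag_sender(series, k=3.0, min_baseline=3, stdev_floor=1.0):
    """Dates on which a sender's count exceeds mean + k*stdev of its own
    earlier, non-anomalous days.

    Flagged days are kept out of the baseline so one spike does not raise
    the bar and hide the next one; the stdev floor stops a perfectly flat
    history from turning every tiny change into an alert."""
    baseline, flagged = [], []
    for date, n in series:
        if len(baseline) >= min_baseline:
            threshold = mean(baseline) + k * max(pstdev(baseline), stdev_floor)
            if n > threshold:
                flagged.append(date)
                continue
        baseline.append(n)
    return flagged


def find_anomalies(lines, **kw):
    """sender -> flagged dates, for senders that were flagged at least once."""
    result = {}
    for sender, series in parse_counts(lines).items():
        flagged = flag_sender(series, **kw)
        if flagged:
            result[sender] = flagged
    return result


def recurring_senders(anomalies, min_days=2):
    """Senders flagged on several days: the 'see if it starts again' check."""
    return sorted(s for s, dates in anomalies.items() if len(dates) >= min_days)


if __name__ == "__main__":
    found = find_anomalies(MAIL_LOG)
    for sender, dates in found.items():
        print(sender, "unusual volume on", ", ".join(dates))
    print("recurring:", recurring_senders(found))
```

Carol's single spike shows up once and stays a one-off; Bob is flagged twice, which is the pattern the analyst in the notes was waiting to see before escalating. The baseline is per sender, so a heavy but steady mailer is never flagged merely for being busy, and the sender's own history, not a global threshold, defines "unusual".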
