TTP-Based Threat Hunting – Why and How?

In its simplest definition, threat hunting is a process to identify whether adversaries reached to the organization’s network or not.

Despite many precautions taken at the perimeter level and many technologies used, breaches cannot be prevented. As a result of this situation, technologies to detect whether an attacker is inside have also come to the fore in recent years. EDRs and NDRs are mostly developed and used for detecting and they use many different methods for this.

Pyramid of Pain

In the event of a breach, the most important way to lower dwell time is to implement a regular and continuous threat hunting process. Earlier, as discussed in pyramid of pain, there are several methods for threat hunting like using signatures, IoCs, anomaly detection or TTPs.

A signature can be IP addresses, domains, or file hashes about the threat actor but as you can see above, they are at the bottom of the pyramid. Because they can be changed very easily by the attacker and these information mostly include false positives. When attackers register a new domain, or get a new IP address, it will be a 0-day for the organization and will be impossible to detect the attack via IoC sweep.

Therefore, using the attackers’ TTPs for threat hunting will give much more accurate results. Attackers do not change the techniques that they are using frequently, especially if they have been successful before with these techniques. The MITRE ATT&CK framework is the best way for this technique. Many organizations have adapted their infrastructure to miter or continue to work on this issue. If they haven’t started this yet, they should start as soon as possible.

Threat Intelligence: For a better and continuous threat hunting, threat intelligence is essential. There are lots of techniques and tactics in Att&ck and analysts must decide with threat intel where to start. For a start, it may be a good method to start by identifying the actors that will threaten them depending on the country, region and sector of the organization. This process will prioritize TTPs for hunting. It must be ensured that the threat intel provides this information up-to-date.

Developing Hypotheses: After prioritizing the TTPs for hunting, next step is to creating the hypotheses. This step means determining the data that should be collected to detect the adversarial behavior. According to the required data, it is determined with which security controls the detection should be made.

At this stage, also there is a need to make a gap analysis to be ensure that we can detect all the related activity. If necessary, other security controls should be added. This process can be done with security validation tools like Verodin, since In Verodin all tests and reports are Att&ck based. Hunt teams should correct both they can get needed logs from every piece of the network and these logs are sent to SIEM regularly. So Verodin also should be used for these steps.

This data selection phase also provides to use SIEM more effective. By understanding the adversarial techniques, organizations can reduce the log size by reducing the volume of data collected. This will also allow analysts to encounter fewer false positive alerts and saves time.

The most annoying thing in SIEM administration is the volume of data. Thus, while we are getting data from host or network security controls, we should carry out that we do not send useless data to the SIEM. Be careful about both EDR and especially NDR solutions can create huge amount of data.

Leave a Reply