Threat Hunting Basics

Art of War: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

Threat Hunting: Threat hunting is a proactive process of looking for abnormal activity, searching for anomalies on servers and endpoints to gather evidence of intrusions through unconventional means.

Why we need Threat Hunting: There is a rise in non-malware / file-less attacks, and there are gaps in scan-based technologies and threat intelligence providers (IOC feeds). Scan-based tools detect only threats that have signatures (they rely on signature matching), and IOC feeds only cover threats that have previously been identified. Tools change constantly, but the attacker's behaviour is constant and the end goal is always the same.

Pyramid of Pain:

Threat hunting mainly focuses on the behaviour of the attack.

Behavior = Tactic + Technique + Procedure

Tactics: An action carefully planned to achieve a short-term target in an attack (explains why that action is taken).

Techniques: Describe how they do it.

Procedure: A series of actions (tactics) conducted in a certain way to achieve the attacker's end goal; a behaviour profile of the attack.

TTPs explain the behaviour of an attacker by answering what attackers are doing and how they are doing it. This builds contextual understanding across incidents, campaigns, and threat actors.

Key areas to focus on:

a) All executions

b) All network connections

c) All file modifications

d) All registry modifications

e) All cross-process events

f) All unique binaries

The Kill Chain:

The seven stages, read left to right; the original table places the earlier stages under "Focus on Prevention" and the later stages under "Focus on Detecting and Responding".

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions on Objectives

How to Use the MITRE ATT&CK Matrix:

(Adversarial Tactics, Techniques and Common Knowledge)

Find and make a list of all tactics that have been identified by the different security solutions.

Group similar techniques and create a separate layer for each group.

Merge all the layers; you will then be able to work out the procedures and the impact.
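The three steps above, worked through in code as an added example that is not part of the original post: detections from several security solutions (a constructed sample, not real alerts) are grouped into one layer per tactic, the layers are merged, and the merged layer is read in matrix order to get the procedure. The layer dictionaries follow a simplified form of the ATT&CK Navigator layer JSON; the technique IDs are real ATT&CK IDs, the detections and source names are assumptions.

```python
from collections import defaultdict
import json

# Constructed sample detections from three security solutions, already mapped
# to ATT&CK tactic and technique IDs (technique IDs are real ATT&CK IDs).
DETECTIONS = [
    {"source": "edr",   "tactic": "execution",           "technique": "T1059"},
    {"source": "edr",   "tactic": "persistence",         "technique": "T1547"},
    {"source": "edr",   "tactic": "defense-evasion",     "technique": "T1055"},
    {"source": "proxy", "tactic": "command-and-control", "technique": "T1071"},
    {"source": "siem",  "tactic": "execution",           "technique": "T1059"},
    {"source": "siem",  "tactic": "credential-access",   "technique": "T1003"},
]

# Enterprise matrix column order (subset), used to read the merged layer as a sequence.
TACTIC_ORDER = ["initial-access", "execution", "persistence", "privilege-escalation",
                "defense-evasion", "credential-access", "discovery", "lateral-movement",
                "collection", "command-and-control", "exfiltration", "impact"]

def build_layers(detections):
    """Step 2: group techniques by tactic, one Navigator-style layer per group.
    score = number of detections; comment = which solutions reported it."""
    groups = defaultdict(lambda: defaultdict(lambda: {"score": 0, "sources": set()}))
    for d in detections:
        entry = groups[d["tactic"]][d["technique"]]
        entry["score"] += 1
        entry["sources"].add(d["source"])
    return {tac: {"name": f"{tac} layer", "domain": "enterprise-attack",
                  "techniques": [{"techniqueID": t, "tactic": tac, "score": e["score"],
                                  "comment": ", ".join(sorted(e["sources"]))}
                                 for t, e in sorted(techs.items())]}
            for tac, techs in groups.items()}

def merge_layers(layers):
    """Step 3: merge all layers into one, ordered along the matrix columns."""
    techniques = [dict(e) for layer in layers.values() for e in layer["techniques"]]
    techniques.sort(key=lambda e: (TACTIC_ORDER.index(e["tactic"]), e["techniqueID"]))
    return {"name": "merged", "domain": "enterprise-attack", "techniques": techniques}

def procedure(merged):
    """Tactic sequence of the merged layer: the behaviour profile the post calls a procedure."""
    seen = []
    for e in merged["techniques"]:
        if e["tactic"] not in seen:
            seen.append(e["tactic"])
    return seen

if __name__ == "__main__":
    merged = merge_layers(build_layers(DETECTIONS))
    print(json.dumps(merged, indent=2))
    print(" -> ".join(procedure(merged)))
```

A technique reported by more than one solution (T1059 by both EDR and SIEM here) ends up with a higher score in its layer, which is what makes the merged view useful for judging coverage and impact.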

To be continued…