Word Notes 11.16.21
Ep 76 | 11.16.21

threat hunting (noun)


Rick Howard: The word is: threat hunting. 

Rick Howard: Spelled: threat for security concern, and hunting for searching and detecting. 

Rick Howard: Definition: The process of proactively searching through networks to detect and isolate security threats, rather than relying on security solutions or services to detect those threats.  

Rick Howard: Example sentence: Changes in file systems and the Windows registry are two places threat hunting expeditions can find stealthy adversary groups.  

Rick Howard: Origin and context: According to Tony Sager, he invented the threat hunting idea in the mid-2000s when he developed the unifying mission model for his NSA defensive group called the Information Assurance Directorate. Richard Bejtlich put meat on the bones for cybersecurity specifically in an essay he wrote for Infosecurity Magazine in 2011, when he was the GE-CIRT director of incident response. And by the way, Bejtlich is a Cybersecurity Canon Hall of Fame winner for his book, "The Practice of Network Security Monitoring: Understanding Incident Detection and Response." 

Rick Howard: In a passage from this article though, he says this, "In the mid-2000s, the Air Force introduced the term "hunter-killer" for missions whereby a team of security experts performed "friendly force projection" on their networks. They combed through data from systems and, in some cases, occupied the systems themselves in order to find advanced threats. The concept of "hunting" (without the slightly more aggressive term "killing") is now gaining ground in the civilian world." 

Rick Howard: in 2010, Lockheed Martin released its strategic Intrusion Kill Chain model that refocused everybody from simply doing passive defense to forward-thinking defenses based on adversary behavior. In 2013, Caltagirone, Pendergast and Betz published their alternative strategic threat model called the Diamond Model. But in the same year, 2013, Mitre released the first version of its ATT&CK Framework, which did two things. It enhanced the strategic intrusion kill chain model with operational intelligence and added detail to the actions on the objective phase.  

Rick Howard: The impact was that for the first time intelligence analysts had access to a globally accessible knowledge base of known adversary behavior derived from real-world observations, from both Mitre intelligence analysts and from the cybersecurity intelligence community at large. In other words, it was the most complete, free, open source standardized database of adversary offensive playbook intelligence. 

Rick Howard: With the Mitre ATT&CK framework, threat hunters could now look specifically for known adversary behavior on their own networks. Penetration testers can now do red team exercises where they emulated known adversary behavior.  

Rick Howard: Nerd reference: As the Principal Security Strategist at Splunk in 2019, John Stoner gave a presentation at the SANS Digital Forensics and Incident Response Summit about his aha moment for threat hunting. And John is a true nerd. A man, completely after my own heart. In this clip, he talks about Spiderman and Neo from the movie The Matrix all in one sentence. 

John Stoner: Now as this fine gentleman says, with great power comes great responsibility. And anytime you're dealing with a matrix, you can't just dive into it, right? No matter what Neo says.  

John Stoner: What do I want to do from a modeling perspective?  

John Stoner: And so you have the kill chain on the one side. The diamond model on the other side. They're both great. They're both lovely.  

John Stoner: They do a lot of good things to help describe things after I find them. 

John Stoner: But you know, I'm not really a super creative guy from a hunting perspective. And I go, well, if I have a kill chain, I've got exploit. I could start hunting at the exploit stage, but, but what do I got to hunt for? Or, actions on objectives. Great, what do I hunt for?  

John Stoner: While I like the models to be able to overlay things that I find, it wasn't something that was really going to be impactful. 

John Stoner: And so I came to this small little thing called the MITRE ATT&CK framework. Maybe you’ve heard of it. I refer to it here as brain candy, because if you're maybe not as creative as other folks, and I'll say I'm kind of one of those people, I've got all of these techniques and all of these tactics to sit there and go, oh yeah, let's go one for that. 

John Stoner: Let's use this as a starting point. 

Rick Howard: Word notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.