Threat Hunting - Eye House

What is Threat Hunting?

Threat hunting is the proactive process of searching through networks, endpoints, and datasets to detect and isolate advanced threats that evade existing automated security solutions.

                Key Concept: Threat hunting assumes that adversaries are already inside your network. Instead of waiting for alerts, hunters actively search for signs of compromise.
            

Proactive vs. Reactive Security

Reactive Security (Traditional)

Wait for alerts from SIEM/IDS
Respond to triggered rules
Known signatures and patterns
Automated detection systems
Incident response after detection

Proactive Security (Hunting)

Actively search for threats
Hypothesis-driven investigation
Unknown and emerging threats
Human-driven analysis
Find threats before major damage

Why Hunt?

The average time to detect a breach is 207 days (IBM 2023). Automated systems miss sophisticated attacks. Threat hunting reduces dwell time and finds what automation misses.

Hunt vs. Detect: The Mindset Shift

Detection and hunting serve different but complementary purposes in a security program.

Detection (Automated Defense)

Purpose: Scale security monitoring across entire environment
Approach: Rule-based, signature-based, anomaly detection
Coverage: Known threats, defined patterns, established baselines
Strengths: 24/7 monitoring, consistent, scalable, low false negatives
Weaknesses: Misses novel attacks, can have high false positives, limited context

Hunting (Proactive Investigation)

Purpose: Find sophisticated threats that evade detection
Approach: Hypothesis-driven, creative, contextual analysis
Coverage: Unknown threats, zero-days, living-off-the-land techniques
Strengths: Finds novel threats, deep analysis, contextual understanding
Weaknesses: Resource-intensive, requires skilled analysts, not continuous

                The Relationship: Hunting feeds detection. Successful hunts become automated detection rules, continuously improving your security posture. Detection provides the foundation and telemetry that hunting relies upon.
            

Mindset Shift for Hunters:

Think like an attacker. Question assumptions. Ask "what if?" instead of "has this triggered an alert?" Embrace uncertainty and follow the data wherever it leads.

Hypothesis-Driven Hunting

Hypothesis-driven hunting starts with a testable theory about how adversaries might be operating in your environment.

The Hypothesis Framework

A good hunting hypothesis follows this structure:

IF [adversary behavior or technique]
AND [environmental condition or opportunity]
THEN [observable indicator or artifact]
WHERE [specific data source or location]

Examples of Hunting Hypotheses

Hypothesis 1: Credential Dumping

IF an attacker has gained initial access to a workstation
AND they want to escalate privileges or move laterally
THEN they may attempt to dump credentials from LSASS memory
WHERE we would see unusual process access to lsass.exe in EDR telemetry

Hypothesis 2: DNS Tunneling for C2

IF an attacker has established persistence
AND standard HTTP/HTTPS channels are monitored
THEN they may use DNS queries for command and control
WHERE we would see abnormally high DNS query volumes or unusual subdomain patterns

Hypothesis 3: Scheduled Task Persistence

IF an attacker wants to maintain access
AND they have local administrative privileges
THEN they may create a scheduled task for persistence
WHERE we would see schtasks.exe execution or Task Scheduler event logs

Sources for Hypotheses

Threat Intelligence: APT reports, IOCs, campaign analysis
Industry News: Recent breaches, new attack techniques
MITRE ATT&CK: Adversary tactics and techniques
Past Incidents: Your organization's history
Vulnerability Reports: New CVEs, exploit releases
Peer Sharing: ISACs, security communities

Best Practice: Document your hypotheses before hunting. This creates a clear investigation plan, helps focus your effort, and provides a record for future reference and operationalization.

Data-Driven Hunting

Data-driven hunting uses statistical analysis and anomaly detection to identify unusual patterns without a predefined hypothesis. This approach lets the data reveal potential threats.

Core Techniques

1. Anomaly Detection

Identify deviations from established baselines:

Volume anomalies: Unusual amounts of data transfer, login attempts, DNS queries
Timing anomalies: Activity during unusual hours, periodic beaconing
Behavior anomalies: User/system acting outside normal patterns
Geographic anomalies: Access from unexpected locations

2. Stack Counting (Frequency Analysis)

Count occurrences and find outliers. Most systems do similar things; outliers deserve investigation.

# Example: Find rare process names
processes | stats count by process_name | sort count | head 20

# Example: Find unusual parent-child relationships
processes | stats count by parent_process, child_process | rare

# Example: Uncommon network connections
network | stats count by dest_ip, dest_port | where count < 5

The Power of Stack Counting:

In an environment with 10,000 systems, if 9,998 are running similar processes and 2 are different, those 2 deserve investigation. Malware and attacker tools often stand out as statistical outliers.

3. Long-Tail Analysis

Focus on the "long tail" of rare events. The majority of activity is normal and repetitive; threats hide in rare, one-off events.

Long-Tail Example: Process Execution

In a large environment:

Short head: Top 100 processes account for 95% of all executions (normal)
Long tail: Bottom 5% contains thousands of unique processes (investigate here)

Attackers often use custom tools, renamed utilities, or legitimate-but-rare binaries that appear in the long tail.

4. Clustering and Grouping

Group similar entities to find outliers:

User behavior clustering (peer group analysis)
System behavior clustering (find the odd one out)
Network communication clustering (unusual connections)

Challenge: Noise vs. Signal

Data-driven hunting generates many potential leads. Not every anomaly is malicious. Skilled hunters develop intuition for which outliers deserve deeper investigation. Context is critical.

Intelligence-Driven Hunting

Intelligence-driven hunting leverages threat intelligence to search for specific adversary behaviors, indicators, or campaigns in your environment.

Types of Threat Intelligence

1. Indicators of Compromise (IOCs)

Specific artifacts that indicate malicious activity:

File hashes: MD5, SHA1, SHA256 of malware samples
IP addresses: C2 servers, malicious infrastructure
Domain names: Phishing domains, C2 domains
URLs: Malicious links, exploit delivery
Email addresses: Phishing senders
Registry keys: Persistence mechanisms
Mutex names: Malware identification

IOC Limitations:

IOCs are easily changed by attackers. A single character change in a file produces a different hash. Focus on IOCs for rapid triage, but don't rely on them exclusively. TTPs provide more durable intelligence.

2. Tactics, Techniques, and Procedures (TTPs)

How adversaries operate—harder to change than IOCs:

Tactics: The "why" (initial access, persistence, exfiltration)
Techniques: The "how" (spearphishing, scheduled tasks, DNS tunneling)
Procedures: The specific implementation details

TTP-Based Hunting:

Hunt for behaviors, not signatures. If threat intel indicates an APT group uses WMI for lateral movement, hunt for WMI activity in your environment—regardless of specific IOCs.

3. Threat Reports and Campaign Analysis

Detailed reports on adversary groups and campaigns:

APT group profiles and targeting patterns
Industry-specific threat campaigns
Attack timelines and kill chain analysis
Malware family analysis

Intel Sources for Hunters

MITRE ATT&CK

Comprehensive knowledge base of adversary tactics and techniques. Essential framework for TTP-based hunting.

Open-Source Feeds

AlienVault OTX, Abuse.ch, VirusTotal, URLhaus, threat researcher blogs and Twitter feeds.

Commercial Intel

Recorded Future, Mandiant, CrowdStrike Intelligence, vendor-specific threat intelligence platforms.

ISACs and Sharing Groups

Industry-specific Information Sharing and Analysis Centers, government partnerships, peer networks.

Intel-Driven Hunt Process

Consume: Review latest threat intelligence reports
Contextualize: Determine relevance to your environment
Extract: Pull out actionable IOCs and TTPs
Hunt: Search for indicators in historical and current data
Correlate: Connect findings to broader attack patterns
Operationalize: Create detections for ongoing monitoring

The Hunting Loop

Threat hunting is an iterative process. Each hunt informs the next, continuously improving your security posture.

1. Hypothesis

→

2. Data Collection

→

3. Analysis

→

4. Findings

→

5. Improve

↻

Phase 1: Hypothesis Formation

Develop testable theory about adversary activity
Based on intel, past incidents, or data observations
Define what success looks like
Identify required data sources

Phase 2: Data Collection

Gather relevant telemetry from identified sources
Query SIEM, EDR, network logs, cloud logs
Ensure data quality and completeness
Apply initial filters to reduce noise

Phase 3: Analysis

Apply hunting techniques (stack counting, anomaly detection)
Look for patterns, outliers, suspicious correlations
Pivot on interesting findings
Build timeline of events
Contextualize with business knowledge

Phase 4: Findings and Response

True Positive (Threat Found): Initiate incident response, contain threat, investigate scope
False Positive (Benign): Document why it appeared suspicious, add to exclusions if appropriate
Inconclusive: Insufficient data or unclear results—note for future investigation

Phase 5: Continuous Improvement

Operationalize findings: Create detection rules for ongoing monitoring
Document hunt: Record methodology, queries, results for knowledge sharing
Update playbooks: Incorporate learnings into SOC procedures
Identify gaps: Note missing telemetry or blind spots
Generate new hypotheses: What else should we look for?

                The Virtuous Cycle: Each completed hunt strengthens your defenses. Findings become detections. Gaps get filled. Hunters become more skilled. The organization becomes harder to compromise.
            

MITRE ATT&CK for Threat Hunters

The MITRE ATT&CK framework is the hunter's roadmap to adversary behavior. It organizes real-world attack techniques into tactics (the "why") and techniques (the "how").

The ATT&CK Matrix Structure

14 Tactics (Enterprise Matrix)

Initial Access

How attackers get in

Execution

Running malicious code

Persistence

Maintaining access

Privilege Escalation

Gaining higher permissions

Defense Evasion

Avoiding detection

Credential Access

Stealing credentials

Discovery

Learning the environment

Lateral Movement

Moving through network

Collection

Gathering target data

Command & Control

C2 communications

Exfiltration

Stealing data

Impact

Destruction/disruption

Using ATT&CK for Hunting

1. Technique-Based Hunt Planning

Select a technique and hunt for all its variations in your environment.

Example: T1053 - Scheduled Task/Job

Hunt objectives:

Find all scheduled task creations in last 30 days
Identify tasks created by non-admin tools
Look for tasks with unusual execution patterns
Check tasks pointing to temporary directories

Data sources: Sysmon Event ID 1, Windows Event ID 4698, EDR process creation logs

2. Tactic-Focused Hunting Campaigns

Hunt across all techniques within a tactic (e.g., hunt everything related to Persistence).

3. APT Group Mapping

ATT&CK includes known APT group behaviors. Hunt for techniques used by groups targeting your industry.

Example: APT29 (Cozy Bear) commonly uses:
- T1566.001: Spearphishing Attachment
- T1053.005: Scheduled Task
- T1027: Obfuscated Files or Information
- T1071.001: Web Protocols for C2

Hunt for these techniques if APT29 targets your sector.

4. Detection Gap Analysis

Map your existing detections to ATT&CK. Gaps are hunting priorities.

ATT&CK Navigator:

Use MITRE's ATT&CK Navigator tool to visualize coverage, plan hunts, and track which techniques you've investigated. Color-code the matrix to show coverage gaps.

Key ATT&CK Resources for Hunters

Technique Pages: Each technique includes detection recommendations and data sources
Data Sources: What telemetry is needed to hunt this technique
Mitigations: How to prevent or limit the technique
Procedure Examples: Real-world examples from APT groups

Common Hunting Techniques

1. Stack Counting

The most fundamental hunting technique: count occurrences and investigate outliers.

What to Stack Count

Process names: Find rare or misspelled executables
Process paths: Identify execution from unusual directories
Parent-child relationships: Detect abnormal process spawning
Network connections: Find rare destinations or ports
User agents: Identify non-standard tools
Commands executed: Spot suspicious command-line arguments
Registry modifications: Find rare registry changes
DLL loads: Detect unusual library loading

# Splunk example: Stack count process names, show rarest first
index=edr sourcetype=process
| stats count by process_name
| sort count
| head 50

# Example: Find rare parent-child combinations
index=edr sourcetype=process
| stats count by parent_process_name, process_name
| where count < 10

Why This Works:

In large environments, legitimate processes occur frequently. Malware, attacker tools, and exploitation artifacts are rare. Stack counting surfaces these needles in the haystack.

2. Frequency Analysis (Outlier Detection)

Identify statistical outliers in behavior patterns.

Frequency Analysis Applications

Login frequency: User logging in 100x more than peers
Data transfer volume: Workstation sending gigabytes externally
DNS query volume: System making 10,000 queries/hour
Failed authentication attempts: Account with excessive failures
Execution frequency: Process running far more or less than baseline

# Example: Find users with abnormally high login counts
index=windows EventCode=4624
| stats count by user
| eventstats avg(count) as avg_count, stdev(count) as stdev_count
| eval threshold=avg_count+(2*stdev_count)
| where count > threshold

3. Long-Tail Analysis

Focus on the rare, one-off events where threats hide.

Long-Tail Hunting Strategy

Aggregate data by key field (process, domain, user)
Sort by frequency (ascending)
Focus on bottom 5-10% (rare events)
Investigate items with count = 1 or < 5
Look for patterns in the rare items

# Example: Find rare domains accessed
index=proxy
| stats count by dest_domain
| sort count
| where count < 5

# Investigate: Are these typosquatting? DGA domains? Legitimate but obscure?

4. Beaconing Detection

Identify command-and-control beaconing by finding periodic network activity.

Beaconing Characteristics

Periodic timing: Connections every X seconds/minutes
Consistent size: Similar packet or request sizes
Regular intervals: Mathematical precision in timing
Persistent destination: Same IP/domain repeatedly

# Conceptual approach: Calculate time deltas between connections
# Group by source and destination
# Look for consistent intervals (stddev of deltas is low)
# Flag: Average delta is 30s, 60s, 300s, 600s (common beacon intervals)

Legitimate Beacons:

Not all beaconing is malicious. Software updates, heartbeats, monitoring agents also beacon. Baseline your environment to distinguish malicious from benign periodic activity.

5. Clustering and Peer Group Analysis

Group similar entities and find the outlier in each group.

Example: User Clustering

Group users by department, role, or behavior profile. If 99 accountants access similar systems and 1 accountant accesses development servers, investigate that outlier.

6. Time-Based Analysis

Hunt based on temporal patterns:

After-hours activity: Logins at 3 AM
Weekend activity: File access on Sundays in a 9-5 org
Rapid succession: Password spray across many accounts in minutes
Dormant accounts: Inactive for months, suddenly active

Threat Hunting Tools

Effective hunting requires the right tools for data collection, analysis, and visualization.

Data Collection and Query Platforms

SIEM Platforms

Splunk: Powerful search (SPL), visualizations, statistical functions
Elastic (ELK): Fast queries (KQL), scalable, Kibana dashboards
Microsoft Sentinel: Cloud-native, KQL queries, Azure integration

EDR Solutions

CrowdStrike Falcon: Process telemetry, memory forensics, threat graph
Microsoft Defender: Advanced hunting with KQL
Carbon Black: Process tree visualization, live response

Network Analysis

Zeek (Bro): Network protocol analysis, scripting
Wireshark: Packet capture and deep inspection
NetworkMiner: Artifact extraction from PCAP

Open-Source SIEM

Wazuh: Log collection, detection, EDR capabilities
Graylog: Log aggregation, search, alerting
OpenSearch: Fork of Elasticsearch, similar capabilities

Analysis and Investigation Tools

Jupyter Notebooks

Interactive analysis environment for threat hunting. Combine code (Python), queries, visualizations, and documentation in one place. Excellent for reproducible hunts.

HELK (Hunting ELK)

Pre-configured ELK stack optimized for threat hunting with Jupyter integration, pre-built analytics, and hunting-focused data models.

Velociraptor

Endpoint visibility and collection tool. Hunt across thousands of endpoints with VQL (Velociraptor Query Language). Artifact collection and analysis.

OSQuery

SQL-powered endpoint visibility. Query endpoints like databases. Cross-platform support. Integrate with fleet managers for at-scale hunting.

Threat Intelligence Integration

MISP

Malware Information Sharing Platform. Store, share, and correlate threat intelligence. IOC management and automated enrichment.

OpenCTI

Open-source threat intelligence platform. Knowledge graph of threats, TTPs, and observables. STIX 2.0 compliant.

TheHive

Security incident response platform. Case management for hunting findings. Integration with MISP and other intel sources.

Scripting and Automation

Python: Data analysis (pandas), visualization (matplotlib), automation
PowerShell: Windows environment hunting, Active Directory queries, remote execution
Bash: Linux/Unix hunting, log parsing, automation

Tool Selection Tip:

The best hunting tool is the one you know deeply. Master your SIEM's query language, learn its statistical functions, and understand its data model. Tool proficiency multiplies hunting effectiveness.

Documenting and Operationalizing Hunts

A hunt's value extends beyond the immediate findings. Proper documentation and operationalization multiply the impact of each hunting mission.

Hunt Documentation Best Practices

Essential Hunt Documentation Elements

Hunt Title and ID: Unique identifier and descriptive name
Date and Hunter: When performed, who performed it
Hypothesis: What you were looking for and why
Data Sources: Where you looked (SIEM, EDR, network logs)
Queries and Methods: Exact searches performed (reproducibility)
Findings: What you discovered (threats, false positives, benign)
Analysis: Your interpretation and conclusions
Recommendations: Follow-up actions, detections to create
Lessons Learned: Gaps discovered, methodology improvements

Example Hunt Template:

HUNT-2024-045: Scheduled Task Persistence Hunting

Date: 2024-03-15
Hunter: J. Analyst
Hypothesis: Attackers may use scheduled tasks for persistence
           after initial compromise.

Data Sources:
- Windows Event Logs (Event ID 4698)
- Sysmon logs (Event ID 1, process creation)
- EDR telemetry (task creation events)

Query:
index=windows EventCode=4698
| search TaskName!="*Microsoft*" TaskName!="*Google*"
| stats count by ComputerName, TaskName, Command
| where count < 5

Findings:
- 3 suspicious scheduled tasks discovered
- 2 confirmed malicious (credential harvesting)
- 1 false positive (legitimate admin tool)

Actions Taken:
- Created SIEM alert for similar task creation patterns
- Updated EDR blocking rules
- Notified IR team for containment

Recommendations:
- Baseline all legitimate scheduled tasks
- Enable scheduled task auditing on all endpoints
- Create monthly recurring hunt for this TTP

Operationalizing Hunt Findings

The ultimate goal: convert successful hunts into automated detections and improved security posture.

From Hunt to Detection

The Operationalization Process

Refine the Hunt Query: Optimize for performance and accuracy, reduce false positives
Create Detection Logic: Convert hunting query into real-time detection rule
Define Alert Severity: How critical is this finding?
Establish Response Playbook: What should SOC do when this triggers?
Test in Monitoring Mode: Run detection without alerting, validate accuracy
Deploy to Production: Enable alerting once validated
Tune Over Time: Refine based on false positive rate

The Hunting Flywheel:

Hunt → Find Threats → Create Detections → Free Up Hunting Time → Hunt More Advanced Threats → Improve Detections → Repeat

Each hunting cycle raises the bar. Automated detections handle known threats, allowing hunters to focus on novel, sophisticated attacks.

Knowledge Sharing

Hunt Library: Maintain a searchable repository of completed hunts
Playbooks: Document repeatable hunt procedures
Team Collaboration: Share findings, techniques, and lessons learned
Training: Use hunt results to train SOC analysts on new threats
External Sharing: Consider sharing anonymized hunts with security community

Measuring Hunt Effectiveness

Key Metrics for Hunting Programs

Hunt Frequency: Number of hunts per month/quarter
Coverage: Percentage of ATT&CK techniques hunted
True Positive Rate: Percentage of hunts finding actual threats
Dwell Time Reduction: Time from compromise to detection (hunting should reduce this)
Detections Created: Number of new detection rules from hunts
Gaps Identified: Blind spots discovered and addressed
Mean Time to Hunt (MTTH): How quickly can you investigate a hypothesis?

Avoid Vanity Metrics:

Don't measure success solely by "threats found." A hunt finding nothing malicious is still valuable if it validates your defenses, refines detection logic, or identifies telemetry gaps.

Continuous Improvement

After each hunt, ask:

What data would have made this hunt easier?
What new questions did this hunt generate?
How can we automate parts of this hunt?
What did we learn about our environment?
Are there related TTPs we should investigate next?

                The Hunter's Mindset: Every hunt is both an investigation and a learning opportunity. The goal isn't just to find threats today—it's to build a hunting program that becomes increasingly effective over time, making your organization a harder target for adversaries.
            

Summary: The Threat Hunter's Mission

                Threat hunting is proactive cybersecurity's highest expression. Hunters assume adversaries are present and actively search for evidence of compromise before automated systems detect it.
            

Key Takeaways

The Three Hunting Approaches

Hypothesis-Driven: Start with a theory about adversary behavior
Data-Driven: Let statistical anomalies guide investigation
Intelligence-Driven: Hunt based on external threat intelligence

Master all three—use them individually or in combination based on the situation.

The Hunting Loop

Hypothesis → Data → Analysis → Findings → Improve → Repeat

Each iteration strengthens defenses and hunter capabilities.

Core Hunting Techniques

Stack Counting: Find outliers by frequency
Long-Tail Analysis: Focus on rare events
Beaconing Detection: Identify periodic C2 activity
Clustering: Group and find the odd one out
Time-Based Analysis: Detect temporal anomalies

MITRE ATT&CK Framework

The hunter's essential reference. Map hunts to tactics and techniques. Use it to plan campaigns, identify gaps, and understand adversary behavior.

From Hunt to Detection

Operationalize findings. Convert manual hunts into automated detections. Document methodology. Share knowledge. Continuously improve.

The Hunter's Mindset

Think Like an Attacker, Act Like a Detective

Be curious—question everything, especially "normal"
Be methodical—document, measure, iterate
Be creative—adversaries don't follow playbooks, neither should you
Be persistent—most hunts find nothing, that's valuable too
Be collaborative—share findings, learn from peers

Next Steps in Your Hunting Journey

Practice: Use the Threat Hunting Lab to apply these concepts
Build Your Toolkit: Master your SIEM, EDR, and analysis tools
Study ATT&CK: Deep dive into techniques relevant to your environment
Start Small: Begin with simple stack counting hunts
Document Everything: Build your hunt library from day one
Join the Community: Follow threat researchers, read hunt reports, share your findings

                "Hunters don't wait for alerts. They actively search for threats, improve defenses, and raise the cost of attack. In the eternal cat-and-mouse game of cybersecurity, hunters shift the advantage to defenders."
            