
Threat Hunting: How to leverage Threat Intelligence for proactive cyber defense

Oct 1, 2024 8 min read

Threat hunting is exciting because it transforms cybersecurity from a reactive to a proactive discipline. Instead of passively waiting for alerts, threat hunters actively seek out hidden threats, uncovering sophisticated attacks that evade traditional defenses. It’s like solving a high-stakes puzzle: every hunt is a chance to outsmart adversaries, discover new attack techniques, and protect valuable assets.

The dynamic nature of the job, where no two hunts are the same, challenges hunters to think creatively, adapt to constantly evolving threats, and stay ahead of cybercriminals. This sense of discovery, combined with the mission-critical impact of their work, makes threat hunting a thrilling and rewarding pursuit in the cybersecurity field.

In this article, I will explain the main tasks of threat hunters and propose a way to efficiently integrate threat intelligence with threat hunting in order to improve their campaigns.


What is Threat Hunting?

Threat Hunting is a proactive method used by Security Analysts to identify cyber threats in the organization’s network. It relies on iterative searches for indicators of compromise, for threats such as Advanced Persistent Threats (APTs), and for attacker tactics, techniques, and procedures (TTPs) that could damage existing systems.

This activity is mainly the responsibility of threat hunters, who are generally Tier-3 analysts. Here is a common methodology for threat hunting:

1. Preparation and Planning

  • Define Objectives: Clearly outline the goals of the threat hunt, such as detecting advanced persistent threats (APTs), insider threats, or specific types of malware. This can be driven by the publication of a new attack campaign.
  • Gather Intelligence: Collect threat intelligence from internal and external sources, including threat feeds, security bulletins, and past incident data.
  • Identify Key Assets: Determine which assets (e.g., servers, endpoints, networks) are most critical and likely to be targeted.

2. Hypothesis Development

  • Formulate Hypotheses: Create hypotheses about potential threats based on gathered intelligence and how they might manifest within the network.
  • Define Indicators of Compromise (IOCs): Identify specific artifacts that could indicate a compromise, such as unusual network traffic, file changes, or unauthorized access attempts.

3. Data Collection and Analysis

  • Collect Data: Gather relevant data from various sources including logs, network traffic, endpoint telemetry, and system configurations.
  • Baseline Normal Activity: Understand what normal behavior looks like for your environment to better identify anomalies.
  • Analyze Data: Use automated tools and manual analysis to sift through collected data and identify deviations from the norm that match your hypotheses.

4. Hunt Execution

  • Search for Threats: Conduct searches based on your hypotheses and IOCs across different data sources.
  • Use Tools and Techniques: Employ a combination of security tools (SIEMs, EDRs, NDRs) and manual techniques to spot unusual patterns and activities.
  • Iterate and Adapt: Continuously refine your searches based on initial findings and emerging intelligence.

5. Investigation and Response

  • Investigate Findings: Thoroughly investigate any anomalies or suspicious activities to determine if they are benign or indicative of a threat.
  • Contain and Mitigate: If a threat is confirmed, take steps to contain and mitigate the impact, such as isolating affected systems, removing malware, or changing compromised credentials.
  • Root Cause Analysis: Determine the root cause of the threat to understand how it bypassed existing defenses and to prevent recurrence.

6. Documentation and Reporting

  • Time For Feedback: Share the results of your hunt with all relevant stakeholders to provide them with the evidence they need to justify any changes required to improve your overarching security strategy.
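The steps above (baseline normal activity, formulate a hypothesis, search the data, investigate deviations) can be made concrete with a small hunt. The following is an added example, not code from the original article: it baselines logon behaviour per account from a constructed authentication log, then tests the hypothesis "an attacker is brute-forcing accounts from infrastructure we have never seen" against a hunt window. The log format, account names and addresses are all constructed.

```python
"""Hypothesis-driven hunt over constructed authentication logs.

Added example (not code from the original article). It baselines normal
logon behaviour per account, then tests the hypothesis "an attacker is
brute-forcing accounts from infrastructure we have never seen" against a
hunt window. Log format, accounts and addresses are all constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample lines: "<day> <user> <source_ip> <result>".
BASELINE_LOGS = """\
d01 alice 10.0.0.5 ok
d01 alice 10.0.0.5 fail
d01 bob 10.0.0.7 ok
d02 alice 10.0.0.5 ok
d02 bob 10.0.0.7 ok
d02 bob 10.0.0.7 fail
d03 alice 10.0.0.5 ok
d03 bob 10.0.0.7 ok
"""

HUNT_LOGS = """\
d04 alice 10.0.0.5 ok
d04 bob 203.0.113.9 fail
d04 bob 203.0.113.9 fail
d04 bob 203.0.113.9 fail
d04 bob 203.0.113.9 fail
d04 bob 203.0.113.9 ok
d04 carol 10.0.0.8 ok
"""


@dataclass(frozen=True)
class Event:
    day: str
    user: str
    src: str
    result: str


def parse(text):
    """Split whitespace-separated log lines into Event records."""
    return [Event(*line.split()) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per account: sources seen and mean/stdev of daily failed logons.

    Days with zero failures are counted explicitly; leaving them out would
    inflate the baseline and hide a burst of failures in the hunt window.
    """
    days = sorted({e.day for e in events})
    sources = defaultdict(set)
    fails = defaultdict(Counter)
    for e in events:
        sources[e.user].add(e.src)
        if e.result == "fail":
            fails[e.user][e.day] += 1
    baseline = {}
    for user, srcs in sources.items():
        daily = [fails[user][d] for d in days]
        baseline[user] = {"sources": srcs, "mean": mean(daily), "stdev": pstdev(daily)}
    return baseline


def hunt(events, baseline, z=3.0, min_fails=3):
    """Return one finding per (user, day) that deviates from its baseline."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.user, e.day)].append(e)
    findings = []
    for (user, day), evs in sorted(groups.items()):
        reasons = []
        if user not in baseline:
            # An account with no history cannot be compared; surface it for review.
            reasons.append("account absent from baseline period")
        else:
            b = baseline[user]
            nfail = sum(e.result == "fail" for e in evs)
            # Floor the statistical threshold so a quiet account is not flagged by one failure.
            threshold = max(min_fails, b["mean"] + z * b["stdev"])
            if nfail >= threshold:
                reasons.append(f"{nfail} failed logons, baseline threshold {threshold:.1f}")
            new_src = {e.src for e in evs} - b["sources"]
            if new_src:
                reasons.append(f"source never seen in baseline: {sorted(new_src)}")
            if any(e.result == "ok" and e.src in new_src for e in evs):
                reasons.append("successful logon from a previously unseen source")
        if reasons:
            findings.append({"user": user, "day": day, "reasons": reasons})
    return findings


def run():
    return hunt(parse(HUNT_LOGS), build_baseline(parse(BASELINE_LOGS)))


if __name__ == "__main__":
    for f in run():
        print(f"{f['user']} {f['day']}: " + "; ".join(f["reasons"]))
```

On the sample data, `bob` is flagged for all three reasons (four failures against a floored threshold of 3, a never-seen source, and a success from that source), `carol` is surfaced because she has no baseline at all, and `alice` stays quiet. The floor on the threshold is the caveat worth keeping: with only a few baseline days, mean plus three standard deviations can be below one failure, and without the floor every quiet account would fire on a single typo.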

How does CTI fit with Threat Hunting?

Cyber Threat Intelligence (CTI) plays a crucial role in threat hunting by providing the contextual information needed to identify, understand, and mitigate threats. Here’s how CTI fits into the threat hunting process:

1. Informing Hypotheses Development

  • Contextual Information: CTI provides detailed information about threat actors, their tactics, techniques, and procedures (TTPs), and past incidents. This helps hunters develop more informed and relevant hypotheses about potential threats in their environment.
  • Indicators of Compromise (IOCs): CTI offers IOCs such as IP addresses, domain names, file hashes, and signatures associated with known threats. These IOCs can be directly used to craft hypotheses and guide searches within the network.

2. Enhancing Data Analysis

  • Threat Patterns: CTI helps identify patterns of malicious behavior. By knowing how certain types of threats typically manifest, hunters can better analyze data for anomalies that match these patterns.
  • Prioritization: CTI allows hunters to prioritize their efforts by focusing on threats that are more likely to target their specific industry or organization. This ensures that the most relevant and dangerous threats are addressed first.

3. Improving Detection Capabilities

  • Behavioral Indicators: Beyond IOCs, CTI provides behavioral indicators that describe how threats operate. This can include methods of lateral movement, persistence mechanisms, and exfiltration techniques, which are critical for detecting advanced threats.
  • Emerging Threats: CTI keeps hunters informed about new and emerging threats. This ensures that threat hunting efforts are up-to-date and capable of addressing the latest attack methods.

4. Guiding Response and Mitigation

  • Contextualizing Findings: CTI helps contextualize findings during a threat hunt. When a potential threat is identified, CTI can provide background information on the threat actor, possible motives, and associated attack vectors, which aids in a more effective response.
  • Mitigation Strategies: CTI often includes recommended mitigation strategies for specific threats. This information is valuable for quickly containing and neutralizing threats that are discovered during a hunt.

5. Continuous Improvement

  • Feedback Loop: The results of threat hunting activities feed back into the CTI process. New findings and insights from threat hunts can enhance CTI, making it more robust and accurate over time.
  • Threat Landscape Awareness: Regularly integrating CTI into threat hunting keeps hunters aware of the evolving threat landscape, helping them stay proactive and adaptive in their defense strategies.

How to effectively use OpenCTI for Threat Hunting?

  • Preparation: Before starting a hunt, hunters review OpenCTI reports to understand the latest threats targeting their industry. Custom dashboards can help prioritize threats or attack campaigns relevant to their context (organization, industry, location, supply chain).
(Screenshot: Report view in OpenCTI)
  • Hypothesis Development: Based on what the review of the reports and security dashboards has surfaced, hunters formulate specific hypotheses such as “Threat actor LockBit is likely to use spear-phishing emails with malicious attachments.”
  • Creation of a Hunt campaign: OpenCTI case management is a great tool for overseeing a series of tasks, which can be based on custom templates. Assigned team members can collaborate in real time and share their insights and analysis.
(Screenshot: Creation of a Hunt Campaign)
  • Assigned Threat Hunters go through the different tasks:
(Screenshot: Assigned tasks)
  • The Threat Hunting case acts as a container to store any intelligence useful for the hunt:
    • Reports related to the threat hunting campaign
    • Any external references that can also be useful
    • Once done, progress can be tracked in the tasks list
(Screenshot: Case as a container in OpenCTI)
  • From the collected sources (reports and external references), hunters scope the hunt and identify IoAs, IoCs and vulnerabilities. The OpenCTI investigation feature is well suited to this task: in one click, all the content attached to the case can be opened in an investigation sandbox.
(Screenshot: Investigation Sandbox)
  • Graph visualization from the investigation is an ideal tool for quickly identifying and classifying entities and their relationships. Hunters can pivot from the report to the reported attack campaign, then from that entity to another, and so on, which lets them identify the specific IOCs, IOAs and vulnerabilities used in or associated with this campaign.
(Screenshots: Graph visualization in OpenCTI, and the same view in the knowledge graph)
  • Once the investigation is done, all the relevant threat intelligence that has been identified can be attached to the original threat hunting case…
(Screenshot: Add your investigation to the container (Case))
  • …and then be exported for the actual hunt:
(Screenshot: Case (Container) View of the Hunt)
  • You’re all set for the hunt:
(Screenshot: Completed tasks view)
  • After the hunt, whether or not traces of an actual attack have been found, comes the reporting phase. This can be a tedious but necessary task: sharing your work with your team, other teams or senior management.
    • OpenCTI can assist you in that reporting task with “Ask AI”. Our AI summarizes the whole case from all the attached content and writes it for the desired audience, at a length suited to who the report is targeting.
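The walk-through ends with the case content being exported for the actual hunt, and the CTI section earlier noted that IOCs from threat intelligence can be used directly to guide searches. What that looks like on the hunter's side is shown below as an added example, not code from the article or from the OpenCTI project. OpenCTI exports a case and its attached objects as a STIX 2.1 bundle; the bundle here is constructed sample data standing in for such an export (trimmed to the fields the loader reads), and the log lines, host names, address and hash are constructed too. The parser deliberately handles only simple STIX equality comparisons (`[type:path = 'value']`, optionally joined by `OR`) and reports anything else as unparsed rather than dropping it silently.

```python
"""Load hunt IOCs from a STIX 2.1 indicator bundle and run them over logs.

Added example, not code from the article or from OpenCTI. The bundle is
constructed sample data in the shape of a STIX 2.1 export; log lines, host
names, the address and the hash are constructed as well.
"""
import json
import re
from datetime import datetime

# Placeholder hash (constructed): 64 hex characters, like a real SHA-256.
SAMPLE_SHA256 = "0" * 63 + "1"

# Constructed bundle, trimmed to the fields the loader reads.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--11111111-1111-4111-8111-000000000001",
         "name": "Phishing staging domain",
         "pattern": "[domain-name:value = 'files-update.example']",
         "valid_from": "2024-09-20T00:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--11111111-1111-4111-8111-000000000002",
         "name": "Dropper hash and C2 address",
         "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}'] OR "
                    "[ipv4-addr:value = '198.51.100.23']",
         "valid_from": "2024-09-20T00:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--11111111-1111-4111-8111-000000000003",
         "name": "Old campaign domain",
         "pattern": "[domain-name:value = 'expired.example']",
         "valid_from": "2022-01-01T00:00:00.000Z",
         "valid_until": "2023-01-01T00:00:00.000Z"},
    ],
})

# Constructed log lines: a web proxy feed and an EDR file-hash feed.
HUNT_LOGS = [
    "2024-10-01T09:12:03Z host-17 GET http://files-update.example/update.bin 200",
    "2024-10-01T09:12:05Z host-17 GET http://intranet.example/ 200",
    f"2024-10-01T09:12:10Z host-17 file-created update.bin sha256={SAMPLE_SHA256}",
    "2024-10-01T09:13:44Z host-22 CONNECT 198.51.100.23:443 200",
    "2024-10-01T09:15:00Z host-09 GET http://expired.example/ 200",
]

COMPARISON = re.compile(r"\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]")
HOST_RE = re.compile(r"https?://([^/\s:]+)")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_iocs(bundle_json, as_of):
    """Return ({value: (indicator name, 'type:path')}, [unparsed indicator ids]).

    Revoked, not-yet-valid and expired indicators are dropped: a domain the
    CTI says was only malicious in 2022 produces noise, not findings.
    """
    now = parse_ts(as_of)
    iocs, unparsed = {}, []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            unparsed.append(obj["id"])
            continue
        until = obj.get("valid_until")
        if parse_ts(obj["valid_from"]) > now or (until and parse_ts(until) < now):
            continue
        comps = COMPARISON.findall(obj["pattern"])
        # Whatever remains after removing comparisons and ORs is syntax we do not handle.
        leftover = COMPARISON.sub("", obj["pattern"]).replace("OR", "").strip()
        if not comps or leftover:
            unparsed.append(obj["id"])
            continue
        for otype, path, value in comps:
            iocs[value.lower()] = (obj.get("name", obj["id"]), f"{otype}:{path}")
    return iocs, unparsed


def observables(line):
    """Pull URL hosts, IPv4 addresses and SHA-256 hashes out of a log line."""
    found = HOST_RE.findall(line) + IPV4_RE.findall(line) + HASH_RE.findall(line)
    return {v.lower() for v in found}


def match_logs(lines, iocs):
    """Return one hit per (line, IOC value) pair, in log order."""
    hits = []
    for line in lines:
        for value in sorted(observables(line) & set(iocs)):
            name, otype = iocs[value]
            hits.append({"indicator": name, "observable": otype, "value": value, "line": line})
    return hits


def run(as_of="2024-10-01T00:00:00Z"):
    iocs, unparsed = load_iocs(STIX_BUNDLE, as_of)
    return match_logs(HUNT_LOGS, iocs), unparsed
```

Calling `run()` yields three hits (the staging domain, the dropper hash and the C2 address) and no unparsed indicators; the `expired.example` request is not reported even though the bundle contains it, because its `valid_until` predates the hunt date. Passing the same bundle with an `as_of` in 2022 inverts that, which is the check to run whenever a hunt comes back empty against a large IOC set: confirm the indicators were actually valid for the period being hunted.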

Conclusion

Threat Hunting is still considered a new discipline in too many organizations, which mainly rely either on preventing threats or on waiting for alerts to be raised. Hunting makes it possible to proactively look for the early signs of an advanced attack and to mitigate it as soon as possible, thus limiting its impact.

Is OpenCTI a good tool for threat hunters?
Yes! This process, which requires technical expertise, analytical skills and creativity from the hunters, is primarily manual, but it can be greatly assisted by threat intelligence.
Having a threat intelligence platform helps you scope, organize and gather all the materials required for a good hunt, as I showed in this article.

If you have any comment, question or feedback, connect with us on Slack!
