Hunting for Threats

The release of Mandiant's APT1 report gave information security professionals a deep insight into one of the most experienced and prolific threat groups in operation. The detail on Chinese PLA Unit 61398 also provided context around how these sophisticated threat actors work. The term Advanced Persistent Threat (APT) became part of the information security lexicon. Information security professionals and incident responders now had insight into threats that conducted their activities without detection, over a significant period of time.

Continued research has also demonstrated that organizations still lag far behind in their ability to detect a breach that has occurred or is currently ongoing. The 2018 Cost of a Data Breach Study: Global Overview, authored by IBM and the Ponemon Institute, found that across the 477 organizations surveyed, an average of 197 days passed before a breach was detected. This average indicates that threat actors had over half a year to conduct their activities free from defenders' actions.

Given the threat that APTs pose, coupled with the average time even moderately sophisticated groups can spend in a target network, organizations have started to move from passive detection and response to a more active approach to identifying potential threats in the network. This practice, called threat hunting, is a proactive process in which digital forensics techniques are used to analyze systems and network components to identify and isolate threats that have previously gone undetected. As with incident response, threat hunting is a combination of processes, technology, and people. It does not rely on preconfigured alerting or automated tools, but rather incorporates various elements of incident response, threat intelligence, and digital forensics.

This chapter will provide an overview of the practice of threat hunting by examining several key elements.

The first is the threat hunting maturity model, which provides a framework for the various aspects of threat hunting. The second is the threat hunt cycle, which describes the threat hunting process from start to finish. Third, because threat hunting is a proactive process, effective planning is necessary to ensure it is properly executed, so this chapter also provides an overview of how to plan for a threat hunt. Understanding these topics will give you the foundation to incorporate threat hunting into your own operations and put you in a better position to identify previously unidentified threats.

We will cover the following topics in this chapter:

  • The threat hunting maturity model
  • The threat hunt cycle
  • MITRE ATT&CK
  • Threat hunt planning
  • Threat hunt reporting