SOC Strategies And Best Practices For Hunting Unknown Threats

Diamond Model Centered-Approaches to Hunt

While there are a variety of approaches you can take with your hunt strategies, perhaps one of the most widely accepted is the Diamond Model centered-approach attributed to Active Response. The Diamond Model seeks to establish a formal method of applying scientific principles to intrusion analysis in terms of measurement, testability, and repeatability. Its approaches focus on four core features of the most basic underlying elements of most intrusion activity, which are infrastructure, victim or target, capability, and adversary or attacker. One of the biggest advantages of the Diamond Model is how the relationships between its four core approaches allow a hunter to easily pivot from one approach to another as the hunter gains new insights or discovers new malicious activity using any one of those approaches.

Infrastructure-centered approach

When initiating a hunt, many seasoned cyber threat hunters like to focus on the infrastructure approach first, and from there move to the target, attacker, or capabilities approach next. As the name suggests, “the infrastructure-centered approach focuses on the malicious infrastructure” an attacker might use or might have used to compromise your environment. The idea is that as part of your investigation of a malicious infrastructure it often becomes easier to hypothesize who the bad actor is, what was being targeted, or what capabilities were used in the compromise. You might find interaction activity between a target in your environment and the attacker’s infrastructure. Perhaps you’ll discover a threat payload, toolkit, or living-off-the-land activity (capability) delivered or controlled from within the infrastructure.

A major advantage of the infrastructure approach is its ability to provide more predictive gains over the other approaches since that infrastructure has to be in place before attackers can connect with your environment and employ whatever capabilities they have at their disposal. Often times just being able to discover something on the malicious infrastructure side enables you to early on stop a threat from spreading or even infiltrating your environment by setting up pre-emptive defenses. And that’s what hunt is all about, being proactive and predictive, rather than reactive.

One of the disadvantages of the infrastructure approach can be limited access to data. Your hunters might need to look for hosts in areas of your organization’s environment that they aren’t allowed to see, such as financial servers, human resources information, and other sources. When you limit hunters’ access to data, you limit what they can hunt. That’s one of the many reasons why it’s important to make sure you have executive buy-in on your hunt efforts—so hunters can get all the access they need to be successful.

Target-centered approach

In the target-centered approach, also referred to as the victim-centered approach, the attacker’s target becomes the central element of your hunt. In many ways the target approach is equivalent to a honey pot. You’re trying to attract adversaries to make it easier to hunt and discover bad actors, network attacks, malicious email deliveries, and other threats. Some hunters put more emphasis on the target approach because it’s fairly easy to implement and has a high likelihood of producing actionable results that might coincide with your hypothesis. Your hunters can log those results and report them to your SOC, enabling them to produce content or use cases for your SIEM to monitor. By doing that, you free your hunt team from having to hunt that activity in the future since it becomes a standard use case that your SOC can use to continuously track and monitor.

One of the disadvantages of the target approach is that it has the potential to reveal too many use cases. Trying to follow up on all those use cases can cause you to stray from your hypothesis and essentially start hunting in the wild where you’re no longer following defined processes or best practices. To keep that from happening when using this approach, it’s best if hunters try to focus on one phase of the attack lifecycle, such as infiltration, lateral movement, or data gathering.

Capability-centered approach

The capability-centered approach focuses on analysis of an attack’s capabilities and then uses available intelligence to help the hunter make connections between those capabilities and the attacker’s potential targets and infrastructure. It can also give the hunter insights on technologies used, and perhaps even the attacker himself. To pursue the capability-centered approach many organizations leverage subscriptions to external threat intelligence or their own threat intelligence libraries. Those without access to those types of intelligence sources might take advantage of community-driven intelligence libraries like VirusTotal.

Mature SOCs take a serious approach to the intelligence available to them, whether it comes from industry, government, or open sources. They make the exploration and analysis of that intelligence a standard part of their processes and procedures. Part of that exploration assists them in building out their future threat detection, mapping out what was once unknown into the known. Another significant part is to determine if any new threats in that intelligence already exists in their environment that they need to hunt out. Whatever your intelligence sources might be, your ability to optimize that intelligence whether for hunt or detection depends largely on the sophistication and expertise of your analysts and hunters, as well as the tools you make accessible to them.

Attacker –centered approach

The attacker-centered approach, also known as the adversary-centered approach, typically looks for information on the attackers themselves. Getting visibility on the attacker can be the holy grail of hunting. When successful, it’s the stuff of headlines. Not only can it expose nefarious activity that few people might be aware of, but it can reveal a digital trail of information that can provide beneficial insights on the attacker’s tactics and techniques. And if you can combine that with the infrastructure and capabilities part of the equation, you can build a broad picture of possible breaches or threats going on in your environment and elsewhere that you can leverage in your overall hunt and defense initiatives.

Unfortunately, the attacker-centered approach is one of the most difficult approaches to pursue. Unless you have access to legal channels for acquiring the information you need, you can run into dead ends before you start. A simple thing such as asking an ISP for information on who owns an IP address will likely go unanswered. While there are free means to discover a domain name owner, getting the actual detailed information needed for the hunt usually requires legal intervention, such as a warrant.

Another difficulty with the attacker-centered approach is that to be able to attribute an attack to a specific person, many aspects of the attack need to stay the same for an extended period of time. For example, will the attacker keep using the same IP address long enough for you to figure out who it belongs to? Probably not. Sophisticated attackers recognize the need to mask or change those types of things frequently. The difficult nature of the attacker-centered approach makes it one that is not usually recommended to pursue unless you have insight and access to the needed information that most organizations usually don’t have.

Follow your plan

Whatever your planned approaches to proving your hypothesis, follow the plan you developed using the four key questions discussed previously. That doesn’t mean you never pivot to pursue different paths or approaches. Rather it means structure your searches in way that supports your effort to prove or disprove your hypothesis. When your searches follow a more structured plan, you’ll end up with richer results that can give you more opportunities to pivot off that data into other avenues that provide even more information to help support or disprove your hypothesis. Following your plan, including sticking to your decided upon timeline, helps keep you on track so you don’t waste time pursuing aimless paths that don’t produce beneficial results.

Best tools for the hunt

From being able to quickly search large data sets to offering rich data visualization, the primary tool you use for your hunt should empower your hunters to quickly make the best decisions possible based on the information they have available. It needs to allow them to easily explore their hypotheses without necessarily having to be data scientists. But at the same time, that tool needs to be powerful enough and sophisticated enough to empower data scientists to easily dig deeper, including enhancing their ability to use their own Python code and libraries for custom statistical modeling and visualization. Ideally, that tool should also make it easier to automate and expedite your response to discovered threats through seamless integration with security orchestration automation and response (SOAR) solutions.

Whatever the expertise and sophistication of your hunters, ArcSight Investigate from Micro Focus enables hunters and analyst to be more successful in their hunt efforts. Its built-in security analytics increase hunt efficiency and provide ease of use with pre-defined visuals defined for specific use cases that removes guess work from investigative processes. With a point and click of the intuitive search interface, hunters can easily create complex search queries to find the data they’re looking for. If they want to go deeper into the data, sophisticated hunters can use their own custom Python code to perform advanced statistical modeling or data manipulation directly in Vertica, the high performance analytics platform that powers Investigate on the backend.

The columnar database in Vertica delivers responses to queries much faster than traditional row-oriented databases and handles analytics at an exabyte scale. It enables Investigate to execute searches up to 10X faster than other hunt tools and return results in seconds on data that spans even months or years. By allowing hunters to search and ask questions at scale, Investigates enables them to explore larger sets of data, faster. Investigate then presents that information in a friendly, more human readable format. And its flexible nature makes it easy to pivot off that information to follow a new path of clues or even shift to a different hunt approach.

The visual analysis of potential threat indicators in Investigate makes it easy for hunters to detect threats that elude machine correlation and other analytical tools. Its analytics-driven, guided investigation enables hunters to do more with less, accelerating both threat detection and incident investigation. Investigate also integrates with Siemplify, Demisto, and Micro Focus Operations Orchestration to allow hunters to engage the automated response of those SOAR solution without ever leaving the Investigate user interface.