How To Improve Threat Hunting Success With The "Right" Intel Using 3 Basic Questions

Unlock Peak Threat Hunting Performance with Smarter Intel Integration

Welcome! If you’re looking to sharpen your threat hunting game and tangibly measure your success, you’ve come to the right place. Today, we’re diving into how strategic use of threat intelligence can transform your threat hunting program from a good effort into a highly effective defense mechanism.

We’ll tackle three pivotal questions. Answering these will help you leverage threat intel more efficiently during your hunts and provide a framework to evaluate and consistently upgrade your approach. This discussion builds upon concepts I explored in a SANS paper back in 2018, now brought to life with fresh perspectives. The goal remains the same: to challenge and ultimately enhance your threat hunting capabilities.

The Power of Modeling: Quantifying Your Hunt

To truly gauge and improve our efforts, we need a way to measure them. This involves a modeling approach, allowing us to perform both quantitative and qualitative analysis. Let’s lean into the numbers for a moment.

1. Modeling Attacker Capabilities:

Effective threat intelligence is your best friend here. It helps you build a detailed map of an attacker’s potential actions. Imagine an adversary, let’s call them “Neurotic Squirrel.” We can break their attack down into stages using a framework such as the Lockheed Martin Cyber Kill Chain or the SANS ICS Cyber Kill Chain, and then decompose each stage:

  • Attack Stage: For instance, within an “Installation” stage of an ICS attack.
  • TTPs (Tactics, Techniques, and Procedures): Here, the attacker might use a tool like PSExec. This becomes a specific TTP.
  • Observables: What digital footprints does PSExec leave? These are your observables – traces on the network or host logs.
  • Observable Sources: Where would you find these footprints? Access to an admin$ share, for example, might appear in Zeek (formerly Bro) SMB logs or be visible as SMB connections in NetFlow data.


By building these tree-like models for attacker TTPs, you compile a catalog of observables. The work feels intensive at first, especially when documenting common tools, but the models become richer over time, and because many threat actors reuse the same publicly available tools, a model built for one actor is often reusable for the next. This modeling will be crucial when we discuss coverage.

2. Modeling Your Defensive Hunt Strategies:

Just as we map out attacker methods, we can model our own threat hunting activities. Some call these “playbooks,” while others might refer to them as hunting TTPs.

  • Threat Hunt Engagement: For a hunt focused on “Neurotic Squirrel,” you might have specific playbooks.
  • Playbooks/Hunt TTPs: These could be tool-focused (e.g., a PSExec playbook) or capability-focused (e.g., what can we find with NetFlow analysis across various actors?).
  • Observables within Playbooks: A PSExec playbook would target specific observables, like admin$ share access or rundll32.exe artifacts.
  • Observable Sources for the Hunt: These are the data sources you actively analyze during that playbook or hunt.


This parallel modeling of your defensive actions is vital for understanding your actual coverage against threats.

Key Questions to Elevate Your Threat Hunting

Now, let’s delve into the three questions that can help you refine your program:

Question 1: How Well Do Your Hunt Techniques Cover Known Attacker TTPs?

Think of a Venn diagram. On one side, you have “Known Attacker TTP Observables” – information gleaned from threat intelligence sources (e.g., “Neurotic Squirrel uses PSExec,” “APT29 employs Tactic X”). This is what your intel tells you threat actors are doing.

On the other side, you have “TTPs Reviewed During Your Threat Hunt” – what your team is actively looking for.

The sweet spot, the overlap in the middle, is where your highest probability of detecting known threats lies. If an attacker’s TTP falls outside this overlap, you are relying on chance for detection. The aim is to maximize the overlap so that your hunts are directly relevant to known actor behaviors.

Essentially, by comparing your attacker TTP model (what they do) with your threat hunt TTP model (what you look for), you’re checking for alignment between their observables and your search parameters. If you know about 100 observables for a particular threat and your hunt plan actively looks for 90 of them, you have 90% coverage for those known elements. This measures the completeness and relevance of your hunt. While detecting unknown TTPs is possible, it’s inherently more challenging than finding what you’re specifically targeting.

Question 2: Are You Maximizing Your Data? (Data Used vs. Data Potentially Available)

This is where our detailed modeling truly shines. Let’s revisit the “Neurotic Squirrel” PSExec example and its observable sources.

  • Scenario 1 (Good Coverage): For the observable “access to admin$ share,” if your model identifies three potential data sources (e.g., Zeek SMB logs, NetFlow, specific host logs) and your hunt utilized two of them, you collected data from two-thirds of the potential opportunities.
  • Scenario 2 (Gap Identified): Imagine another observable for PSExec is “backdoor transferred via SMB.” If your hunt didn’t pull data from any of the sources that could reveal this, then detecting this specific activity becomes pure luck. This is a clear area for improvement – perhaps you need to incorporate new data sources or ensure existing ones are processed for relevant artifacts.
  • Scenario 3 (Excellent Coverage): If you’re looking for a “new rundll32.exe process” spawned by PSExec and your hunt successfully utilized both event logs and netstat output (or similar process/network monitoring tools), you’ve achieved 100% coverage for the modeled sources for that observable. Your likelihood of detection here is significantly higher.

This question pushes you to evaluate the quality of your data collection, processing, and, crucially, its utilization in hunts. It helps you make concrete statements like, “57% of observable sources related to Neurotic Squirrel’s PSExec TTP are currently being leveraged in our hunts.” This establishes a baseline and allows you to set improvement goals (e.g., “Let’s increase that to 75%”). Gaps, like the SMB backdoor example, highlight where you need to enhance data collection or analytical techniques entirely.

Question 3: Which Intel Sources Drive the Most Effective Hunt Techniques?

This final question helps you assess how effectively your organization translates threat intelligence into actionable hunting and which intel sources provide the most bang for your buck. All programs operate under budget constraints, so prioritizing high-value intel is key.

Consider your observable model again.

  • Perhaps “Threat Intel Source A” (tag each observable in your model with the intel source that reported it) points you toward observables covering two critical attack branches.
  • Meanwhile, “Threat Intel Source B” might cover fewer branches overall, but hunts based on its intel are consistently more successful at actually detecting threats.


This analysis helps you understand two things:

  1. Actionability: Are you effectively operationalizing your intelligence?
  2. Impact: Which sources lead to successful detections and offer the highest value to your specific hunting program?


While one source might offer broader coverage (more branches), another might be more precise or relevant to the threats you face, leading to better detection outcomes. This understanding allows you to prioritize intel subscriptions or feeds that deliver the best results for your unique environment.
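To make the three metrics concrete, here is an added example (my own illustration, not code from the original article or from Insane Cyber) that encodes the Neurotic Squirrel PSExec model from Questions 1, 2 and 3 as Python dictionaries and computes TTP coverage, data-source utilization, and per-intel-source actionability and impact. The actor, the observables, the source names such as zeek_smb, the intel feeds Source A and Source B, and the detection outcome are all constructed sample data, not real intelligence.

```python
"""Coverage metrics for intel-driven threat hunting (added example)."""

# --- Attacker model (constructed sample data, not real intel) ---
# actor -> TTP -> observable -> {"sources": modeled data sources,
#                                "intel": intel feeds that reported it}
ATTACKER_MODEL = {
    "Neurotic Squirrel": {
        "PSExec": {
            "admin$ share access": {
                "sources": {"zeek_smb", "netflow", "host_smb_log"},
                "intel": {"Source A"},
            },
            "backdoor transferred via SMB": {
                "sources": {"zeek_files", "zeek_smb"},
                "intel": {"Source A"},
            },
            "new rundll32.exe process": {
                "sources": {"windows_event_log", "netstat"},
                "intel": {"Source B"},
            },
        },
    },
}

# --- Hunt model: what the team actually analysed (constructed) ---
# playbook -> observable -> sources actually reviewed during the hunt
HUNT_MODEL = {
    "PSExec playbook": {
        "admin$ share access": {"zeek_smb", "netflow"},
        "new rundll32.exe process": {"windows_event_log", "netstat"},
    },
}

# Constructed hunt outcome: observables that produced a confirmed detection
DETECTIONS = {"new rundll32.exe process"}


def known_observables(actor):
    """Flatten the attacker model into observable -> {sources, intel}."""
    flat = {}
    for ttp in ATTACKER_MODEL[actor].values():
        flat.update(ttp)
    return flat


def hunted_sources():
    """Flatten every playbook into observable -> sources actually analysed."""
    flat = {}
    for playbook in HUNT_MODEL.values():
        for obs, srcs in playbook.items():
            flat.setdefault(obs, set()).update(srcs)
    return flat


def ttp_coverage(actor):
    """Q1: fraction of known observables that some playbook hunts for
    using at least one of the modeled sources."""
    known = known_observables(actor)
    hunted = hunted_sources()
    covered = [o for o in known if hunted.get(o, set()) & known[o]["sources"]]
    return len(covered) / len(known)


def data_utilization(actor):
    """Q2: per-observable (used, modeled) source counts and the overall
    fraction of modeled sources the hunt actually analysed."""
    known = known_observables(actor)
    hunted = hunted_sources()
    per_obs, used, total = {}, 0, 0
    for obs, meta in known.items():
        analysed = hunted.get(obs, set()) & meta["sources"]
        per_obs[obs] = (len(analysed), len(meta["sources"]))
        used += len(analysed)
        total += len(meta["sources"])
    return per_obs, used / total


def gaps(actor):
    """Observables where no modeled source was analysed: detection is luck."""
    per_obs, _ = data_utilization(actor)
    return sorted(o for o, (used, _) in per_obs.items() if used == 0)


def intel_source_value(actor):
    """Q3: per intel feed, observables supplied, observables actually hunted
    (actionability) and observables that produced detections (impact)."""
    known = known_observables(actor)
    hunted = hunted_sources()
    report = {}
    for obs, meta in known.items():
        for feed in meta["intel"]:
            r = report.setdefault(feed, {"supplied": 0, "hunted": 0, "detected": 0})
            r["supplied"] += 1
            if hunted.get(obs, set()) & meta["sources"]:
                r["hunted"] += 1
            if obs in DETECTIONS:
                r["detected"] += 1
    return report


if __name__ == "__main__":
    actor = "Neurotic Squirrel"
    print(f"Q1 TTP coverage: {ttp_coverage(actor):.0%}")
    per_obs, overall = data_utilization(actor)
    for obs, (u, t) in per_obs.items():
        print(f"  {obs}: {u}/{t} modeled sources used")
    print(f"Q2 data utilization: {overall:.0%}; gaps: {gaps(actor)}")
    for feed, r in intel_source_value(actor).items():
        print(f"Q3 {feed}: {r}")
```

Run as-is and the numbers line up with the text: two of the three known observables are hunted (67%), four of seven modeled sources are used (57%), the SMB backdoor transfer is the gap, and Source B supplies fewer observables than Source A but the only one that produced a detection. The practical next step is to replace the two dictionaries with exports from your intel platform and hunt tracker so the same functions report on your real coverage.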

Moving Forward: From Insight to Action

By consistently asking these three questions and using a modeling approach, you can systematically improve your threat hunting program. You’ll gain a clearer understanding of your coverage, the completeness of your data usage, and the true value of your intelligence sources.

These are just a few ways to analyze and enhance your efforts. The journey to a mature threat hunting program is ongoing, but with a structured approach, you can maximize your team’s effectiveness and significantly boost your organization’s resilience against sophisticated attacks.

Feel free to explore these concepts further and adapt them to your own environment. Contact Insane Cyber to help secure your OT environment. 
