Effective Threat Hunting
This post was written by Luke Rusten, our Director of Security Operations, and was originally published on his personal Substack. In this article, Luke delves into his approach to threat hunting, walking through a detailed example. Threat hunting is central to Recon’s security operations strategy, and Luke’s leadership continues to strengthen our threat detection and response capabilities.
Introduction
Before we dive into the mechanics of effective threat hunting and work through an example, it’s essential to understand why threat hunting is so important. Framing this will help guide how we approach our hunts. Here are some reasons threat hunting is critical:
-
Threats are often discovered after a compromise has occurred or a vulnerability is disclosed.
-
Detections are typically based on past observations, leaving gaps for novel attacks.
-
Threats can linger undetected for days, weeks, months, or even years before they’re uncovered.
While there are other reasons, these three points lead to one crucial concept: we won’t always detect new threats before they’ve been discovered. Knowing this helps us become more strategic in our approach to finding malicious activity, and in this post, I’ll explain how to hunt with these concepts in mind.
The Pyramid of Pain
If you want to read more about it you can read about it here, but the TL;DR: “This simple diagram shows the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them.”
When applied to threat hunting, we understand that searching for an IP address or Hash, may not be the best way to find the threat as these things frequently (and easily) change. Instead, focusing your threat hunting on indicators toward the top of the pyramid is far more productive.
Prioritizing The Hunt
Consider - Does this threat target my sector or industry? Is there a high probability I may be impacted? Do I have a lot of exposure to this threat?
If the answers to these questions are “no,” it might be worth re-prioritizing your hunt. Of course, if you have the resources to investigate more obscure threats, go for it—but for most, focusing on high-probability, high-impact threats is the most effective use of time and resources.
Continuous Improvement
I recommend tracking the following at a minimum:
- Hunt Environment: (Windows, MacOS, Linux, Cloud, etc)
- Number of new detections added
- Number of telemetry improvements
- Threat found (Yes/No)
Also, be sure to document your hunt and what you’ve learned. Your documentation will help describe what is normal for your environment, which can be valuable if you’re ever investigating an incident. Documenting your hunts is also important for both rerunning them in the future and continuously improving them over time.
Putting It Together: A Practical Example
First let's pretend we are the threat hunters responsible for protecting a hospital. We receive this advisory related to BlackSuit (Royal) Ransomware who is known to target healthcare. That checks one of our priority boxes!
In this report there are tons of IOCs (indicators of compromise) and TTPs (tactics, techniques and procedures) that are utilized by the ransomware group. Should we search for the hashes, filenames, IPs or domains? That might work. Instead I am going to focus on something at the top of the pyramid of pain.
In the report we see the threat actors use a tool called Chisel.
Chisel is a tool that can be used by attackers for various nefarious purposes. It can be used for C2 (command and control), data exfiltration, bypassing firewalls, etc. A few TTPs that map back to MITRE are:
T1071.001 - Application Layer Protocol: Web Protocols
-
Description: Adversaries may communicate using the application layer protocols associated with web traffic to avoid detection/network filtering by blending in with legitimate traffic. They often use port 443 (HTTPS).
-
Relevance: Since the connection is happening over port 443, the use of a common web protocol like HTTPS to conceal malicious traffic is a common technique.
T1090.002 - Proxy: External Proxy
-
Description: Adversaries may use external proxies to obfuscate their command and control communications by routing traffic through an external proxy such as a SOCKS proxy.
-
Relevance: The command includes :socks, indicating the use of a SOCKS proxy to relay traffic, which is common for masking communications between an infected host and the attacker’s infrastructure.
T1036.005 - Masquerading: Match Legitimate Name or Location
-
Description: Adversaries may use masquerading by placing an executable in a legitimate path, using a legitimate-sounding name, or leveraging built-in system executables (e.g., conhost.exe).
-
Relevance: The path C:\Users\Public\ combined with a legitimate-sounding executable like conhost.exe suggests potential masquerading.
Observations and Focus Areas
With these techniques in mind, here are some key indicators to investigate for this threat hunt:
-
Network connections initiated from binaries in C:\Users\Public\ or its subfolders. In my experience, very few legitimate executables should be making network connections from this location. Common false positives may include certain VPN clients or educational tools.
-
SOCKS client commands that are running throughout your environment.
-
Common Windows binaries executing from unusual directories.
Continuous Improvement: Close Visibility Gaps
For this threat hunt, we must confirm our visibility into these activities:
-
Do we have process creation/process tracking events that include command-line activity?
-
Are we monitoring network connection events, specifically those originating from our areas of concern?
While performing your threat hunt, you may find that you do not have the visibility, telemetry, or access required to answer important questions. That’s a great finding! Threat hunting will force you to identify and confront these types of gaps before an incident.
Continuous Improvement: Implement Better Detections
For detections, I highly recommend utilizing SigmaHQ—a fantastic resource for threat research and detection development. Each detection is mapped to the MITRE ATT&CK framework and comes with references for further exploration. Here are some relevant detections that could enhance our coverage against the threat from our example:
- Network Connection Initiated From Users\Public Folder
- System File Execution Location Anomaly
- PUA - Chisel Tunneling Tool Execution
Useful tip: Tools like uncoder.io or sigconverter.io will allow you to input a Sigma rule and output a hunting query that works with various tools. Check them out!
Conclusion
As I mentioned earlier we won’t always detect new threats before they’ve been discovered. Using the above methodology, we may find Chisel, or we may find any number of tools used by threat actors that share similar TTPs (regardless of hash, filename, destination IP, etc). We've also improved our detection capabilities, so whether it's Chisel or an entirely new tool, if it shares the same TTPs, we have a strong chance of detecting it.
By being methodical and purposeful in your hunts, you'll not only improve your detection capabilities, but also increase the difficulty for adversaries to operate undetected in your environment.