TTP hunting is an intelligence-based type of cyber threat hunting that analyzes the latest TTP (Tactics, Techniques, and Procedures) used by hackers and cybercriminals. TTP threat hunters study the newest tools and technologies used by cybercriminals, learn how to detect new attack trends, and gather enough cyber threat intelligence so that companies can fully protect their attack surface.
What is Cyber Threat Hunting?
Cyber threat hunting involves proactively seeking out potential cyber attacks that could exploit new vulnerabilities and creating a security plan to protect against them. In order to do so, threat hunters must be highly knowledgeable about the latest threat landscape so that they can defend themselves or their companies from new and advanced threats.
Although the traditional security measures can protect against most cyber threats, it’s often the less common but far more sophisticated malware that can cause the most damage. Once the hackers are in the system, they can move freely without being detected while slowly performing data exfiltration. Without active threat hunting, companies put themselves at risk of millions of dollars in damages.
The main goal of cyber threat hunting is to take proactive measures before any malicious activity occurs, rather than waiting for an attack to happen to respond. While threat detection monitors current systems to identify any security issues, threat hunting goes one step further by attempting to establish preventative measures. Companies and individuals can provide better network security and endpoint protection from threat actors by understanding the latest TTP.
Cyber Threat Hunting vs. TTP Hunting
TTP hunting is a form of cyber threat hunting that focuses on the specific behaviors, attack patterns, and operational techniques that threat actors use. TTP hunting proactively anticipates an attack by creating correlations with past cyber attacks to pinpoint potential sources.
TTP Hunting Methodology
Because TTP hunting relies on increased awareness and experience in the industry, threat hunters can create hypotheses to test based on the data and their extensive knowledge. Their expertise helps them prioritize which potential threats to test and target first. In order to execute a successful hunt, most threat hunters use the following processes:
1. Learn the Threat Landscape
The changing landscape of new malware technology requires TTP or cyber threat hunters to think like threat actors. An effective threat hunter would need to demonstrate high levels of creative thinking and analytical skills to get ahead of any cyber threats. In addition, they must also stay informed of the newest threats by using open source intelligence methods, such as scanning the dark web or combing the internet for potential attack vectors.
Some questions they would need to consider:
- How would a potential hacker attempt to access the network from the outside?
- What are known attack behaviors or techniques that past cybercriminals have used?
- Where would be the most accessible entry point to exploit a vulnerability?
In 2013, the Mitre Corporation created the MITRE ATT&CK framework (Adversarial, Tactics, Techniques, & Common Knowledge), a comprehensive, globally-accessible database of cybercriminal tactics. This database helps generate visibility into the full scope of attacks and is highly recommended for companies looking to improve their security posture.
2. Collect Data to Create Threat Models
Threat hunters can use various security tools to help them manage and analyze data to uncover anomalies. They can then use the data sets to create threat models, representing the organization’s entire attack surface and every possible threat scenario. Each scenario becomes a testable hypothesis, which is left up to the team to decide which ones are most likely to become a real threat.
Some commonly used security tools are:
- Security Information & Event Management (SIEM) - SIEM tools combine security information management (SIM) and security event management (SEM) to provide real-time monitoring and analysis of systems. They feed valuable event reporting and logging insights into potential security threats directly to an organization’s security operations center (SOC). When paired with AI and ML, SIEM security solutions can be a powerful tool for predicting threats.
- Managed Detection & Response (MDR) - MDR is a service that monitors an organization’s entire IT environment and provides threat hunting capabilities as well. MDRs typically come equipped with a SOC, which can include a suite of tools including firewall protection, intrusion detection systems (IDS), intrusion protection system (IPS), endpoint detection and response (EDR), penetration testing, vulnerability scanner, user and entity behavior analytics (UEBA), and much more.
3. Investigate Using Known IOCs to Determine IOAs
IOCs (indicators of compromise) are digital evidence of a data breach after a cyber incident. Using the MITRE ATT&CK framework, security teams can use known IOCs to hunt for new threats. This method of IOC searching requires an extremely knowledgeable threat hunter because they need to fine-tune the searches to filter out more common results. A broad search that returns too many results will prevent accurate assessments of future threats.
A few common IOCs are:
- Irregular network traffic or DNS requests
- Large number of file requests
- Unauthorized privilege escalation
- False-positive file hashes (MD5, SHA1, SHA256)
- Unrecognized IP addresses
- Multiple failed logins
- Surge in database activity
- Unusual changes to system registry or system files
Once the IOCs have been identified, security teams can begin to determine the IOAs (indicators of attack). IOAs are indicators that show a cyberattack is likely to happen in the near future and change in real-time as more data comes in. Because IOAs dynamically adapt to the incoming data, it’s one of the most important aspects of proactive TTP hunting.
4. Execute the Security Plan
After completing the research and collecting the necessary data, it’s time to begin threat hunting. Using the threat model to define which threats to hunt first, the TTP hunters will start to record as much information as possible, including eliminating false positives and relaying high-risk threats and suspicious findings to the security team.
Many organizations hire dedicated threat hunting services or hire full-time threat hunters to manage this specific security protocol. Threat hunting requires around-the-clock attention and a constantly updated threat intelligence lifecycle to analyze potential threats more effectively.
Other Cyber Threat Hunting Methodologies
While TTP hunting is more of an intelligence-based approach, there are also analytics and research-based approaches that threat hunters may utilize.
Artificial Intelligence (AI) & Machine Learning (ML)
Using AI and ML, many large corporations have begun to take this analytics-based, automation approach to comb through massive amounts of data sources on the internet. This advanced analytics approach searches for any anomalies or irregularities that could signal a potential threat. These signals become new leads for the threat hunting team to follow up on and identify.
Digital Forensics & Incident Response (DFIR)
DFIR-based hunting is one of the more advanced remediation methods of cyber threat hunting that involves high-level knowledge of digital forensics. It requires a detailed eye to investigate an infected network or device to learn the exact entry point of a breach.
Although DFIR is more of a reactionary technique, DFIR analysts can take their findings to create better cybersecurity practices to minimize an organization’s risk of a future attack. They can take the digital artifacts left behind by the breach to correlate with known IOCS and identify potential IOAs.
Crown Jewels Analysis (CJA)
CJA follows a broader approach to threat hunting, relying on advanced knowledge of the industry to seek out potential threats. During a CJA, the threat hunter must:
- Identify the organization’s core mission and which digital assets it deems most important (aka “crown jewels”).
- Then, they must determine ALL potential risks and threats associated with those assets by performing a Threat Susceptibility Assessment (TSA).
- Subsequently, a Risk Remediation Analysis (RRA) must be performed to determine the best procedures to reduce or mitigate the risks.