Choosing the right place to hunt for threat intelligence

Building a hunt team is becoming popular in the threat intelligence world. Proactively searching for interesting threat information can help detect a SOC detect new threats and problems. Sometimes information from hunting can find something that has been in the environment for years. A successfully hunt is lots of fun and analysts always enjoy bringing back a trophy of something they found.

Hunt programs can also be designed to look for threat intelligence. When discussing a hunt program I like considering where my hunting grounds are. I like to separate hunting into two factions.

– External to the company environment
– Internal to the company environment

Hunting for information external to the environment can be a popular tactic. Bad guys are everywhere and doing interesting things all of the time. Researching them for indicators can lead in many interesting directions including underground and clandestine organizations. However, with all of this exploring you do run into questions of authority. Should you attempt to connect to a malicious website with a sandbox? Should you be purchasing stolen documents to look for company credentials? Overall I tend to feel that this type of activity is best done by research companies and government/law enforcement, because it pretty quickly gets into areas of vague legality and violating personal privacy.

Internal hunting is similar in that you are moving around the environment looking for things that are suspicious. However, it is different because you own the infrastructure. Internal hunting is largely going to net a higher benefit for your organization. If you see something in your environment, you know it will be… attacking your environment, or has already attacked it. Conversely, external threats may never by interested in attacking you. Therefore, it makes sense to concentrate on strange behavior in your environment, and match it up with what is happening outside, rather then solving external problems to prevent them internally.

A great hunt team will be able to notice anomalies and inefficiencies in the network. This indication that something is amiss can be numerous things. Although it could be the next APT breaking down your door, it can also be a misconfigured server. That’s not to say that aspect should be ignored, instead if you can document it and show it to the process owners you can help make the whole system better.