Threat hunting is the process of looking for malicious activity and its artefacts in a computer system or network. Threat hunting is carried out intermittently in an environment regardless of whether or not threats have been discovered by automated security solutions. Some threat actors may stay dormant in an organization’s infrastructure, extending their access while waiting for the right opportunity to exploit discovered weaknesses.
Therefore it is important to perform threat hunting to identify malicious actors in an environment and stop them before they achieve their ultimate goal.
To perform threat hunting effectively, the threat hunter needs a systematic approach to emulating possible adversary behaviour. That behaviour determines which artefacts to search for as evidence of ongoing or past malicious activity.
Over the years, the security community has observed that threat actors have commonly used many tactics, techniques, and procedures (TTPs) to infiltrate and pivot across networks, elevate privileges, and exfiltrate confidential data. This has led to the development of various frameworks for mapping the activities and methods of threat actors. One example is the MITRE ATT&CK framework.
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a well-documented knowledge base of real-world threat actor actions and behaviours. The MITRE ATT&CK framework has 14 tactics and many techniques that identify or indicate an attack in progress. MITRE assigns each tactic and technique an ID, which is used to reference the tactic or technique employed by an adversary.
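A hypothesis-driven hunt in miniature, as an added Python example that is not part of the original text: constructed telemetry events are checked against hunting hypotheses, each tagged with the ATT&CK technique and tactic IDs the article describes, and hits are grouped per host. The event fields, the hypotheses and their thresholds are assumptions; the IDs are from the public ATT&CK Enterprise matrix.

```python
"""Hypothesis-driven hunt: map observed artefacts to ATT&CK technique and tactic IDs."""
from collections import defaultdict

# Constructed sample telemetry (not from the original page). Each event is one
# normalised record of the kind a SIEM or EDR would store.
EVENTS = [
    {"host": "ws-17", "type": "process", "image": "powershell.exe", "encoded_cmd": True},
    {"host": "ws-17", "type": "process_access", "source": "unknown.exe", "target": "lsass.exe"},
    {"host": "ws-17", "type": "network", "dst": "fs-02", "port": 445, "share": "ADMIN$"},
    {"host": "ws-17", "type": "network", "dst": "203.0.113.9", "port": 53, "bytes_out": 48_000_000},
    {"host": "ws-04", "type": "process", "image": "notepad.exe", "encoded_cmd": False},
]

# Each hunting hypothesis: the artefact an adversary behaviour is expected to leave,
# expressed as a predicate over one event, plus the ATT&CK technique and tactic IDs
# it maps to (technique IDs start with T, tactic IDs with TA).
HYPOTHESES = [
    ("T1059.001", "TA0002", "PowerShell launched with an encoded command line",
     lambda e: e["type"] == "process" and e["image"] == "powershell.exe" and e["encoded_cmd"]),
    ("T1003.001", "TA0006", "Non-system process reading LSASS memory",
     lambda e: e["type"] == "process_access" and e["target"] == "lsass.exe"),
    ("T1021.002", "TA0008", "Connection to a remote administrative share",
     lambda e: e["type"] == "network" and e["port"] == 445 and e.get("share", "").endswith("$")),
    ("T1048", "TA0010", "Unusually large outbound volume over DNS (assumed threshold)",
     lambda e: e["type"] == "network" and e["port"] == 53 and e.get("bytes_out", 0) > 10_000_000),
]


def hunt(events, hypotheses=HYPOTHESES):
    """Return every (host, technique, tactic, description) hit, in event order."""
    hits = []
    for e in events:
        for technique, tactic, desc, matches in hypotheses:
            if matches(e):
                hits.append((e["host"], technique, tactic, desc))
    return hits


def tactics_per_host(hits):
    """Group matched tactics by host: one host touching several tactics is a
    stronger signal of an intrusion in progress than any single hit."""
    by_host = defaultdict(set)
    for host, _technique, tactic, _desc in hits:
        by_host[host].add(tactic)
    return {host: sorted(tactics) for host, tactics in by_host.items()}


if __name__ == "__main__":
    found = hunt(EVENTS)
    for host, technique, tactic, desc in found:
        print(f"{host}: {technique} ({tactic}) {desc}")
    print(tactics_per_host(found))
```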