Good Hunting

The personal blog of Chris Gerritz. I muse on malware, threat hunting, and security incidents. Occasionally more.

The Two Threat Hunter Personas

Been seeing incredible growth of hunt teams in the last year, whether standing up for the first time, or re-branding from existing activities. Unlike many other security trends, Hunt is actually fairly easy to define (find bad guys that have bypassed your security controls) but the consensus is that it's pretty hard to pin down the best implementation/process.

On the industry side, we've seen Security Analytics companies brand as Threat Hunting tools, EDR vendors claiming that they handle all things endpoint, even a few network forensics tools are being branded for the hunter. It's a bit of a mess I'll leave to the analysts to figure out.

The demand for the various hunt solutions and approaches though is being driven by two pretty distinct personas. These two personas come from two schools of thought and have very different ways of approaching the problem of finding threats that have bypassed security controls and defenses.

The two primary personas of hunters I'm seeing are:

  • Threat Intel Analysis
  • DFIR analysts

Threat Intel Analyst Hunters

Threat Intel Analysts have long wished to make their intel more actionable - hunt does that. In general, Threat Intel (TI) practitioners are data junkies. Typical workflow for the TI hunter is to rely on aggregated information and sensor data (i.e. IDS alerts, Proxy logs, Firewall logs, host OS logs, and EDR events) going into a big data bucket (i.e. Splunk, Elastic, Hadoop, SEIM). With sufficient infrastructure feeding this bucket of data, the TI hunter can then craft searches and filters of that data to actively hunt for activity and events that were missed during real-time monitoring or automated alerting.

In less mature organizations, this ends up being a Threat Intel Analyst placed in front of a Search Bar and told "Go". These analysts rely on IOC and threat intel feeds for a majority of what to search for. The mature/experianced hunter is driven by informed hypothesis on what a hacker targeting their organization might do.

Typically this type of hunting becomes effective when the network has reached a high level of maturity with regard to network and host instrumentation, centralized collection and storage of security and log data.

DFIR Hunters

DFIR analysts prefer digging into hosts: blasting out scripts, running Sysinternals Autoruns, grabbing Pre/Super-fetch data, etc. off the endpoint and stacking the data together to find anomalies and suspicious artifacts. Tools of choice for this are usually custom scripts, Google GRR, Mandiant Redline, Sysinternals, etc. (For real scalability, depth, and automation in this area, I highly recommend checking out my company's commercial product: Infocyte HUNT).

The issue for most DFIR tools and techniques is they are not very scalable. Typically these techniques can be performed or analyzed one host at a time or, at most, a handful. Volatility Framework or Rekall are good examples: amazing tools for finding memory-resident malware and other evidence of compromise but difficult to perform volatile memory acquisitions and analysis on more than one hosts at a time.

The DFIR Hunter becomes a true hunter when they can scale the appropriate types of techniques and use them to proactively find threats with or without the bread crumb trail typically present in a declared incident. This almost certainly means abandoning traditional forensic acquisition processes. While that might turn off some hard core forensics people, the reality is, nobody expects chain of custody or forensic integrity until you've actually discovered and declared a problem and discovery is exactly what you are doing when hunting.

Conclusion: Which is better?

Neither. I don't believe they are mutually exclusive, they are two schools of thought and have applicability for different types of threats and environments. Sometimes you won't have direct endpoint access and you'll have to make due with TI Hunting in whatever data is available to you. Most of the time comprehensive logs don't exist or don't go back far enough, or instrumentation of the network is so poor that the only route you can take is to dive into your endpoints DFIR-style.

Interestingly, what I have found is that the Threat Intel Hunter will rely on an endpoint DFIR process to validate any findings or suspicions they come up with. The DFIR hunter goes the exact opposite direction, they have a forensically validated finding on some endpoints (i.e. presence of malware) and would then go to the bucket of event logs to correlate the findings for root cause analysis and characterizing any historical actions (like exfil) that host might have taken while compromised.

A mature hunt team will use both approaches. If you are just getting started, it will really depend on your budget, existing skill sets and the maturity of your organization to determine which you should adopt first. I'm personally a big believer in DFIR hunting techniques and have utilized them at 800,000 node scales all the way down to a single machine. With proper automation, I've seen it give massive ROI at any size organization.

Author image
San Antonio, TX Website
Chris Gerritz is a retired Air Force cyber warfare officer and pilot. He now hunts malware for a living as co-founder of Infocyte.