Full Report
Answered by Chris Brenton of Active Countermeasures | Questions compiled from the infosec community by Shelby Perry This article was originally published in the Threat Hunting issue of our infosec […] The post Questions From a Beginner Threat Hunter appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Best Practices: Establishing and Executing Threat Hunting Capabilities
## Overview
These practices focus on the methodologies, prerequisites (data and knowledge), and tooling required to successfully transition from passive threat detection to active, hypothesis-driven threat hunting. Threat hunting involves proactively searching network and host data for Indicators of Compromise (IOCs), even when no alerts have been triggered.
## Key Recommendations
### Immediate Actions
1. **Define Initial Hunting Checks:** Immediately identify the first specific threat behaviors you intend to hunt for (e.g., hunting for C2 communications).
2. **Identify Required Data Sources:** For your prioritized checks, explicitly list the data required. For network C2 hunting, this means ensuring traffic capture is actively occurring at the network perimeter (e.g., firewall internal interface).
3. **Start Traffic Capture:** Implement necessary hardware/configuration (network tap or switch SPAN port) to capture network traffic relevant to your initial hunt checks.
### Short-term Improvements (1-3 months)
1. **Develop C2 Detection Logic:** Implement tooling and processes capable of analyzing captured traffic data in large chunks (12+ hours) to properly distinguish stealthy C2 patterns from legitimate background noise.
2. **Build OS/Application Baseline Knowledge:** For endpoint hunting, conduct initial deep dives into standard, legitimate usage patterns for critical operating systems (especially PowerShell usage on Windows) to establish a baseline for anomaly detection.
3. **Select and Master Core Tools:** Choose one network analysis tool (e.g., Zeek, Tshark, Wireshark) and actively focus on mastering its capabilities for your environment before introducing others.
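As an added illustration of why the C2 detection logic above needs long capture windows (example code written for this summary, not code from the article or from Active Countermeasures), the following Python scores the regularity of connection intervals per (source, destination, port) pair and compares what a 5-minute slice and a 12-hour slice of the same constructed records reveal. Timestamps, addresses and the thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample: (epoch seconds, src, dst, dst_port). 10.0.0.5 beacons to
# 203.0.113.10:443 about once an hour (with jitter) for 12 hours, and also
# browses 198.51.100.7 at irregular times. Addresses are documentation ranges.
BEACON = [(1_700_000_000 + i * 3600 + j, "10.0.0.5", "203.0.113.10", 443)
          for i, j in enumerate([0, 14, -9, 21, 3, -17, 8, -4, 11, -12, 6, 2])]
BROWSING = [(1_700_000_000 + t, "10.0.0.5", "198.51.100.7", 443)
            for t in (5, 40, 9000, 9100, 9133, 30000, 30010, 30500, 41000, 41900)]
RECORDS = sorted(BEACON + BROWSING)

def find_beacons(records, window_seconds, min_conns=6, max_cv=0.2):
    """Look at connections in the first `window_seconds` of the data and return
    the (src, dst, port) pairs whose inter-connection gaps are regular enough
    (low coefficient of variation) to warrant a beaconing investigation.
    Thresholds are assumed starting points, not tuned values."""
    start = records[0][0]
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        if ts - start <= window_seconds:
            by_pair[(src, dst, port)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue  # too few connections to judge regularity
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits[pair] = {"connections": len(times),
                          "mean_gap_s": round(mean), "cv": round(cv, 3)}
    return hits

if __name__ == "__main__":
    # A 5-minute slice holds at most one beacon, so nothing is flagged ...
    print(find_beacons(RECORDS, 5 * 60))
    # ... while the 12-hour view exposes the hourly pattern.
    print(find_beacons(RECORDS, 12 * 3600))
```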
### Long-term Strategy (3+ months)
1. **Formalize Lateral Movement Investigation:** Create a standardized procedure to investigate lateral movement once a C2 server is suspected: identify the C2, then monitor internal systems for communication patterns pointing to that C2, keeping the monitoring window long enough to cover the 4-8 hour gaps that can separate beaconing attempts.
2. **Cross-Discipline Knowledge Integration:** Systematically expand knowledge depth in both network protocols (understanding traffic obfuscation techniques over standard ports like TCP/443) and OS internals/scripting usage (e.g., non-IT use of PowerShell).
3. **Integrate Hunting with Detection:** Use successful threat hunts to refine and tune existing threat detection rules and SIEM alerts, reducing blind spots identified during proactive searches.
## Implementation Guidance
### For Small Organizations
- **Focus on High-Value Data:** Prioritize capturing and analyzing north/south network traffic first, as this is often the easiest and most revealing source for initial C2 detection.
- **Leverage Existing Tools:** Select one powerful, versatile analysis tool (like Wireshark or Tshark for deep dives) and become highly proficient, delaying investment in enterprise-grade SIEM/NDR solutions until proficiency is achieved.
- **Prioritize Known Threats:** Focus early hunts on high-probability internal activities, such as unauthorized use of powerful scripting tools like PowerShell on non-privileged endpoints.
### For Medium Organizations
- **Implement Targeted Capture:** Deploy network taps or SPAN ports strategically between core network segments, rather than just the perimeter, to better facilitate lateral movement analysis.
- **Tool Specialization:** Begin using purpose-built tools like Zeek for high-level traffic flow analysis alongside a precise tool like Suricata for pattern matching, optimizing workflow efficiency.
- **Document Hunting Hypothesis:** Ensure every hunting session is tied to a specific hypothesis (e.g., "We hypothesize an attacker is using DNS tunneling") which dictates the required data and investigative steps.
### For Large Enterprises
- **Scale Data Retention:** Implement scalable infrastructure capable of retaining network captures or detailed logs for extended periods (12+ hours) to support deep-dive analysis across large timelines.
- **Formalize Playbook Development:** Develop formal, documented playbooks for common hunting scenarios (e.g., C2 over DNS, beaconing detection) that can be executed consistently by various security personnel.
- **Cross-Team Knowledge Sharing:** Establish dedicated sessions to train IT/System administrators on what constitutes suspicious endpoint activity (e.g., non-standard process execution) to assist in endpoint-focused hunting efforts.
## Configuration Examples
| Scenario | Configuration/Check Focus | Actionable Insight |
| :--- | :--- | :--- |
| **Network C2 Hunt** | Analyze TCP 443 traffic flows | Investigate sessions using TCP/443 that *do not* contain a successful SSL/TLS handshake, as this suggests obfuscated C2 traffic. |
| **Endpoint Suspicion (Windows)** | Monitor execution of native OS scripting tools | Flag and investigate any PowerShell process execution initiated by user accounts outside the IT or Security departments. |
| **C2 over DNS Hunting** | Aggregate and review DNS query volume per FQDN | Profile for FQDNs exhibiting unusually high query counts, especially if the remote system resolves to an attacker-controlled domain. |
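An added example (written for this summary, not taken from the article or from any of the tools named) of the first and third table checks run against constructed Zeek-style conn.log and dns.log excerpts: TCP/443 sessions where Zeek recorded no TLS service, and DNS query volume aggregated per parent domain as well as per FQDN, which generalises the table's per-FQDN check to the many-unique-subdomains pattern of tunnelling. The column subset, the sample values and the "last two labels" approximation of a parent domain are assumptions.

```python
from collections import Counter, defaultdict

# Constructed Zeek-style excerpts (tab separated). Real conn.log/dns.log carry
# more columns; the #fields header drives the parser so the subset is enough.
CONN_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes
1700000001.1\t10.0.0.5\t93.184.216.34\t443\ttcp\tssl\t1200
1700000002.4\t10.0.0.5\t203.0.113.10\t443\ttcp\t-\t310
1700000003.0\t10.0.0.7\t203.0.113.10\t443\ttcp\t-\t305
1700000004.2\t10.0.0.7\t93.184.216.34\t443\ttcp\tssl\t1500
1700000005.6\t10.0.0.9\t203.0.113.10\t443\ttcp\t-\t0
"""
DNS_LOG = """#fields\tts\tid.orig_h\tquery\tqtype_name
1700000001.0\t10.0.0.5\twww.example.com\tA
1700000002.0\t10.0.0.5\ta3f9c2.tunnel.example.net\tTXT
1700000003.0\t10.0.0.5\tb7e1d0.tunnel.example.net\tTXT
1700000004.0\t10.0.0.5\tc91a44.tunnel.example.net\tTXT
1700000005.0\t10.0.0.5\td02b8e.tunnel.example.net\tTXT
1700000006.0\t10.0.0.5\tee47f1.tunnel.example.net\tTXT
1700000007.0\t10.0.0.5\twww.example.com\tA
"""

def parse_zeek(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def port443_without_tls(conn_text):
    """TCP/443 sessions that sent data but where Zeek logged no 'ssl' service,
    i.e. no TLS handshake was seen: candidates for obfuscated C2, not verdicts.
    Zero-byte sessions are skipped since scans and failed connects look alike."""
    return [(r["id.orig_h"], r["id.resp_h"]) for r in parse_zeek(conn_text)
            if r["proto"] == "tcp" and r["id.resp_p"] == "443"
            and "ssl" not in r["service"].split(",") and int(r["orig_bytes"]) > 0]

def dns_volume(dns_text):
    """Per parent domain (assumed: last two labels): total queries and distinct
    FQDNs. Many distinct names under one parent is the tunnelling signature."""
    total, names = Counter(), defaultdict(set)
    for r in parse_zeek(dns_text):
        fqdn = r["query"].lower().rstrip(".")
        parent = ".".join(fqdn.split(".")[-2:])
        total[parent] += 1
        names[parent].add(fqdn)
    return {d: (total[d], len(names[d])) for d in total}
```

Both functions return candidate lists for triage; a session to an unknown destination without a handshake, or a parent domain with many short-lived unique subdomains, is a hunting lead rather than a confirmed compromise.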
## Compliance Alignment
The principles of proactive threat hunting directly support robust security posture required by various frameworks:
- **NIST SP 800-53 (CA, RA):** Threat hunting supports Continuous Monitoring (CA) activities and Risk Assessment (RA) by actively validating the effectiveness of existing controls against active threats.
- **ISO/IEC 27002 (A.12.4, A.18.2):** Supports operational monitoring and compliance review by documenting and executing validated security verification activities beyond standard alerting thresholds.
- **CIS Critical Security Controls:** Specifically supports Control 17 by ensuring that threats are being actively searched for, not just passively waited upon.
## Common Pitfalls to Avoid
1. **Tool Overload:** Do not attempt to learn every available security tool simultaneously (e.g., switching daily between Zeek, Suricata, and Wireshark). **Pick one tool per function and master it** before expanding your toolkit.
2. **Ignoring Stealthy Indicators:** Failing to analyze data in large temporal chunks (e.g., looking only at 5-minute logs) will cause highly periodic or stealthy C2 beaconing to blend into normal noise.
3. **Lack of Knowledge Specificity:** Relying only on alert signatures instead of foundational knowledge. Do not assume all TCP/443 traffic is secure HTTPS; knowing what a normal SSL/TLS handshake looks like, and recognizing sessions that lack one, is critical for detecting C2 tunneling.
4. **Underestimating Persistence Required for Lateral Movement:** Assuming compromised systems "phone home" frequently. Be prepared to monitor communications over 4-8 hour intervals when tracking secondary infections.
## Resources
- **Tool Exploration:** Try out open-source network analysis tools such as **Zeek** (for traffic flow analysis), **Suricata** (for specific pattern detection), **Tshark** (for command-line analysis), and **Wireshark** (for deep forensic analysis).
- **Further Learning:** Review resources on Deep Packet Inspection (DPI) techniques and the specifics of command channel obfuscation techniques (especially DNS tunneling).