Sharp Sticks and Small Spaces: The DISH Threat Hunting Reference Model
Predator isn’t just a good action movie. It’s a great action movie. An advanced alien hunts humans for sport, picking off elite soldiers one by one. After each attack, our hero learns the strengths and weaknesses of his adversary. And in the end, with sharp sticks and small spaces, he initiates contact with a superior foe in the only way he could to survive.
In other words, a day in the life of cyber security operations.
If we sit back behind our consoles and wait for attackers to trip alerts, we too run a high risk of getting picked off, one by one. We have to constrain adversary behavior as much as possible, then actively search out signs of malicious activity to engage where we have a relative advantage.
- What can we do that will be effective today?
- How do I determine my threat hunting needs?
- What is our capability roadmap - what should we buy and what should we build? What skill sets are strategic for these capabilities, and how do we attract and retain them?
- How do we measure effectiveness and adjust as needed?
- Depth: The number of observable attributes examined for malicious activity. Examples: Processes, Services, Scheduled tasks. MITRE lists 127 different identifiable entities in the Attack Techniques and Common Knowledge (ATT&CK) framework for describing late-stage activities in the attack lifecycle (kill chain). After starting with all attack forms, and then subtracting out all items covered by secure configurations or high confidence security alert Use Cases, the remaining items represent the "visibility gap" that needs to be evaluated as hunting candidates based on risk.
- Intensity - Hunt frequency, as measured in number of times per day/week that data is collected and analyzed from each environment. Based on exposure and potential impact, some systems may be hunted weekly, while others are reviewed daily or more. Automated security alerts based on SIEM correlation rules that fire represent a special hunt case where frequency = continuous. This makes sense, because SIEM was designed to automate log review 'hunting' in the first place. Looking at SIEM and response automation as part of the hunting continuum enables leadership to evaluate hunting and alerting activities as complementary parts of a unified capability. To the extent that automated detection forces attackers to move slowly, this has the potential to increase the effectiveness of hunting activities.
- Scope - The number and type of entities to be included in hunting activity. Examples include all endpoints, servers, DMZ hosts, websites, outbound connections, user sessions, etc. Scope, depth and intensity define the volume of data needed to support hunting activities.
- Heuristics - The methodology used to proactively find malicious activity. Examples: Simple searches for Indicators of Compromise (IOCs) such as known file names, hashes, IP addresses, registry values, etc. High fidelity alerting on known malicious content. Also tool track detection - observation of known system changes that occur when malicious tools are used. Slightly more complex methods include Data Stacking, where all instances of a given entity are captured across a hunt scope, and then rare occurrences are examined. At the high end of heuristic category are machine-assisted processes such as behavior and entity analytics that attempt to alert on outliers identified through time-series analysis or machine learning.