The Threat Hunting Maturity Model
Table of Contents
What is threat hunting? 3
Level 0 5
Level 0 in DNIF 6
Level 1 8
Level 1 in DNIF 9
Level 2 10
Level 3 11
Level 4 14
At our last DNIF Konnect meetup, we had a poll asking people whether they
thought their organization engaged in threat hunting. Here are the results:
This shows us that the field is growing and gaining popularity in the industry.
Threat hunting can be described as the process of proactively searching
through networks and host data to detect and (where applicable) eliminate
attackers from networks and hosts. Contrary to the usual approaches, threat
hunting combines the use of threat intelligence, analytics and security tools
with human skills.
In his presentation, Ankit Panchaal explained that while tools are important,
threat hunting is not specific to any particular technology (read our blog Five
Levels Of Threat Hunting: Key Takeaways From DNIF Konnect 2 to know
more). Instead, it is a process of knowing what signs to look for, when to look
for them and where to find them. It emphasizes applying human skills and
knowledge to seek out malicious activity that hasn’t already been identified by
other detection techniques.
The Hunting Maturity Model (HMM) describes five levels of hunting capability, ranging from HM0 (least
capable) to HM4 (most capable), depending on the following three factors:
● The quantity and quality of the data collected by the organization regularly
● The tools used to analyze the data
● The skills of the analysts who actually use the data
Of all these factors, analysts’ skills are the most important, since those skills
are what lets them turn data into detections. The quantity and quality of the
data are a close second: the higher the volume and the greater the variety of
data available to the analyst, the more results they will find and the more
effective they will be as a hunter. Lastly, the tools used to analyze the data help
shape an organization’s hunting techniques and develop a hunting style suited
to its environment. Next, let’s examine each level in greater detail.
Level 0
HM0 is the Initial Level. At this level, an organization primarily relies on
automated alerting tools such as an IDS, SIEM platform or antivirus to detect
malicious activity across the enterprise. At this stage, signature-based
detection updates and threat intelligence feeds are often incorporated.
Organizations may even create their own signatures or indicators, though
these are exclusively for use with automated monitoring systems.
Level 0 in DNIF
This query fetches the last successful login time for each user:
After creating the profile, this query will update the database with data from
new logins when they occur:
>>_retrieve user_last_login
In the following query, we fetch the details of users that have logged in in the
last 24 hours. We then check if the value of $SystemTstamp for each login
event exceeds the value of $d_time for the users in the store. If it does, an alert
is generated.
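The profile-then-detect logic described above, written out as an added Python example rather than the DNIF query from the page. The login events, user names, timestamps and the rule that users without a profile are also flagged are all assumptions made for this illustration.

```python
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample login events (UTC); a stand-in for the DNIF login data.
HISTORICAL_LOGINS = [
    {"user": "alice", "SystemTstamp": "2018-05-30T08:00:00", "status": "success"},
    {"user": "bob",   "SystemTstamp": "2018-05-31T09:00:00", "status": "success"},
    {"user": "bob",   "SystemTstamp": "2018-05-31T09:30:00", "status": "failure"},
]
NEW_LOGINS = [
    {"user": "alice", "SystemTstamp": "2018-06-01T08:05:00", "status": "success"},
    {"user": "bob",   "SystemTstamp": "2018-06-01T09:10:00", "status": "failure"},
    {"user": "carol", "SystemTstamp": "2018-06-01T10:00:00", "status": "success"},
    {"user": "dave",  "SystemTstamp": "2018-05-20T07:00:00", "status": "success"},
]

def parse_ts(value):
    return datetime.strptime(value, TS_FMT)

def build_last_login_store(events):
    """Profile step: d_time = last successful login time per user."""
    store = {}
    for ev in events:
        if ev["status"] != "success":
            continue
        ts = parse_ts(ev["SystemTstamp"])
        if ev["user"] not in store or ts > store[ev["user"]]:
            store[ev["user"]] = ts
    return store

def check_recent_logins(events, store, now, window=timedelta(hours=24)):
    """Detection step: for successful logins inside the window, alert when
    SystemTstamp exceeds the stored d_time, then refresh the store entry.
    Users with no profile yet are also flagged (an assumption, not page logic)."""
    alerts = []
    for ev in events:
        if ev["status"] != "success":
            continue
        ts = parse_ts(ev["SystemTstamp"])
        if ts < now - window:
            continue  # outside the 24-hour hunting window
        d_time = store.get(ev["user"])
        if d_time is None or ts > d_time:
            alerts.append((ev["user"], ev["SystemTstamp"]))
            store[ev["user"]] = ts  # update the store with the new login
    return alerts

if __name__ == "__main__":
    store = build_last_login_store(HISTORICAL_LOGINS)
    print(check_recent_logins(NEW_LOGINS, store, parse_ts("2018-06-01T12:00:00")))
```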
Level 1
The next level, HM1, is known as the Minimal Level. This is the first level in
which any type of hunting is performed. At this level, an organization still relies
primarily on automated alerting — but here, staff at least routinely collect some
IT data from around the enterprise and store it in a central location, such as the
database of a SIEM platform or some other log management tool. Analysts in
the organization base their detection decisions largely upon the available
threat intelligence.
Organizations at this level tend to track the latest threat reports from a
combination of open and closed sources. Analysts are then able to extract key
indicators from these reports and search the data to identify if the threats
detected have been observed recently.
Level 1 in DNIF
The following query fetches data for the last 24 hours from a firewall, where
the firewall is communicating with a destination IP suspected to be malicious
based on available threat intelligence. If the firewall blocked the
communication, an alert is generated for suspicious network traffic.
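The same hunt over firewall logs as an added Python example (not the page's DNIF query): indicators from a threat-intelligence feed are matched against destination IPs in the last 24 hours, and blocked connections raise the alert. The log format, the documentation-range indicators and the key=value field names are assumptions; it also accepts CIDR indicators, which the page does not mention.

```python
import ipaddress
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed threat-intel indicators (documentation ranges, not real IoCs).
THREAT_INTEL = ["203.0.113.45", "198.51.100.0/24"]

# Constructed firewall log lines in a simple key=value format.
FIREWALL_LOGS = """\
2018-06-01T08:00:01 src=10.0.0.5 dst=203.0.113.45 dport=443 action=block
2018-06-01T08:00:05 src=10.0.0.7 dst=192.0.2.10 dport=80 action=allow
2018-06-01T08:01:10 src=10.0.0.9 dst=198.51.100.77 dport=4444 action=block
2018-06-01T08:02:00 src=10.0.0.9 dst=198.51.100.78 dport=22 action=allow
2018-05-25T08:02:00 src=10.0.0.2 dst=203.0.113.45 dport=443 action=block
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def parse_ts(value):
    return datetime.strptime(value, TS_FMT)

def load_intel(indicators):
    """Normalise single IPs and CIDR blocks into ip_network objects."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]

def is_listed(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def hunt_firewall_logs(log_text, indicators, now, window=timedelta(hours=24)):
    """Return (hits, alerts): hits are all in-window connections to a listed
    destination; alerts are the subset the firewall blocked, as the page describes."""
    networks = load_intel(indicators)
    hits, alerts = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        if parse_ts(m["ts"]) < now - window or not is_listed(m["dst"], networks):
            continue
        hit = {"time": m["ts"], "src": m["src"], "dst": m["dst"], "action": m["action"]}
        hits.append(hit)
        if m["action"] == "block":
            alerts.append(dict(hit, alert="suspicious network traffic"))
    return hits, alerts
```

Allowed connections to a listed destination are kept in hits so an analyst can still review them, even though only the blocked ones alert.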
Level 2
HM2 is the Procedural Level. Organizations at this level regularly learn about
and apply procedures developed by others, and may make minor changes to
them. The focus here is on applying specific analysis techniques to a given
type of input data in order to discover a particular kind of malicious activity. At
this level, though, organizations are not yet capable of creating new
procedures for themselves.
Level 2 in DNIF
An event store named domains is created, including all malicious domains that
devices in the network have communicated with. The sequence of queries
below fetches a domain from the event store and runs a DomainTools lookup
using the get_parsed_whois function. The query on line 3 checks for results
with 404 response codes and excludes them from the final result set.
With _field, we create a new field called $CurrentDate to store the current date
for each of these domains. We then create another field named $DomainAge
that calculates the difference between the date when the domain was created
and the current date.
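The enrichment steps above (discarding 404 lookups, then deriving $CurrentDate and $DomainAge) as an added Python example, not the page's DNIF queries. The whois result fields, the invented domains and dates, and the 30-day "newly registered" threshold are assumptions.

```python
from datetime import date

# Constructed lookup results in the shape a parsed-whois call might return
# (field names are an assumption); domains and dates are invented.
WHOIS_RESULTS = [
    {"domain": "example-one.test",   "response_code": 200, "created": "2018-05-28"},
    {"domain": "example-two.test",   "response_code": 404, "created": None},
    {"domain": "example-three.test", "response_code": 200, "created": "2009-03-14"},
]
CURRENT_DATE = date(2018, 6, 1)  # constructed "today" for the run

def domain_age_days(created, current_date):
    """DomainAge: days between the whois creation date and CurrentDate."""
    return (current_date - date.fromisoformat(created)).days

def enrich_domains(results, current_date, young_days=30):
    """Drop 404 lookups (no record found), then add CurrentDate and DomainAge
    to each remaining domain; young_days is an assumed flagging threshold."""
    rows = []
    for r in results:
        if r["response_code"] == 404 or not r.get("created"):
            continue  # nothing to compute an age from
        age = domain_age_days(r["created"], current_date)
        rows.append({
            "domain": r["domain"],
            "CurrentDate": current_date.isoformat(),
            "DomainAge": age,
            "newly_registered": age < young_days,
        })
    return rows

if __name__ == "__main__":
    for row in enrich_domains(WHOIS_RESULTS, CURRENT_DATE):
        print(row)
```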
Level 3
HM3 is the Innovative Level. Organizations at this level have at least a few
hunters with knowledge of a variety of data analysis techniques, and the ability
to apply them to identify malicious activity. At this level, organizations create
and publish their own procedures instead of relying on those developed by
others. The key at this stage is for analysts to apply these procedures and
make them repeatable, so they can be performed frequently.
Level 3 in DNIF
With DNIF you can set a baseline for each user’s activities based on their daily
behaviour. You can check the history of each activity of individual users from
the dashboard. Based on the user’s usual behaviour and how much deviation
there is from previous actions, you can also set a severity score, to raise an
alert for each activity.
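One way to build such a per-user baseline and turn deviation into a severity score, as an added Python example that is not DNIF's implementation. The activity counts, the population standard deviation as the deviation measure, the severity cut-offs and the handling of users with no history are all assumptions.

```python
from statistics import mean, pstdev

# Constructed history: file downloads per day for each user over ten days.
HISTORY = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12],
    "bob":   [2, 3, 1, 2, 2, 3, 2, 1, 2, 2],
}
# Constructed counts for the day being scored.
TODAY = {"alice": 14, "bob": 40, "carol": 5}

def build_baseline(history):
    """Per-user baseline: (mean, population std dev) of the daily counts."""
    return {user: (mean(c), pstdev(c)) for user, c in history.items()}

def deviation(count, user_baseline):
    """How many standard deviations today's count sits above the baseline."""
    mu, sigma = user_baseline
    if sigma == 0:
        sigma = max(0.1 * mu, 1.0)  # assumption: floor for a perfectly flat history
    return (count - mu) / sigma

def severity(z):
    """Map the deviation to a severity score; the cut-offs are an assumption."""
    if z >= 3:
        return "high"
    if z >= 2:
        return "medium"
    if z >= 1:
        return "low"
    return "none"

def score_day(today, baseline):
    """Return {user: (deviation, severity)}; users with no history are marked
    'no-baseline' (assumption) so they can be reviewed rather than scored."""
    scored = {}
    for user, count in today.items():
        if user not in baseline:
            scored[user] = (None, "no-baseline")
            continue
        z = deviation(count, baseline[user])
        scored[user] = (round(z, 2), severity(z))
    return scored

if __name__ == "__main__":
    print(score_day(TODAY, build_baseline(HISTORY)))
```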
Level 4
The final level, HM4, is the Leading Level. HM4 is similar to HM3, but with one
big difference: automation. At this level, any hunting process that proves to be
successful will be operationalized and turned into an automated detection
strategy. This frees analysts from the burden of manually running the same
process over and over, allowing them to concentrate on improving existing
processes or creating new ones instead.
Level 4 in DNIF
The hunting processes that were found to be successful in the previous level
can be automated and scheduled to run at regular intervals.
Businesses have been trying for years to find the best, most efficient way to
detect threats and shut them down before they happen — but none of this
matters if a business does it incorrectly. Incorrect information within threat
hunting can’t help a business succeed, and is liable to do the opposite. Threat
hunting is all about piecing together different sources of data to build a picture
of future attacks.
The maturity model is a resource that helps businesses take the time to fully
understand threat hunting. Using the HMM as the foundation for a business’s
hunting capabilities reduces the pains commonly associated with developing a
hunting program and lets the business work its way through the levels more
efficiently, growing its threat hunting capabilities organically.
About DNIF
DNIF is a first-of-its-kind NextGen SIEM with multiple capabilities, such as UEBA, Log
Management, SOAR, Security Analytics and Threat Intelligence, bundled
together on a single platform to bring process efficiency, better
manageability and reduced risk.
WEB https://dnif.it
EMAIL hello@dnif.it
USA: 2570 N. First Street 2nd Floor, San Jose, CA 95131, USA
INDIA: 2nd Floor, Reliable House, KanjurMarg (w), Mumbai 400078, IN
© 2018 NETMONASTERY NSPL. All rights reserved. NETMONASTERY, DNIF, DQL, The “OPEN” Big Data Analytics Platform are
trademarks or registered trademarks of NETMONASTERY NSPL and/or its affiliates in India, the US and/or other countries.
The title image is a photo by Cayetano Gil on Unsplash and is used with full credit to the owner.