Cyber Threat Hunting (2): Getting Ready

In my previous post I went through the basics of hunting and its benefits for the organization and for analysts. To continue the journey, today I am going to cover the preparations you need to do before you go out there and hunt. We are covering preparations and locations to hunt.

As you need some degree of preparation for many of the activities we carry on a daily basis, you can improvise but I suggest you don´t do it as hunting is an activity that requires a high level of concentration and you only want to focus on what it is important for the hunt.

The following is a list of basic things to have ready before you start the hunt. The list is subject to be modified according to your needs however this should cover the basis.


  1. Technology deployed in your network and layout
  2. Network Baseline
  3. Devices Log format
  4. Tools
  5. Most valuable assets of your network (Crown Jewels)
  6. Understand the attack life cycle


1. Technology deployed
This is a very important aspect before you start hunting. To understand all the technology used in your network. You should be able to identify the brand, how it is used and what for. Also it is very important to understand the layout of your organization’s network.

2. Network Baseline
This one is a no-brainer. If hunting is detecting anomalous behaviour or deviation from the baseline it makes sense to start understanding what are the normal flows of information and behaviour in the network you are protecting.

3. Device log format
Understanding all log format being thrown at you by your network devices is of extreme importance. You want to do this well in advance before starting your hunt. You will not enjoy studying your logs at the same time you are trying to find the needle in the haystack.

4. Tools
The tools you choose will influence the result of your hunting exercise. If you choose bad tools or tools that are not supporting your objective or not performing as expected, you will not get the results you are aiming for.

5. Your Crown Jewels
Where is your most valuable information in the network? this is one of the most important questions you have to make to your organization. You will not deploy resources where the value of your assets are low. You will want to used the max amount of resources to protect the most sensible zones in your network.

6. Understand the attack life cycle
It is vital for you and your organization to understand well in detail the kill chain and attack life cycle so you stop your adversary in its track, minimizing the impact for the organization in case of a compromise.

The reality check.

This the best part…. In many organizations you will not have some of the basics such as Network layout, Baseline and Crown Jewels. It is not that your organization is ugly, it is simply that many networks were built in past decades and they scaled up very fast to support the business and they were not documented.

Unfortunately these are the ones that are more important within the basics as the other are mostly operational and you can acquire them with ease.

What happens after the reality check?

Special_Forces    VS guerrilla_fighters


I know what you are thinking…

You thought you were doing special operations when the reality is that you are going to be doing guerrilla warfare. If you have a security visualization tool and a data analytics solution you are well equipped. Both technologies together can provide the best support to hunt as visualization can help to make sense of large amounts of information and this helps to pinpoint anomalies that later can be investigated in detail through data analytics.

We will go through different techniques to detect adversaries inside the network using only logs and without help of advanced solutions. This approach requires you to understand very well the current techniques used by adversaries to get into your network, establish persistence, pivot and ultimately exfiltrate information. This is probably the challenging part of this journey, you need to be up to date to understand their techniques, tactics and procedures (TTP’s).

The only tool I would recommend is a scripting language to help you parse and filter the logs, yet you can choose to go through 5,000 lines of logs without it. Good luck.

Hunting is about spending a lot of time searching for something that is elusive by nature. APT´s are not designed to be easily detected and if you are going to hunt you better be well equipped for it.

What are the locations to hunt?

The main locations where you can start your hunt are,

  • Perimeter
  • Internal Network
  • Endpoint

In these locations you have to pull out and correlate information from different devices such as firewalls, proxies, routing devices and DNS servers to mention a few. In each of these locations you have to understand which are the indicators that may signal the presence of an adversary trying to penetrate or actively penetrating your organization.

Which locations is the best?

In any of the mentioned locations you can find signals of adversary presence however is in the endpoint where you will have higher chances to detect this activity. The main reason for this is because the adversary will leave in the endpoint the largest forensic footprint over time.





From the chart above  we can infer that to detect an intruder we will need to go to different areas in our network. Initial exploitation can be detected in the perimeter or endpoint, command and control can be detected also in the perimeter, privilege escalation in the endpoint and data exfiltration can be detected anywhere in the network. The log sources we are using is something I will cover when I will explain the techniques used by the adversary to penetrate, extend and accomplish his mission.

Now we are ready to start hunting, in coming posts I will explain some of the techniques and logs we need to look into in order to detect intrusions.


Click to access ey-third-generation-security-operations-centers-2015.pdf

Hunting in the Dark – HTCIA 2015 from Ryan Kazanciyan



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s