In response to my post More on Threat Hunting, Rob Lee asked:
[D]o you consider detection through ID’ing/“matching” TTPs not hunting?
To answer this question, we must begin by clarifying “TTPs.” Most readers know TTPs to mean tactics, techniques and procedures, defined by David Bianco in his Pyramid of Pain post as:
How the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and at every step in between.
In case you’ve forgotten David’s pyramid, it looks like this.
It’s important to recognize that the pyramid consists of indicators of compromise (IOCs). David uses the term “indicator” in his original post, but his follow-up post from his time at Sqrrl makes this clear:
There are a wide variety of IoCs ranging from basic file hashes to hacking Tactics, Techniques and Procedures (TTPs). Sqrrl Security Architect, David Bianco, uses a concept called the Pyramid of Pain to categorize IoCs.
At this point it should be clear that I consider TTPs to be one form of IOC.
In The Practice of Network Security Monitoring, I included the following workflow:
You can see in the second column that I define hunting as “IOC-free analysis.” On page 193 of the book I wrote:
Analysis is the process of identifying and validating normal, suspicious, and malicious activity. IOCs expedite this process. Formally, IOCs are manifestations of observable or discernible adversary actions. Informally, IOCs are ways to codify adversary activity so that technical systems can find intruders in digital evidence…
I refer to relying on IOCs to find intruders as IOC-centric analysis, or matching. Analysts match IOCs to evidence to identify suspicious or malicious activity, and then validate their findings.
Matching is not the only way to find intruders. More advanced NSM operations also pursue IOC-free analysis, or hunting. In the mid-2000s, the US Air Force popularized the term hunter-killer in the digital world. Security experts performed friendly force projection on their networks, examining data and sometimes occupying the systems themselves in order to find advanced threats.
Today, NSM professionals like David Bianco and Aaron Wade promote network “hunting trips,” during which a senior investigator with a novel way to detect intruders guides junior analysts through data and systems looking for signs of the adversary.
Upon validating the technique (and responding to any enemy actions), the hunters incorporate the new detection method into a CIRT’s IOC-centric operations. (emphasis added)
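To make the distinction concrete, here is an added example (not code from the original post or from the book) that codifies indicators at three Pyramid of Pain levels, a hash, an IP address and a TTP, and matches them against constructed endpoint events; it also shows the last step of the workflow above, where a technique validated on a hunt is fed back into IOC-centric matching. All event fields, indicator values and predicate names are assumptions made for illustration.

```python
"""IOC-centric analysis ("matching") at several Pyramid of Pain levels.

A TTP indicator is expressed here as a behavioural predicate rather than an
atomic value, but a technical system still *matches* it against evidence,
which is why TTP detection is IOC-centric analysis, not IOC-free hunting.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"host": "ws01", "sha256": "aa" * 32, "remote_ip": "203.0.113.5",
     "process": "winword.exe", "child": "powershell.exe", "cmdline": "-enc AAAA"},
    {"host": "ws02", "sha256": "bb" * 32, "remote_ip": "198.51.100.9",
     "process": "explorer.exe", "child": "notepad.exe", "cmdline": ""},
    {"host": "ws03", "sha256": "cc" * 32, "remote_ip": "192.0.2.77",
     "process": "excel.exe", "child": "cmd.exe", "cmdline": "/c whoami"},
]

@dataclass
class Indicator:
    level: str                        # pyramid level: hash, ip, domain, ttp ...
    name: str
    match: Callable[[dict], bool]     # predicate evaluated against one event

def ttp_office_spawns_shell(ev: dict) -> bool:
    """TTP codified as a predicate: an Office process spawning a shell."""
    office = ev["process"] in {"winword.exe", "excel.exe"}
    shell = ev["child"] in {"powershell.exe", "cmd.exe"}
    return office and shell

# Constructed indicator set: one entry per pyramid level used here.
INDICATORS = [
    Indicator("hash", "known-bad-sha256", lambda ev: ev["sha256"] == "aa" * 32),
    Indicator("ip", "c2-address", lambda ev: ev["remote_ip"] == "192.0.2.77"),
    Indicator("ttp", "office-spawns-shell", ttp_office_spawns_shell),
]

def match(events, indicators):
    """Matching: return one (host, level, indicator name) tuple per hit."""
    hits = []
    for ev in events:
        for ind in indicators:
            if ind.match(ev):
                hits.append((ev["host"], ind.level, ind.name))
    return hits

def codify_hunt_finding(indicators, name, predicate):
    """A technique validated on a hunting trip becomes a new TTP indicator
    in the matching set, as the book's workflow describes."""
    return indicators + [Indicator("ttp", name, predicate)]
```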
I’m also very thankful, however it’s defined or packaged, that people are excited to search for adversary activity in their environment, whether via matching or hunting. It’s a big step from the mindset of 10 years ago, which had a “prevention works” milieu.