
Threat Hunting Mental Games

Mental Games: Threat Hunting Mental Models, Strategies, and Normal Behavior

In the cyber security market today there are a lot of buzzwords, and one of them is threat hunting.

Many tools and services claim they have threat hunting capabilities, but in most cases, this isn’t 100% true.

Threat hunting is an active detection technique that requires real knowledge, understanding, and availability of data. Threat hunting is not a rule, signature, alert, or machine learning AI magic.

In practice, the technique involves a lot more than indicators of compromise (IoCs). Searching for IoCs that are new or that were previously unknown is what most traditional threat hunting is today.


Mental Models

A mental model is the process your brain goes through to figure out how something works and to connect the steps involved. Your brain builds a map, based on what it already knows, of what a solution appears to be.

Smarter Faster Better by Charles Duhigg discusses how to go through a checklist of what is normal in a given scenario. As you gain experience and knowledge in your field of expertise, you start to learn how things work, what failures have occurred, and what should be happening.

To develop a mental model, you must be flexible and ask the right questions. Keep it simple and find a way to apply the questions to your scenario. You probably aren’t consciously aware that you are using a mental model, but you are using them all the time.

Threat hunting takes real understanding.

  • What is normal behavior on a network?
  • Who should and shouldn’t be logging into something?
  • How should an application act?
  • Where should this data be allowed to go?

Sometimes intuition kicks in, and you may “feel” something is off. Sort of like the cybersecurity “force.”


Threat hunting can be frustrating but rewarding. Often it leads you down rabbit holes that, after hours of research, turn out to be normal activity. You can spend massive amounts of time threat hunting... to your own demise. The 80/20 rule surely applies: positive results from threat hunting are few and far between, and a significant amount of effort goes into finding them.


Here is an example of a real-life threat hunt that occurred. One of our analysts detected a random PowerShell connection with an interesting reverse shell banner on an odd port. Malicious, right?

After the analyst spent hours digging through everything the host had done, viewing tons of encrypted traffic that wasn't decryptable, tracing ports and connections, and doing OSINT searching, he found out it was an open-source patching platform that happens to use a program from a hacker toolkit to test connections to a PC before sending a patch. Seems crazy, right? So then why bother threat hunting?
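The "what is normal" questions above and the PowerShell hunt that ended in a benign patching tool can be encoded as a small baseline check. This is an added example, not code from the original post or from Datashield: it learns routine (user, host) logins and (process, destination port) pairs from constructed sample records, flags deviations for an analyst, and records confirmed-benign findings so the same rabbit hole is not revisited. All users, hosts, process names and ports are made up.

```python
# Added example: minimal baseline-deviation hunt over constructed connection records.
# Records are (day, user, host, process, dst_port); every value is hypothetical.
from collections import defaultdict

# Constructed "learning window" of routine activity.
BASELINE_LOGS = [
    (1, "alice", "hr-ws01", "outlook.exe", 443),
    (1, "bob", "fin-ws07", "chrome.exe", 443),
    (2, "alice", "hr-ws01", "teams.exe", 443),
    (2, "bob", "fin-ws07", "outlook.exe", 443),
]

# Constructed records to hunt through.
NEW_LOGS = [
    (4, "alice", "hr-ws01", "outlook.exe", 443),
    (4, "bob", "hr-ws01", "powershell.exe", 4444),   # new user on host, odd port
    (4, "svc_patch", "patch-srv", "netprobe.exe", 4444),  # patching tool pre-check
]

# Analyst-confirmed benign findings from earlier hunts (hypothetical), keyed by
# (user, process, dst_port). This is where the "open-source patching platform"
# resolution from the story would live so it is not chased a second time.
KNOWN_BENIGN = {
    ("svc_patch", "netprobe.exe", 4444): "patching platform connection test",
}

def build_baseline(logs):
    """Learn which hosts each user normally logs into and which ports each process uses."""
    user_hosts = defaultdict(set)
    proc_ports = defaultdict(set)
    for _, user, host, proc, port in logs:
        user_hosts[user].add(host)
        proc_ports[proc].add(port)
    return user_hosts, proc_ports

def hunt(baseline, logs, known_benign=KNOWN_BENIGN):
    """Return records that deviate from the baseline and are not already explained."""
    user_hosts, proc_ports = baseline
    findings = []
    for day, user, host, proc, port in logs:
        reasons = []
        if host not in user_hosts.get(user, set()):
            reasons.append(f"{user} has never logged into {host}")
        if port not in proc_ports.get(proc, set()):
            reasons.append(f"{proc} has never connected to port {port}")
        if reasons and (user, proc, port) not in known_benign:
            findings.append((day, user, host, proc, port, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in hunt(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(finding)
```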

Attackers are always changing tactics, using evasion techniques and tools such as VirusTotal to go undetected.

Threat hunters are the cyber CSI guys.


They live for finding the needle in the haystack. Tracking down an attacker, or malware that has been deployed and is talking back to a previously unknown C2 server, is thrilling. And it does pay off.

We have found many items through threat hunting such as malware, crypto miners, remote access, and data exfiltration as part of these exercises.

Using these techniques, my team has detected accessible PII, breached third parties, and breached devices such as firewalls, F5s, and Citrix NetScalers. (These were in clients with the latest Next-Gen AV, SMTP filters, IDS/IPS systems, and other tools.)

Nothing will be detected 100% of the time by tools. That's why we use our knowledge and skills to build a mental model that helps identify abnormalities and decide whether a lead is worth going down the rabbit hole for.



Jeff Marshall

Jeff Marshall is the Chief Information Security Officer at Datashield and contributes technical content to the Datashield resource library. While not overseeing all of security operations, engineering, R&D and program management, Jeff carves out time to provide thought leadership and educational content for the Datashield resource library. His extensive background and knowledge serve as the anchor for Datashield's article base.
