Threat Clustering and Threat Hunting

In this article we are going to learn about threat clustering as carried out by Threat Hunting teams. But first, let’s define some terms.

First, Threat Hunting refers to the art of proactively searching for and detecting cybersecurity threats hidden in an environment. It is a dynamic and strategic approach that allows defenders to discover and neutralize potential dangers before they escalate, making it an essential skill in today’s cybersecurity landscape.

Second, Threat Hunting analysts, also called Threat Hunters, need techniques to identify and track APTs and their activities. An APT is an advanced persistent threat: an actor that operates covertly and with malicious intent over an extended period of time. To accomplish their goals, APTs use sophisticated tactics, techniques and procedures (TTPs) to gain access to high-value networks and information systems, such as government, financial, military and other systems.


Horizontal and Vertical Hunting with Persistent Engagement

In today’s cybersecurity landscape, Threat Hunting, the proactive pursuit of cyber threats, usually begins only once an actor has already established a foothold in an organization. This limits the hunter’s detection capabilities and their overall understanding of the campaign and of the adversary’s offensive capabilities. In this context, I propose two main tactics that hunters can employ to disrupt the offensive operations of state and non-state actors more effectively, Horizontal Hunting and Vertical Hunting, while integrating elements of persistent engagement to enhance visibility.

Initially, as is usual in hypothesis-driven Threat Hunting, we formulate hypotheses based on intelligence feeds and use them to conduct proactive searches within our environment. However, this approach often lacks precision, both in its operational capabilities and in its strategic insight into the adversary’s intentions. This can be attributed to various factors, including:

  • Limited intelligence collection capabilities
  • Technical expertise of both hunters and Threat Intelligence teams
  • Uncertainty about the proactivity of the hunting team
  • Urgency to deploy detection capabilities (which may not always be effective) or to publish articles by the Threat Intelligence team