Cyber Threat Hunting leveraging MITRE ATT&CK Framework – Must for Modern SOC


Written By Neha Dhyani.

Threat hunting is a proactive cyber defense activity, which is focused on the pursuit of attacks and the evidence that attackers leave behind when they’re conducting reconnaissance, attacking with advance malware, or exfiltrating critical data. Rather than just relying on reactive information or hoping that SOC (Security Operation Center) tool flags and alerts to the suspicious activity, threat hunter will apply human analytical capacity and understanding about environment context to more quickly determine when unauthorized incident happens.

Threat Hunting allows attacks to be discovered during early phase with the goal of stopping them before adversaries can carry out their attack objectives. While skill & experience definitely helps, the ever-changing landscape of threat actors, and their sophistication, requires the threat hunter to take a well-organized approach and follow an open framework that structures a methodical hunt based on updated TTPs (tactics, techniques, and procedures) of top global threat actors.

Simplifying SOC Complexity with evolving threat landscape

As per Gartner Board of Directors Survey 2022, 88% of respondents viewed cybersecurity-related risk as a business risk, not just a technology risk & 51% of respondents had experienced a cyber-security risk incident in the past two years. By getting ready for the inevitable breach, rather than expecting that it will always be prevented, organizations having Modern SOC with threat hunting capabilities can deliver a better security posture and set the foundation for their team to proactively hunt for advance threats.

As per VMware Global Incident Response Threat Report (2021), respondents indicated that targeted victims now experience integrity and destructive attacks more than 50 % of the time.  As per report, more than 60 % of respondents reported ransomware attacks during the past 12 months, and these attacks are becoming increasingly malicious. This escalation stems from adversaries implementing multistage campaigns involving penetration, persistence, data theft, and extortion.

These stats prove that attacks are becoming more stealthy, destructive, and targeted leveraging advanced techniques. As per IBM’s cost of data breach report 2021, it took an average of 287 days to identify and contain a data breach On average, it takes organizations more than 7 months to detect a malicious attack and another 81 days to contain it. And the average cost of a breach lasting more than 200 days is $4.87 million, which means that every second counts.

Attacks that caused the most damage and are toughest to detect and prevent include Advanced Persistent Threats (APTs) that are carried out during prolonged dwell times. Cyber Threat hunting is particularly needed in battling APTs that start with an initial undetected compromise, and then build out long-term multi-phase attacks. The SolarWinds attack disclosed in 2020 is a known & famous example of an APT.

SANS 2021 threat hunting Survey Report, indicates steady improvement seen in organizations overall security posture as a result of threat hunting. According to the report, organizations have seen anywhere from a 10-25% improvement in their security posture from threat hunting over the last year. Looking at the yearly trends since 2019, it appears that organizations improve their security posture by approximately 25% as a result of performing threat hunting. Overall, this brilliant result highlights the positive impact that threat hunting can have on organizations.

Effective threat hunting relies on a mindset and a methodical framework that allows the security analyst to think like a threat actor, and then use that understanding to determine what clues to look for that might indicate an attack underway.

Making Threat Hunting Effective & Efficient with MITRE ATT&CK Framework

Threat hunters rely on MITRE ATT&CK framework that guides them to think through each stage of a potential attack, and then determine the evidence to search for. MITRE ATT&CK is globally accessible knowledge base that incorporates an exhaustive list of offensive TTPs based on real-world observations, that hunt teams can draw from when constructing hypotheses. TTPs are behaviours, methods, or patterns of an activity used by a threat actor, or group of threat actors.

Cyber Threat hunter start each hunt activity with a simple query: what is it that we are looking for. Since ATT&CK Framework is a complete list of all presently known post compromise behaviours, it has answers to that query. The framework guides SOC teams on which cyber threat groups to watch out for, which specific techniques, platforms, data sources or software programs that might be used to target your SOC environment, and how to early detect and mitigate against the adversarial techniques described in the framework.

MITRE ATT&CK framework can be used to discover potential threats and identify areas of risk and improvement in SOC environment. It provides a detailed catalogue of which data sources should be examined when investigating the possibility that a particular tactic or technique has been used in an environment. It can be used to assess how effective an organization SOC is at detecting, analysing, and responding to security breaches.

Modern SOC should leverage on ATT&CK Framework to increase the efficacy of threat hunting program and look for wider set of evidence by hunting for adversarial TTPs rather than specific signatures. With superior information available on adversary groups/threat actors, the techniques they’re likely to use and how they will behave once they gain access to the target network, SOC teams can harden their defense and make targeted improvements to threat detection/prevention systems. Thus, threat hunting leveraging ATT&CK framework increase the likelihood of containing and preventing a threat, thereby strengthening security posture of an organization.

About Author: Neha Dhyani is Senior Security Consultant at Nokia Solutions & Networks with more than 15 years of proven expertise across domains including telecom security(5G/4G), Cloud Security, Next-gen SOC Security, EDR/XDR, Threat Hunting, Container security & Advance Threat Analytics. She is an Australian Computer Society (ACS) Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials.


Leave A Reply