The art and science behind Microsoft threat hunting: Part 3
Earlier in Part 11 and Part 22 of this blog series, Microsoft Incident Response outlined the strategies, methodologies, and approaches that are used while performing a cyberthreat hunt in both pre- and post-compromised environments. This chapter outlines how Microsoft Incident Response, in collaboration with partner security teams, leverages three distinct types of threat intelligence in the threat hunting cycle, and how customers can utilize these artifacts themselves to improve their own incident response preparedness.
Microsoft Incident Response
Strengthen your security with an end-to-end portfolio of proactive and reactive cybersecurity incident response services.
Threat intelligence is often oversimplified to represent a feed of indicators of compromise (IOCs). The intersection between multiple types of threat intelligence, however, enables organizations and their threat hunters to have a holistic understanding of the cyberattackers and techniques that can and will target them. With this comprehensive cheat sheet of knowledge, threat hunters can not only increase efficiency when responding to a compromise, but proactively hunt their systems for anomalies and fine-tune protection and detection mechanisms.
Figure 1. Three types of threat intelligence.
Figure 1 introduces three types of threat intelligence that will be outlined in this blog—strategic, operational, and tactical. It provides a visualization of organizational effort versus the value gained when utilizing threat intelligence in more than one way. Typically, security teams integrate IOC cyberthreat feeds at a tactical level, but incorporating threat intelligence operationally requires daily investment, especially when alert queues seem endless. Strategic threat intelligence may seem familiar to most organizations but can be challenging to apply effectively, as this requires concentrated effort at multiple levels to understand the organization’s position within the overall threat landscape. How can threat hunters leverage these types of threat intelligence effectively for the benefit of their organization?
Strategic threat intelligence: Informed hunting driven by the overarching cyberthreat landscape
Security teams should be industry aware—being cognizant of the types of digital threats and current trends affecting industry verticals allows any team to be better prepared for potential compromise. Strategic threat intelligence is fundamentally based on understanding threat actor motives, which gives organizations an understanding of which threat actors they should be most conscious of in relation to the industry vertical or their most valuable resources. For example, government entities are traditionally targeted by nation-state advanced persistent threats (APTs) to perform cyber espionage, whereas organizations in the healthcare industry are commonly targeted by cybercriminal actor groups for ransomware operations and financial extortion due to the sensitivity of the data they possess. Understanding where the organization fits into this strategic picture determines the investment where its resources (people and time) may be constrained. Furthermore, it’s a key step toward developing an effective threat-informed defense strategy prioritizing the cyberattacks that target the organization.
Operational threat intelligence: Informed hunting to proactively understand the environment and its data
Having broad visibility into an organization’s attack surface is imperative when applying threat intelligence at an operational level. The crucial components spanning the perimeter of the on-premises network and extended entities such as cloud, software-as-a-service, and overall supply chain should be well understood:
- Where are the tier 0 systems in the organization?
- What intermediary lateral movement pathways exist to tier 0 systems?
- What security controls across the environment are (or aren’t) in place?
- What telemetry is produced by all systems in the environment?
Security teams should proactively analyze the data that comes from these entities to develop a baseline of normal operations. Along with this baseline, threat hunters should comprehend and exercise organizational processes. In the event of an identified anomaly, how is that behavior deconflicted? What teams within the organization need to be consulted? What is the process for ensuring false positives can be reported and circulated efficiently and effectively? Considering the secondary questions and tertiary actions of response steps greatly benefits threat hunting timeliness, staving off confusion during a rapidly evolving incident.
Tactical threat intelligence: Informed hunting to reactively respond to a live cyberthreat
Tactical threat intelligence is often an organization’s main integration to enhance a threat hunt, particularly in response to an active cyberattack scenario. Known-bad entities and atomic indicators such as IP addresses, domains, and file hashes are used to identify anomalies aligning to attacker techniques against targeted systems quickly. Additionally, if the cyberattack is already attributed to a threat actor, or the attack aligns to a particular motive, security teams can use these patterns of behavior to prioritize their hunting scope to their known tactics, techniques, and procedures. Novel indicators or associated research from the analysis should be shared with other vetted threat hunters within the organization and are a particularly valuable contribution to the wider threat intelligence community to further enrich detections for all organizations.
Putting it together: Threat intelligence and iterative threat hunting
Armed with this breakdown, threat hunters can now turn their attention to using varied threat intelligence to execute threat hunts and track down threat actors. The threat hunting iterative workflow shown in Figure 2 is something security teams will likely be familiar with; but are threat intelligence artifacts effectively being applied to create a holistic threat-informed defense strategy?
Figure 2. Feeding threat intelligence artifacts into an iterative threat hunting workflow.
When preparing a hunt, threat hunters should seek to apply strategic threat intelligence to prioritize the cyberthreats that target the organization. This directly leads into the hypothesis phase. Threat hunters include the gathered strategic artifacts in a hunt hypothesis based on the trends or threat actors impacting other organizations in the same vertical. This casts a wide net to identify anomalies and behaviors common to the industry. They are not limiting the hunt based on any one IOC, rather using the collective intelligence learned from similar intrusions to detect or prevent the attack scenario. For every investigation, whether it be proactive or reactive, Microsoft Incident Response threat hunters consider other incidents impacting victim organizations in the same industry as a guiding force to efficiently identify focus areas of analysis, leveraging research from Microsoft Threat Intelligence that outlines any applicable threat actor attribution.
Daily workflows should be enhanced with operational threat intelligence artifacts to determine an environmental baseline. Proactive hunt hypotheses should seek to test the understanding and actively seek to identify gaps in various aspects of the baseline, identifying any behavioral anomalies straying from “normal operations” and developing high-fidelity, real-world detections based on the true attempts at intrusion to their environments. Existing detections should be continuously reviewed and refined, hunting threads should include interrogation of both successful and failed access attempts, and data integrity should be verified. Security teams should question if:
- Centralized data is both complete and accurate—identifying if there are any gaps in the data and why.
- The schema is consistent between all data sources (for example, timestamp accuracy).
- The correct fields are flowing through from their distributed systems’ sources.
When security teams embody being the experts of their environment, they become more adept at identifying when a proactive threat hunt shifts into reactive response to active threat. This is invaluable when improving the speed of returning to normal operations and engaging additional support such as Microsoft Incident Response, who can enhance the hunt with threat intelligence from previous global incidents, working with the customer to deconflict abnormalities quickly for swift takeback and eviction of threat actors.
When incident response teams like Microsoft Incident Response are engaged during a reactive incident, the objective of threat hunting is to conduct analysis of live, historical, and contextual data on targeted and compromised systems and provide a detailed story of not only the attack chain, but the threat actor(s) conducting that attack. Enriching a threat hunt with tactical threat intelligence artifacts in the form of IOCs concentrates investigation scope and allows for rapid identification of threat actor activity. As the hunt progresses, relational entities to that indicator are uncovered, such as the identities involved in activity execution and lateral movement paths to different systems. Attention shifts from atomic indicators such as IP addresses and malicious domains, to artifacts left directly on compromised systems, such as commands that were run or persistent backdoors that were installed. This builds an end-to-end timeline of malicious activity and related indicators for organizations to stay informed, implement target security controls, and prevent the same, or similar, incidents in the future.
What is Microsoft Defender Threat Intelligence (Defender TI)?
Adhering to the collaborative cycle of threat intelligence, Microsoft Incident Response contributes front-line research to enhance and further develop detections for customers worldwide. Entities are aligned with industry frameworks such as the Diamond Model, to build threat actor profiles detailing the relationship between adversaries’ infrastructure, capabilities and victims. Microsoft Threat Intelligence is available in Microsoft Defender XDR for the community and fellow security teams to consume, validate, and refine into proactive detections for the organization.
How Microsoft Incident Response can support proactive threat protection
Microsoft Incident Response has cultivated and relies upon implementing the cycle between incident response and threat intelligence to protect our customers, leveraging insights from 78 trillion signals per day. Organizations can proactively position themselves to be well-informed by the threats targeting their organization by implementing threat intelligence in a holistic way, before an incident begins.
Embracing a collaborative culture amongst the threat intelligence community to not only consume entities, but to further contribute, refine, and enhance existing research, results in improved detections, controls, and automation, allowing all security professionals to get behind the same goal—track down and protect themselves from threat actors and their malicious intent.
You can read more blogs from Microsoft Incident Response. For more security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.
Learn more
Learn more about Microsoft Incident Response.
To get notified about new Microsoft Threat Intelligence publications and to join discussions on social media, follow us on X (@MsftSecIntel).
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
1The art and science behind Microsoft threat hunting: Part 1, Microsoft Incident Response Team. September 9, 2022.
2The art and science behind Microsoft threat hunting: Part 2, Microsoft Incident Response Team. September 21, 2022.
READ MORE HERE