Threat Hunt
BluSapphire_Threat Hunt_WhitePaper
Incident response strategy has evolved rapidly over the past decade because cyber-attacks have become targeted and complex. They are generally executed by highly advanced adversaries who no longer compromise just one or two systems in an enterprise; instead, they move laterally within the organization's network in stealth and may be present virtually everywhere. Obsolete Incident Response and Management methodologies will therefore fail to identify compromised systems, fail to contain the breach effectively, and ultimately fail to respond to and remediate an incident quickly.
Threat hunting combines a proactive methodology, innovative technology, highly skilled people, and in-depth threat intelligence to find and stop malicious activity. These attacks are hard to detect and are executed by stealthy attackers; existing preventive tools often miss them before they achieve their objectives. Threat Hunting is your last line of defense for reducing attacker Dwell Time, so it is no surprise that Threat Hunting is seen as a consistently growing area of investment in organizations.

Threat hunting is a proactive procedure for uncovering hidden adversaries, built on the presumption that an attacker may already have been inside an organization's network for days, weeks or even months, preparing and executing attacks such as Zero Days, Advanced Persistent Threats and Unknown Threats. Threat hunting aims to uncover this malicious activity by seeking out indicators of compromise (IOCs), often based on Threat Intelligence (TI) or driven by a hypothesis. Sources of tactical and strategic TI can be industry- or company-specific reports and/or information from previous incidents.
What is NOT Threat Hunting?
There is a lot of disinformation about Threat Hunting, so while defining Threat Hunting, it is also important to note what is not Threat Hunting:
- It does NOT replace existing security monitoring
- It is NOT a form of Pentest or Vulnerability Assessment
- It is NOT Security Monitoring
- It is NOT Incident Response – though it often triggers an Incident Response when it uncovers something malicious
- It is NOT a process that has a guaranteed result
- It is NOT a process to check if security analysts in the monitoring team are doing their job well.
- It is NOT for the faint hearted. If Security Monitoring is too challenging, then you have miles to go before you are mature enough for Threat Hunting.

Why Threat Hunt? Benefits.
- Better ability to uncover hidden and established threats.
- The ability to detect threats before the attacker causes damage, hence reducing incident losses.
- A threat response process that effectively delivers "negative time" lag, and improvements beyond fast response.
- Improved knowledge of the IT environment, with a focus on the hiding places frequented by advanced threat actors.
- A reduced attack surface resulting from discovered and removed vulnerabilities.
- Improved security incident response process.
- Identification of gaps in visibility necessary to detect and respond to attackers and their TTPs.
- Uncovering new threats and TTPs that can feed data back to Threat Intelligence.
- The ability to ensure system hygiene before a critical mission or business transaction, M&A activity, etc.
- A way to validate that controls, both preventative and detective, are in proper shape and that no threat actors have established a foothold within the environment.
Threat Hunting is a highly data-driven process and requires detailed logs, which can be divided into Network Data and Endpoint Data. For a good Threat Hunt you also need Threat Intelligence Data and knowledge of the environment you operate in. Typically, it is easier to get access to Network Data than Endpoint Data. The higher the quality of the data, the higher the likelihood of a successful Threat Hunt.

Good, actionable Threat Intelligence is very useful to the Threat Hunting process. In most cases of Threat Hunt:
- Threat Intelligence is used as a starting point for hunting
- Threat Intelligence is also used for contextualizing and driving the hunt process
- Threat Hunt by itself results in generating new Threat Intelligence to be fed back into the Threat Intelligence cycle.
You can also, optionally but highly recommended, enrich the data with fields like IP reputation, GeoIP and Autonomous System Numbers (ASNs) to find evidence of potentially unwanted activity.
Tools allow you to perform various data transformations and manipulations for proper analysis. Visualizations and statistics that display the change in values of specific fields over time, such as frequency or entropy values, are vital for investigations. Clustering, stacking, aggregating, grouping and/or frequency distribution techniques are most often used to look for outliers and detect anomalies.
The MITRE ATT&CK Framework (MAF) can be used as input for potential attack vectors and techniques. MAF provides a wealth of technique information for hunters, guiding the hunt process with detection techniques. Though MAF is primarily used for Security Monitoring, it often acts as a great guide for Threat Hunters too.
Automation should be applied where possible to make the life of a Threat Hunter easier and the team more productive. While it is not possible to automate all tasks completely, automation reduces the time to hunt and aids in scheduling and repeatability of Hunts.
Tools | Role in Threat Hunt | Example Scenario
--- | --- | ---
End Point Detection and Response (EDR) | Collect endpoint data and search endpoints for evidence of attacker activity | Find all machines where svchost.exe is running but its path is not in the Windows system directory
User and Entity Behavior Analytics (UEBA) | Analyze user activity data and find anomalies that may indicate suspicious activity | Display the list of users that behave unusually regarding authentication activity
Network Traffic Analysis (NTA) | Analyze and capture log data based on network traffic in real time | Large file downloads/uploads taking place from a specific IP
Network Behavior Anomaly Detection (NBAD) | Build hypotheses based on the outcome of analysis of flow data via behavioral techniques, such as machine learning, for detecting anomalies | CnC/Botnet communications
Threat Intelligence (TI) | Deliver a list of threat indicators and threat actor TTPs for use as initial hunting clues | Gather all common persistence mechanisms reported to be used by threat groups looking for specific corporate data
Security Information and Event Management (SIEM) | Collect logs, enrich them and enable the analysts to search them in context | Review rare events, rare event sequences and other log-related anomalies
Threat Hunting Tool | Deliver a list of threat indicators and threat actor TTPs for use as initial hunting clues | Gather all common persistence mechanisms reported to be used by threat groups looking for specific corporate data
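As an added example, not code from this whitepaper or from BluSapphire, the following Python implements two of the hunts described above on constructed endpoint process records: the EDR scenario of svchost.exe running outside the Windows system directory, and a frequency stack of image paths that surfaces rare executables for review. Host names, paths and the look-alike file name are all constructed test data.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Constructed EDR-style process records: (hostname, image path). The
# look-alike name and odd locations are deliberate test data, not real IOCs.
RECORDS = [
    ("ws01", r"C:\Windows\System32\svchost.exe"),
    ("ws02", r"C:\Windows\System32\svchost.exe"),
    ("ws03", r"C:\Windows\SysWOW64\svchost.exe"),
    ("ws04", r"C:\Users\Public\svchost.exe"),         # outside system dirs
    ("ws01", r"C:\Windows\explorer.exe"),
    ("ws02", r"C:\Windows\explorer.exe"),
    ("ws03", r"C:\Windows\explorer.exe"),
    ("ws05", r"C:\ProgramData\update\svch0st.exe"),   # rare look-alike name
]

# Directories where svchost.exe legitimately resides (compared case-insensitively).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def misplaced_svchost(records):
    """Hunt from the EDR row of the table: hosts running an image named
    svchost.exe from anywhere other than the Windows system directories."""
    hits = []
    for host, image in records:
        p = PureWindowsPath(image)
        if p.name.lower() == "svchost.exe" and str(p.parent).lower() not in SYSTEM_DIRS:
            hits.append((host, image))
    return hits

def stack(records, max_count=1):
    """Frequency-stack image paths across the fleet and return the rare ones
    (seen at most max_count times). Rarity is a lead, not a verdict: the
    SysWOW64 svchost is rare here yet legitimate, so each outlier is reviewed
    rather than treated as malicious."""
    counts = Counter(image.lower() for _, image in records)
    return sorted(img for img, n in counts.items() if n <= max_count)

if __name__ == "__main__":
    print("svchost outside system dirs:", misplaced_svchost(RECORDS))
    print("rare image paths:", stack(RECORDS))
```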
BluSapphire has dramatically reduced the dependency on people in performing a threat hunt activity within the environment by introducing 'Threat Hunt via Agentless Framework'. In most Hunting exercises, while network data is usually easily obtained, Endpoint Data is the most difficult to acquire.
BluSapphire's agentless hunting capability has effectively addressed this problem, allowing for Live On-Demand Threat Hunts rather than relying on insufficient data or long deployment cycles.
Our Agentless Framework allows organizations and their security analysts to Hunt, Find, Analyze, Respond and Remediate all in one tool. This drastically reduces the Dwell Time and dramatically improves the analyst’s capabilities.
The framework supports indicator consumption via Threat Intelligence Feeds (STIX 2.0), adapting indicators from identified threats or as MITRE Tactics.
IOCs identified during a Hunt can be exported On-Demand into STIX 2.0 and shared with Threat Intelligence collection processes or external Threat Intel agencies.
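An added illustration, not BluSapphire's code, of the STIX 2.0 round trip the two paragraphs above describe: consuming indicators from a feed bundle as hunt terms and exporting an IOC found during a hunt as a STIX 2.0 Indicator, using only the Python standard library. The feed bundle, its identifiers and the hash value are constructed placeholders, and only simple single-comparison patterns are parsed.

```python
import json, re, uuid
from datetime import datetime, timezone

# Constructed inbound feed: a STIX 2.0 bundle carrying one file-hash indicator.
# The hash is a placeholder, not a real IOC.
FEED_BUNDLE = json.dumps({
    "type": "bundle", "spec_version": "2.0",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [{
        "type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222",
        "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
        "labels": ["malicious-activity"],
        "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
        "valid_from": "2024-01-01T00:00:00.000Z",
    }],
})

# Only simple single-comparison patterns are handled: [<object>:<property> = '<value>']
SIMPLE_PATTERN = re.compile(r"^\[(?P<path>[^=\s]+)\s*=\s*'(?P<value>[^']*)'\]$")

def hunt_terms(bundle_json):
    """Turn a bundle's indicators into (observable path, value) hunt terms.
    Compound or unsupported patterns are skipped rather than mis-parsed."""
    terms = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if m:
            terms.append((m["path"], m["value"]))
    return terms

def export_indicator(path, value, label="malicious-activity", now=None):
    """Wrap an IOC found during a hunt as a STIX 2.0 Indicator object with
    every field the 2.0 spec requires for an Indicator."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    safe = value.replace("\\", "\\\\").replace("'", "\\'")  # STIX string escaping
    return {
        "type": "indicator", "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "labels": [label],
        "pattern": f"[{path} = '{safe}']",
        "valid_from": ts,
    }

def export_bundle(indicators):
    """Package exported indicators as a STIX 2.0 bundle ready for sharing."""
    return json.dumps({"type": "bundle", "spec_version": "2.0",
                       "id": f"bundle--{uuid.uuid4()}", "objects": indicators})
```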
BluSapphire consumes Threat Intelligence from over 70 sources along with support for commercial feeds. The intelligence obtained is normalised. The normalised intelligence is utilised both on detection and in Threat Hunts.
Today, BluSapphire has the capability to hunt extensively based on the artifacts collected for each Tactic ID of the MITRE ATT&CK Matrix. Please read our MITRE Whitepaper for further details on our detection capability mapped against the MITRE ATT&CK Framework.
BluSapphire Hunt Capabilities.
Table columns: Observation | Reason | Data Needed | Potentially Hunt | Coverage of BluSapphire