top of page
Phil Venables

Threat Hunting: Real World vs. Cyber World

It’s puzzling that there aren’t more articles comparing and contrasting wildlife hunting techniques with cyber threat hunting, or maybe there is and I’ve missed it.


So, here is a shot (pun intended) at a comparison. This is meant to be a bit of fun not a rigorous treatise on cyber threat hunting. But perhaps this little thought experiment might be thought provoking. I’m not a real-world game hunter, but living in rural north New Jersey, I know plenty of people who are. 


1.Still Hunting

Still hunting is the process of hunting an animal by covertly entering their habitats and trying to spot them before they spot you. Part of this spotting them before they spot you is a combination of being able to spot their markers (scent, droppings, mating signs, tracks) while keeping yourself hidden (not revealing your scent, tracks, droppings or mating signs (!) where you might be detected). 


Cyber analogies:


  • Building an appropriate fake identity and being accepted into dark web or other forums to watch attacker behavior.

  • Breaking in (check with a lawyer) to staging points, compromised systems being used to relay attacks or otherwise observing attackers where they are or are traversing. 


2.Baiting

Baiting is using some food source, decoy, lure or scent that appeals to the target animal to attract them to the place you want them to be - where there might be a hunting stand. 


Cyber analogies:


  • The classic example here is the honeypot where some infrastructure is set up, perhaps with explicit weaknesses, designed to lure attackers into exploiting those or other vulnerabilities. The honeypots are instrumented to observe attacker behavior. A second order effect here is to possibly delay their exploitation of actual targets (see also Trapping).


  • There can be many variants of honeypots, from those in production environments to act as an early warning of attacks through to research environments purely for the aim of researching attacker behavior and techniques. 


3.Stand Hunting

Blind or stand hunting is waiting for animals in a concealed or elevated position. It’s when the hunter is stationary in one location and waits for the animal to come to them. This is often used with baiting (stand in a place where the bait is) or calling (standing and then calling to attract the animal to the stand).  


Cyber analogies:


  • Conventional intrusion detection, EDR/XDR or any of the other dressed-up variants of sitting around and consuming sensory information to determine if your target is nearby. 


  • The baiting angle is achieved by placing sensors in honey pots, or more usually constructing your sensory collection apparatus around your most critical potential targets or choke points (see also Driving). 


  • A variant of all of this is to use tipping and cueing to direct fine grained collection in response to coarser grained detections. 


4.Calling

Calling is the use of noises, like game calls, to drive or attract animals by replicating their sounds. This is most often effective during mating season when animals are attuned to the noises of others. 


Cyber analogies:


  • Lurking on dark web forums or other venues frequented by criminals or other attackers to lure them with offers of exploits, data, or intelligence. This is to ensnare or trap them into either revealing their TTPs, intents or slowing down their progress on other targets. 


  • This could also involve misdirecting them to a target that would lead to either further degradation of their capability, capture and neutralization of their TTPs and possibly arrest or other physical cost. 


5.Camouflage

Camouflage is self-concealment, to blend in with the environment to permit other hunting techniques to work well. 


Cyber analogies:


  • A big part of attacker TTPs is to maintain situational awareness of what the defenders are doing in response to attacks. This type of overwatch needs to be considered as a tactic for defenders to counter by ensuring their defensive activities are not seen, and especially not countered. 


  • This can include silent log collection, getting logs (or fused events) off target to a separate environment as fast as possible and maintaining isolated communications systems. For example, I’ve seen more and more organizations moving hunt / SOC comms off their primary e-mail system (typically Office 365) to Google Workspace or one of the various messaging apps, and even further to especially constructed incident response SaaS or on-premise applications. 


  • Another part of this camouflage is to do sensory collection at layers below where an attacker might be able to observe, such as the surrounding hardware environment or layers below the VM or VMM. 


6.Driving

Driving is the herding of animals in a particular direction toward hunters or in a particular direction, say, over a cliff. Noises, dogs or other techniques might be useful to do this. 


Cyber analogies:


  • We often talk about attackers only having to be right once, and defenders right all the time. I think you can reverse this in many respects. We should remember that defenders often have home-field advantage. In other words they control their own environment and can build choke points in their architecture (gateways, access control points, proxies and so on) to drive attackers through those points. And, of course, those points should be bristling with sensors and other capabilities.


7.Flushing

Flushing is scaring targets from concealed areas out into the open where they may be picked off or then driven to a place of hunting. 


Cyber analogies:


  • For attackers who might have sustained access, especially with living off the land techniques it is important to create some impetus to cause them to take some action - the equivalent of flushing them out so as to increase the likelihood they will be observed by other hunting techniques. 


  • This might include, for example, some periodic reset or revalidation of administrators credentials using seperate channels and then watch for anomalous activity in and around those identity and authentication systems for signs attackers might be trying to subvert that process to sustain or reacquire access. 


  • Similarly, for attackers using implants or other tools then periodic rebuilds of systems from trusted images to then observe subsequent changes can reveal attacker behavior. Again, flushing out their behavior driven by the need to reaquire access. 


8.Persistence Hunting

This is more akin to animal predation where one animal or group of animals will hunt or chase their prey to the point where they are exhausted and are then an easy target. 


Cyber analogies:


  • There could be multiple analogies here, but one that I’ve seen come up a few times in various environments is where attackers are repeatedly diverted to honey trap systems or other “research” environments (physical or virtual) that causes them to either give up on the target or to use less covert means of access that reveals more of their activities. 


  • Subsequently, the information in these revelations can be used to interdict attackers closer to their points of origin. 


9.Spotlighting

Spotlighting is the use of light to find or blind targets. This might also immobilize them. It also includes the use of IR rather than visible light. 


Cyber analogies:


  • Here we might be searching for specific indicators of compromise (IOC) to explicitly highlight one or more attacker TTPs. Naturally, knowing very specific IOCs from intelligence or other sources, is key to finding needles in haystacks, or even needles in needle stacks. 


  • Another technique, I’ve seen used is essentially reverse spotlighting. That is, turning off or down activity on device or on network to better reveal any attacker activity. Like, when the tide goes out you can see who has been swimming naked. Complete this analogy how you will. 


10.Scouting

Scouting is reconnaissance or broad area surveillance to find areas where animals will be to then use other techniques to get the target. 


Cyber analogies:


  • This might be similar to tipping and cueing in other aspects of intellegence collection and hunting. That is using coarse grain surveillance methods to look for, possibly low confidence, indications of attack and then deploying finer grained or higher fidelity mechanisms to more deeply hunt in that specific area. 


  • There are other analogous techniques here that are less passive sensory observation and more probing for unexpected channels where attackers might be. One of my favorites is the inside out network leakage test. Some of you may remember Lumeta and other vendors, and some open source tooling, that did this. Basically, this looks for unexpected network connectivity from the closed network to other networks, mostly the Internet. Doing this inside out rather than outside in is more likely to reveal unexpected paths. In a prior organization we once found an errant network administrator who had an unauthorized fixed line network connection to their house, which in turn bridged to a University network and in turn the Internet. Regular network scans didn’t find this, not least because the network admin was involved in those and disabled the unauthorized network connection during the test. This was caught when the security team covertly ran an inside out leak test and found this and some other problematic connections. 


11.Stalking and Tracking

Stalking is the practice of stealthy pursuit when tracking an animal. This is different from still hunting in that it typically involves following an animal over distance rather than to a point of habitat. To be successful, the hunter gets advantage from vantage points from where to spot game in open ground, which provides less concealment than forested areas.


Cyber analogies:


  • Stalking cyber threats / attackers is very similar, in some respects, to what threat intelligence analysts and other researchers are doing by correlating attacker TTPs across venues, extrapolating IOCs and other signatures and then hunting for them in other locations, forums, or previously captured sensory data. 


  • This all connotes stalking if we can collectively connect the dots between this tracking and the ability to then interdict or establish sensory traps, based on this intelligence, for future targets where the attackers are heading. 


12. Trapping

Trapping is the use of devices such as snares, traps, pits to capture or kill an animal. 


Cyber analogies:


  • This can be honey traps, tar pits, false information, or myriad of other techniques designed to slow down attackers’ actions on target or to pollute their results. 


Bottom line: as with many disciplines there are opportunities to look for lessons learnt in other fields to cross-apply. Hunting in all its form is, naturally, rich in such cross-overs. 

1,522 views0 comments

Recent Posts

See All

Comments


Commenting has been turned off.
bottom of page