International Journal of

ADVANCED AND APPLIED SCIENCES

EISSN: 2313-3724, Print ISSN: 2313-626X

Frequency: 12


 Volume 9, Issue 1 (January 2022), Pages: 8-19

----------------------------------------------

 Original Research Paper

 Title: Knowing the unknown: The hunting loop

 Author(s): Sultan Saud Alanazi 1, *, Adwan Alowine Alanazi 2

 Affiliation(s):

 1 College of Computer Science and Engineering, University of Ha'il, Ha'il, Saudi Arabia
 2 Department of Computer Science and Engineering, University of Ha'il, Ha'il, Saudi Arabia


 * Corresponding Author. 

  Corresponding author's ORCID profile: https://orcid.org/0000-0002-8448-5273

 Digital Object Identifier: 

 https://doi.org/10.21833/ijaas.2022.01.002

 Abstract:

There are several ways to improve an organization's cybersecurity protection against intruders. One of them is to proactively hunt for threats, i.e., threat hunting. Threat hunting enables organizations to detect the presence of intruders in their environment. It identifies the tactics, techniques, and procedures (TTPs) of attackers and searches for them in the environment. To know what to look for in the collected data and the environment, the attacker's TTPs must be known and understood. Information about an attacker's TTPs usually comes from signatures, indicators, and behavior observed in threat intelligence sources. Traditionally, threat hunting involves analyzing collected logs for Indicators of Compromise (IOCs) with different tools. However, network and security infrastructure devices generate large volumes of logs that are challenging to analyze, leaving gaps in the detection process. Similarly, identifying the required IOCs is very difficult, which sometimes makes the threat hard to hunt; this is one of the major drawbacks of traditional threat hunting processes and frameworks. To address this issue, intelligent automated processes using machine learning can improve the threat hunting process and plug those gaps before an attacker can exploit them. This paper proposes a machine learning-based threat-hunting model that fills the gaps in the threat detection process and effectively detects unknown adversaries by training machine learning algorithms on extensive datasets of TTPs and of the normal behavior of the system and target environment. The model comprises five main stages: Hypotheses Development, Equip, Hunt, Respond, and Feedback. By employing machine learning algorithms, this threat hunting model goes a step beyond traditional models and frameworks.
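As an added illustration of the five-stage loop the abstract names (not the paper's own model or code), the following Python runs one hypothesis-driven hunt over constructed endpoint events: a TTP hypothesis, a normal-behavior baseline, a hunt, a response, and analyst feedback that refines the next iteration. The event schema, the hypothesis rule, and all event data are constructed assumptions.

```python
from collections import Counter

# Constructed normal-behaviour history used to build the baseline (assumption).
NORMAL_HISTORY = [
    ("explorer.exe", "powershell.exe"), ("explorer.exe", "notepad.exe"),
    ("explorer.exe", "powershell.exe"), ("services.exe", "svchost.exe"),
]

# Constructed process-creation events to hunt over (hypothetical schema).
EVENTS = [
    {"host": "ws01", "parent": "winword.exe", "child": "powershell.exe"},
    {"host": "ws02", "parent": "explorer.exe", "child": "powershell.exe"},
    {"host": "ws03", "parent": "outlook.exe", "child": "cmd.exe"},
    {"host": "ws04", "parent": "explorer.exe", "child": "notepad.exe"},
]

# Stage 1, Hypotheses Development: each hypothesis states the TTP and the
# observable that would confirm it (an Office application spawning a shell).
HYPOTHESES = [
    {"name": "office-app-spawns-shell",
     "parents": {"winword.exe", "excel.exe", "outlook.exe"},
     "children": {"powershell.exe", "cmd.exe"}},
]


class HuntingLoop:
    def __init__(self, hypotheses, normal_history):
        self.hypotheses = hypotheses
        # Stage 2, Equip: baseline of parent/child pairs seen in normal use.
        self.baseline = Counter(normal_history)
        self.allowlist = set()  # pairs confirmed benign through Feedback

    def hunt(self, events):
        """Stage 3, Hunt: keep events that match a hypothesis and are neither
        part of the normal baseline nor already confirmed benign."""
        findings = []
        for ev in events:
            pair = (ev["parent"], ev["child"])
            if pair in self.allowlist or self.baseline[pair] > 0:
                continue
            for hyp in self.hypotheses:
                if ev["parent"] in hyp["parents"] and ev["child"] in hyp["children"]:
                    findings.append({"host": ev["host"], "hypothesis": hyp["name"], "pair": pair})
        return findings

    def respond(self, findings):
        """Stage 4, Respond: turn findings into per-host actions for the analyst."""
        return {f["host"]: f"isolate and review ({f['hypothesis']})" for f in findings}

    def feedback(self, finding, benign):
        """Stage 5, Feedback: a confirmed-benign finding refines the baseline so
        the next iteration does not raise it again; a true positive keeps the rule."""
        if benign:
            self.allowlist.add(finding["pair"])
```

Each call to `hunt` is one pass of the loop; feedback from the analyst changes what the next pass reports without touching the hypothesis itself.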

 © 2021 The Authors. Published by IASE.

 This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

 Keywords: Threat hunting, Threat response, Threat detection, Adversary detection, TTPs, Tactics, Techniques, Procedures, Indicator of compromise, IOCs

 Article History: Received 14 July 2021, Received in revised form 28 October 2021, Accepted 29 October 2021

 Acknowledgment 

No Acknowledgment.

 Compliance with ethical standards

 Conflict of interest: The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

 Citation:

 Alanazi SS and Alanazi AA (2022). Knowing the unknown: The hunting loop. International Journal of Advanced and Applied Sciences, 9(1): 8-19


----------------------------------------------    
