Threat Hunting


Info

Threat hunting is a proactive cybersecurity process aimed at identifying Indicators of Compromise (IOCs) and uncovering gaps in detection coverage for adversary Tactics, Techniques, and Procedures (TTPs) before those gaps are exploited.

MITRE ATT&CK TTPs for Threat Hunting

The MITRE ATT&CK framework is central to modern threat hunting and categorizes adversary behavior into:

  • Tactics: The adversary’s goal or objective (e.g., Initial Access, Execution, Persistence).
  • Techniques: The method used to achieve a tactic (e.g., Spearphishing Attachment, Credential Dumping).
  • Sub-techniques: More granular descriptions that provide detail under each technique (e.g., LSASS Memory for Credential Dumping).
  • Procedures: The specific implementation of a technique, such as using a particular malware or exploiting a known vulnerability.

Tip

Map your security controls to MITRE ATT&CK to systematically identify and close coverage gaps across tactics and techniques.

ATT&CK in Practice

  • Initial Access: Techniques like Phishing (T1566), Drive-by Compromise (T1189), and Valid Accounts (T1078).
  • Persistence: Techniques such as Scheduled Task/Job (T1053), Boot or Logon Autostart Execution (T1547).
  • Privilege Escalation: Includes Exploitation for Privilege Escalation (T1068) and Bypass User Account Control (T1548).
  • Defense Evasion: Techniques such as Obfuscated Files or Information (T1027) and Indicator Removal on Host (T1070).

Example

If your SIEM lacks rules to detect Scheduled Task creation (T1053), this represents a detection gap under Persistence.
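The detection gap in the example above is closed by a rule that fires on task creation. The block below is an added illustration, not code from the original page: it runs two simple T1053 rules over a handful of constructed Windows event records (shaped after Security Event 4698, "A scheduled task was created", and Sysmon Event ID 1, process creation) and rates each hit by whether the task's action lives in a user-writable path. The event field names, hosts, users and paths are constructed for the example.

```python
"""Detection logic for Scheduled Task creation (ATT&CK T1053) over constructed
Windows event records. Added example; not code from the original page."""
import re
from dataclasses import dataclass

# Constructed sample events modelled on Windows Security Event 4698 (task created)
# and Sysmon Event ID 1 (process creation). Field names are this example's own.
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4698, "host": "WS01", "user": "CORP\\alice",
     "task_name": "\\Microsoft\\Windows\\Updater",
     "task_content": "<Actions><Exec><Command>C:\\Users\\Public\\u.exe</Command></Exec></Actions>"},
    {"source": "Sysmon", "event_id": 1, "host": "WS02", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": "schtasks.exe /create /tn Backup /tr C:\\Program Files\\Backup\\run.exe /sc daily"},
    {"source": "Sysmon", "event_id": 1, "host": "WS02", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": "schtasks.exe /query /tn Backup"},
    {"source": "Security", "event_id": 4624, "host": "WS03", "user": "CORP\\carol"},
]

# Task actions launched from user-writable locations deserve a closer look.
USER_WRITABLE = re.compile(r"(?i)\\(Users\\Public|Temp|AppData|ProgramData)\\")


@dataclass
class Finding:
    host: str
    user: str
    technique: str   # ATT&CK technique id the rule maps to
    rule: str        # name of the detection rule that fired
    command: str     # what the task runs
    severity: str    # "high" if the action lives in a user-writable path


def action_from_4698(task_content: str) -> str:
    """Pull the <Command> element out of the task XML carried by a 4698 event."""
    m = re.search(r"<Command>(.*?)</Command>", task_content)
    return m.group(1) if m else ""


def action_from_schtasks(command_line: str) -> str:
    """Extract the /tr (task run) argument from a schtasks.exe command line."""
    m = re.search(r"(?i)/tr\s+(.+?)(?=\s+/\w+|$)", command_line)
    return m.group(1) if m else ""


def severity_for(command: str) -> str:
    return "high" if USER_WRITABLE.search(command) else "low"


def detect_task_creation(events):
    """Apply two rules that both map to T1053 and return one Finding per hit."""
    findings = []
    for e in events:
        if e["source"] == "Security" and e["event_id"] == 4698:
            cmd = action_from_4698(e.get("task_content", ""))
            findings.append(Finding(e["host"], e["user"], "T1053",
                                    "win_security_4698_task_created", cmd, severity_for(cmd)))
        elif (e["source"] == "Sysmon" and e["event_id"] == 1
              and e.get("image", "").lower().endswith("\\schtasks.exe")
              and re.search(r"(?i)\s/create\b", e.get("command_line", ""))):
            cmd = action_from_schtasks(e["command_line"])
            findings.append(Finding(e["host"], e["user"], "T1053",
                                    "sysmon_schtasks_create", cmd, severity_for(cmd)))
    return findings


if __name__ == "__main__":
    for f in detect_task_creation(SAMPLE_EVENTS):
        print(f"{f.severity.upper():4} {f.technique} {f.rule} host={f.host} "
              f"user={f.user} runs={f.command}")
```

Two things to notice: the /query invocation and the 4624 logon produce nothing, and both rules carry the same technique id, which is what lets the findings be counted as coverage for T1053 later. On Windows the relevant sub-technique is T1053.005 (Scheduled Task); the page's parent id is kept here.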

MITRE ATT&CK Tactic Overview Table

Info

Full framework and interactive matrix available at: MITRE ATT&CK Enterprise Matrix (https://attack.mitre.org/matrices/enterprise/)

Tools & Resources

  • ATT&CK Navigator: Visual tool for mapping and overlaying ATT&CK data.
  • Atomic Red Team: Provides tests to simulate ATT&CK techniques.
  • Sigma Rules: Community-driven detection rule format that maps to ATT&CK techniques.
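The Tip above (map your controls to ATT&CK to find coverage gaps) and the Sigma and Navigator entries in this list fit together in one small workflow, shown here as an added example that is not part of the original page. Detection rules are represented as Sigma-style records whose tags follow the attack.<tactic> and attack.t<id> convention; the technique list is the subset from "ATT&CK in Practice", not the full matrix; and the Navigator layer emitted at the end uses only a minimal set of layer fields (name, domain, versions, techniques), which is an assumption about what is sufficient for import. Rule titles and tags are constructed.

```python
"""Map Sigma-style detection rules to ATT&CK techniques, report coverage gaps per
tactic, and emit a minimal ATT&CK Navigator layer. Added example, not page code."""
import json

# Techniques of interest grouped by tactic: the subset listed on this page,
# using the page's technique names. Not the full Enterprise matrix.
TECHNIQUES_OF_INTEREST = {
    "initial-access": {"T1566": "Phishing", "T1189": "Drive-by Compromise",
                       "T1078": "Valid Accounts"},
    "persistence": {"T1053": "Scheduled Task/Job",
                    "T1547": "Boot or Logon Autostart Execution"},
    "privilege-escalation": {"T1068": "Exploitation for Privilege Escalation",
                             "T1548": "Bypass User Account Control"},
    "defense-evasion": {"T1027": "Obfuscated Files or Information",
                        "T1070": "Indicator Removal on Host"},
}

# Constructed rules in the Sigma tag convention ("attack.<tactic>", "attack.t<id>").
# Note: nothing here covers T1053, reproducing the page's example gap.
RULES = [
    {"title": "Office Application Spawning Script Interpreter",
     "tags": ["attack.initial-access", "attack.t1566"]},
    {"title": "Interactive Logon From Unseen Country",
     "tags": ["attack.initial-access", "attack.t1078"]},
    {"title": "Run Key Autostart Modification",
     "tags": ["attack.persistence", "attack.t1547.001"]},
    {"title": "Encoded PowerShell Command Line",
     "tags": ["attack.defense-evasion", "attack.t1027"]},
]


def techniques_from_tags(tags):
    """Return parent technique ids ('T1547') from Sigma-style tags.
    Sub-technique tags such as attack.t1547.001 roll up to their parent."""
    ids = set()
    for tag in tags:
        if tag.startswith("attack.t") and tag[8:9].isdigit():
            ids.add("T" + tag[8:].split(".")[0])
    return ids


def covered_techniques(rules):
    return set().union(*(techniques_from_tags(r["tags"]) for r in rules))


def coverage_report(techniques, rules):
    """Per tactic: which techniques of interest have at least one rule, which have none."""
    covered = covered_techniques(rules)
    return {
        tactic: {"covered": sorted(t for t in techs if t in covered),
                 "gaps": sorted(t for t in techs if t not in covered)}
        for tactic, techs in techniques.items()
    }


def navigator_layer(techniques, rules, name="Detection coverage"):
    """Minimal Navigator layer: covered techniques score 1, gaps score 0.
    Assumption: this subset of layer fields is enough for the Navigator to import."""
    covered = covered_techniques(rules)
    entries = [
        {"techniqueID": tid, "tactic": tactic,
         "score": 1 if tid in covered else 0,
         "comment": "covered" if tid in covered else "gap"}
        for tactic, techs in techniques.items() for tid in techs
    ]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5"}, "techniques": entries}


if __name__ == "__main__":
    for tactic, r in coverage_report(TECHNIQUES_OF_INTEREST, RULES).items():
        print(f"{tactic:22} covered={r['covered']} gaps={r['gaps']}")
    print(json.dumps(navigator_layer(TECHNIQUES_OF_INTEREST, RULES), indent=2))
```

Saving the printed JSON to a file and opening it in ATT&CK Navigator colours the covered and uncovered cells, which is the overlay the Note at the end of this page suggests. Adding the 4698 and schtasks rules from the earlier example with an attack.t1053 tag removes the Persistence gap the report shows.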

Summary

  • Use ATT&CK to guide threat hunting investigations.
  • Focus on detecting IOCs tied to known and emerging TTPs.
  • Continuously validate your detection capabilities against mapped techniques.
  • Integrate ATT&CK resources to enhance detection engineering and red team operations.

Note

Consider using ATT&CK Navigator or similar visualization tools to overlay detection rules and red/blue team findings for enhanced coverage insight.


Incident Response

View the NIST Incident Response Framework (NIST SP 800-61) for more details.


Stay sharp and hunt on, Penguin! 🐧