Behind the Curtain: Hunting Leads Explained
Blog Article Published: 06/02/2023
Originally published by CrowdStrike.
Most hunting enthusiasts agree that the thrill of hunting lies in the chase. Equipped with experience and tools of their trade, hunters skillfully search for signs of prey — a broken twig, a track in the mud. Threat hunters are no different. They search for signs of their prey — of adversaries lurking in the dark — and these signs are called hunting leads.
The ability to discern these subtle markers of adversary activity is critical to staying ahead of the evolving threat landscape. Adversaries commonly attempt to blend in with routine operations, using the legitimate tools at their disposal to progress their objectives. In 2022, 71% of intrusions seen by CrowdStrike were malware-free. Unlike fully automated detections, hunting leads offer the nuance and finesse needed to uncover the stealthy operations that can bypass automation, algorithms and signatures.
What Is a Hunting Lead?
First and foremost, a hunting lead is not a detection and not an alert — it is merely a beacon or an indication of something that is possibly bad. Because hunting leads may have no malicious fidelity on their own, they must be correlated and contextualized to provide value.
Just like hunters in the physical realm, cyber threat hunters operate under the assumption that prey, or adversaries, exist in their habitat. Threat hunting is a proactive, ongoing search through data, environments and endpoints to discover adversary activities that evade detection from automated security tools. A hunting lead is any individual data point that provides threat hunters with context into behavior observed. Individually, these data points may not be suspicious or malicious, but combined with other indicators, hunting leads could become detections.
Using the analogy of an animal hunter, a low-fidelity hunting lead might be disturbed vegetation. This disturbance could indicate the presence of prey. A higher-fidelity clue might be a clump of deer hair. A hunter would require more context clues to determine the location of the hunted prey.
The fidelity of a hunting lead may be strengthened by further related events, such as a new user being added to the local Administrators group and then listing running processes. On their own, these events aren’t inherently malicious, but in combination, they constitute a pattern of behavior consistent with adversary activity.
By pulling this thread further, a hunter may uncover a compromised web server on the host, providing the crucial clue to confirm an adversary’s presence.
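The correlation described above, as a runnable sketch that is added here for illustration and is not CrowdStrike's own logic: individually weak leads are grouped per host and account, and a group is only raised for triage when several distinct leads fall inside one time window. The lead names, weights, 30-minute window, threshold and sample telemetry are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical lead types and weights (assumptions, not from the article).
LEAD_WEIGHTS = {"user_created": 1, "added_to_local_admins": 2, "process_listing": 1}
WINDOW = timedelta(minutes=30)  # assumed correlation window
ESCALATE_AT = 4                 # assumed score at which a hunter triages first

# Constructed sample telemetry: (timestamp, host, account the event concerns, lead type)
EVENTS = [
    ("2023-06-02T10:00:00", "web01", "svc_tmp", "user_created"),
    ("2023-06-02T10:02:10", "web01", "svc_tmp", "added_to_local_admins"),
    ("2023-06-02T10:03:45", "web01", "svc_tmp", "process_listing"),
    ("2023-06-02T11:15:00", "hr-ws7", "jdoe", "process_listing"),
    ("2023-06-02T09:00:00", "it-ws2", "newhire", "user_created"),
    ("2023-06-02T14:30:00", "it-ws2", "newhire", "added_to_local_admins"),
]

def correlate(events, window=WINDOW):
    """Score each (host, account) by its densest window of distinct lead types."""
    by_key = {}
    for ts, host, account, lead in events:
        by_key.setdefault((host, account), []).append((datetime.fromisoformat(ts), lead))
    results = []
    for (host, account), leads in by_key.items():
        leads.sort()
        best_score, best_types = 0, []
        for i, (start, _) in enumerate(leads):
            # Collect distinct lead types seen within `window` of this event.
            seen = []
            for ts, lead in leads[i:]:
                if ts - start > window:
                    break
                if lead not in seen:
                    seen.append(lead)
            score = sum(LEAD_WEIGHTS.get(t, 0) for t in seen)
            if score > best_score:
                best_score, best_types = score, seen
        results.append({"host": host, "account": account, "score": best_score,
                        "leads": best_types, "escalate": best_score >= ESCALATE_AT})
    return sorted(results, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in correlate(EVENTS):
        print(r)
```

Only the web01 chain crosses the threshold; the same two leads spread over five hours on it-ws2 stay low-priority, which is the noise-versus-fidelity trade-off a hunter tunes by adjusting the window and weights.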
Life Cycle of a Hunting Lead
A Lead Is Born
The starting point for developing a hunting lead varies — a lead could be born from a concrete observation or a simple hunch based on experience gleaned through previous hunting operations. Hunters may observe a new potentially malicious event type while searching for anomalous events, investigating tradecraft seen in an intrusion, or reviewing the latest threat intelligence on adversary activity. Or, a hunter may ask probing questions about how an adversary might devise a workaround for automated protections or apply known tradecraft in a new and unexpected context.
From these starting points, threat hunters build on their ideas and test them against available datasets and telemetry.
What results are hunting leads — each one carefully curated and promptly delivered to a threat hunter’s view for further analysis.
This is where the human element of hunting begins. Threat hunters triage the hunting leads based on the contextualized information presented to them. Anything identified as suspicious moves from triage to investigation — where a hunter will dig deep into the victim’s environment to reconstruct any malicious activity surrounding the hunting lead.
For example, a hunting lead might surface interconnectivity among a number of workstations. This may be benign administrator activity, or it could indicate lateral movement by an adversary. The only way to know for sure is for a human to investigate.
Hunting leads are inherently noisy — if they were highly accurate and reliable, they would become automated detections. Managing the volume of hunting leads is an essential part of the threat hunting process. In fact, as threat hunting operations mature, they are likely to create more noise, which must be addressed to ensure that the signal always outweighs the noise. As the library of patterns grows, hunters will develop more experimental patterns looking for the faintest signs of unusual and anomalous tradecraft.
Threat hunters continuously review and adjust hunting leads to improve their fidelity. Because of the ever-changing threat landscape, hunting leads categorized as high fidelity today may require revision over time based on observed events.
In some cases, hunters may identify high-fidelity hunting leads that are later turned into product detections. These detections improve the hunters’ visibility and efficiency in investigating other intrusions across our many customers.
Although hunting leads may mature, they rarely retire. This is because adversary tradecraft can go through cycles — particular techniques can go in and out of fashion and may be brought back in an entirely new context. Retaining hunting leads ensures that these cyclical trends aren’t missed.
Successful hunting requires practice, precision and experience — acute attention to environmental details such as terrain, wind and weather. Using calculated tracking techniques, a hunter will spot a target, often from afar, and stalk its every movement — hunting it as it hides.
Likewise, human-led threat hunting combines the exploration of hypotheses with the proactive pursuit of adversaries. Employing carefully crafted hunting leads, experienced threat hunters anticipate, track and uncover adversary activity.