Introduction to Threat Hunting - MITRE ATT&CK® Framework

MITRE ATT&CK® is a knowledge base of cyber adversary behavior and taxonomy for adversarial actions across their lifecycle. This can be used as a tool reference for the IR and Hunt team to have the details of the current APTs techniques, tactiques and procedure that are targeting the industry that they are part with.

In this discussion, we will explore how to perform a hunt using MITRE ATT&CK and do some procedural to make our hunt approach as efficient and effective as possible.

From a hunter’s perspective, it is a must to have a hunt process, developing a structural and procedural approach when hunting can help the hunters performing the task stay on track and able the hunter’s to document throughout the whole process that can be used later when delivering report.

Scenario: Hunting APT38 Targeting Financial Sector

In this step, as a hunter we must identify who are those APT groups that are currently targeting your industry.

One way to do this is to effectively use a search engine: For example Google or DuckDuckGo

The image below is a result of a quick search for using “apt targeting financial sector” keyword.

Now, We landed on Mandiant[.]com APT list and use Find or Ctrl + F to speed up our search for APT of interest.

Then, we land on APT38:North Korea Threat Group that targets Financial Institutions World-Wide

#note: Steps on this discussion are similar approach when you search for specific APT that target different industries.

#note: To help you speed up the process look for “additional resources” tab on the blog posts you visit.

One great thing for hunters when hunting threat groups is that “they” are not alone, many organization and threat intelligence teams are in continuous pursuit to gather information about latest threats to be able to share it to the public that can be use by other teams for hunting.

To perform effectively as a hunter, we must look at this external sources as opportunity to expedite the process of our research.

The sample below is from Mandiant’s Threat Research Team, which gives us a full detail of how APT38 perform and structure their attack.

As a hunter, we can use this details to structure our hunt to correlate on their TTPs and for us to perform in a methodological approach.