Mental Games: Threat Hunting Mental Models, Strategies, and Normal Behavior

In the cyber security market today, there is a lot of buzzwords, one of them is threat hunting.

Many tools and services claim they have threat hunting capabilities, but in most cases, this isn’t 100% true.

Threat hunting is an active detection technique that requires real knowledge, understanding, and availability of data. Threat hunting is not a rule, signature, alert, or machine learning AI magic.

In practice, the technique involves a lot more than indicators of compromise (IoC’s). Searching for IoC’s that are new or that were previously unknown is what most traditional threat hunting is today.

Mental Models

A mental model is a process your brain goes through to figure out how something works and make a connection and relationship of the steps involved. Your brain builds a map based on knowledge of what a solution appears to be.

Smarter Faster Better by Charles Duhigg discusses how to go through a checklist of what is normal in a given scenario. As you gain experience and knowledge in your field of expertise, you start to learn how things work, what failures have occurred, and what should be happening.

To develop a mental model, you must be flexible and ask the right questions. Keep it simple and find a way to apply the questions to your scenario. You probably aren’t consciously aware that you are using a mental model, but you are using them all the time.

Threat hunting takes real understanding.

• What is normal behavior on a network?
• Who should and shouldn’t be logging into something?
• How should an application act?
• Where should this data be allowed to go?

Sometimes intuition kicks in, and you may “feel” something is off. Sort of like the cybersecurity “force.”

Threat hunting can be frustrating but rewarding. Often threat hunting leads you down rabbit holes, which after hours of research, turns into a normal item. You often spend massive amounts of time threat hunting... to your own demise. The 80/20 rule surely applies as positive results from threat hunting are few and far between with a significant amount of effort spent finding them.

Here is an example of a real-life threat hunt that occurred. One of our analysts detected a random PowerShell connection with an interesting reverse shell banner on an odd port. Malicious right?

After an analyst dug through everything that the host had done for hours, viewing tons of encrypted traffic that wasn’t decryptable, tracing ports and connections, and doing OSINT searching, he found out it was an opensource patching platform which happens to use a program from a hacker toolkit kit to test connections to a PC before sending a patch. Seems crazy right? So then why bother threat hunting?

Attackers are always changing tactics, using evasion techniques and tools such as virus total to go undetected.

Threat hunters are the cyber CSI guys.

They live for finding the needle in the haystack. The thrill of tracking down an attacker or malware that is deployed and talking back to a C2 server that was unknown is thrilling. And it does pay off.

We have found many items through threat hunting such as malware, crypto miners, remote access, and data exfiltration as part of these exercises.

Using these techniques, my team has detected accessible PII, breached third parties, breached devices such as firewalls, f5’s, and Citrix NetScaler’s. (These are in clients with the latest Next-Gen AV, SMTP filters, IDS/IPS systems, and other tools.)

Nothing will be detected 100% of the time by tools. That’s why we use our knowledge and skills to build a mental model that helps to identify abnormalities to determine if you should go down the rabbit hole or not.

If you have questions about threat hunting and mental games, contact us today.