Save $350 on Cyber Security Training at SANS Anaheim 2019. Ends 12/19!

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.






Threat Hunting

Featuring 18 Papers as of November 29, 2018

  • A Practical Model for Conducting Cyber Threat Hunting by Dan Gunter and Marc Seitz - November 29, 2018 

    There remains a lack of definition and a formal model from which to base threat hunting operations and quantifying the success of said operations from the beginning of a threat hunt engagement to the end that also allows analysis of analytic rigor and completeness. The formal practice of threat hunting seeks to uncover the presence of attacker tactics, techniques, and procedures (TTP) within an environment not already discovered by existing detection technologies. This research outlines a practical and rigorous model to conduct a threat hunt to discover attacker presence by using six stages: purpose, scope, equip, plan review, execute, and feedback. This research defines threat hunting as the proactive, analyst-driven process to search for attacker TTP within an environment. The model was tested using a series of threat hunts with real-world datasets. Threat hunts conducted with and without the model observed the effectiveness and practicality of this research. Furthermore, this paper contains a walkthrough of the threat hunt model based on the information from the Ukraine 2016 electrical grid attacks in a simulated environment to demonstrate the model's impact on the threat hunt process. The outcome of this research provides an effective and repeatable process for threat hunting as well as quantifying the overall integrity, coverage, and rigor of the hunt.


  • Integrating Threat Intelligence into Endpoint Security: A Review of CrowdStrike Falcon X Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - November 26, 2018 

    While threat intelligence can transform an organization's security posture, it can be complex and costly for organizations to adopt and operationalize. With that in mind, SANS Analyst Dave Shackleford tested CrowdStrike Falcon X, which purportedly enables cybersecurity teams to automatically analyze malware found on endpoints, find related threats and enrich the results with customized threat intelligence. This review encapsulates his findings, and details how the solution can help SOC teams.


  • SANS 2018 Threat Hunting Survey Results Analyst Paper (requires membership in SANS.org community)
    by Robert M. Lee and Rob T. Lee - September 18, 2018 

    Our third survey on threat hunting looks at the maturity of hunting programs and where they are going, along with best practices being used in organizations to detect and remediate threats that would otherwise remain hidden. Read this report to learn how survey respondents answered questions that are immediately important to organizations conducting threat hunting.


  • The Need for Speed: Integrated Threat Response A SANS Whitepaper Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - September 10, 2018 

    This paper addresses the concepts of security automation and integration and provides recommendations on how to use technology to make your team faster and more efficient. It not only emphasizes the need for security automation and integration, but also shows how they are enhancements to, rather than replacements for, a security program.


  • Hunting with Rigor: Quantifying the Breadth, Depth and Threat Intelligence Coverage of a Threat Hunt in Industrial Control System Environments by Dan Gunter - July 23, 2018 

    Threat hunting provides an organization a proactive opportunity to discover hidden attackers and to evaluate and improve the security posture of the environment. While existing research focuses on technical methods for threat hunting, a way to assess the rigor and completeness of threat hunting activities remains unexplored. This research examines several methods that can be implemented/used to calculate coverage of threat hunts. Coverage calculation methods include kill chain coverage, attacker tactic, technique and procedure coverage and threat intelligence coverage. This research also explores how to automate the calculation of threat hunt coverage. By following the process outlined by this research, analysts can ensure that planned threat hunts remain relevant to the overall goal of the hunt and that these hunts can maximize the chance of adversary detection success.


  • AI Hunting with the Cybereason Platform: A SANS Review Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - July 23, 2018 

    SANS reviewed Cybereason's AI hunting platform, which offers a lightweight, behavior-focused model of host-based protection that can help intrusion analysis and investigations teams more rapidly and efficiently prevent, detect and analyze malicious behavior in their environments.


  • Hunting Threats Inside Packet Captures by Muhammad Alharmeel - May 23, 2018 

    Inspection of packet captures -PCAP- for signs of intrusions, is a typical everyday task for security analysts and an essential skill analysts should develop. Malwares have many ways to hide their activities on the system level (i.e. Rootkits), but at the end, they must leave a visible trace on the network level, regardless if it's obfuscated or encrypted. This paper guides the reader through a structured way to analyze a PCAP trace, dissect it using Bro Network Security Monitor (Bro) to facilitate active threat hunting in an efficient time to detect possible intrusions.


  • Stopping Advanced Malware, Pre- and Post-Execution: A SANS Review of enSilo's Comprehensive Endpoint Security Platform Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - March 20, 2018 

    Sophisticated malware is the new weapon of choice for criminals and nation states. A multilayered self-defending security solution--agnostic to operating systems, mitigating malware in real-time, enabling pre- and post-execution--is needed to defend against cyber attacks. In this review, SANS Instructor and Analyst Dave Shackleford tests enSilo's response against advanced malware and ransomware threats and explores how enSilo's features can alleviate burden on security staff.


  • The Effectiveness of Tools in Detecting the 'Maleficent Seven' Privileges in the Windows Environment STI Graduate Student Research
    by Tobais McCurry - December 5, 2017 

    Windows privileges add to the complexity of Windows user permissions. Each additional user added to a group could lead to a domain compromise if not evaluated. Privileges can override permission causing a gap of perceived effective permission. Currently, system administrators rely on tools such as Security Explorer, Permissions Analyzer for Active Directory, or Gold Finger help with this problem. An analysis of these three tools that are supposed to help with permissions is needed to provide administrators a window into these complex effective permissions. The results of this research discovered a gap in identifying users with privileges with the current tools available. This gap was filled by the author by using powershell.


  • Closing the Skills Gap with Analytics and Machine Learning Analyst Paper (requires membership in SANS.org community)
    by Ahmed Tantawy - October 30, 2017 

    It is important that IT departments leverage automated analytics and machine learning solutions that connect the dots between seemingly random events and provide much-needed context, visibility and actionable advice. In this paper, we explain how to utilize and integrate analytics and machine learning to reduce the load on security professionals, while increasing visibility and accurately predicting attackers' next steps.


  • Offensive Intrusion Analysis: Uncovering Insiders with Threat Hunting and Active Defense STI Graduate Student Research
    by Matthew Hosburgh - July 21, 2017 

    Today's adversaries are advanced and more capable than ever before. Passive defensive tactics are no longer viable for pursuing these attackers. To compound the issue, the existence of an insider threat creates a challenging problem for the passive defender. One of the largest breaches of classified information was carried out by an insider. Months after the incident had occurred, the Department of Defense (DoD) only began to realize the implications of the leak. The damage did not solely rest with the United States. A cascade of consequences was felt in many parts of the world, resulting from this breach. Techniques like Threat Hunting, attempt to diminish this problem by combating advanced threats with people, also known as Threat Hunters. Although Threat Hunting is proving to be invaluable for many organizations there remains a chasm between detection and disclosure. Offensive Countermeasure tools such as the Web Bug Server and Molehunt can be leveraged as a means to proactively hunt insider threats. To keep up with the continually evolving human adversary, defenders must employ these offensive tactics to annoy and attribute their adversaries.


  • The Hunter Strikes Back: The SANS 2017 Threat Hunting Survey Analyst Paper (requires membership in SANS.org community)
    by Rob Lee and Robert M. Lee - April 25, 2017 

    Threat hunting is a focused and iterative approach to searching out, identifying and understanding adversaries that have entered the defender’s networks. Results just in from our new SANS 2017 Threat Hunting Survey show that, for many organizations, hunting is still new and poorly defined from a process and organizational viewpoint.


  • The Importance of Business Information in Cyber Threat Intelligence (CTI), the information required and how to collect it by Deepak Bellani - April 20, 2017 

    Today most threat feeds are comprised of IOCs with each feed providing 1-10M IOCs per year. As the CTI platform adds more feeds , the ability to filter and prioritize threat information becomes a necessity. It is well known that the SOC, Incident Response, Risk and Compliance groups are the primary consumers of CTI. Generating CTI prioritized in order of relevance and importance is useful to help focus the efforts of these high-performance groups. Relevance and importance can be determined using business and technical context. Business context is organizational knowledge i.e. its processes, roles and responsibilities, underlying infrastructure and controls. Technical context is the footprint of malicious activity within the organization's networks, such as phishing activity, malware, and internal IOCs. In this paper, we will examine how business and technical information is used to filter and prioritize threat information.


  • Taking Action Against the Insider Threat Analyst Paper (requires membership in SANS.org community)
    by Eric Cole, PhD - October 5, 2016 

    Most organizations tend to focus on external threats, but insider threats are increasingly taking center stage. Insider threats come not only from the malicious insider, but also from infiltrators and unintentional insiders as well. Why are insider threats so common and why do they have such a significant impact? What is the difference between the different types of insider threats and the degree of risk they can constitute?


  • Threat Intelligence: What It Is, and How to Use It Effectively Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - September 19, 2016 

    In today’s cyber landscape, decision makers constantly question the value of their security investments, asking whether each dollar is helping secure the business. Meanwhile, cyber attackers are growing smarter and more capable every day. Today’s security teams often nd themselves falling behind, left to analyze artifacts from the past to try to determine the future. As organizations work to bridge this gap, threat intelligence (TI) is growing in popularity, usefulness and applicability.


  • Automated Analysis of “abuse” mailbox for employees with the help of Malzoo by Niels Heijmans - August 23, 2016 

    For most companies, e-mail is still the main form of communication, both internally and with customers. Unfortunately, e-mail is also used heavily by cyber criminals in the form of spam, phishing, spear-phishing, fraud or to deliver malicious software. Employees receive these kinds of messages on a daily basis, even though strict security measures are implemented. Sometimes an employee will fall for the scam but often they will know when it is a false e-mail, especially after good awareness programs. Instead of letting them delete the e-mail, let them share it with you to learn and see what is coming through your security measures or what employees see as "fishy". But what should you do with the e-mails that are forwarded to this special "abuse" mailbox? Malzoo can be used to analyze this mailbox by picking up the e-mails, parsing them and sharing the results with the CERT team. By using the collected data, you can find new spam runs, update spam filters, receive new malware and learn in what parts of the company awareness is highest (and lowest). This paper explains the benefits and drawbacks of letting employees have a central point to report suspicious e-mail and how Malzoo can be used to automate the analysis.


  • Generating Hypotheses for Successful Threat Hunting by Robert M. Lee and David Bianco - August 15, 2016 

    Threat hunting is a proactive and iterative approach to detecting threats. Although threat hunters should rely heavily on automation and machine assistance, the process itself cannot be fully automated. One of the human’s key contributions to a hunt is the formulation of a hypotheses to guide the hunt. This paper explores three types of hypotheses and outlines how and when to formulate each of them.


  • The Who, What, Where, When, Why and How of Effective Threat Hunting Analyst Paper (requires membership in SANS.org community)
    by Robert M. Lee and Rob Lee - March 1, 2016 

    The chances are very high that hidden threats are already in your organization’s networks. Organizations can’t afford to believe that their security measures are perfect and impenetrable, no matter how thorough their security precautions might be. Having a perimeter and defending it are not enough because the perimeter has faded away as new technologies and interconnected devices have emerged. Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools by, for example, making their attacks look like normal activity.


Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.