Maltego Representative
You're listening to the CyberWire Network, powered by N2K. Investigating is hard enough. Your tools shouldn't make it harder. Maltego brings all your intelligence into one platform and gives you curated data along with a full suite of tools to handle any digital investigation. Plus, with on-demand courses and live training, you and your team won't just install the platform, they'll actually use it and connect the dots so fast cybercriminals won't realize they're already in cuffs. Maltego is trusted by global law enforcement, financial institutions, and security teams worldwide. See it in action now at maltego.com.
Rick Howard
The word is threat hunting. Spelled: threat for security concern and hunting for searching and detecting. Definition: the process of proactively searching through networks to detect and isolate security threats rather than relying on security solutions or services to detect those threats. Example sentence: Changes in file systems and the Windows Registry are two places threat hunting expeditions can find stealthy adversary groups. Origin and context: According to Tony Sager, he invented the threat hunting idea in the mid-2000s when he developed the unifying mission model for his NSA defensive organization called the Information Assurance Directorate. Richard Bejtlich put meat on the bones for cybersecurity, specifically in an essay he wrote for Infosecurity Magazine in 2011, when he was the GE-CIRT director of incident response. And by the way, Bejtlich is a Cybersecurity Canon Hall of Fame winner for his book The Practice of Network Security Monitoring: Understanding Incident Detection and Response. In a passage from this article, though, he says this: in the mid-2000s, the Air Force introduced the term hunter killer for missions whereby a team of security experts performed friendly force projection on their networks. They combed through data from systems and in some cases occupied the systems themselves in order to find advanced threats. The concept of hunting, without the slightly more aggressive term killing, is now gaining ground in the civilian world. In 2010, Lockheed Martin released its strategic intrusion kill chain model that refocused everybody from simply doing passive defense to forward-thinking defenses based on adversary behavior. In 2013, Caltagirone, Pendergast and Betz published their alternative strategic threat model called the Diamond Model. But in the same year, 2013, MITRE released the first version of its ATT&CK framework, which did two things: it enhanced the strategic intrusion kill chain model with operational intelligence and added detail to the actions on objectives phase.
The impact was that for the first time, intelligence analysts had access to a globally accessible knowledge base of known adversary behavior, derived from real-world observations from both MITRE intelligence analysts and from the cybersecurity intelligence community at large. In other words, it was the most complete, free, open source, standardized database of adversary offensive playbook intelligence. With the MITRE ATT&CK framework, threat hunters could now look specifically for known adversary behavior on their own networks. Penetration testers can now do red team exercises where they emulate known adversary behavior. Nerd reference: As the principal security strategist at Splunk in 2019, John Stoner gave a presentation at the SANS Digital Forensics and Incident Response Summit about his aha moment for threat hunting. And John is a true nerd, a man completely after my own heart. In this clip he talks about Spider-Man and Neo from the movie The Matrix all in one sentence.
John Stoner
Now, as this fine gentleman says, with great power comes great responsibility, and anytime you're dealing with a matrix, you can't just dive into it, no matter what Keanu Reeves says. What do I want to do from a modeling perspective? And so you have the kill chain on the one side, the Diamond Model on the other side. They're both great, they're both lovely, they do a lot of good things to help describe things after I find them. But I'm not really a super creative guy from a hunting perspective and I go, well, if I have a kill chain, I've got exploit, I could start hunting at the exploit stage. But what am I going to hunt for? Or actions on objectives?
Rick Howard
Great.
John Stoner
What do I hunt for? While I like the models to be able to overlay things that I find, it wasn't something that was really going to be impactful. And so I came to this small little thing called the MITRE ATT&CK framework. Maybe you've heard of it? I refer to it here as brain candy because, if you're maybe not as creative as other folks, and I'll say I'm kind of one of those people, I've got all of these techniques and all of these tactics to sit there and go, oh yeah, let's go hunt for that.
Rick Howard
Word Notes is written by Nailah Genoe, executive produced by Peter Kilpe and edited by John Petrik and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.
Vanguard Representative
Looking for a career where innovation meets impact? Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting-edge solutions. Whether you're passionate about AI, cybersecurity or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities and a focus on work-life balance, you'll have the flexibility to thrive both professionally and personally. Explore open cybersecurity and technology roles today at vanguardjobs.com.
Podcast Summary: Hacking Humans – “Threat Hunting (noun) [Word Notes]”
Episode Details:
In this episode of Hacking Humans, host Rick Howard walks through the term threat hunting, a proactive approach in cybersecurity aimed at finding adversaries that are already inside a network before they reach their objective. Unlike detection that relies on automated tooling alone, threat hunting puts human analysts to work looking for activity that existing controls have not flagged.
At [00:58], Rick Howard gives the definition:
Rick Howard: "The word is threat hunting. Spelled: threat for security concern and hunting for searching and detecting. Definition: the process of proactively searching through networks to detect and isolate security threats rather than relying on security solutions or services to detect those threats."
The emphasis is on the hunter's initiative and judgment: recognizing subtle indicators of malicious activity that automated systems miss. Howard's example sentence points at two concrete places a hunt looks, changes in file systems and in the Windows Registry, where stealthy adversary groups leave traces. The point is not deploying more tools but actively searching for adversary activity that has not yet been detected.
Howard traces the origins of threat hunting to the mid-2000s, naming the people who shaped it:
Rick Howard: "According to Tony Sager, he invented the threat hunting idea in the mid-2000s when he developed the unifying mission model for his NSA defensive organization called the Information Assurance Directorate."
Richard Bejtlich built on that foundation in a 2011 essay for Infosecurity Magazine, written while he was GE-CIRT's director of incident response. Bejtlich recounts the Air Force's mid-2000s "hunter killer" missions, in which teams of security experts combed through data from systems and in some cases occupied the systems themselves in order to find advanced threats.
Howard also notes how the idea crossed into civilian practice: the hunting stayed and the more aggressive "killing" was dropped, with the emphasis shifting from passive, reactive defense to proactive searching for adversary behavior.
The episode outlines three models that shaped threat hunting:
Strategic Intrusion Kill Chain (2010) – Lockheed Martin: refocused defenders from passive defense toward forward-thinking defenses based on adversary behavior.
The Diamond Model (2013) – Caltagirone, Pendergast and Betz: an alternative strategic threat model published the same year ATT&CK first appeared.
MITRE ATT&CK Framework (2013): enhanced the kill chain with operational intelligence and added detail to the actions on objectives phase.
Rick Howard: "With the MITRE ATT&CK framework, threat hunters could now look specifically for known adversary behavior on their own networks."
Howard describes ATT&CK as the first globally accessible knowledge base of known adversary behavior, built from real-world observations by MITRE's analysts and the wider intelligence community: a free, open source, standardized database of adversary playbooks. For hunters that turns a vague mandate into a list of specific behaviors to look for on their own networks; for penetration testers it gives red team exercises real adversary tradecraft to emulate.
A significant portion of the episode features John Stoner, the principal security strategist at Splunk, who shares his personal insights and experiences with threat hunting.
At [04:27], Stoner recounts his revelation regarding the integration of the MITRE ATT&CK framework into threat hunting practices:
John Stoner: "Now, as this fine gentleman says, with great power comes great responsibility, and anytime you're dealing with a matrix, you can't just dive into it, no matter what Keanu Reeves says. What do I want to do from a modeling perspective?"
Stoner humorously references pop culture to illustrate the complexity of navigating cybersecurity frameworks but underscores the necessity of structured models like the MITRE ATT&CK framework in effective threat hunting.
He elaborates on his initial challenges with existing models:
John Stoner: "But I'm not really a super creative guy from a hunting perspective and I go, well, if I have a kill chain, I've got exploit, I could start hunting at the exploit stage. But what am I going to hunt for?"
This frustration highlights a common issue among cybersecurity professionals: knowing where to start within vast frameworks. Stoner found the MITRE ATT&CK framework particularly useful:
John Stoner: "I refer to it here as brain candy because, if you're maybe not as creative as other folks, and I'll say I'm kind of one of those people, I've got all of these techniques and all of these tactics to sit there and go, oh yeah, let's go hunt for that."
Stoner's contrast is the practical one: the kill chain and the Diamond Model are good for describing an intrusion after he has found it, but a phase label such as "exploit" or "actions on objectives" does not tell him what to query for. ATT&CK's tactics and techniques do, because each one names a concrete adversary behavior with observable traces, so a hunt can start from a technique rather than from a blank page.
That is what makes ATT&CK useful as shared infrastructure for hunting: it gives hunters, red teams and intelligence analysts one standardized catalogue of adversary behavior to work from, so a hunt can be scoped, tracked and compared against recognized techniques rather than against one analyst's intuition.
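What a technique-driven hunt of the kind Stoner and Howard describe looks like in code, as an added example that is not part of the episode or of the ATT&CK project: pick one ATT&CK technique as the hypothesis (here T1547.001, Registry Run Keys / Startup Folder, which matches Howard's Windows Registry example), sweep Sysmon-style registry events for writes to the autostart keys, and flag only the writes that deviate from a baseline. The event records, hostnames, paths and the baseline set are constructed for illustration, not captured telemetry.

```python
"""Hypothesis-driven hunt for one ATT&CK technique over Sysmon-style registry events.

Added example, not from the episode. The hunt hypothesis is ATT&CK T1547.001
(Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Every
event below, every hostname and path, and the writer baseline are constructed
assumptions for this example, not real telemetry.
"""
import re
from dataclasses import dataclass

TECHNIQUE = "T1547.001"  # ATT&CK: Registry Run Keys / Startup Folder

# Constructed events shaped like Sysmon Event ID 13 (RegistryEvent, value set),
# plus one unrelated Event ID 1 to show the filter. Not captured from a host.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS-BOB", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 1, "Computer": "WS-ALICE", "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 13, "Computer": "WS-ALICE", "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\svc.exe"},
    {"EventID": 13, "Computer": "WS-CAROL", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
     "Details": r"powershell.exe -w hidden -File C:\Users\Public\s.ps1"},
    {"EventID": 13, "Computer": "WS-CAROL", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
]

# The Run and RunOnce keys under HKLM or a user hive, i.e. the registry side of T1547.001.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Processes that legitimately set Run keys in this hypothetical environment. A real
# hunt derives this baseline from the organisation's own telemetry, not from a guess.
BASELINE_WRITERS = {r"c:\windows\system32\msiexec.exe"}
# Path fragments an unprivileged user can write to; autostart entries pointing here are suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Interpreters and loaders commonly abused to launch a payload from an autostart value.
LOLBIN_RE = re.compile(r"\b(powershell|pwsh|cmd|mshta|rundll32|regsvr32|wscript|cscript)(\.exe)?\b",
                       re.IGNORECASE)


@dataclass
class Finding:
    host: str
    technique: str
    key: str
    writer: str
    value: str
    reasons: tuple


def hunt_run_keys(events, baseline=BASELINE_WRITERS):
    """Return one Finding per Run/RunOnce write that deviates from the baseline.

    Each finding carries the ATT&CK technique ID so it can be tracked alongside
    other hunts, and the reasons record which observable tripped.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:          # only registry value-set events
            continue
        key = ev.get("TargetObject", "")
        if not RUN_KEY_RE.search(key):       # only the autostart keys in scope
            continue
        writer = ev.get("Image", "").lower()
        value = ev.get("Details", "")
        reasons = []
        if writer not in baseline:
            reasons.append("writer not in baseline: " + writer)
        if any(frag in value.lower() for frag in USER_WRITABLE):
            reasons.append("autostart target lives in a user-writable path")
        if LOLBIN_RE.search(value):
            reasons.append("autostart value invokes a living-off-the-land binary")
        if reasons:
            findings.append(Finding(ev.get("Computer", "?"), TECHNIQUE, key, writer, value, tuple(reasons)))
    return findings


def hosts_to_triage(findings):
    """Hosts ordered by how many reasons fired: the hunter's pivot list."""
    score = {}
    for f in findings:
        score[f.host] = score.get(f.host, 0) + len(f.reasons)
    return sorted(score, key=lambda h: (-score[h], h))


if __name__ == "__main__":
    found = hunt_run_keys(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host} {f.technique} {f.key} <- {f.value!r}: {'; '.join(f.reasons)}")
    print("triage order:", hosts_to_triage(found))
```

The shape matters more than the specific regexes: the technique supplies the hypothesis and the data source (registry value-set events), the baseline keeps the hunt from drowning in legitimate installer activity, and each finding is tagged with the technique ID so the next hunt, or a red team emulating the same technique, can be measured against it. Swapping in a different technique means changing the event filter and the observables, not the workflow.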
Moreover, the episode suggests that as cyber threats continue to evolve in sophistication, the role of threat hunters will become increasingly critical. Proactive detection and mitigation will remain essential in staying ahead of cybercriminals who are constantly developing new tactics to breach defenses.
In this episode of Hacking Humans, Rick Howard and John Stoner trace threat hunting from its military origins to a cornerstone of modern defensive practice. The discussion underscores the importance of proactive detection, the value of a structured catalogue of adversary behavior like MITRE ATT&CK, and the role of human analysts in finding what automated controls miss.
By combining historical context with practical insights, the episode serves as a valuable resource for cybersecurity professionals seeking to enhance their threat hunting capabilities and stay ahead in the ever-evolving landscape of cyber threats.