Detecting The Unknown A Guide To Threat Hunting v2.0
Executive Summary
The National Cyber Security Strategy 2016-2021 details the UK government’s investment in cyber
security, with the vision for 2021 that the UK will be secure and resilient to cyber threats while
prosperous and confident in the digital world. To achieve this, government departments are currently
investing in improvements to their own cyber security to meet the Minimum Cyber Security Standard
(MCSS), published by the Cabinet Office in June 2018; however, departments should take the
opportunity to start investing in the mobilisation and development of their Threat Hunting capabilities.
Threat Hunting, often referred to as Incident Response without the Incident, is an emergent activity
that comprises the proactive, iterative, and human-centric identification of cyber threats that are
internal to an Information Technology network and have evaded existing security controls.
Departments that operate a Threat Hunting capability will improve their security posture and hence
reduce risk, as malicious activity can be identified earlier on in an attack, thereby minimising the
opportunity for adversaries to disrupt, damage or steal.
Departments must create an enabling environment for their Threat Hunting function, by providing
enablers such as Cyber Threat Intelligence, relevant data from across the estate, and appropriate
investment in people, processes and tools. A joined-up approach to Threat Hunting should be taken
across HM Government, where collaboration ensures that the improvements to our collective cyber
security from Threat Hunting are greater than that of each department’s own efforts, while helping to
develop the next generation of the UK’s defenders.
This guide, produced via a literature review and engagements with public and private sector
organisations, provides recommendations for Security Operations Centres (SOCs), government
departments, and across HM Government, to detect unknown malicious activity through
development of Threat Hunting as both a capability and a profession.
Operate a SOC-based Threat Hunting capability to reduce risk, via the appointment of a
Threat Hunting Lead, implementation of a formalised process such as our Extended Hunting
Loop, and adoption of our Capability Maturity Model to aid development
Enable the Threat Hunting function to improve the Return on Security Investment, via
adoption of a standardised framework such as MITRE’s ATT&CK™ for Enterprise, by
appropriately investing in the development of people, and by providing essential data visibility
Detecting the Unknown: A Guide to Threat Hunting
Table of Contents
1 Introduction (p. 6)
6 Conclusion (p. 41)
6.1 Operate a SOC-based Threat Hunting Capability to Reduce Risk (p. 41)
6.2 Enable the Threat Hunting Function to Improve the ROSI (p. 42)
6.3 Leverage HM Government to Develop the Threat Hunter Role (p. 42)
7 Appendices (p. 44)
7.1 Appendix I – Contributors (p. 44)
7.2 Appendix II – NCSP Funded Publications (p. 45)
7.3 Appendix III – Bibliography (p. 47)
List of Figures
Figure 1 – The SANS Sliding Scale of Cyber Security (p. 6)
Figure 2 – The Lockheed Martin Cyber Kill Chain® (p. 8)
Figure 3 – The Pyramid of Pain (p. 9)
Figure 4 – Threat Hunting Capability Maturity Model (p. 13)
Figure 5 – The Hunting Loop (p. 17)
Figure 6 – The Diamond Model (p. 19)
Figure 7 – The Extended Hunting Loop (p. 22)
Figure 8 – Hunt Tracking (p. 24)
Figure 9 – The Threat Intelligence Lifecycle (p. 25)
Figure 10 – MITRE’s Cyber Attack Lifecycle and ATT&CK Matrix for Enterprise* (p. 29)
Figure 11 – Capability Scope Comparison (p. 46)
List of Tables
Table 1 – Adversary Tactics (p. 27)
Table 2 – Data Sources (p. 30)
Table 3 – Example Threat Hunting Metrics (p. 34)
1 Introduction
The National Cyber Security Strategy (NCSS) 2016-2021 (1) details the UK government’s
investment in cyber security, with the vision for 2021 that the UK will be secure and resilient to cyber
threats while prosperous and confident in the digital world. To achieve this, the UK needs to: defend
against cyber threats and respond to incidents; deter hostile action in cyberspace; develop the cyber
security industry and talent required to overcome future threats and challenges; and pursue
international action to shape cyberspace. This is underpinned by the creation of the National Cyber
Security Centre (NCSC) (2) in 2016 to act as the authority on the UK’s cyber security, as well as
investment of £1.9 billion over the five years of the NCSS as laid out in the Strategic Defence and
Security Review 2015 (3).
Government departments are currently investing in improvements to their own cyber security to meet
the Minimum Cyber Security Standard (MCSS) (4) published by Cabinet Office in June 2018; this is
the cyber security baseline that the government expects departments to adhere to and exceed
wherever possible. Much of this investment is into the development of Security Operations Centres
(SOCs) that are responsible for: detecting and responding to threats; increasing resilience;
identifying and addressing negligent or criminal behaviours; and deriving business intelligence about
user behaviours (5). Investment is also being targeted at developing Cyber Threat Intelligence (CTI)
capabilities that can provide the organisation with actionable (i.e. accurate, relevant and timely)
intelligence on threat actors’ targets, motivations, infrastructure, and capabilities.
To complicate development of these SOCs and CTI functions, many of the departments have
complex and ageing Information Technology (IT) estates with high levels of technical debt. For
example, investment is often sunk into legacy systems to extend their lifespan, or sub-optimal
architectural design choices are made to work around the constraints of these systems.
SOC activities and CTI functions fall into the Active Defence and Intelligence categories respectively,
of SANS’ Sliding Scale of Cyber Security (6). Shown in Figure 1, the Sliding Scale is a model to
visualise the continuum of actions and investments that contribute to cyber security. Generally,
investment should be prioritised starting on the left of the scale, before moving along to the right.
Threat Hunting, often described as Incident Response without the Incident, sits within the Active
Defence phase of the Sliding Scale. As Threat Hunting is an Active Defence, departments first need
to sufficiently mature their Architecture (e.g. Vulnerability Management), Passive Defence (e.g.
Technical Controls such as firewalls) and other Active Defences (e.g. Protective Monitoring), while
operating a mature Intelligence capability will add value to and enable Threat Hunting.
Many SOC analysts already actively search for threats within their network, albeit often in an
unstructured and informal manner, but according to the SANS 2017 Threat Hunting Survey (7), only
35.3% of the 306 organisations surveyed (of which 14.4% were government) hunted on a continuous
basis. This rose to 43.2% of the 600 organisations surveyed in the SANS 2018 Threat Hunting
Survey (8). Additionally, in the 2017 survey, only 4.6% of respondents were using externally
published guidance, suggesting little existed in terms of industry good practice for Threat Hunting.
Structured Threat Hunting performed on a frequent basis provides an effective means of reducing
risk across the organisation, and this report proposes a Capability Maturity Model (CMM) to track
and prioritise areas for development.
This guide has been produced via a literature review and engagements with public and private sector
organisations (listed in Appendix I) and will outline good practice Threat Hunting for government
departments, to aid with the mobilisation and subsequent development of their Threat Hunting
capabilities. Our recommendations are targeted for SOCs, departments, and HM Government as a
whole, with the report structured as follows:
Section 2 provides an overview of Threat Hunting as a capability and introduces key
concepts for the remainder of the report
Section 3 is targeted for security managers, such as heads of SOCs, and outlines the
capability required from people, processes and tools for a government department’s SOC to
operate a basic but competent Threat Hunting capability and hence reduce risk
“the proactive, iterative and human-centric identification of cyber threats that are internal to
an IT network and have evaded existing security controls.”
When performed by skilled people who are equipped with the necessary enablers, processes and
tools, departments that implement a Threat Hunting capability will be better able to identify and
remediate threats, therefore improving their security posture and risk profile.
Proactivity is the key difference between Threat Hunting and other security activities such as
Protective Monitoring. SOC analysts tend to take a reactive approach, responding to alerts raised
by Security Information and Event Management (SIEM) solutions, before following set triage
workflows and then handing over to the appropriate team for remediation e.g. Incident Response
(IR) or Vulnerability Management. Threat hunters, on the other hand, are driven by their own curiosity
and intuition to hypothesise about potential threats. These hypotheses are then tested within their
network, with threat hunters pivoting off each discovery, following wherever their investigation takes
them (within their scope). Detailed further in Section 3.3, this process of hypothesis generation and
testing is iterated: if a hunt hypothesis is not proven true, then the hunters can move on to test new
hypotheses; if the hunt hypothesis is proven true, then the IR process takes over to contain and
remediate the threat. Following that, details of any novel adversary activity discovered should be
provided to the CTI team, while the successful hunting procedure itself should then be automated or
codified for future use, for example as a SIEM detection rule. An unproven hypothesis does not
necessarily confirm the absence of malicious activity; instead, further data or analytic functionality
may be required, so relevant hypotheses should be re-tested as the capability matures.
The Lockheed Martin Cyber Kill Chain® (9), as depicted in Figure 2, is a representation of the phases
of a cyber-attack, starting with reconnaissance of the target e.g. by analysing their digital footprint,
and resulting with actions on objectives, e.g. stealing, disrupting or destroying assets, which may
result in financial and/or reputational damage to the target. By adopting a proactive approach,
adversaries can be detected from the delivery phase of the Cyber Kill Chain onwards, as this is the
point that the network has been breached. Additionally, reactive Protective Monitoring capabilities
can only identify “known known” 1 threats, while proactive Threat Hunting capabilities can identify
“known unknown” and “unknown unknown” threats posed by Advanced Persistent Threats (APTs).
Indicators of Compromise (IOCs) are the artefacts that, if detected on a network, suggest malicious
activity has occurred – these are the “known knowns”. Tactics, Techniques and Procedures (TTPs)
are the abstract descriptions of adversary behaviour that IOCs indicate, so are the “known
unknowns”, as the methodology is understood, but any subsequent IOCs are not known prior to the
attack. Zero-day exploits2 would therefore be the “unknown unknowns”.
Detection of adversary activity earlier in the Cyber Kill Chain can be tracked as dwell time (time from
compromise to detection), which is a key metric for Threat Hunting. Shorter dwell times reduce the
possibility of adversaries damaging the Confidentiality, Integrity or Availability (CIA Triad) of the
organisation’s information systems.
FireEye’s M-Trends 2018 (31):
➢ Global median dwell time in 2017 was 101 days
➢ Range of less than 7 days to over 2,000 days
➢ Median is 175 days within Europe, the Middle East and Africa (EMEA)
➢ Only 62% of intrusions initially detected by the organisations themselves
Most automated network and endpoint security controls utilise signature and rule-based alerting for
IOCs, which only detect the “known knowns” such as previously described malware hashes for
example; however, while easy to detect, it is trivial for adversaries to overcome (e.g. by changing a
single bit in the malware binary file). Targeting TTPs is significantly more difficult, but very tough for
adversaries to overcome as it would require them to use an entirely different methodology. This
concept of ease of detection vs. difficulty caused for the adversary can be represented in the Pyramid
of Pain (POP), as defined by David Bianco (10), shown in Figure 3. Whilst hunters can benefit from
leveraging automation during their hunts, the reliance of current technology on rules and signatures
means it is not possible to fully automate Threat Hunting.
This CMM can be used to assess the maturity of an organisation’s Threat Hunting capability at a
given point in time and aid the prioritisation of efforts to continuously improve. However, it should not
be used to compare maturity between organisations, as each will have its own unique circumstances
and context.3
As Threat Hunting is not implemented as a formal capability, little exists in terms of recruitment or
training plans, performance management, or career development. Hypothesis generation is
unstructured, and little or no documentation is recorded. Data visibility is minimal, with a lack of
understanding of the current data and the subsequent gaps in coverage.
3 https://www.ncsc.gov.uk/blog-post/maturity-models-cyber-security-whats-happening-iamm
Recruitment, training, performance and career development are all informally managed. Hypotheses
are prioritised by the lead and only basic documentation is recorded, using standard office suite
functionality (e.g. Microsoft Word and Excel). Data visibility is moderate for key areas, with a basic
understanding of the data available.
Plans for recruitment, training and career development are all formally documented, with
performance expectations defined. Hypothesis and hunt information is recorded in a central
knowledge repository, and workflow management tools are used to track workloads and progression.
Data visibility includes key sources and types. Successful hunt procedures are automated, where
possible, while identified IOCs are provided to the CTI and Protective Monitoring functions for the
development of the subsequent SIEM detection rules.
At this level, succession plans are in place for key roles, and performance is tracked at a team level
using metrics. Manual risk scoring techniques e.g. Crown Jewel Analysis (CJA) are used to aid
hypothesis generation, and dashboards are utilised to aid collaboration and reporting. Data visibility
is moderate across all relevant areas of the estate, and there is a good level of understanding.
Automated risk scoring is leveraged using machine learning, with horizon scanning maintained for
future technological developments. Hunts are occurring continuously, with successful analytics and
discovered IOCs shared across the community, while the knowledge repository and workflows are
integrated with the wider SOC. Data visibility is high across all relevant areas of the estate and is
very well understood.
The Threat Hunting team is recognised as a great place to work and is seen as a leader in the field
by other organisations.
3.2 People
A mindset of curiosity
These core security operations skills give the hunters knowledge of the capabilities and limitations
of the security controls on their network such as Intrusion Detection Systems (IDS) and Intrusion
Prevention Systems (IPS), knowledge of log types and collection sources, and an applied
understanding of core information security concepts such as the CIA Triad.
Understanding of CTI and the associated threat landscape adds benefit by allowing hunters to ingest
intelligence and focus their effort where the threat is greatest, enabling the generation of good
hypotheses to test. Threat hunters that understand the threats they face will also be able to feed
requirements back into the CTI function, helping to ensure all received intelligence is actionable.
Furthermore, hunters should have self-awareness of common cognitive biases4 such as confirmation
bias, to prevent effort being wasted or incorrect conclusions being drawn.
At a more advanced level, hunters require Digital Forensic and Incident Response (DFIR) skills and
experience that would overlap with those required for IR. These skills allow for complex
investigations involving live data, or data held in memory, on endpoints and across the network,
rather than simply analysing collected logs. DFIR skills include:
Endpoint forensics
Network forensics
Malware analysis
Endpoint forensics, also called computer forensics, follows a process of acquisition, examination,
and analysis of the endpoint, before reporting on the facts and providing an opinion of the data; this
can aid hunters in finding and documenting evidence of threats on specific endpoints and storage
media. If specific guidelines that protect the authenticity and integrity of digital media are followed,
then any evidence can be admissible in court if later required.
Network forensics is the analysis of network traffic to identify signs of intrusion within the network,
such as artefacts created during lateral movement or data exfiltration activities undertaken by the
adversary. While endpoint forensics looks at acquired images, so can be performed reactively,
network data is often lost once transmitted so network forensics needs to be performed proactively
to ensure the required data is captured. Advanced Persistent Threats (APT) may have the skills to
hide evidence of their intrusion on endpoints via destruction or tampering of logs, meaning that
network forensics may be the only analysis capable of detecting these threats.
Malware analysis is a highly specialised skill that aims to determine the origin and purpose of an
identified instance of malware. This analysis is usually either static, where the binary file is reverse
engineered without executing it, or dynamic, where the malware is executed in a sandbox
environment to observe its behaviour. Malware analysis is of most benefit when investigating novel
malware, as previously identified malware will likely have IOCs available that should be provided to
the defensive teams by the CTI function. As a highly specialised skill, it may be necessary to
outsource malware analysis to a commercial provider of these services.
Finally, top tier threat hunters would possess situational awareness5 that allows them to actively
defend against adversaries by perceiving threats and vulnerabilities in context. This is often
expressed as a hunch that something “just doesn’t look right” on their network and therefore warrants
further investigation. True situational awareness is gained from years of experience and empowers
hunters to make timely and accurate decisions.
This struggle to recruit cyber security staff was echoed by the organisations we engaged with,
particularly for specialist roles such as threat hunters. Staff retention is also an issue faced by many
organisations. Research by the Cyentia Institute (11) found that 1 in 4 SOC analysts are dissatisfied
with their job, while 1 in 3 are actively looking for other job opportunities. One of the reasons cited
was a disconnect between expectations of working in a SOC and the day-to-day reality, with
examples such as unclear career paths and tedious or repetitive duties.
Correspondingly, Protective Monitoring was found to be the most time-consuming activity performed,
in contrast to Threat Hunting, which was one of the least commonly performed activities.
As a Threat Hunting capability develops in maturity, an increasingly greater proportion of the SOC
analysts will be taking a proactive rather than reactive stance, which will provide the variety and
challenge clearly sought by these skilled individuals.
The first step to resourcing a Threat Hunting team and moving from the initial level towards a more
managed approach should be the recruitment or training of a dedicated Threat Hunting lead. This
lead role is essential in providing direction and technical expertise to other SOC staff that will allow
them to start hunting in a structured manner. For example, SOC analysts can hunt on an occasional
basis e.g. during any periods of low activity, under the direction and guidance of the lead. As a varied,
challenging and enjoyable activity, this will help to improve morale within the SOC, while
simultaneously improving the analysts’ understanding of the network and adversary behaviour.
After recruiting a Threat Hunting lead, the next step of maturity is to form a team of fully dedicated
hunters, who will have the necessary skills and experience to focus on proactive hunting for threats,
without the time-consuming distraction of alert triaging. Further benefit is gained by rotating other
SOC staff into the Threat Hunting team either on a short-term basis e.g. SOC analysts for a month
at a time, or simply when available due to workload. In this manner, Threat Hunting can be used as
a tool to train and engage staff. Threat Hunting was ranked as the most enjoyable of 12 common
SOC activities and was perceived highly on the level of expertise required, the value gained for the
organisation, and the variation within the activity; Protective Monitoring was perceived lower in these
fields (11). Another example is utilising incident responders when they are not dealing with an
incident, seeing as the skills required for IR and Threat Hunting are similar.
RECOMMENDATION 3: Rotate SOC analysts into the Threat Hunting team for learning and
development purposes.
3.3 Process
While skilled threat hunters are key to a successful Threat Hunting capability, it is also important that
a formal hunting process is followed to ensure consistency and efficiency across all hunts. A widely
accepted approach to the process underpinning Threat Hunting is Sqrrl’s Hunting Loop (12), which
has four stages that define the iterative method to be taken. Efficiently iterating through the loop
enables hunts to be quickly automated so that hunters can focus on testing the next hypothesis. The
following subsection will provide further detail on the activities within each stage.
Hypotheses generally tend to focus on detecting either a specific threat actor, tool, or technique.
Examples for each are shown in the box opposite.
Examples of hypotheses that can be drawn from IOCs include the locations that they may be found
on the network, or methods that threat actors may use to obfuscate their activities. While IOCs can
assist in quickly generating hypotheses, the goal should be to base hypotheses on TTPs with further
context provided by assessments of the geopolitical and threat landscapes.
Example Hypotheses
Threat Actor:
An organisational threat assessment identified Lazarus Group as a high priority threat.
Techniques attributed to this threat actor are detailed within MITRE’s ATT&CK Navigator.
We therefore hypothesise that if this threat actor is present in our network, we would be able to
detect evidence of multiple techniques being deployed, in a manner consistent with their known
attack paths.
Tool:
CTI and our situational awareness suggests that our organisation is currently vulnerable to a
variant of the WannaCry ransomware, as SMBv1 is still used.
We therefore hypothesise that if our network is infected with WannaCry, we will see an increase in
the rate of file renaming.
Technique:
Lateral Movement, via Exploitation of Remote Services, can be performed by exploiting
vulnerability MS17-010. Specifically, this can be done via the Metasploit framework with a module
that uses a Server Message Block (SMB) request of a specific size to attempt compromise.
We therefore hypothesise that we can see evidence of this technique being used by isolating this
SMB request in our network logs.
As the hunters conduct hunts and develop their skills, they should ensure the knowledge gained and
lessons identified are appropriately documented in a centralised repository, described further in
Section 3.4.2, so that this information is available across the function for other hunters to consume
and learn from. This can also be shared across the government community to improve the collective
security.
Existing SOC tooling, such as a SIEM platform, can be used to query the data, from basic searching
to more advanced data science techniques, while visualisation can aid threat hunters in identifying
anomalies and anomalous patterns. Linked Data (16) is a method for publishing structured data so
that it can become interlinked and searched using semantic queries6. Both raw and Linked Data
Analysis techniques should be used to identify patterns across disparate data sets to aid detection
of adversary activity.
Hunters can also make use of lab environments to aid the testing of hypotheses. This allows the
hunters to emulate adversaries and use their tools and techniques to better understand how they
can detect them - which would of course be potentially damaging on production systems with live
data. This lab environment can also be used for the learning and development of junior analysts
within the SOC.
Searching is the most basic method of querying the collected data. The search criteria should
be specific enough so that the results returned are not unmanageable, while also general
enough so that no adversary activities are missed. Characters such as wildcards (*) can be
utilised within queries as required.
Clustering is a form of statistical analysis that separates groups (clusters) of similar data points
from a larger set based on specific characteristics, whereas grouping identifies when multiple
unique data points appear together based on specific criteria, for example, multiple events
occurring in a specific time window. The main difference is that grouping requires an explicit set
of data points as input. Both are useful for outlier detection.
Stack counting, or stacking, is the application of frequency analysis to large sets of data to
identify outliers. FireEye provide a good overview of the technique with worked examples (32).
Machine learning uses algorithms and statistical models to progressively improve performance
of a specific task; for Hunting, that is identifying anomalous data that could indicate adversary
activities. In supervised machine learning, a set of training data is fed into the algorithm with
each data point labelled with the desired output e.g. both normal and anomalous data labelled
as such. Unsupervised machine learning is provided with unlabelled data, so the algorithm uses
techniques like clustering and grouping to categorise the outputs instead.
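The stack counting and grouping techniques above, worked through as an added example over constructed process-creation events (this is not code from the guide or from any organisation it cites): `stack` counts on how many hosts each parent/child process pair appears and surfaces pairs seen on only one host, while `group_bursts` flags a host where several matching events fall inside one time window, which is also the shape of test the file-renaming-rate hypothesis in the Example Hypotheses box calls for. Host names, timestamps and process names are constructed sample data.

```python
"""Stack counting and time-window grouping over constructed endpoint events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): timestamp, host, parent image,
# child image. Most hosts look alike; WS03 shows a pair no other host does.
SAMPLE_EVENTS = """\
2018-06-01T09:00:01 WS01 explorer.exe outlook.exe
2018-06-01T09:00:05 WS02 explorer.exe outlook.exe
2018-06-01T09:00:09 WS03 explorer.exe outlook.exe
2018-06-01T09:01:00 WS01 services.exe svchost.exe
2018-06-01T09:01:02 WS02 services.exe svchost.exe
2018-06-01T09:01:03 WS03 services.exe svchost.exe
2018-06-01T09:02:00 WS04 explorer.exe outlook.exe
2018-06-01T09:02:10 WS04 services.exe svchost.exe
2018-06-01T09:05:00 WS03 winword.exe powershell.exe
2018-06-01T09:05:02 WS03 powershell.exe net.exe
2018-06-01T09:05:03 WS03 powershell.exe net.exe
2018-06-01T09:05:04 WS03 powershell.exe net.exe
2018-06-01T09:05:05 WS03 powershell.exe net.exe
"""


def parse_events(text):
    """Parse the whitespace-separated sample format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent, "image": image})
    return events


def stack(events, key, max_hosts=1):
    """Stack counting: for each value of `key`, count the distinct hosts it occurs on.
    Returns (counts, rare); `rare` holds values seen on at most `max_hosts` hosts,
    which are the outliers a hunter looks at first."""
    hosts_by_value = defaultdict(set)
    for e in events:
        hosts_by_value[key(e)].add(e["host"])
    counts = {v: len(h) for v, h in hosts_by_value.items()}
    rare = {v: sorted(h) for v, h in hosts_by_value.items() if len(h) <= max_hosts}
    return counts, rare


def group_bursts(events, predicate, window, min_count):
    """Grouping: flag hosts where at least `min_count` events matching `predicate`
    land inside a sliding window of length `window` (a timedelta).
    Returns {host: number of matching events in that host's densest window}."""
    per_host = defaultdict(list)
    for e in events:
        if predicate(e):
            per_host[e["host"]].append(e["ts"])
    hits = {}
    for host, times in per_host.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            hits[host] = best
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    _, rare_pairs = stack(evs, lambda e: (e["parent"], e["image"]))
    print("parent/child pairs seen on a single host:", rare_pairs)
    print("hosts with net.exe bursts:",
          group_bursts(evs, lambda e: e["image"] == "net.exe",
                       timedelta(seconds=10), 3))
```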
When a hypothesis is proven, and malicious activity is identified, the Computer Security Incident
Response Team (CSIRT) should be notified and the incident management process takes over. At
this point, assuming the two teams are different entities, the Threat Hunting team would assist the
CSIRT with their investigation; once remediated, the threat hunters can then move onto refining and
automating their successful procedure, such as with new detection analytics for a SIEM platform.
Whether or not the hypothesis is proven, non-malicious but suspicious or risky configurations or
behaviours may be identified, such as unpatched or misconfigured systems, or logging blind spots.
This information can be passed onto the relevant teams e.g. Vulnerability Management for
remediation.
Care should be taken to ensure that any automated hunts are reliable and continue to add value.
Once automated, each analytic should be tested for its accuracy and precision, which can be done
in several ways, such as a red team7 performing the technique in question and checking that the
analytic reliably detects their activity.
The analytics, once live, should be monitored for any issues for a limited period with the hunters on-
hand to support, before being formally handed over to the Protective Monitoring team to own.
However, the analytics should be assessed periodically to ensure they still add value and are
relevant to the organisation e.g. whether any changes to the organisational architecture means that
some analytics are testing for TTPs that are no longer possible.
Inputs for Threat Hunting, such as the observations required for hypothesis generation
The activities performed by the Threat Hunting lead, such as prioritising hypotheses for
testing and making decisions on resourcing
Additional outcomes of hypothesis testing i.e. hypothesis unproven, and non-malicious
but suspicious/risky behaviour identified
3.4 Tools
While skilled people and effective processes are the critical factors for a successful Threat Hunting
capability, tooling is of course still required to collect and interrogate data, automate analytics, and
work collaboratively.
One example of a workflow management view is that of Epics and Stories. Epics are bodies of work that can be broken down into specific tasks, the Stories. Using these concepts helps structure workloads, and progress can then be tracked using a Kanban board for each Story type, as seen in Figure 8 opposite. In the context of Threat Hunting, each Epic could be a tactic from MITRE’s Adversarial Tactics, Techniques and Common Knowledge (ATT&CK™) for Enterprise (17) (discussed further in Section 4.2), with Story types of hypotheses and associated hunts. Individual Hypothesis Stories can then be tracked through a Hypothesis Kanban with example stages such as: Initial, for basic hypothesis ideas; Development, for adding detail and assessing the scope and dependencies; Production, for hypotheses ready for testing; and Retired, for hypotheses that are no longer relevant. Hypothesis Stories in Production could then lead to the creation of an associated Hunt Story that progresses through To-Do, In-Progress, and Outcome. Additionally, many of these tools produce visual dashboards to aid reporting, which the Threat Hunting team can use to track performance and prove their value. Metrics are discussed in Section 4.4.
Alongside the workflow management view, a collaborative knowledge repository would, for example,
allow hunters to share ideas, discuss hunt procedures and challenges, and share analytics.
Integration of these tools with other teams will allow effective handover from discovering malicious
behaviour, or suspicious/risky activity, to the appropriate teams for remediation.
Note that the process described in Figure 8 closely relates to the rules and analytics development process that supports reactive monitoring solutions. Care should be taken to liaise with the teams developing these rules and use cases to minimise any overlap of effort.
While the Threat Hunting team may have little involvement in the Collection, Processing and Analysis
phases (as these would fall into the responsibilities of the CTI team), they should be involved in the
Direction and Dissemination phases; as customers of the CTI function the Threat Hunting team
should provide them with direction and requirements to ensure that the intelligence received is
actionable.
CTI falls into three categories: Strategic, Operational and Tactical. Strategic CTI is high-level and normally details threat trends or campaigns at a geopolitical level. Operational CTI details specific threat actors and their TTPs, while Tactical CTI is more technical in nature and consists of IOCs. Threat hunters will benefit most from Operational CTI, as the detail on adversaries’ TTPs and tools will enable the hunters to generate hypotheses. Strategic CTI is aimed at assisting business decisions, while Tactical CTI ingestion should be automated by a Threat Intelligence Platform (TIP) and subsequently matched against logs to detect known attacks.
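To make the last sentence concrete, here is an added Python example (not code from the guide or from any TIP product) that normalises defanged tactical indicators and matches them against proxy log lines. The indicator list and log lines are constructed; the IP addresses come from documentation ranges and the domains use a reserved TLD. The four-field log format is an assumption for the example, not any product's schema.

```python
"""Matching tactical CTI (IOCs) against proxy logs.

Added illustration, not code from the guide or from any TIP product. The
indicators and log lines are constructed for the example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Defanging conventions commonly seen in shared CTI; a TIP undoes these
# before matching, and so must a hand-rolled matcher.
_DEFANG = (("hxxp://", "http://"), ("hxxps://", "https://"),
           ("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@"))

_HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed indicator list, as it might arrive from a sharing community.
IOCS = [
    "bad-cdn[.]example",                       # domain, defanged
    "198[.]51[.]100[.]7",                      # IPv4, defanged
    "hxxp://cdn.bad-cdn[.]example/update.js",  # URL, defanged
    "44d88612fea8a8f36de82e1278abb02f",        # MD5 of the EICAR test file
]

# Constructed proxy log: timestamp client_ip action url (assumed format).
PROXY_LOG = [
    "2019-01-14T09:01:02Z 10.0.3.21 ALLOW http://intranet.corp.example/home",
    "2019-01-14T09:01:09Z 10.0.3.21 ALLOW http://cdn.bad-cdn.example/update.js",
    "2019-01-14T09:02:15Z 10.0.7.8 ALLOW http://198.51.100.7/a",
    "2019-01-14T09:03:44Z 10.0.7.8 BLOCK https://www.bad-cdn.example:8443/login",
    "2019-01-14T09:04:01Z 10.0.5.2 ALLOW https://notbad-cdn.example/",
]


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator can be compared with log data."""
    s = ioc.strip()
    for old, new in _DEFANG:
        s = s.replace(old, new)
    return s


def classify(ioc: str) -> str:
    """Label an indicator as ip, url, domain, or a hash type (by hex length)."""
    s = refang(ioc)
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) in _HASH_BY_LENGTH:
        return _HASH_BY_LENGTH[len(s)]
    if s.startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.ip_address(s)
        return "ip"
    except ValueError:
        return "domain"


def host_matches(host: str, domain: str) -> bool:
    """A domain IOC matches the host itself and any subdomain, on a dot boundary."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def match_proxy_log(iocs, lines):
    """Return (line_number, ioc, kind) for every log line that hits an indicator."""
    prepared = [(ioc, classify(ioc), refang(ioc).lower()) for ioc in iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; a real pipeline would count these
        url = fields[3]
        host = (urlsplit(url).hostname or "").lower()
        for ioc, kind, value in prepared:
            if kind == "domain":
                hit = host_matches(host, value)
            elif kind == "ip":
                hit = host == value
            elif kind == "url":
                hit = url.lower() == value
            else:
                hit = False  # file hashes need endpoint/file telemetry, not proxy logs
            if hit:
                hits.append((n, ioc, kind))
    return hits


if __name__ == "__main__":
    for n, ioc, kind in match_proxy_log(IOCS, PROXY_LOG):
        print(f"line {n}: {kind:6s} {ioc}")
```

Two details matter in practice: the domain match requires a dot boundary, so `notbad-cdn.example` does not match `bad-cdn.example`, and the hash indicator is classified but never matched, because a proxy log has nothing to compare it with; hash IOCs belong against file or endpoint telemetry.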
A good source of operational CTI is the Alerts and Advisories group on the Cyber Security
Information Sharing Partnership (CiSP), discussed in Section 5.1.2, where organisations share
knowledge about TTPs they are currently observing; this in turn aids hunters to generate associated
hypotheses relevant to their organisation.
RECOMMENDATION 8: Provide threat hunters with the actionable Cyber Threat Intelligence
they require to generate relevant and testable hypotheses.
MITRE’s ATT&CK Matrix loosely maps to the latter stages of MITRE’s version of the Cyber Kill
Chain®, called the Cyber Attack Lifecycle (18), also shown in Figure 10. ATT&CK was widely adopted
across all organisations we engaged with and has also been formally adopted by the Cross-
Government CTI Working Group to provide a consistent terminology and framework.
Aside from providing a common framework, the ATT&CK Matrix can be of great use to hunters by encouraging them to ask questions such as “Can we currently detect the Drive-by Compromise technique within the Initial Access tactic if used against us by an adversary?” Exercises can be used here to assess whether any given technique can be detected or not, with the blue team (i.e. hunters) requesting the red team to perform a specific technique, or alternatively the red team performing a set of techniques without the blue team’s knowledge to see what the blue team can detect. MITRE provides detection information for each technique that can be used to aid hypothesis generation, and data source information that can be used to check whether the existing data visibility is sufficient and, if not, to provide focus and justification for subsequent data collection efforts and any associated cost.
Additionally, the ATT&CK Matrix can be of use when assessing data visibility: at the time of writing, 50 data sources are required to enable detection of all 223 described techniques. Table 2 lists the data sources and the number of techniques to whose detection each source contributes. Each source is necessary but usually not sufficient, since most techniques require multiple data sources. This can help prioritise the organisation’s data collection efforts; for example, look to ensure Process monitoring data is collected across the whole estate before expending effort to collect WMI Objects data. However, consideration also needs to be given to the scope of collection and the individual systems in question. For example, Process monitoring data can be collected with relative ease from in-house systems but would be more challenging to collect from outsourced systems, e.g. Software-as-a-Service (SaaS) or third-party organisations within the supply chain.
Figure 10 – MITRE’s Cyber Attack Lifecycle and ATT&CK Matrix for Enterprise*
* Accurate at time of writing – see https://attack.mitre.org/ for the most current version
A visual method of representing current data visibility is a heatmap, with a good instructional example detailed in a blogpost by Roberto Rodriguez (aka Cyb3rWard0g) (19). That example scores each technique based on the amount of data collected, the quality of the data collected, the data science techniques used, etc. To track this, MITRE’s ATT&CK Navigator10 can be utilised. The Navigator is an interactive view of the Matrix that allows each technique to be colour-coded, and the output can be exported to Excel or as JavaScript Object Notation (JSON).
While the Threat Hunting team should fully adopt the ATT&CK Matrix and embed it into all aspects
of their Threat Hunting process, they (or even the SOC in general) will likely have only limited
influence over what data and logs they receive, as this will often fall under the remit of the individual
System Owners. Therefore, the organisation should adopt a policy that all new systems will send
logs to the SOC’s central repository, and then on-board logs from existing systems, perhaps by
standing up a centrally-funded on-boarding project as necessary. This can incentivise the business
units to assist the data collection effort, as they would only need to fund the Business-as-Usual
(BAU) costs, rather than the more expensive on-boarding costs.
10 https://mitre-attack.github.io/attack-navigator/enterprise/
As a worked example of a heatmap, take for instance an organisation that only collects the top ten
data sources listed in Table 2. We will use a slightly simpler scoring system than Cyb3rWard0g,
shown below, which is mapped from our CMM. Each technique is scored based on the Hunting
team’s visibility of the required data sources.
The table below shows the data sources required for each technique within the Initial Access tactic.
Let’s assume the organisation has visibility of the top five sources from across the estate (bold) but
that they only have visibility of the other five sources from key areas within the estate (italics). Each
technique would then be given a relevant detection maturity level and associated colour.
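The following added Python example (not code from the guide, from MITRE or from Cyb3rWard0g’s post) carries the Table 2 prioritisation and the heatmap scoring above through in code. The technique IDs are real Initial Access IDs from the 2018 matrix, but the data-source sets attached to them, the visibility assignments and the three-level score are constructed for the example rather than taken from ATT&CK or from the guide’s CMM. The Navigator layer field names are an assumption to check against the Navigator version in use.

```python
"""Scoring ATT&CK technique visibility from collected data sources and
emitting a heatmap layer for the ATT&CK Navigator.

Added illustration, not code from the guide, MITRE or Cyb3rWard0g. The
technique IDs are real 2018 Initial Access IDs; the data-source sets,
visibility and scoring scale are constructed for the example.
"""
import json

# Constructed technique -> required data sources (illustrative, NOT ATT&CK's mapping).
TECHNIQUE_SOURCES = {
    "T1189": ("Drive-by Compromise",
              {"Packet capture", "Web proxy", "Process monitoring",
               "Network intrusion detection system"}),
    "T1190": ("Exploit Public-Facing Application",
              {"Packet capture", "Network intrusion detection system", "Process monitoring"}),
    "T1133": ("External Remote Services", {"Authentication logs", "Process monitoring"}),
    "T1193": ("Spearphishing Attachment",
              {"File monitoring", "Process monitoring", "Anti-virus", "Email gateway"}),
    "T1091": ("Replication Through Removable Media",
              {"File monitoring", "Data loss prevention"}),
    "T1078": ("Valid Accounts", {"Authentication logs", "Process monitoring"}),
    "T1200": ("Hardware Additions", {"Asset management", "Data loss prevention"}),
}

# Constructed visibility: ESTATE = collected from the whole estate (the "bold"
# sources), PARTIAL = key areas only (the "italic" sources); absent = not collected.
ESTATE, PARTIAL = "estate", "partial"
VISIBILITY = {
    "Process monitoring": ESTATE, "File monitoring": ESTATE,
    "Authentication logs": ESTATE, "Packet capture": ESTATE, "Web proxy": ESTATE,
    "Network intrusion detection system": PARTIAL, "Anti-virus": PARTIAL,
    "Email gateway": PARTIAL,
}

# This example's own three-level scale (not the guide's CMM levels).
LEVEL_COLOUR = {0: "#ff6666", 1: "#ffcc66", 2: "#66cc66"}   # red / amber / green


def source_contribution(mapping):
    """Count the techniques each data source contributes to (cf. Table 2),
    most useful sources first, to prioritise collection effort."""
    counts = {}
    for _name, sources in mapping.values():
        for s in sources:
            counts[s] = counts.get(s, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def score_technique(required, visibility):
    """0 if any required source is not collected, 1 if all are collected but
    some only from key areas, 2 if all are collected estate-wide."""
    levels = [visibility.get(s) for s in required]
    if any(lvl is None for lvl in levels):
        return 0
    return 2 if all(lvl == ESTATE for lvl in levels) else 1


def score_all(mapping, visibility):
    return {tid: score_technique(src, visibility) for tid, (_n, src) in mapping.items()}


def missing_sources(mapping, visibility):
    """Sources not collected at all, with the techniques they would unlock:
    the justification for the next data collection effort."""
    gaps = {}
    for tid, (_n, sources) in mapping.items():
        for s in sources:
            if s not in visibility:
                gaps.setdefault(s, []).append(tid)
    return {s: sorted(t) for s, t in gaps.items()}


def navigator_layer(mapping, visibility, name="Data visibility heatmap"):
    """Build a colour-coded layer for the ATT&CK Navigator. The field names are
    assumed from the Navigator layer format; verify against the version in use."""
    scores = score_all(mapping, visibility)
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "0 = missing source, 1 = partial visibility, 2 = estate-wide",
        "techniques": [
            {"techniqueID": tid, "score": lvl, "color": LEVEL_COLOUR[lvl],
             "comment": mapping[tid][0]}
            for tid, lvl in sorted(scores.items())
        ],
    }


if __name__ == "__main__":
    for source, n in source_contribution(TECHNIQUE_SOURCES):
        print(f"{n:2d}  {source}")
    print(json.dumps(navigator_layer(TECHNIQUE_SOURCES, VISIBILITY), indent=2))
```

Running it prints the data sources ranked by how many techniques they contribute to (Process monitoring first) and a layer JSON that can be imported into the Navigator to colour the Matrix. `missing_sources` gives the list to take to System Owners: in this constructed dataset, collecting Data loss prevention alone would lift two techniques off level 0.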
For Threat Hunting, the priority of investing in people was echoed by the organisations we engaged
with, and is reflected in the SANS 2018 Threat Hunting Survey, where 29.9% of respondents
prioritised staffing, and 19.8% prioritised training, meaning 49.7% prioritised investment in people
(8) over services or technology.
While this paper has not assessed any specific training courses, care should be taken to ensure any
training procured delivers specific Threat Hunting knowledge, as opposed to re-branded blue
teaming or CSIRT courses – while these would still add value to your Threat Hunting team, they
would not necessarily explore the specific processes or playbooks required. At the time of writing,
the authors of this paper are aware of only a limited number of Threat Hunting-specific courses, but
offerings on the market should be continuously assessed. Additionally, the benefit gained from on-
the-job training, or internally developed courses, should not be ignored.
RECOMMENDATION 11: Prioritise the recruitment and training of skilled threat hunters.
The logical result of focusing investment on your people is that less investment is then available for tools. However, the organisations we engaged with were predominantly leveraging existing tools, both commercially procured and Free and Open Source Software (FOSS). Again, this is reflected by the SANS 2018 Threat Hunting Survey, with 90.3% of organisations using existing infrastructure tools, 61.9% developing tools in-house, 47.8% using FOSS hunting tools, and only 32.5% procuring commercially available Threat Hunting tools (8). This reflects the relative immaturity of the Threat Hunting tools and services on offer from security vendors. While this paper has not assessed any specific tools, care should be taken to properly understand the features on offer rather than taking any sales or marketing material at face value, ensuring the solutions are designed with a proactive stance at their core, rather than merely being reactive offerings re-branded as ‘Threat Hunting’.
None of the organisations we engaged with were utilising Threat Hunting-specific tooling, highlighting
that the market is fairly immature at the time of writing; however, technology develops rapidly and
horizon scanning (systematically investigating evidence about future trends) should be maintained
to benefit from future advances.
RECOMMENDATION 13: Maintain horizon scanning for future tooling e.g. machine learning
solutions.
Of the organisations we engaged with, those that did wish to invest in tooling were primarily focused
on solutions that improve data visibility to better enable Threat Hunting, rather than Threat Hunting-
specific tooling itself. A priority we repeatedly heard was for the deployment of Endpoint Detection
and Response (EDR) solutions that allow greater visibility into endpoint data. This reiterates the
earlier discussion that data visibility is key for effective Threat Hunting to occur.
By assessing the current data visibility and identifying detection gaps, the SOC can then start to build
a business case for investment in additional tooling e.g. EDR solutions, with metrics from Hunting
being used to highlight the benefits of a proactive approach.
Taking machine learning for example: as of July 2018, Gartner included it in their Hype Cycle for Data Science and Machine Learning (29) in the ‘Peak of Inflated Expectations’ stage, represented below, predicting 2-5 years until it reaches the ‘Plateau of Productivity’. Essentially this means that machine learning has now been implemented by early adopters, with mixed success, and the prediction is that it will be 2-5 years until it is widely implemented and its application and benefits are well understood.
4.4 Metrics
Most of the organisations we engaged with did not have any metrics for their Threat Hunting
capability, either due to a difficulty in identifying metrics of value, or through a belief that as Threat
Hunting needs to be a flexible process, metrics in general were not suitable. However, there are
useful metrics that can provide a measurement of performance to help drive improvements and can
also evidence the ROSI to senior managers within the organisation, helping to build the business
case for further investment (financial and time) in your people and tools. Below is an example set of
metrics that could be adopted:
Ultimately, the value of any metric is how useful it is to the recipient, often a senior manager such as
a CISO, so all metrics should be developed in collaboration between the Threat Hunting team and
relevant senior managers.
5 Leveraging HM Government
This section is targeted at decision makers within cross-government functions, and outlines steps
that can be taken across HM Government to improve collaboration, set a common baseline, and
professionalise the threat hunter role and hence improve our collective security.
5.1 Collaboration
Many of the Threat Hunting teams we engaged with operated in the isolation of their own
organisation. Instead, greater collaboration should be encouraged between organisations so that the
community can collectively benefit from each other’s experiences and lessons learnt, to better
defend against malicious threats.
Each CSU is responsible for defining a set of security service offerings that can then be adopted and rolled out by all CSUs to their customers. Currently, the service offerings are more generally focused on physical security, with plans to explore a full cyber catalogue in the future. We recommend that GSG include Threat Hunting as a future cyber security offering for development and delivery by the CSUs, as this is an ideal existing mechanism to collaborate, define good practice and implement Threat Hunting across government.
➢ Make better use of data
➢ Create, operate, iterate and embed good use of shared platforms and reusable business capabilities to speed up transformation
RECOMMENDATION 15: When defining the full cyber catalogue, the GSG should include
Threat Hunting as a security service offering from the CSUs.
12 Cluster 1 is led by HM Revenue and Customs (HMRC); Cluster 2 is led by the Home Office (HO); Cluster 3
is led by the Department for Work and Pensions (DWP); and Cluster 4 is jointly led by the Ministry of Defence
(MOD) and the Foreign and Commonwealth Office (FCO).
Launched in March 2013, CiSP is an online sharing portal described as "a joint industry and
government initiative set up to exchange cyber threat information in real time, in a secure,
confidential and dynamic environment, increasing situational awareness and reducing the impact on
UK business."
Aside from CTI, we would also encourage organisations to share their hunt hypotheses, procedures,
playbooks and analytics with each other. While a specific hypothesis or analytic may not be of direct
use from one organisation to the next due to differences in estate architecture, threat landscape,
etc., it may help to stimulate discussion and produce new hypotheses or hunt ideas.
RECOMMENDATION 16: Share relevant CTI and knowledge gained from Threat Hunting
across the community.
RECOMMENDATION 17: Set up a Cross-Government Working Group for Threat Hunting and
run hackathon-type events.
13 https://www.ncsc.gov.uk/cisp
While the MCSS details outcomes, rather than specific implementations, Standard 8 (DETECT), subsection a) states that “As a minimum, Departments shall capture events that could be combined with common threat intelligence sources e.g. Cyber Security Information Sharing Partnership (CISP) to detect known threats.”, while subsection d) states that “Attackers attempting to use common cyber-attack techniques should not be able to gain access to data or any control of technology services without being detected.” The references to ‘known threats’ and ‘common cyber-attack techniques’ imply a reactive stance, searching for IOCs, that is better suited to Protective Monitoring, as opposed to the proactive search for advanced unknown threats that is better suited to Threat Hunting.
Currently, only a small number of organisations are performing Threat Hunting at a competent level of maturity; this is reflected in the MCSS, which does not reference Threat Hunting either in name or principle. However, as Threat Hunting across departments matures, its outcomes (such as reduced dwell time through a proactive approach) should be included in a future iteration of the MCSS. Departments must, however, be given sufficient sight of this to allow them to prepare.
RECOMMENDATION 18: Include the outcomes from Threat Hunting in a future iteration of the
MCSS.
14 https://www.cyberessentials.ncsc.gov.uk/. Cyber Essentials helps guard against the most common cyber threats and demonstrates a commitment to cyber security.
The CAF is broken down into four objectives, A to D, with each detailing Indicators of Good Practice
(IGP). Objective C (detecting cyber security incidents) is broken down into two principles (24):
C1. Security monitoring: The organisation monitors the security status of the networks and
systems supporting the delivery of essential services to detect potential security problems
and to track the ongoing effectiveness of protective security measures
C2. Proactive security event discovery: The organisation detects, within networks and
information systems, malicious activity affecting, or with the potential to affect, the delivery of
essential services, even when the activity evades standard signature-based security
prevent/detect solutions, or when it is not possible to use signature-based detection, for some
reason
Like the MCSS, the CAF details outcomes rather than specific implementations. C1 takes a reactive
stance, focusing on the monitoring coverage, security of logs, the generation of alerts, the
identification of security incidents, and the monitoring tools and skills required. However, C2 takes a
proactive stance and very much alludes to Threat Hunting in principle, even if not by name. C2.a
(system abnormalities for attack detection) covers defining examples of the abnormalities in systems’
behaviour to aid detection of malicious activity – this can effectively be achieved via adoption of
MITRE’s ATT&CK framework and via ingestion of relevant CTI. C2.b (proactive attack discovery)
covers the understanding of sophisticated attack methods and normal system behaviour to
proactively search for malicious activity – effectively performing Threat Hunting.
In the UK, it is up to each sector’s CA to decide if and how the CAF is implemented, as the NCSC
has no regulatory role under NIS. To broaden implementation of Threat Hunting as a capability, we
recommend that the CAs implement the CAF (and specifically Objective C) where possible, and that
other organisations not bound by NIS look to CAF as an example of a proactive standard.
We would recommend that any government organisation that looks to outsource their SOC should
include requirements for a Threat Hunting capability and use our CMM, or similar, to appropriately
define this in the commercial documentation. Any lessons learnt from such a process should then
be shared across the community, such as via CiSP.
Future engagement with the Crown Commercial Service (CCS) could be considered if a significant
number of public organisations wish to procure outsourced SOC functions that provide Threat
Hunting capabilities, to define the best commercial framework/approach to facilitate this.
RECOMMENDATION 22: Work with the CCS to define the best route to market for outsourced
SOC functions that provide Threat Hunting capabilities.
Finally, commercial arrangements should be in place with suppliers that manage infrastructure on
behalf of your organisation e.g. Software/Platform/Infrastructure as a Service providers, to ensure
they provide the appropriate data sources and visibility to the SOC, allowing the Threat Hunting team
to operate within these systems.
RECOMMENDATION 23: Include commercial requirements for service providers to supply the
SOC with the necessary data visibility required for Threat Hunting.
Delivery of these objectives would be driven by a new and independent UK Cyber Security Council. The consultation closed in August 2018, and in December 2018 DCMS issued a Request for Proposal for the design and delivery of this council (27). Applications are due in February 2019, with work aiming to commence in May 2019.
We recommend that the teams developing the CyBOK and the UK Cyber Security Council engage with Threat Hunting teams across government to ensure that Threat Hunting as a distinct capability is appropriately represented within the Cyber Security Profession, including via the adoption of this paper’s recommendations.
RECOMMENDATION 24: The teams developing the CyBOK and the UK Cyber Security
Council should consider recognising Threat Hunting as a distinct domain.
RECOMMENDATION 25: The GSPU should define threat hunter as a distinct role within the
Operational Security job family.
6 Conclusion
In an ever increasingly digital and connected world, the cyber threat facing most organisations is
growing. While the threat profile is different for each organisation, UK government departments will
undoubtedly have their defences tested by advanced and persistent threat actors, which may not be
detected or prevented by technical controls and reactive monitoring.
To detect these unknown and advanced threats, departments should now start moving towards a
proactive stance by operating a Threat Hunting capability, and hence improve their security posture
and reduce their cyber risk. This capability enables malicious activity to be identified earlier on in an
attack, thereby minimising the opportunity for adversaries to disrupt, damage or steal.
To research this guide, we conducted an extensive literature review and held engagements with nine
government bodies, including the NCSC, and three industry partners. This allowed us to understand
the current capability across HM Government, and define a target capability through our Capability
Maturity Model.
This guide provides recommendations for SOCs, government departments, and across HM
Government, to detect unknown malicious activity through development of Threat Hunting
as both a capability and a profession.
Before operating a proactive detection capability, government departments must create an enabling
environment by ensuring they meet the requirements of the MCSS, and by providing the necessary
enablers for their Threat Hunting function such as actionable Cyber Threat Intelligence, relevant data
from across the estate, and appropriate investment in people, processes and tools.
To aid assessment of organisational performance and identify areas for improvement, adopt a standard framework such as our Threat Hunting Capability Maturity Model
Rotate SOC analysts into the Threat Hunting team for learning and development purposes
Adopt a formalised process, such as our Extended Hunting Loop, to aid operationalisation of mature Threat Hunting processes
Adopt MITRE’s ATT&CK™ Matrix for Enterprise to aid hypothesis generation and data visibility tracking
Take steps at the enterprise-level, such as policy enforcement, to ensure the Threat Hunting team has the data visibility required to defend the organisation
Apply caution to Threat Hunting tooling investment, instead leveraging existing tools and free and open source software
Maintain horizon scanning for future tooling e.g. machine learning solutions
Adopt organisationally-relevant metrics, such as our example set, to drive improvements and evidence the return on security investment over time
Provide threat hunters with the actionable Cyber Threat Intelligence they require to generate relevant and testable hypotheses
When defining the full cyber catalogue, the Government Security Group should include Threat Hunting as a security service offering from the Cluster Security Units
Share relevant Cyber Threat Intelligence and knowledge gained from Threat Hunting across the community
Set up a Cross-Government Working Group for Threat Hunting and run hackathon-type events
Include the outcomes from Threat Hunting in a future iteration of the Minimum Cyber Security Standard
Include requirements for Threat Hunting in future commercial arrangements for outsourced SOC functions, and share the lessons learnt
Work with the Crown Commercial Service to define the best route to market for outsourced SOC functions that provide Threat Hunting capabilities
Include commercial requirements for service providers to supply the SOC with the necessary data visibility required for Threat Hunting
The teams developing the Cyber Security Body of Knowledge and the UK Cyber Security Council should consider recognising Threat Hunting as a distinct domain
The Government Security Professional Unit could define threat hunter as a distinct role within the Operational Security job family
Coordinated investment in Threat Hunting across SOCs, departments, and HM Government can
lead to improvements in our collective security, while helping to develop the next generation of the
UK’s defenders.
7 Appendices
Bank of England
BT
Cabinet Office
Home Office
This guide is one of three documents being published as part of NCSP-funded projects, which are mutually complementary. They are as follows:
This guide provides an overview for UK government departments and organisations on how to
deliver a CTI capability. This covers how to set a CTI strategy, what a CTI function should deliver,
how that content should be delivered and how to effectively resource a capability.
This guide, produced via a literature review and engagements with public and private sector
organisations, provides recommendations for SOCs, government departments, and across HM
Government, to detect unknown malicious activity through development of Threat Hunting as both a
capability and a profession.
This paper provides recommendations as to how and why government departments and HM
Government as a whole, can better understand and control their digital footprint through developing
a Digital Risk and Intelligence capability. Recommendations are provided at three levels; threat
intelligence team level, government department level, and cross-government function level. These
recommendations are also provided in the context of short, medium and long-term goals.
Each of the areas covered by these papers addresses a different element of MITRE’s Cyber Attack Lifecycle:
Clearly there are overlaps in the focus of the distinct functions, for example in the reconnaissance phase: whilst CTI and DR&I have different objectives, there is a similarity in content and focus. Depending on business requirements, there may be other areas where further integration can be of benefit, but fundamentally adoption of each capability needs to be based on its cost versus business benefit.
All three capabilities are subservient to each of the outcomes described in the Minimum Cyber Security Standard. If the minimum standard is not met, it is highly likely that investment in those areas will be more beneficial than these capabilities.
Access to data and visibility of data is critical to all functions, both internally and externally. We would recommend that the specific pre-requisites for data access in your organisation are understood prior to investment; other organisations consulted have made significant investments, and subsequently failed to realise the benefit due to a lack of data access.
A nascent CTI and Threat Hunting capability should grow together, as they have complementary requirements. A mature Threat Hunting capability that has no CTI capability to feed it intelligence will be limited, and likewise a CTI capability feeding information to a CSOC with no threat hunters is limited in value.
For further details on each of these points, please refer to each of the guides specifically.
2. National Cyber Security Centre. The National Cyber Security Centre. NCSC.GOV.UK. [Online] https://www.ncsc.gov.uk/.
3. HM Government. National Security Strategy and Strategic Defence and Security Review 2015. GOV.UK. [Online] 23 November 2015. https://www.gov.uk/government/publications/national-security-strategy-and-strategic-defence-and-security-review-2015.
4. Cabinet Office. Minimum Cyber Security Standard. GOV.UK. [Online] June 2018. https://www.gov.uk/government/publications/the-minimum-cyber-security-standard.
5. National Cyber Security Centre. Security operations centre (SOC) buyers guide. NCSC.GOV.UK. [Online] 24 September 2016. https://www.ncsc.gov.uk/guidance/security-operations-centre-soc-buyers-guide.
6. Lee, Robert M. The Sliding Scale of Cyber Security. SANS Institute, 2015.
7. Lee, Rob and Lee, Robert M. The Hunter Strikes Back: The SANS 2017 Threat Hunting Survey. SANS Institute, 2017.
8. Lee, Robert M. and Lee, Rob T. SANS 2018 Threat Hunting Survey Results. SANS Institute, 2018.
10. Joint Committee on the National Security Strategy. Cyber Security Skills and the UK's Critical National Infrastructure. House of Lords and House of Commons, 2018.
13. Lee, Robert M. and Bianco, David. Generating Hypotheses for Successful Threat Hunting. SANS Institute, 2016.
15. Caltagirone, Sergio, Pendergast, Andrew and Betz, Christopher. The Diamond Model of Intrusion Analysis. 2013.
17. Strom, Blake E., et al. MITRE ATT&CK: Design and Philosophy. The MITRE Corporation, 2018.
19. Rodriguez, Roberto. How Hot Is Your Hunt Team? Cyber Wardog Lab. [Online] July 2017. https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html.
20. Cabinet Office. Government Transformation Strategy 2017 to 2020. GOV.UK, 2017.
22. T, Kevin. Introducing the Cyber Assessment Framework v2.0. National Cyber Security Centre. [Online] October 2018. https://www.ncsc.gov.uk/blog-post/introducing-cyber-assessment-framework-v20.
23. Department for Digital, Culture, Media & Sport. Security of Network and Information Systems. Guidance for Competent Authorities. 2018.
24. National Cyber Security Centre. CAF - Objective C. National Cyber Security Centre. [Online] April 2018. https://www.ncsc.gov.uk/guidance/caf-objective-c.
25. Department for Digital, Culture, Media & Sport. Implementing the National Cyber Security Strategy - Developing the Cyber Security Profession in the UK. 2018.
26. University of Bristol. The Cyber Security Body of Knowledge. CyBOK.org. [Online] https://www.cybok.org/.
27. Department for Digital, Culture, Media & Sport. Request for Proposals - A New UK Cyber Security Council. Annex A - Application Process and Guidance for Applicants. 2018.
29. Krensky, Peter and Hare, Jim. Hype Cycle for Data Science and Machine Learning, 2018. Gartner, 2018.
30. Cole, Eric. Threat Hunting: Open Season on the Adversary. SANS Institute, 2016.
31. Bianco, David. The Pyramid of Pain. Enterprise Detection & Response. [Online] March 2013. http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html.
34. FireEye. An In-Depth Look Into Data Stacking. FireEye. [Online] 2012. https://www.fireeye.com/blog/threat-research/2012/11/indepth-data-stacking.html.
This publication is licensed under the terms of the Open Government Licence v3.0 except where
otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-
licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9
4DU, or email: [email protected].
Where we have identified any third-party copyright information you will need to obtain permission
from the copyright holders concerned.