Search for the presence of or information about an adversary, or your organization, its employees, infrastructure, etc.
Within the defender's environments, hunting presupposes that initial prevention or detection has failed and that an adversary has successfully penetrated a system. In this case defenders hunt for the presence of an adversary. Typically the hunt is informed by intelligence on adversary TTPs and infrastructure. Defenders also hunt adversaries outside the defended environment. Information about the adversary, including their skills, TTPs, and infrastructure, can be used to improve defenses or to promote better adversary engagement. Defenders also hunt for information about their organization that is available for free or for purchase. Actively researching organizational exposure or inclusion in password dumps, leaks, etc., helps defenders focus on specific detections and proactive countermeasures.
| Opportunity ID | Description |
|---|---|
| DOS0002 | There is an opportunity to discover who or what is being targeted by an adversary. |
| DOS0245 | If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools. |
| DOS0252 | There is an opportunity to gain visibility into newly created or previously unknown adversary infrastructure. |
| Use Case ID | Description |
|---|---|
| DUC0245 | A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner. |
| DUC0252 | A defender could use information about an adversary's TTPs in order to monitor for new adversary infrastructure and files. |
| DUC0259 | A defender can use a decoy persona to engage with online communities or to purchase/download information about their organization and review it for exposure. |
| Procedure ID | Description |
|---|---|
| DPR0039 | Pivot on command and control information to identify other infrastructure used by the same adversary. |
| DPR0065 | Use information about an adversary's TTPs to perform retroactive searches for any activity that has gone undetected. |
| ID | Name | ATT&CK Tactics |
|---|---|---|
| T1568 | Dynamic Resolution | Command and Control |
| T1583 | Acquire Infrastructure | Resource Development |
| T1596 | Search Open Technical Databases | Reconnaissance |
| T1597 | Search Closed Sources | Reconnaissance |