Hunting

Search for the presence of or information about an adversary, or your organization, its employees, infrastructure, etc.

Within the defender's environments, hunting presupposes a failure of initial prevention or detection, and that an adversary has successfully penetrated a system. In this case defenders hunt for the presence of an adversary. Typically the hunt is informed by intelligence on adversary TTPs and infrastructure. Defenders also hunt adversaries outside the defended environment. Information about the adversary, including their skills, TTPs, and infrastructure can be used to improve defenses or promote better adversary engagement. Defenders also hunt for information about their organization that is available for free or for purchase. Actively researching organizational exposure or inclusion in password dumps, leaks, etc. helps defenders focus on specific detections and proactive countermeasures.

Details
ID: DTE0021
Tactics:  Detect Collect

Opportunities

IDDescription
DOS0002 There is an opportunity to discover who or what is being targeting by an adversary.
DOS0245 If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools.
DOS0252 There is an opportunity to gain visibility into newly created or previously unknown adversary infrastructure

Use Cases

IDDescription
DUC0245 A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner.
DUC0252 A defender could use information about an adversary's TTPs in order to monitor for new adversary infrastructure and files.
DUC0259 A defender can use a decoy persona to engage with online communities or to purchase/download information about their organization and review for exposure.

Procedures

IDDescription
DPR0039 Pivot on Command and Control information to identify other infrastructure used by the same adversary.
DPR0065 Use information about an adversary's TTPs to perform retroactive searches for any activity that have gone undetected.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1568 Dynamic Resolution Command and Control
T1583 Acquire Infrastructure Resource Development
T1596 Search Open Technical Databases Reconnaissance
T1597 Search Closed Sources Reconnaissance