I've had something in my mind now for a few years, but I never published it. So today, you're getting a short thread on "How to Prepare for #ThreatHunting Using the ABLE Framework".
1/9
1/9
Good threat hunting starts with a hypothesis. This is, loosely, an educated guess at a type of malicious activity which may be happening. @RobertMLee and I wrote a whitepaper on this, called "Generating Hypotheses for Successful Threat Hunting": sans.org/reading-room/w…
2/9
2/9
Once you have the hypothesis, though, then what? That's where the ABLE framework comes in.
There are four key pieces of information you need to know to be ABLE (Ha! Get it?) to hunt. They are:
- The ACTOR
- The BEHAVIOR
- The LOCATION
- The EVIDENCE
3/9
There are four key pieces of information you need to know to be ABLE (Ha! Get it?) to hunt. They are:
- The ACTOR
- The BEHAVIOR
- The LOCATION
- The EVIDENCE
3/9
ACTOR (if applicable):
Is the behavior you're hunting for associated with a specific threat actor or type of threat actor? If so, knowing more about the actor and how they operate may give you clues that can help you more easily identify the activity you're looking for.
4/9
Is the behavior you're hunting for associated with a specific threat actor or type of threat actor? If so, knowing more about the actor and how they operate may give you clues that can help you more easily identify the activity you're looking for.
4/9
ACTOR (continued):
In many cases, you won't have a specific actor or type of actor in mind. That's OK. Some adversary techniques are widely used by many different groups and types of actors. But if you DO have this additional context, it can make things much easier.
5/9
In many cases, you won't have a specific actor or type of actor in mind. That's OK. Some adversary techniques are widely used by many different groups and types of actors. But if you DO have this additional context, it can make things much easier.
5/9
BEHAVIOR:
What specific action(s) are you trying to detect? Often called "TTPs", tactics or techniques. Instead of trying to find the entire Kill Chain's worth of adversary actions, focus on a specific piece of their activity.
6/9
What specific action(s) are you trying to detect? Often called "TTPs", tactics or techniques. Instead of trying to find the entire Kill Chain's worth of adversary actions, focus on a specific piece of their activity.
6/9
LOCATION:
Different behaviors tend to occur on different parts of your network, usually based on where the attacked asset resides or where they will be most effective. If you want to find data exfiltration, look at your network perimeter and not on your user subnet.
7/9
Different behaviors tend to occur on different parts of your network, usually based on where the attacked asset resides or where they will be most effective. If you want to find data exfiltration, look at your network perimeter and not on your user subnet.
7/9
EVIDENCE:
If the activity you are trying to find is present, in which data source(s) would you find traces of it, and what would those traces look like? You'll use this information both to make your log collection plan and your data analysis strategy.
8/9
If the activity you are trying to find is present, in which data source(s) would you find traces of it, and what would those traces look like? You'll use this information both to make your log collection plan and your data analysis strategy.
8/9
Think of ABLE as the step between hypothesis generation and analysis planning. So something like:
- Generate Hypothesis
- ABLE framework
- Choose the data analysis technique(s) necessary to validate the hypothesis
- Collect the data
- Analyze
- Repeat as necessary
9/9
- Generate Hypothesis
- ABLE framework
- Choose the data analysis technique(s) necessary to validate the hypothesis
- Collect the data
- Analyze
- Repeat as necessary
9/9
• • •
Missing some Tweet in this thread? You can try to
force a refresh
