Threat Hunting

Turns out, Turngate is a pretty great product for Threat Hunting. It's fast, easy to use, and you can pivot rapidly through data as you continually test hypotheses. That's cool and all, but what actually is "threat hunting?"

Threat Hunting Philosophy

Threat Hunting (henceforth just "hunting" b/c that's a lot of letters to type) is sort of the cousin of security investigations.

The mindset is largely the same. You (the analyst) have a hypothesis about something that may or may not be occurring, and you want to see whether it's true. The underlying tooling is often identical, but the initiating event is different.

You may start a hunt because of a new threat that has been announced, you have an upcoming audit, you are doing a periodic review, or even just because you have some spare time.

Threat Hunting Frameworks

While randomly stumbling through your logs and alerts can be fun, it's useful to have some structure to what you're doing. There are a few publicly available frameworks that can help with that.

PEAK Framework (Splunk) - Each PEAK hunt follows a three-stage process: Prepare, Execute, and Act. In the Prepare phase, hunters select topics, conduct research, and generally plan out their hunt. The Execute phase involves diving deep into data and analysis, while the Act phase focuses on documentation, automation, and communication.

TaHiTI (Targeted Hunting Integrating Threat Intelligence) - This model builds on the Sqrrl model by generating new threat intelligence from hunting activities, which then feeds back into the threat intelligence feed for adversary analysis and hunting exercises.

MITRE ATT&CK - While not exclusively a hunting framework, MITRE ATT&CK incorporates hundreds of known adversarial tactics and techniques. It's foundational for hypothesis-driven hunting, and many other security frameworks rely on it.

These are great frameworks, and regardless of whether you're casually threat hunting or building a formal program, they're required reading. To that end, we're not going to duplicate them here. Go read them, then come back and learn how to use Turngate to hunt in your SaaS environment.
