Utilize Threat Modeling and Hunting Methodologies

Blue Team

OBJECTIVES COVERED

Given a scenario, utilize threat intelligence to support organizational security.

Explain the importance of proactive threat hunting.

Intelligence-driven defense lends itself to proactive techniques for securing IT systems. Knowledge of adversary TTPs can be used for effective threat modeling, making risk and vulnerability assessment more efficient. You can also use threat intelligence to perform threat hunting, looking for signs of intrusion that have not been captured by routine security monitoring. As a CySA+ professional, you should be able to explain the importance of these techniques.


THREAT MODELING ADVERSARY CAPABILITY AND ATTACK SURFACE

To understand the risks to an enterprise, a security professional must be able to analyze information systems to understand how they support business workflows and how the confidentiality, integrity, and availability of the systems are threatened. A number of different frameworks and processes have been established to assist this analysis. Although how you go about your analysis will differ with respect to what you’re analyzing, the following are some clarifying questions to ask when trying to quantify a risk:

  • How can an attack be performed? Can the attack be performed in the current network, and are the assets accessible?
  • What is the potential impact to the confidentiality, integrity, and reliability of the data?
  • How likely is the risk to manifest itself? How exploitable is the flaw? Is it theoretical, or does a working exploit exist?
  • What mitigating protections are already in place? How long will it take to put additional controls in place? Are those additional protections cost effective?

Threat modeling is designed to identify the principal risks and TTPs that a system may be subject to by evaluating the system both from an attacker’s point of view and from the defender’s point of view. For each scenario-based threat situation, the model asks whether defensive systems are sufficient to repel an attack perpetrated by an adversary with a given level of capability. Threat modeling can be used to assess risks against corporate networks and business systems generally and can also be performed against more specific targets, such as a website or software deployment. The outputs from threat modeling can be used to build use cases for security monitoring and detection systems. Threat modeling is typically a collaborative process, with inputs from a variety of stakeholders. As well as cybersecurity experts with knowledge of the relevant threat intelligence and research, stakeholders can include non-experts, such as users and customers, and persons with different priorities to the technical side, such as those who represent financial, marketing, and legal concerns.

** There are many threat-modeling methodologies. Two good starting points are NIST’s advice (csrc.nist.gov/CSRC/media/Publications/sp/800-154/draft/documents/sp800_154_draft.pdf) and a MITRE white paper (mitre.org/sites/default/files/publications/pr_18-1174-ngci-cyber-threat-modeling.pdf). **

Adversary Capability

One of the first stages of threat modeling is to identify threat sources. Threat actors can be classified as opportunistic or targeted, and as nation-state, organized crime, or hacktivist. You can use threat intelligence to determine how likely attacks from types of threat actors are. You can also use threat intelligence to determine adversary capabilities. You can then develop threat models based on different levels of adversary capability. Capability refers to a threat actor’s ability to craft novel exploit techniques and tools. For example, MITRE identifies the following levels of capability:

  • Acquired and augmented—Uses commodity malware and techniques only (acquired) or has some ability to customize existing tools (augmented).
  • Developed—Can identify and exploit zero-day vulnerabilities and can deploy significant human and financial resources to attack planning and execution.
  • Advanced—Can exploit supply chains to introduce vulnerabilities in proprietary and open-source products and plan campaigns that exploit suppliers and service providers.
  • Integrated—Can additionally use non-cyber tools, such as political or military assets.

Total Attack Surface

The attack surface is all the points at which an adversary could interact with the system and potentially compromise it. To determine the attack surface, you must inventory the assets deployed on your network and the processes that those assets support. Consider the following three threat-modeling scenarios:

  1. Corporate data network—Consider access by external users (VPN, email/VoIP, FTP/internally hosted website, Wi-Fi, building security) and internal users (switch port security, management channels, unlocked workstations, and so on).
  2. Website/cloud—Consider the web application used for the front end, but also ways to access the application programmatically via an application programming interface (API). You might also consider the possibility of compromise from within the service provider’s data center.
  3. Bespoke software apps—Forms and controls on the application’s user interface, interaction with other software via an API or file/data import process, and vulnerabilities from the host OS or platform.

Attack Vector

The attack vector is a specific means of exploiting some point on the attack surface. MITRE identifies three principal categories of attack vector:

  • Cyber—Use of a hardware or software IT system. Some examples of cyberattack vectors include email or social media messaging, USB storage, compromised user account, open network application port, rogue device, and so on.
  • Human—Use of social engineering to perpetrate an attack through coercion, impersonation, or force. Note that attackers may use cyber interfaces to human attack vectors, such as email or social media.
  • Physical—Gaining local access to premises in order to effect an intrusion or denial of service attack.

THREAT MODELING IMPACT AND LIKELIHOOD

There are thousands or even millions of threat actors and adversary groups, many with the highest levels of capability. The resources required to resist an adversary with an integrated level of capability outstrip the assets of most businesses. Consequently, along with analysis of adversary capability and attack surface, there must be an assessment of risk. Risk is assessed by factoring the likelihood of an event and the impact of the event. Likelihood is measured as a probability or percentage, while impact is expressed as a cost (dollar) value. Risk assessment allows you to prioritize the outcomes and responses to the most critical threat models.

If, for example, your enterprise is a cloud provider with multiple sites worldwide, your analysis should focus on the chances of an attack succeeding, what an attack can compromise in terms of the data you host and its availability to your customers, and how exactly an attack can be performed. In this scenario, opportunistic attacks are unlikely to be able to defeat your existing security controls, so you won’t necessarily focus on that as you model new and changed threats. Likewise, you may be less concerned with the cost-effectiveness of any controls, since you have a considerable security budget.

If your organization is small and has primarily local customers, you’ll want to approach your analysis differently. Cost-effectiveness becomes a significant factor in security controls, as your budget will likely be limited. Also, you may want to focus more on the damage an attack will do to your own systems, since you’re unlikely to have the amount of redundancy that a large enterprise will. The point is, before you even begin your threat modeling, you should tailor it to your own situation to maximize its efficacy and dispense with irrelevant factors.

You can determine the likelihood of a threat by using the following methods:

  1. Discovering the threat’s motivation. What does an attacker stand to gain from conducting an attack?
  2. Conducting a trend analysis to identify emerging adversary capabilities and attack vectors. How effective are these attacks, and how have they been exploited before?
  3. Determining the threat’s annual rate of occurrence (ARO). How often does the threat successfully affect other enterprises?

Determining impact means calculating the dollar cost of the threat in terms of disrupted business workflows, data breach, fines and contract penalties, and loss of reputation and customer confidence.


Developing a Network Threat Model

Profiling – tactics, techniques, and procedures

  • Tactics, Techniques, and Procedures (TTP)

    • Describe the actions of the adversary group
    • The specific activity
      • DDoS attack / ransomware
      • Credential harvesting / APT
  • Indicator

    • How to recognize what the actions themselves look like
    • Specific patterns
      • C2 Infrastructure with IP address
      • Malware behaviour
      • Timestamps
      • MAC addresses

The MITRE CVE database

  • Many resources (vendor, government)
  • Common Vulnerabilities and Exposures (CVE)
    • Searchable database
    • Used by thousands of software projects and providers
      • Nmap, Nessus, OpenVAS, Symantec, Microsoft, Oracle
    • Examples
      • CVE-2017-0143, 144, 145 (EternalBlue)
      • DNS – CVE-2017-3143
      • Apache Struts – CVE-2017-5638 (Equifax)
      • Heartbleed (2012 – 2014)
      • Shellshock (2014)

https://owasp.org/www-project-threat-dragon/


PROACTIVE THREAT HUNTING

Threat hunting utilizes insights gained from threat research and threat modeling to proactively discover whether there is evidence of TTPs already present within the network or system. This contrasts with a reactive process that is only triggered when alert conditions are reported through an incident management system. You can also contrast threat hunting with penetration testing. Where a pen test attempts to achieve some sort of system intrusion or concrete demonstration of weakness, threat hunting is based only on analysis of data within the system. To that extent, it is less potentially disruptive than pen testing.

Establishing a Hypothesis

Combing log files and packet traces for evidence of TTPs is a fruitless task unless it is guided by some hypothesis of what to look for. Establishing a hypothesis will derive from threat modeling. If certain threats are deemed both high likelihood and high impact, they will be good cases for further investigation through threat hunting. For example, you might initiate a threat hunting project if your threat intelligence sources show that a new campaign type or adversary group has been identified, or that companies operating in similar markets have been hit by data breaches.

Profiling Threat Actors and Activities

We have already seen how threat intelligence can be used to categorize types of threat actors, such as insider, hacktivist, nation-state, or APT, and how these threat actors can be associated with TTPs. Threat modeling promotes the creation of scenarios that show how a prospective attacker might attempt an intrusion and what their objectives might be, in terms of compromising system integrity or availability or exfiltrating confidential data.

Threat Hunting Tactics

Threat hunting makes use of the tools developed for regular security monitoring and incident response. In many organizations, the relevant data will have been collected within a security information and event management (SIEM) database. In organizations without a SIEM, you will have to analyze log files, process information, and file system/Registry changes from individual hosts, plus packet captures from network sensors.

Existing security monitoring will be using filters and detection rules as the basis of an alerting system. When you are performing threat hunting, you need to assume that these existing rules have failed in some way. Perhaps a query does not capture the threat you are investigating, or perhaps a query returns relevant data but it is not tuned to prioritize the match as an alert. Threat hunting tactics are developed around an awareness of adversary TTPs. By assuming an attacker’s objectives and capabilities, you can try to predict the tactics and tools they might use to attempt a network intrusion.

For example, if threat intelligence reveals that Windows desktops in many companies are being infected with a new type of malware that is not being blocked by any current malware definitions, you might initiate the following threat-hunting plan to detect whether the malware is also infecting your systems:

  • Analyze network traffic to discover outgoing traffic to domains identified as suspect from threat research reputational databases. This should result in a list of infected hosts to investigate.
  • Analyze the executable process list on a suspect host, looking for the program or service that is opening that network connection.
  • Analyze other infected hosts to discover any similarities between the malicious process that can be used to automate detection and prevention.
  • Identify the method by which the malicious process was first executed, and block that attack vector against future compromise, such as blacklisting a vulnerable application until a patch is developed.
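The first three steps of the hunting plan above, as an added example that is not part of the original notes: it matches a DNS query log against a suspect-domain list to get hosts to investigate, finds the process behind each suspect connection, and reports what those processes share across hosts. The log layout, host addresses, domains, file paths and hash prefixes are all constructed for illustration.

```python
"""Added example: suspect-domain hunt, then process correlation across hosts."""
from collections import defaultdict

# Constructed threat-research list of suspect domains (assumption).
SUSPECT_DOMAINS = {"update-cdn.example", "telemetry-sync.example"}

# Constructed DNS query log, one "timestamp client_ip queried_name" per line.
DNS_LOG = """\
2024-05-01T09:00:01Z 10.0.1.15 www.intranet.example
2024-05-01T09:00:07Z 10.0.1.22 a1.update-cdn.example.
2024-05-01T09:02:41Z 10.0.1.37 TELEMETRY-SYNC.example
2024-05-01T09:03:10Z 10.0.1.15 notupdate-cdn.example
2024-05-01T09:05:55Z 10.0.1.22 update-cdn.example
truncated-line 10.0.1.99
"""

# Constructed per-host records joining a process to its remote endpoint,
# as an EDR export might: (host_ip, image_path, sha256_prefix, remote_name).
CONNECTIONS = [
    ("10.0.1.22", r"C:\Users\amy\AppData\Roaming\svch0st.exe", "ab12", "a1.update-cdn.example"),
    ("10.0.1.22", r"C:\Program Files\Browser\browser.exe", "77fe", "www.intranet.example"),
    ("10.0.1.37", r"C:\Users\raj\AppData\Roaming\svch0st.exe", "ab12", "telemetry-sync.example"),
    ("10.0.1.37", r"C:\Windows\System32\svchost.exe", "c0de", "time.intranet.example"),
]


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def is_suspect(name, suspects=SUSPECT_DOMAINS):
    """Match the domain itself or any subdomain, but not look-alike suffixes."""
    name = normalize(name)
    return any(name == d or name.endswith("." + d) for d in suspects)


def hosts_contacting_suspects(log_text):
    """Step 1: map each client IP to the suspect names it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:          # skip malformed or truncated records
            continue
        _, client, qname = fields
        if is_suspect(qname):
            hits[client].add(normalize(qname))
    return dict(hits)


def responsible_processes(connections, host):
    """Step 2: processes on one host that opened a suspect connection."""
    return {(image, digest) for h, image, digest, remote in connections
            if h == host and is_suspect(remote)}


def common_indicators(connections, hosts):
    """Step 3: (file name, hash) pairs seen on every affected host."""
    per_host = [
        {(image.rsplit("\\", 1)[-1].lower(), digest)
         for image, digest in responsible_processes(connections, host)}
        for host in hosts
    ]
    return set.intersection(*per_host) if per_host else set()


if __name__ == "__main__":
    affected = hosts_contacting_suspects(DNS_LOG)
    for host in sorted(affected):
        print(host, sorted(affected[host]),
              sorted(responsible_processes(CONNECTIONS, host)))
    print("shared indicator:", common_indicators(CONNECTIONS, sorted(affected)))
```

The shared file name and hash are what would feed a new detection rule; the differing user-profile paths show why matching on full path alone would miss the second host.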

PROACTIVE THREAT-HUNTING BENEFITS

Threat hunting does consume considerable resources, most notably analyst time. Each project should demonstrate SMART (Specific, Measurable, Achievable, Realistic, Timely) objectives, and be accompanied by a review process to show how those objectives were or were not met. Threat hunting operations will need to demonstrate value if they are to be approved by budget managers. Assuming threat hunting operations do produce valuable results, compared to the purely reactive model of only investigating alerts, proactive threat hunting can provide many benefits:

  • Improving detection capabilities—Threat hunting gives analysts the chance to practice skills in a less-pressured environment than does incident response. There is the opportunity to acquire experience with techniques and tools, and to enhance tool use with customizations and additional scripting. The results from threat hunting can be used to improve signature-based detection engines and identify new sources for logging or other security information.
  • Integrated intelligence—Threat hunting is a prime use case for correlating external threat intelligence with the security intelligence drawn from internal logs and other sources. A threat hunting project can help to demonstrate how effectively these sources can be utilized to provide actionable intelligence.
  • Reducing the attack surface area and blocking attack vectors—If threat hunting identifies attack vectors that had not been previously suspected, or security controls that are failing to protect a port or interface, there is the opportunity to redesign systems to block that vector from future exploitation, thus reducing the attack surface.
  • Bundling critical assets—Identifying attacker motivations and strategies can clarify defensive options for critical systems and data assets. If threat hunting shows that these assets have been put at risk, additional layers of security controls can be implemented around asset bundles to improve monitoring and prevention capabilities.

OPEN-SOURCE INTELLIGENCE

You can begin assessing threats to the organization by focusing on stages in the kill chain. Reconnaissance is often the precursor to more direct attacks. Understanding reconnaissance techniques and applying them to your own company and networks will reveal how much useful information you’re unintentionally providing to malicious actors. You can also use reconnaissance as a tool for counterintelligence, to build up profiles of potential or actual adversaries.

Most companies and the individuals that work for them publish a huge amount of information about themselves on the Web and on social media sites. Some of this information is published intentionally; quite a lot is released unintentionally or can be exploited in ways that the company or individual could not foresee. An attacker can “cyberstalk” his or her victims to discover information about them via Google Search or by using other web or social media tools. Publicly available information and the tools for aggregating and searching it are referred to as open-source intelligence (OSINT).

** If an attacker is already thinking about covering their tracks, they will not use an account that can be linked back to them to perform this type of reconnaissance. This might mean the use of a public workstation, an anonymized proxy or VPN, or a compromised host. Another approach is to use false credentials to set up a temporary web server instance. There are “bulletproof” hosting providers and ISPs that specialize in providing “no questions asked, anonymity guaranteed” services. **

OSINT can allow an attacker to develop any number of strategies for compromising a target. Locating an employee on a dating site might expose opportunities for blackmail or entrapment; finding an employee looking for a second-hand laptop or mobile device on an auction site might allow an attacker to get a compromised device into the employee’s home or workplace. Knowing the target’s routine or present location might facilitate break-in or theft, or create an opportunity for some sort of social engineering.

Some sources of OSINT include:

  • Publicly available information—An attacker can harvest information from public repositories and web searches. Available information includes categories such as the IP addresses of an organization’s DNS servers; the range of addresses assigned to the organization; names, email addresses, and phone numbers of contacts within the organization; and the organization’s physical address. This data is publicly available through Whois records, Securities and Exchange Commission (SEC) filings, telephone directories, and more.
  • Social media—Attackers can use social media sites like Facebook and LinkedIn to mine for an organization’s information. Depending on how much an organization or an organization’s employees choose to share publicly, an attacker may find posts or user profiles that give away sensitive information or simply act as another vector or target for the attacker to take advantage of.
  • HTML code—The HTML code of an organization’s web page can provide information, such as IP addresses and names of web servers, operating system versions, file paths, and names of developers or administrators. The layout and organization of the code can reveal development practices, capabilities, and level of security awareness.
  • Metadata—Attackers can run metadata scans on publicly available documents using a tool like Fingerprinting Organizations with Collected Archives (FOCA). For example, Microsoft Office documents posted on the Internet may not directly divulge sensitive information about an organization, but an attacker could glean useful information from its metadata, including the names of authors or anyone that made a change to the document. By using search engines, FOCA (https://github.com/ElevenPaths/FOCA) can cross-reference files with other domains to find and extract metadata.
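A pre-publication check for the metadata exposure described above, as an added example (not FOCA's code and not from the original notes): it lists the author-identifying properties stored in an Office Open XML file and writes a copy with them blanked. The sample document, the names in it and the helper functions are constructed for illustration.

```python
"""Added example: audit and blank author metadata in an Office Open XML file."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Package parts and the identifying fields to audit in each.
FIELDS = {
    "docProps/core.xml": [("creator", "dc:creator"),
                          ("lastModifiedBy", "cp:lastModifiedBy")],
    "docProps/app.xml": [("company", "ep:Company"),
                         ("application", "ep:Application")],
}


def build_sample_docx(creator, editor, company):
    """Constructed, minimal .docx-like package so the example runs offline."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f"<dc:creator>{escape(creator)}</dc:creator>"
            f"<cp:lastModifiedBy>{escape(editor)}</cp:lastModifiedBy>"
            "</cp:coreProperties>")
    app = (f'<Properties xmlns="{NS["ep"]}">'
           "<Application>Microsoft Office Word</Application>"
           f"<Company>{escape(company)}</Company></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document>body text</document>")
    return buf.getvalue()


def extract_metadata(data):
    """Return the non-empty audited fields found in the package.

    Intended for your own files: ElementTree is not hardened against
    hostile XML, so use a hardened parser for untrusted documents.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        present = set(z.namelist())
        for part, fields in FIELDS.items():
            if part not in present:
                continue
            root = ET.fromstring(z.read(part))
            for label, path in fields:
                el = root.find(path, NS)
                if el is not None and el.text and el.text.strip():
                    found[label] = el.text.strip()
    return found


def scrub_metadata(data):
    """Return a copy of the package with the audited fields blanked."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            payload = src.read(info.filename)
            if info.filename in FIELDS:
                root = ET.fromstring(payload)
                for _, path in FIELDS[info.filename]:
                    el = root.find(path, NS)
                    if el is not None:
                        el.text = ""
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, payload)  # other parts copied unchanged
    return out.getvalue()


def read_part(data, name):
    """Read one part of the package (used to confirm the body is untouched)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)


if __name__ == "__main__":
    sample = build_sample_docx("Amy Pond", "raj.k", "Widget & Sons")
    print("before:", extract_metadata(sample))
    print("after: ", extract_metadata(scrub_metadata(sample)))
```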

GOOGLE HACKING AND SEARCH TOOLS

To perform “Google hacking” (meaning hacking information via Google Search rather than trying to hack Google’s servers) you will need to be familiar with the search engine’s advanced syntax, though you can also build queries using the advanced search page (google.com/advanced_search). Some of the most important operators are as follows:

  • Quotes—Use double quotes to specify an exact phrase and make a search more precise.
  • NOT—Use the minus sign in front of a word or quoted phrase to exclude results that contain that string.
  • AND/OR—Search strings use a logical OR between terms automatically. You can use the keyword AND to force results to contain both strings. You must type the operator in caps, or you can use the pipe (|) character for OR. You may also want to use the AND and OR keywords, but with parentheses. For example, compare:
    • user account password AND database
    • (user OR account) AND password AND database
  • Scope—A multitude of keywords can be used to target the search. Examples include site: (within a domain or TLD), filetype:, related: (return results from sites that Google identifies as similar to the one specified), and allintitle: / allinurl: / allinanchor: (match terms in a specific part of the page).
  • URL modifiers—You can add these to the results page URL to affect the results returned. Some examples include &pws=0 (do not personalize), &filter=0 (do not filter), and &tbs=li:1 (do not autocorrect search terms).

Google Hacking Database (GHDB)

As well as researching people, Google hacking can also be performed to identify vulnerable web servers and web applications or to obtain information from a web server that may not have been intended for publication. The Google Hacking Database (GHDB) maintained by Offensive Security (exploit-db.com/google-hacking-database) contains a list of search strings to locate such “Google Dorks” who are running vulnerable web application versions, have made files containing passwords available, or left a webcam publicly accessible. You can use this database to learn the search operators that return fruitful results.

Shodan

Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type and version, plus vendor and ID information. It also gathers metadata, such as IP address, host name, and geographic location. As well as being a popular hacking tool for finding vulnerable Internet of Things (IoT) and industrial control system (ICS) devices, you can also use enterprise features of the site to monitor your own devices and networks.

Criminal IP

Criminal IP protects IT assets and businesses by analyzing all years of cyber threats and predicting exploits. Criminal IP provides real-time intelligence to enhance cybersecurity competencies in all aspects.

https://alternativeto.net/software/criminal-ip/about/


EMAIL AND SOCIAL MEDIA PROFILING TECHNIQUES

The general purpose of email harvesting is to identify who works at a company. Most companies use real names for email addresses. This makes it possible for the attacker to identify social media or personal web accounts operated by an employee and from there try to identify an exploit. An attacker will also want to try to match email addresses to job roles. In many circumstances a company may just publish information about senior staff and their job roles on its website or in promotional material such as a shares prospectus or the information filed with regulatory authorities, such as the SEC’s Edgar database (sec.gov/edgar/searchedgar/companysearch.html).

There are many methods of email harvesting:

  • Trading lists from spammers or obtaining legitimate sales lead databases.
  • Use a Google search against *@target.foo or use an automated scraper tool that scans pages and social media for email addresses.
  • Test the email system for bounce backs against a dictionary of potentially valid addresses. Note that this is likely to alert the organization if they are running any sort of intrusion detection.

** theHarvester (tools.kali.org/information-gathering/theharvester) is a command-line tool for gathering subdomain information and email addresses included with the Kali pen testing Linux distribution. **

Once an attacker obtains a list of names of people that work at a company, they can set about using social media to build up a profile of each employee to determine whether there are any vulnerabilities to social engineering attempts. To obtain private information an attacker would need to become a contact or hack the account of one of the target’s existing contacts. Your online privacy may only be as good as your friends’ passwords.

** Remember that an indirect approach may also be fruitful. Rather than investigate a company directly, the attacker may identify a supplier or customer with weaker security controls and use them as a means of obtaining access to the target. **

Even without private access, an unwary user might have made a large amount of information about themselves publicly available, especially on a business networking site such as LinkedIn. Social media analytics and OSINT software (such as pipl.com, peekyou.com, or echosec.net) can aggregate and process the metadata from multiple sites to build up surprisingly detailed pictures of users’ interests and even their habits and geographic location at a particular point in time.


DNS AND WEBSITE HARVESTING TECHNIQUES

An attacker might be able to obtain useful information by examining a company’s domain registration records by running a whois lookup against the appropriate Registry.

An attacker may also test a network to find out if the DNS service is misconfigured. A misconfigured DNS may allow a zone transfer, which will give the attacker the complete records of every host in the domain, revealing a huge amount of information about the way the network is configured. You can use the nslookup command in interactive mode to attempt a zone transfer:

nslookup
set type=any
ls -d comptia.org

You can also use the dig command from a UNIX or Linux machine:

dig axfr @NameServer Target

A zone transfer is often called an “axfr” after this switch sequence. For example, the following command queries the name server ns1.isp.foo for the zone records for the widget.foo domain:

dig axfr @ns1.isp.foo widget.foo

If DNS harvesting is successful, you will obtain IP addresses for servers in the target domain. You can use a geolocation tool to identify the approximate geographic location of the servers.

** The netcraft.com site also contains a useful domain analysis tool. **

A website ripper (or copier) is a tool that caches the code behind a website. A tool such as httrack (httrack.com) recurses through each directory of the local site and can follow links to third-party sites to a specified depth. Analyzing the ripped site might reveal vulnerabilities in the code or the web application used to deliver the content. There might be old or forgotten orphaned pages with useful information. Website ripping is also a means of harvesting email addresses.


Front of Flashcard 1 of 3

Your organization is planning to transition from using local clients to provisioning desktop instances via cloud-based infrastructure. Your CISO has asked you to outline a threat modeling project to support selection and development of security controls to mitigate risks with this new service. What five methodologies should your outline contain?

Back of Flashcard 1 of 3

Adversary capability analysis, total attack surface analysis, attack vector analysis, impact analysis, and likelihood analysis.


Front of Flashcard 2 of 3

Following a serious data breach affecting a supplier company, your CEO wants assurance that your company is not exposed to the same risk. The supplier is willing to share threat data gathered about the breach with you. You advise a threat hunting program as the most appropriate tool to use. What should be the first step in this process?

Back of Flashcard 2 of 3

Establish a hypothesis. You already have the basic scenario of the data breach at the supplier company. This will require documenting and expanding on. You can then move on to profiling threat actors and activities and developing threat hunting tactics to query indicators from your own systems.


Front of Flashcard 3 of 3

As part of your threat hunting proposal, you need to identify benefits of the program. You have listed opportunities to close attack vectors, reduce the attack surface, and bundle critical assets within additional layers of security controls. What other benefit or benefits does threat hunting offer?

Back of Flashcard 3 of 3

Firstly, threat hunting develops integrated intelligence capabilities, where you correlate cyber threat intelligence (CTI) with locally observed indicators. Secondly, the queries, filters, and tactics used can be redeployed to improve detection capabilities in conventional monitoring systems.

