Threat Hunting, IRL

While I worked for one company, I did a lot of public speaking on the value of threat hunting. During these events, I met a lot of folks who were interested to learn what “threat hunting” was, and how it could be of value to them.

I live in a very rural area, on just shy of 19 acres. One neighbor has 15 acres up front and another 20 in the back, and he adjoins a large property with just a trailer. My neighbor on the other side has 19 acres of…just 19 acres. We have animals, as well as more than a few visitors, which makes for a great analogy for threat hunting.

Within the borders of my property, we have three horses and a mini-donkey, and we have different paddocks and fields for them. We can restrict them to certain areas, or allow them to roam freely. We do this at different times of the year, depending upon weather, availability of hay, etc. For example, in the spring, when the grass is coming in really well, we don’t want the horses on it too soon or for too long, because they can colic (which is a bad thing). And we may want to cut the grass (do maintenance), so we’ll restrict the horses from that area.

I understand the normal comings and goings of the horses, because I have full visibility. I can not only see most of the areas (albeit not all) from the house, but I get out and walk around the property. I am familiar with the normal habits of the horses, and understand how they respond to various “events”. I also know when something is amiss, simply by watching the horses. This is my “infrastructure”.

Like most horse owners, we provide them with salt and mineral licks, in the form of 40 lb blocks. We make this available to them year-round, replacing blocks as they get diminished. Even so, we’ve also noticed that the horses will scratch at certain spots on the ground, and then spend a good bit of time happily licking the ground. Knowing this, we try to keep up on “pasture maintenance”; we pick up the poop, or drag the field, so that the horses don’t get worms. We also know what the spots look like, and that they’re different from where the horses like to roll. Where they scrape and lick, the ground is bare, and there are usually rounded marks where their hoof initially contacts the ground, before they drag it across the ground to break up the earth. Where they roll, there is usually still some semblance of grass left, and there’s also hair left. In addition, the marks from their hooves, where the horses circle before lying down and then when they get back up, are different from where they scrape the ground. All in all, this is normal, expected “user behavior”.

Walking the dog around the property this year, I noticed something I haven’t seen before…there are bare spots on the trails where the leaves and grass have been scraped away and the ground exposed. This seems very similar to what I’ve seen the horses do, however, there are differences. First, these spots are in areas that the horses do not usually frequent unless we’re riding them. Second, instead of rounded hoof marks, there are distinct two-toed marks in the ground. Third, these exposed areas are usually much smaller than what I’ve seen associated with the horses. From what I’ve observed, these are deer doing the same thing as the horses, and if the only IOC someone shared with me was “bare spot on the ground”, I would assume that it was most likely from the horses (i.e., normal user activity). However, if I look beyond the IOC, and look at the specifics of the activity (i.e., TTPs), I’d then be able to clearly differentiate between “normal user activity” and “potentially unwanted/malicious activity”. 

My neighbors recently shared “threat intel”…they’d seen a bear on their property. Now, they’d done more than just state, “hey, we saw a bear!” That’s right…they did more than just share an IOC. In fact, they took a picture, indicated the time of day, and the picture gave an indication of where the bear was located on their property. So we had other things to consider than just “a bear”…size, color, type, direction of movement, etc. As a result, I’m now on the lookout for these TTPs, as well as others known to be associated with this particular threat; scat, claw marks on trees, etc. We have persimmon trees in the area, and while I have seen scat from various animals that contains persimmon seeds, I have yet to see bear scat. But I am aware of the “threat”, and looking for clear indications of that threat.

My neighbors did more than just share an IOC, they shared clear TTPs, and enough of it such that I could search for indications of that threat within my infrastructure.

We’ve lived on this property for more than 4 1/2 yrs, and it’s only been in the past year that I’ve found two turkey eggs. In both cases, they’ve been broken, and based on the condition of the eggs, I can’t tell if the chick hatched, or if the egg was a meal for a raccoon. Regardless, it does tell me that there are very likely turkeys in the area. While we are knowledgeable and understand the nature of turkeys and the “risk” they bring to the “infrastructure”, the horses have a completely different view. To the horses, a turkey scurrying through the underbrush may as well be a velociraptor released from its cage, right out of Jurassic Park. While sitting in my office, a turkey is not a threat to me; however, while I am on horseback, a turkey could be a “threat”, in that spooking the horse I am riding might have a severely negative impact on my day. I have another threat that I’m aware of, and because I have detailed visibility of my environment, and because I understand the nature of the threat, I understand the risk.

For me, it’s interesting to take a step back and look at how my IRL life parallels my work life. Or, maybe my IRL life is being viewed through the lens of my work life. Either way, I thought that there were some interesting parallels.

Article Link: Windows Incident Response: Threat Hunting, IRL