Article
Peer-Review Record

BTH: Behavior-Based Structured Threat Hunting Framework to Analyze and Detect Advanced Adversaries

Electronics 2022, 11(19), 2992; https://doi.org/10.3390/electronics11192992
by Akashdeep Bhardwaj 1, Keshav Kaushik 1, Abdullah Alomari 2, Amjad Alsirhani 3,4, Mohammed Mujib Alshahrani 5 and Salil Bharany 6,*
Submission received: 18 August 2022 / Revised: 8 September 2022 / Accepted: 19 September 2022 / Published: 21 September 2022
(This article belongs to the Special Issue Intelligent Data Sensing, Processing, Mining, and Communication)

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors:  

In this paper, the author has mainly focused on a unique threat hunting framework to improve Cyber threat detection using Behavior-based methodology. This research focuses on the behavior and habits of attackers that can provide better and long-lasting results when matching adversarial profiles instead of using just IoCs.

However, I have some suggestions as follows:

1.      Why is the proposed method adequate? This needs to be improved with more clarity!

2.      Most of the content of this paper is borrowed from the following paper which should be minimized:

"Hunting Cyber Threats in the Enterprise Using Network Defense Log", 2021 9th
International Conference on Information and Communication Technology (ICoICT), 202.

3.      The author’s technical contribution in this work is not so deep; it’s only a case study of the previous work! The technical contribution should be more significant to be considered for such a prestigious journal like Electronics.

4.      The similarity index is 29% which is high for a reputed journal like Electronics! It should be below 15%. Correct it.

5.      No significant comparison has been done with existing works. The author should add another section to show their improvement/advantage over the existing works accordingly.

6.      The quality of the screenshots is not up to the mark! They need to be improved.

7.      The formatting/organization of the tables needs to be updated.

Comments for author File: Comments.pdf

Author Response

Reviewer 1 Comments

Authors' response

In this paper, the author has mainly focused on a unique threat hunting framework to improve Cyber threat detection using Behavior-based methodology. This research focuses on the behavior and habits of attackers that can provide better and long-lasting results when matching adversarial profiles instead of using just IoCs.

Author Response: Dear Reviewer, thank you for your positive response and we really appreciate your guidance and support for our research.

Changes performed: We accept your suggestions for changes and anticipate these will help enhance our paper a lot. 

1.      Why is the proposed method adequate? This needs to be improved with more clarity!

Author Response: Dear Reviewer, thank you for raising the query on the proposed method for threat hunting.

Changes performed: Rather than depending solely on automated systems like SIEMs, threat hunting involves manual or machine-assisted techniques. Although alerting is critical, it cannot be the sole priority of a detection tool. Threat hunting augments automated detection with innovative manual and machine learning techniques that aid in identifying malicious and anomalous behaviors. These are translated into valuable information for the detection and investigation of attacks. Different threat hunting models are adopted as follows:

·       Intel-driven [6] reports and feeds ingested on emerging threat vectors, malware, or vulnerabilities. These are often tailored to validate compromise type of efforts based on targeted knowledge that is similar in the environment. This helps identify gaps.

·       Situational Awareness [7] is useful if the cyber-defense analyst has a deep understanding knowledge of internal risks and critical assets and has spent a long time in the organization. This can be gained if the teams are in the same environment long enough. These are often tailored to scenarios hypothesized around controls and processes that adversaries would exploit and utilize if they entered into the environment.

·       Analytics-driven [8] visualizes telemetry in the environment, baselining the environment by knowing what is normal and what an anomaly is. These are tailored to abnormal human behavior changes and rabbit hole tracing.

·       Hybrid [9] is the most mature level and this is a blend of all the above.

2.      The author’s technical contribution in this work is not so deep; it’s only a case study of the previous work! The technical contribution should be more significant to be considered for such a prestigious journal like Electronics.

Author Response: Dear Reviewer, we thank you for pointing out the technical contribution level.

Changes performed: The research setup involves hardware with a 4-core CPU, 8 GB memory, and a 50 GB disk running the 64-bit Ubuntu operating system. The software tools involved an Elastic instance and Kibana services managed by Docker and accessed over web browsers. After the hardware and software components were implemented to run the Elastic instance, threat logs were ingested using Python code. The logs are initially verified in the Kibana instance for different date and time ranges. The hunting platform uses the MITRE ATT&CK framework to analyze the hunts in this research. The focus of this threat hunting research is to find IoCs based on behavior, using the Elastic instance to search top-down for malicious documents sent to recipients as attachments in the form of macro-enabled Microsoft Excel documents (.xlsm) embedded with VB script that pulls and downloads payloads and executes them, which indicates a phishing attack. Apart from the above, Figures 3-15 illustrate the deep level of research work performed.

3.      The similarity index is 29% which is high for a reputed journal like Electronics! It should be below 15%. Correct it.

Author Response: Dear Reviewer, we used Turnitin and the plagiarism report is under 15%.

Changes performed: Still, we have removed any matching sentence or multiple words from the content. A few words might be similar, which we cannot remove. We also found that if the references are included in the plagiarism check, then the overall percentage is 29%. Kindly do not include the references; these are cited from MDPI, IEEE and other well-known journals as they have suggested.

4.      No significant comparison has been done with existing works. The author should add another section to show their improvement/advantage over the existing works accordingly.

Author Response: Dear Reviewer, thank you for your suggestions, sir.

Changes performed: Table 2 presents the comparison of the references from the literature survey for their research features.

5.      The quality of the screenshots is not up to the mark! They need to be improved.

Author Response: Dear Reviewer, we have ensured the figures are enhanced.

Changes performed: Figures have been enhanced as suggested; the few figures which seemed blurred are from the tool directly, and those have been enhanced as well. For example:

Figure 17: Email Log Review

Figure 19: Hunt Artifacts Uncovered

6.       Formatting/Organization of the tables need to update.

Author Response: Dear Reviewer, we have ensured all tables are updated as suggested.

Changes performed: Tables 1-6 have been enhanced as suggested in the research paper.
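The hunt described in the response to comment 2 (macro-enabled Excel attachments that fetch a payload, indicating phishing) can be expressed as a small behavior-based check over ingested email logs. The following Python script is an added example, not code from the paper or its authors; the JSON log lines, field names (`id`, `from`, `to`, `attachments`) and the campaign threshold are constructed for illustration. It flags on attachment type and then on sender behavior (one sender seeding the same macro attachment to several recipients) rather than on a fixed indicator, which is the distinction the authors draw between IoC matching and behavior-based hunting.

```python
import json
from collections import defaultdict
from os.path import splitext

# Constructed sample of email-gateway log lines (JSON lines); not data from the paper.
SAMPLE_LOG = """
{"id": "msg-001", "from": "alice@partner.example", "to": "bob@corp.example", "attachments": ["report.xlsx"]}
{"id": "msg-002", "from": "invoices@mail.example", "to": "bob@corp.example", "attachments": ["invoice_Q3.xlsm"]}
{"id": "msg-003", "from": "invoices@mail.example", "to": "carol@corp.example", "attachments": ["invoice_Q3.xlsm"]}
{"id": "msg-004", "from": "invoices@mail.example", "to": "dave@corp.example", "attachments": ["invoice_Q3.xlsm"]}
{"id": "msg-005", "from": "hr@corp.example", "to": "all@corp.example", "attachments": ["policy.pdf"]}
"""

# Macro-enabled Office extensions; the paper's hunt looks for .xlsm specifically.
MACRO_EXTENSIONS = {".xlsm", ".xlam", ".docm", ".dotm", ".pptm"}
# Assumed threshold: distinct recipients of the same macro attachment from one sender.
CAMPAIGN_THRESHOLD = 3


def parse_email_log(text):
    """Parse a JSON-lines email log into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def macro_attachments(record):
    """Return the attachment names in one record that carry a macro-enabled extension."""
    return [name for name in record.get("attachments", [])
            if splitext(name.lower())[1] in MACRO_EXTENSIONS]


def hunt_macro_attachments(records):
    """Behavior-based hunt over parsed email records.

    Step 1 flags every message with a macro-enabled attachment.
    Step 2 groups flagged messages by (sender, attachment name) so that one
    sender pushing the same macro document to many recipients surfaces as a
    possible phishing campaign even when no IoC for the file is known.
    """
    flagged = []
    seen = defaultdict(set)  # (sender, attachment) -> set of recipients
    for rec in records:
        hits = macro_attachments(rec)
        if not hits:
            continue
        flagged.append({"id": rec["id"], "from": rec["from"], "attachments": hits})
        for name in hits:
            seen[(rec["from"], name)].add(rec["to"])
    campaigns = [
        {"from": sender, "attachment": name, "recipients": sorted(rcpts)}
        for (sender, name), rcpts in seen.items()
        if len(rcpts) >= CAMPAIGN_THRESHOLD
    ]
    return {"messages": flagged, "campaigns": campaigns}


if __name__ == "__main__":
    result = hunt_macro_attachments(parse_email_log(SAMPLE_LOG))
    for m in result["messages"]:
        print("macro attachment:", m["id"], m["from"], m["attachments"])
    for c in result["campaigns"]:
        print("possible campaign:", c["from"], c["attachment"],
              "->", len(c["recipients"]), "recipients")
```

On the constructed log, three messages are flagged and the repeated `invoice_Q3.xlsm` from one external sender to three internal recipients is reported as a campaign; the same grouping logic applies unchanged to records exported from an Elastic index, since only the four field names are assumed.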

Reviewer 2 Report

The manuscript must improve. 

Refer to my comments attached

Comments for author File: Comments.pdf

Author Response

Reviewer 2 Comments

Authors' response

The paper proposes a behavior-based structured threat hunting framework to analyze and detect advanced adversaries by focusing on the behavior and habits of attackers, which can provide better and long-lasting results when matching adversarial profiles instead of using just Indicators of Compromise (IoCs). The topic is relevant for cybersecurity research in the context of understanding adversarial tactics using threat hunting framework research directions. Further, the manuscript used literature surveys to highlight how the framework assists in delivering rapid, consistent remediation against emerging threats and malware on systems and networks.

Author Response: Dear Reviewer, thank you for your positive response and we really appreciate your guidance and support for our research.

Changes performed: We accept your suggestions for changes and anticipate these will help enhance our research paper. 

#1: Introduction

Too general. Authors should include a section that discusses a few recent cyberattacks and how their behaviours indicate that there is a compromise from a threat hunting perspective. About 5 to 6 cyberattack papers will suffice to show in-depth knowledge of cyberattack or APT concepts and of structured and unstructured threat hunting.

#4: Behaviour-Based Threat Hunting. The concepts are not clear and not well structured, and the implementation process is not well documented.

Author Response: Dear Reviewer, thank you for pointing out the anomaly.

Changes performed: We accept your suggestion for changes and have added definitions by two different security organizations that are working on Threat Hunting, as follows. Creating adversarial profiles and activities requires good intelligence reports for mitigating and defending security strategies. Indicators of Compromise (IoCs) [1] are data suggesting that a cyber-attack may have compromised a computer; they should exist in the report but start to depreciate from the time of the report or the compromise. As per IBM, Threat hunting is a proactive approach to identifying non-remediated and unknown threats inside an organisation. CrowdStrike defines Threat hunting as the process of proactively searching for cyber threats hiding undetected inside enterprise networks.

#5: Results

• Where is the Proposed Threat Hunting Framework as mentioned in the title?

• Where is the analysis in the results?

• Authors should improve on the manuscript and use a Matrix to discuss the analysis

Author Response: Dear Reviewer, thank you for your response queries, we really appreciate your guidance and support for our research. Section IV describes the proposed framework aptly named ‘Behavior-based Threat Hunting’.

Changes performed: Command & Control (C&C) server [28] using HTTP and ICMP protocols. On using standard security processes for identifying and analyzing the breach, no IoCs seem to match. This motivated the researchers to design and implement a behavior-based Threat hunting framework named BTH. The setup is configured to report Threat Hunting based on adversarial activity profiles to defend and build security strategies. IoCs in the threat intelligence reports start to depreciate from the time of the report or the compromise. Consistent threat intelligence differs from report to report, so adversarial behavior related to their standard operating procedures, skillset, and habits is focused on in this research.

The manuscript needs improving. It is very difficult to read and understand in its current state.

Author Response: Dear Reviewer, thank you for pointing out and helping us improve the research.

Changes performed: We accept your suggestion for changes and have used a professional service to help enhance the research from an English grammar and spelling perspective. Thank you for pointing this out; our research paper looks much better now.

Round 2

Reviewer 1 Report

Thank you for addressing all the comments.
