Modern cyber adversaries exploit multiple attack vectors, often blending web and network tactics to bypass traditional security controls.
Proactive threat hunting across both web and network layers is essential for organizations aiming to detect and neutralize such threats before they escalate.
This article explores advanced methodologies, technical examples, and practical frameworks for effective multi-layer threat hunting.
Modern Threat Hunting Methodologies
Threat hunting is a proactive security process that assumes adversaries may already be present in the environment.
Instead of waiting for automated alerts, hunters actively search for subtle indicators of compromise across different technology layers.
Hypothesis-Driven Hunting
Hypothesis-driven hunting begins with an informed assumption about how an attacker might operate. For example:
- Hypothesis: Attackers may exploit web APIs to exfiltrate sensitive data.
- Action: Analysts examine web server logs for abnormal API requests, such as a spike in POST or PUT requests with unusually large payloads, or requests to rarely used endpoints.
- Cross-Layer Correlation: The hunter inspects network logs for corresponding outbound data spikes to unfamiliar IP addresses or geographic regions, indicating possible data exfiltration.
IoC and Behavioral Analytics
Combining indicators of compromise (IoCs) and behavioral analytics helps uncover both known and unknown threats.
- Example: DNS tunneling is a common method for covert data exfiltration. Hunters analyze DNS logs for:
  - Domains with high entropy (random-looking subdomains like a9d8f7g6.example.com)
  - Unusual query frequency or volume from a single host
  - Consistent failed DNS responses (NXDOMAIN), which may indicate a domain generation algorithm (DGA) in use
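The three DNS heuristics above, applied to a small resolver log, as an added example (this is not code from the article; the log lines, client addresses and thresholds are constructed for illustration and should be re-tuned against a baseline of your own traffic):

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS resolver log (not from any real environment).
# Fields: time, client IP, queried name, response code.
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.5 mail.example.com NOERROR
10:00:03 10.0.0.9 a9d8f7g6.example.com NOERROR
10:00:03 10.0.0.9 q2w9e8r7t6y5.example.com NOERROR
10:00:04 10.0.0.9 zx7c6v5b4n3m.example.com NOERROR
10:00:04 10.0.0.9 p0o9i8u7y6t5.example.com NOERROR
10:00:05 10.0.0.9 l3k2j1h0g9f8.example.com NOERROR
10:00:06 10.0.0.7 kqzvbx.net NXDOMAIN
10:00:06 10.0.0.7 wplmrt.net NXDOMAIN
10:00:07 10.0.0.7 xcvbnm.net NXDOMAIN
10:00:07 10.0.0.7 ghjkla.net NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def parse_dns_log(text):
    """Parse the four-column log into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            records.append({"ts": ts, "client": client,
                            "qname": qname.lower(), "rcode": rcode.upper()})
    return records


def hunt_dns(records, entropy_threshold=2.9, volume_threshold=4,
             nxdomain_ratio=0.75, min_nxdomain=3):
    """Apply the three DNS tunneling / DGA heuristics per client.

    Thresholds are illustrative (assumed values), not recommendations.
    Returns {client_ip: sorted list of flags}.
    """
    per_client = defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r)

    findings = {}
    for client, recs in per_client.items():
        flags = []
        # 1. Random-looking leftmost labels (high entropy)
        if any(shannon_entropy(r["qname"].split(".")[0]) >= entropy_threshold for r in recs):
            flags.append("high_entropy_subdomains")
        # 2. Unusual query volume from a single host
        if len(recs) >= volume_threshold:
            flags.append("high_query_volume")
        # 3. Run of failed resolutions, a common DGA symptom
        nx = sum(1 for r in recs if r["rcode"] == "NXDOMAIN")
        if nx >= min_nxdomain and nx / len(recs) >= nxdomain_ratio:
            flags.append("nxdomain_burst")
        if flags:
            findings[client] = sorted(flags)
    return findings


def run_hunt():
    return hunt_dns(parse_dns_log(SAMPLE_DNS_LOG))


if __name__ == "__main__":
    for client, flags in run_hunt().items():
        print(client, ", ".join(flags))
```

Entropy alone is a weak signal (a 6-character random label scores below a threshold that an 8-character one clears), which is why the volume and NXDOMAIN checks are evaluated alongside it rather than instead of it.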
Technical Examples in Web and Network Threat Hunting
Example 1: Detecting Malicious Web Shells
Scenario: An attacker uploads a web shell to a public-facing server.
- Web Layer: The hunter reviews HTTP logs for unusual requests, such as:
  - Access to rarely used file extensions (.php, .asp, .jsp) in upload directories
  - POST requests to files that typically only receive GET requests
  - Requests with suspicious user agents (e.g., curl/7.68.0 or custom scripts)
- Network Layer: The hunter inspects outbound traffic from the web server. If the server starts making connections to IP addresses in regions where the organization has no business, this may indicate command-and-control (C2) communication.
- Outcome: By correlating these findings, the hunter uncovers a web shell used for lateral movement and data exfiltration.
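The web-layer checks from the API exfiltration hypothesis (large or unusual write requests to rarely used endpoints) and from the web shell scenario above (script files in upload directories, tooling user agents), run over one small access log as an added example. This is not the article's code; the log lines, client addresses, path prefixes, user-agent list and byte threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (not from any real server). Fields:
# time, client IP, method, path, status, request body bytes, "user-agent".
SAMPLE_ACCESS_LOG = """\
10:01:00 198.51.100.10 GET /index.html 200 0 "Mozilla/5.0"
10:01:05 198.51.100.11 GET /api/v1/users 200 0 "Mozilla/5.0"
10:01:09 198.51.100.12 GET /api/v1/users 200 0 "Mozilla/5.0"
10:01:12 198.51.100.13 POST /api/v1/users 201 512 "Mozilla/5.0"
10:01:20 203.0.113.5 PUT /api/v1/legacy-export 200 5242880 "Mozilla/5.0"
10:01:31 203.0.113.5 GET /uploads/photo.jpg 200 0 "Mozilla/5.0"
10:01:40 203.0.113.7 POST /uploads/cache.php 200 640 "curl/7.68.0"
10:01:45 203.0.113.7 POST /uploads/cache.php 200 710 "curl/7.68.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')
WRITE_METHODS = {"POST", "PUT", "PATCH"}
SCRIPT_EXTENSIONS = (".php", ".asp", ".aspx", ".jsp")
UPLOAD_PREFIXES = ("/uploads/",)          # assumed upload directory layout
# Non-browser tooling user agents; an illustrative list, not a complete one.
TOOL_UA_RE = re.compile(r"^(curl|wget|python-requests|go-http-client)/", re.I)


def parse_access_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, method, path, status, req_bytes, ua = m.groups()
            records.append({"ts": ts, "client": client, "method": method.upper(),
                            "path": path, "status": int(status),
                            "req_bytes": int(req_bytes), "ua": ua})
    return records


def hunt_web(records, large_write_bytes=1_048_576, rare_path_max_hits=1):
    """Return {client_ip: sorted flags} for clients matching any heuristic."""
    path_hits = Counter(r["path"] for r in records)
    findings = defaultdict(set)
    for r in records:
        flags = findings[r["client"]]
        is_write = r["method"] in WRITE_METHODS
        # Hypothesis: API abuse for exfiltration shows up as large writes or
        # writes to endpoints that almost nobody else uses.
        if is_write and r["req_bytes"] >= large_write_bytes:
            flags.add("large_write")
        if is_write and path_hits[r["path"]] <= rare_path_max_hits:
            flags.add("rare_endpoint")
        # Web shell indicators: a script file inside an upload directory,
        # and non-browser tooling driving the requests.
        if (r["path"].startswith(UPLOAD_PREFIXES)
                and r["path"].lower().endswith(SCRIPT_EXTENSIONS)):
            flags.add("script_in_upload_dir")
        if TOOL_UA_RE.match(r["ua"]):
            flags.add("suspicious_user_agent")
    return {c: sorted(f) for c, f in findings.items() if f}


def run_hunt():
    return hunt_web(parse_access_log(SAMPLE_ACCESS_LOG))


if __name__ == "__main__":
    for client, flags in run_hunt().items():
        print(client, ", ".join(flags))
```

The "rare endpoint" test counts hits within the same log window; in practice the baseline should come from a longer history so that a genuinely new but legitimate endpoint does not trip it on day one.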
Example 2: Lateral Movement via SMB
Scenario: Attackers use the SMB protocol to move laterally within the network.
- Network Layer: The hunter monitors for anomalous SMB traffic, such as:
  - Workstations accessing administrative shares on multiple servers in rapid succession
  - Unusual file access patterns (e.g., non-admin users accessing \\server\admin$)
- Endpoint Layer: Endpoint logs reveal that lsass.exe (a Windows process) is spawning network connections, which is atypical for standard operations.
- Outcome: The hunter discovers that a compromised user account is being used to propagate malware internally.
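The SMB fan-out and non-admin admin-share checks, the endpoint process watch-list, and the correlation of the two layers, as an added example (not the article's code). The session events, endpoint events, the admin account allow-list and the 60-second window are constructed assumptions; the watch-list contains lsass.exe because that is the article's hypothesis, not because the process never opens connections on its own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
# Constructed allow-list of accounts expected to touch administrative shares.
ADMIN_ACCOUNTS = {"it_admin", "svc_backup"}

# Constructed SMB session events: (time, source workstation, account, target server, share).
SAMPLE_SMB_EVENTS = [
    ("10:02:00", "WS-017", "jdoe", "FS-01", "Finance"),
    ("10:05:10", "WS-042", "it_admin", "FS-01", "ADMIN$"),
    ("10:05:12", "WS-042", "it_admin", "FS-02", "ADMIN$"),
    ("10:05:15", "WS-042", "it_admin", "FS-03", "ADMIN$"),
    ("10:05:18", "WS-042", "it_admin", "APP-01", "C$"),
    ("10:05:21", "WS-042", "it_admin", "APP-02", "C$"),
    ("10:09:00", "WS-017", "jdoe", "FS-02", "ADMIN$"),
    ("10:30:00", "WS-003", "svc_backup", "FS-01", "C$"),
    ("11:30:00", "WS-003", "svc_backup", "FS-02", "C$"),
]

# Constructed EDR network-connection events: (time, host, process, remote host, port).
SAMPLE_ENDPOINT_EVENTS = [
    ("10:02:00", "WS-017", "explorer.exe", "FS-01", 445),
    ("10:05:09", "WS-042", "lsass.exe", "FS-01", 445),
    ("10:05:11", "WS-042", "lsass.exe", "FS-02", 445),
]
# Processes the hunt treats as unexpected network initiators (the article's hypothesis).
UNEXPECTED_NETWORK_PROCESSES = {"lsass.exe"}


def _t(s):
    return datetime.strptime(s, "%H:%M:%S")


def hunt_smb(events, window_seconds=60, server_threshold=3):
    """Return a list of (source host, flag, detail) tuples."""
    findings = []
    admin_accesses = defaultdict(list)
    for ts, src, user, server, share in events:
        if share.upper() not in ADMIN_SHARES:
            continue
        if user not in ADMIN_ACCOUNTS:
            findings.append((src, "non_admin_to_admin_share",
                             f"{user} -> \\\\{server}\\{share}"))
        admin_accesses[src].append((_t(ts), server))

    # Sliding window: distinct servers reached from one source within the window.
    window = timedelta(seconds=window_seconds)
    for src, accesses in admin_accesses.items():
        accesses.sort()
        for i, (start, _) in enumerate(accesses):
            servers = {s for t, s in accesses[i:] if t - start <= window}
            if len(servers) >= server_threshold:
                findings.append((src, "rapid_admin_share_fanout", ",".join(sorted(servers))))
                break
    return findings


def hunt_endpoint(events):
    """Hosts where a watch-listed process opened a network connection."""
    return sorted({host for _, host, proc, _, _ in events
                   if proc.lower() in UNEXPECTED_NETWORK_PROCESSES})


def correlate(smb_findings, endpoint_hosts):
    """Hosts flagged on both layers: the strongest lateral-movement candidates."""
    fanout_hosts = {src for src, flag, _ in smb_findings if flag == "rapid_admin_share_fanout"}
    return sorted(fanout_hosts & set(endpoint_hosts))


def run_hunt():
    smb = hunt_smb(SAMPLE_SMB_EVENTS)
    edr = hunt_endpoint(SAMPLE_ENDPOINT_EVENTS)
    return smb, edr, correlate(smb, edr)


if __name__ == "__main__":
    smb, edr, both = run_hunt()
    print("SMB:", smb)
    print("Endpoint:", edr)
    print("Both layers:", both)
```

Note that the fan-out rule fires on an allow-listed admin account as well: rapid access to five servers from one workstation is the behaviour of interest regardless of whose credentials are used, which is how a compromised privileged account surfaces.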
Example 3: C2 Beaconing with Encrypted Traffic
Scenario: Malware establishes encrypted C2 channels using custom TLS handshakes.
- Network Layer: The hunter employs JA4 fingerprinting (analyzing cryptographic handshake patterns) to detect devices using rare TLS cipher suites or self-signed certificates.
  - For instance, multiple endpoints suddenly start using TLS_AES_256_GCM_SHA384 with certificates valid for only a few days.
- Web Layer: Proxy logs show these endpoints are making regular outbound HTTPS connections at precise intervals (e.g., every 10 minutes), a hallmark of beaconing.
- Outcome: The hunter identifies a cluster of endpoints infected with a Cobalt Strike beacon, using encrypted channels to communicate with a remote server.
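The interval-regularity check behind the beaconing observation above, plus the short-lived-certificate and constant-size corroboration, as an added example (not the article's code, and not a JA4 implementation). The proxy log, the certificate validity table, the destination names and the thresholds are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real traffic). Fields: ISO time, client, CONNECT, host:port, bytes sent.
SAMPLE_PROXY_LOG = """\
2024-01-10T10:00:00 10.0.0.21 CONNECT sync.cdn-example.net:443 812
2024-01-10T10:10:01 10.0.0.21 CONNECT sync.cdn-example.net:443 804
2024-01-10T10:20:00 10.0.0.21 CONNECT sync.cdn-example.net:443 809
2024-01-10T10:29:59 10.0.0.21 CONNECT sync.cdn-example.net:443 811
2024-01-10T10:40:00 10.0.0.21 CONNECT sync.cdn-example.net:443 806
2024-01-10T10:50:01 10.0.0.21 CONNECT sync.cdn-example.net:443 810
2024-01-10T10:00:12 10.0.0.33 CONNECT www.example.com:443 15320
2024-01-10T10:03:40 10.0.0.33 CONNECT www.example.com:443 2211
2024-01-10T10:21:05 10.0.0.33 CONNECT www.example.com:443 90412
2024-01-10T10:22:08 10.0.0.33 CONNECT www.example.com:443 4021
2024-01-10T10:47:51 10.0.0.33 CONNECT www.example.com:443 8812
2024-01-10T10:48:00 10.0.0.33 CONNECT www.example.com:443 1220
"""

# Constructed certificate metadata as a TLS sensor might record it: validity period in days.
SAMPLE_CERT_VALIDITY_DAYS = {"sync.cdn-example.net:443": 3, "www.example.com:443": 365}

LINE_RE = re.compile(r"^(\S+) (\S+) CONNECT (\S+) (\d+)$")


def parse_proxy_log(text):
    """Group connections by (client, destination) as [(time, bytes), ...]."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, dest, nbytes = m.groups()
            sessions[(client, dest)].append((datetime.fromisoformat(ts), int(nbytes)))
    return sessions


def coefficient_of_variation(values):
    """stdev / mean: near zero for a metronome, large for human browsing."""
    mean = statistics.mean(values)
    return statistics.stdev(values) / mean if mean else float("inf")


def hunt_beacons(sessions, cert_validity_days, min_connections=5,
                 max_cv=0.1, short_cert_days=7):
    """Return {(client, dest): summary} for pairs whose timing looks like a beacon."""
    findings = {}
    for key, events in sessions.items():
        if len(events) < min_connections:
            continue
        events.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        flags = []
        if coefficient_of_variation(intervals) <= max_cv:
            flags.append("regular_interval")
        if coefficient_of_variation(sizes) <= max_cv:
            flags.append("uniform_size")
        if cert_validity_days.get(key[1], 10**9) <= short_cert_days:
            flags.append("short_lived_cert")
        # Timing is the primary signal; size and certificate age corroborate it.
        if "regular_interval" in flags:
            findings[key] = {"mean_interval_s": round(statistics.mean(intervals), 1),
                             "interval_cv": round(coefficient_of_variation(intervals), 4),
                             "flags": sorted(flags)}
    return findings


def run_hunt():
    return hunt_beacons(parse_proxy_log(SAMPLE_PROXY_LOG), SAMPLE_CERT_VALIDITY_DAYS)


if __name__ == "__main__":
    for (client, dest), info in run_hunt().items():
        print(client, "->", dest, info)
```

Real beacons add jitter to their sleep interval, so the CV threshold should be set from observed implants rather than fixed at 0.1; legitimate software updaters and monitoring agents also poll on fixed schedules, which is why the destination, certificate and process context are needed before calling a pair malicious.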
Building an Integrated Threat Hunting Framework
Data Collection and Normalization
Effective threat hunting depends on comprehensive, normalized telemetry:
- Web Layer: Collect logs from web servers, proxies, web application firewalls, and API gateways.
- Network Layer: Leverage NetFlow data, packet captures, and advanced network sensors capable of decrypting SSL/TLS traffic for inspection.
- Endpoint Layer: Use endpoint detection and response (EDR) agents to monitor process activity, file changes, and registry modifications.
Automated and Human-Driven Analysis
Automation surfaces anomalies, while human analysts provide context and intuition.
- Automated Triage: Machine learning models flag DNS queries with high entropy or detect rare user agents in web logs.
- Human Investigation: Analysts pivot between layers, starting with a suspicious web request, tracing it to network activity, and then to endpoint behavior.
- Case Study: A financial firm detects OAuth token abuse in web logs, correlates it with beaconing traffic to a known malicious network, and confirms memory-resident malware via endpoint telemetry.
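The normalization step from the Data Collection section and the layer-to-layer pivot described under Human Investigation, as an added example (not the article's code). The three raw record shapes, the field names, the addresses and the known-bad list are constructed; only the common schema and the time-window join are the technique being shown.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed raw records in three product-specific shapes (not real vendor output).
RAW_WEB = [
    {"time": "2024-01-10T09:00:05Z", "c_ip": "10.0.0.21", "cs_method": "POST",
     "cs_uri": "/oauth/token", "sc_status": 200},
]
RAW_NETFLOW = [
    {"ts": 1704877215, "srcaddr": "10.0.0.21", "dstaddr": "203.0.113.9", "dstport": 443, "dOctets": 1240},
    {"ts": 1704882615, "srcaddr": "10.0.0.21", "dstaddr": "198.51.100.44", "dstport": 443, "dOctets": 9000},
    {"ts": 1704877220, "srcaddr": "10.0.0.33", "dstaddr": "203.0.113.9", "dstport": 443, "dOctets": 300},
]
RAW_EDR = [
    {"event_time": "2024-01-10 09:00:30", "hostname": "WS-021", "ip": "10.0.0.21",
     "process": "rundll32.exe", "action": "network_connect", "remote": "203.0.113.9:443"},
    {"event_time": "2024-01-10 09:00:31", "hostname": "WS-033", "ip": "10.0.0.33",
     "process": "chrome.exe", "action": "network_connect", "remote": "203.0.113.9:443"},
]
# Constructed threat-intel list of remote addresses treated as known-bad.
KNOWN_BAD_REMOTES = {"203.0.113.9"}


# Common schema: ts (aware UTC datetime), layer, host (the pivot key), remote, summary.
def normalize_web(r):
    ts = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
    return {"ts": ts, "layer": "web", "host": r["c_ip"], "remote": None,
            "summary": f'{r["cs_method"]} {r["cs_uri"]} -> {r["sc_status"]}'}


def normalize_netflow(r):
    ts = datetime.fromtimestamp(r["ts"], tz=UTC)
    return {"ts": ts, "layer": "network", "host": r["srcaddr"], "remote": r["dstaddr"],
            "summary": f'{r["srcaddr"]} -> {r["dstaddr"]}:{r["dstport"]} {r["dOctets"]}B'}


def normalize_edr(r):
    ts = datetime.strptime(r["event_time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
    return {"ts": ts, "layer": "endpoint", "host": r["ip"], "remote": r["remote"].split(":")[0],
            "summary": f'{r["hostname"]} {r["process"]} {r["action"]} {r["remote"]}'}


def build_timeline():
    """One time-ordered list of events across all three layers."""
    events = ([normalize_web(r) for r in RAW_WEB]
              + [normalize_netflow(r) for r in RAW_NETFLOW]
              + [normalize_edr(r) for r in RAW_EDR])
    return sorted(events, key=lambda e: e["ts"])


def pivot(timeline, seed, window_seconds=60):
    """Events from other layers on the same host within +/- window of the seed event."""
    w = timedelta(seconds=window_seconds)
    return [e for e in timeline
            if e["host"] == seed["host"] and e["layer"] != seed["layer"]
            and abs(e["ts"] - seed["ts"]) <= w]


def investigate(timeline, seed, window_seconds=60):
    """Follow the web event into network and endpoint telemetry and check for known-bad remotes."""
    related = pivot(timeline, seed, window_seconds)
    bad = {e["remote"] for e in related if e["remote"] in KNOWN_BAD_REMOTES}
    return {"layers": sorted({e["layer"] for e in related}),
            "known_bad_remotes": sorted(bad),
            "related": related}


if __name__ == "__main__":
    tl = build_timeline()
    seed = next(e for e in tl if e["layer"] == "web")
    result = investigate(tl, seed)
    print("Seed:", seed["summary"])
    for e in result["related"]:
        print(f'  [{e["layer"]}] {e["ts"].isoformat()} {e["summary"]}')
    print("Known-bad remotes reached:", result["known_bad_remotes"])
```

Getting every source onto one clock (here, aware UTC datetimes) is the part that usually breaks in practice: a web log in local time and a NetFlow export in epoch seconds will silently miss each other in a 60-second join.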
Continuous Improvement
Findings from hunts should feed back into automated detection systems:
- Detection Engineering: New rules are written for SIEM and IDS/IPS systems based on discovered tactics, techniques, and procedures (TTPs).
- Threat Intelligence: Insights are shared with the broader security community and internal teams to inform future hunts.
By integrating hypothesis-driven hunting, cross-layer correlation, and technical tools like JA4 fingerprinting, organizations can uncover and neutralize advanced threats.
Real-world examples demonstrate that combining automated analytics with expert human investigation is essential for defending against modern adversaries.