The Art of Cyber Threat Hunting

The Wing Chun Kung Fu Way

Dan Sherman
9 min read · Feb 21, 2023

Introduction to Cyber Threat Hunting Kung Fu

Threat hunting has become an essential activity for any organization that wants to protect its digital assets from cybercriminals. With the increasing frequency and complexity of cyber attacks, organizations need to be proactive in detecting and mitigating threats to their networks, systems, and data.

I have always had an interest in applying some principles from martial arts to cybersecurity, specifically from Wing Chun Kung Fu. In this post, we will explore how the Wing Chun Kung Fu forms can be applied to the cyber threat hunting process. We will examine each of the Wing Chun forms and its corresponding application to cyber threat hunting: Siu Nim Tao (Little Idea), Chum Kiu (Building the Bridge), Bui Jee (Emergency Hands), Muk Yan Jong (Wooden Dummy), Luk Dim Boon Kwan (Six-and-One-Half-Point Pole), and Baat Jaam Do (Eight Slashing Knives). We will also discuss how the TaHiTI (Targeted Hunting integrating Threat Intelligence) threat hunting process¹ aligns with the scientific method and how the teachings of IP Man² and Moy Yat³ can be applied to cybersecurity.

The TaHiTI threat hunting process is a framework for proactively searching for cyber threats in a network by combining threat intelligence and advanced hunting techniques. It was developed by members of the Dutch financial sector in collaboration with the Dutch National Police, the Netherlands Forensic Institute, and cybersecurity companies.

Wing Chun Kung Fu is a type of Chinese martial art that emphasizes close-range combat and quick, precise movements. Unlike karate, which often involves using large, sweeping motions, Wing Chun focuses on smaller, more efficient movements that are designed to take down an opponent quickly and efficiently.

Let’s dig a little deeper into the Art of Threat Hunting the Kung Fu way!

Siu Nim Tao (Little Idea) — Developing a Strong Foundation

Siu Nim Tao is the first form and is the foundation of Wing Chun Kung Fu. It teaches practitioners the fundamental principles of the art, including structure, balance, and coordination. In cybersecurity, developing a strong foundation is essential to becoming a successful threat hunter. The TaHiTI threat hunting process is an effective framework that can help build this foundation. The TaHiTI process includes the following three phases broken down into five steps:

Initiate — Phase 1:

  • Step 1 — Trigger Hunt
  • Step 2 — Create investigation abstract

Hunt — Phase 2:

  • Step 3 — Define / refine
  • Step 4 — Execute

Finalize — Phase 3:

  • Step 5 — Document findings

The TaHiTI process aligns with the scientific method, which involves developing a hypothesis, testing it, and modifying it as needed based on the results. By following the TaHiTI process, threat hunters can develop a solid foundation for their work and learn to identify threats in a systematic way.
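As an added example (not part of the original post, and not the TaHiTI project's own code), the script below lays a single hunt out along the five TaHiTI steps so the hypothesis-driven, scientific-method shape of the process is visible in code: the trigger and investigation abstract are recorded up front, the hypothesis is turned into a testable query, the query is refined with a list of known exceptions, it is executed over telemetry, and the outcome is documented whether or not the hypothesis held. The logon events, the `svc_` naming convention for service accounts, the `JUMP01` exclusion and the field names are all constructed for illustration and are not a real product's schema.

```python
"""A hypothesis-driven hunt laid out along the five TaHiTI steps (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence

Event = Dict[str, str]

# Constructed sample logon events; the field names are assumptions, not a real schema.
SAMPLE_EVENTS: List[Event] = [
    {"ts": "2023-02-21T08:01:02Z", "user": "svc_backup", "host": "FS01", "src": "10.0.5.21", "logon_type": "service"},
    {"ts": "2023-02-21T08:03:10Z", "user": "jdoe", "host": "WS17", "src": "10.0.9.44", "logon_type": "interactive"},
    {"ts": "2023-02-21T08:07:55Z", "user": "svc_backup", "host": "WS17", "src": "10.0.9.44", "logon_type": "interactive"},
    {"ts": "2023-02-21T08:09:30Z", "user": "svc_sql", "host": "JUMP01", "src": "10.0.5.30", "logon_type": "interactive"},
    {"ts": "2023-02-21T08:12:41Z", "user": "svc_backup", "host": "FS01", "src": "10.0.5.22", "logon_type": "network"},
]


@dataclass
class HuntRecord:
    """Step 5 output: everything a reviewer needs to reproduce the hunt."""
    trigger: str
    abstract: str
    data_sources: List[str]
    exclusions: List[str] = field(default_factory=list)
    hits: List[Event] = field(default_factory=list)
    verdict: str = ""


def define_query(exclusions: Sequence[str]) -> Callable[[Event], bool]:
    """Step 3 (define / refine): turn the hypothesis into a testable predicate.

    The exclusion list is the 'refine' part: hosts where interactive
    service-account logons are expected, learned in earlier iterations.
    """
    def predicate(ev: Event) -> bool:
        return (ev["user"].startswith("svc_")
                and ev["logon_type"] == "interactive"
                and ev["host"] not in exclusions)
    return predicate


def execute(events: List[Event], predicate: Callable[[Event], bool]) -> List[Event]:
    """Step 4: run the query over the telemetry."""
    return [ev for ev in events if predicate(ev)]


def document(record: HuntRecord, hits: List[Event]) -> HuntRecord:
    """Step 5: record the result, whether or not the hypothesis held."""
    record.hits = hits
    if hits:
        record.verdict = f"{len(hits)} interactive service-account logon(s) found; escalate for triage"
    else:
        record.verdict = "no matching events; hypothesis not supported by current data"
    return record


def run_hunt(events: List[Event], exclusions: Sequence[str] = ("JUMP01",)) -> HuntRecord:
    """Steps 1 and 2 (trigger and investigation abstract) feed steps 3 to 5."""
    record = HuntRecord(
        trigger="Intel report on service-account abuse for lateral movement (constructed)",
        abstract="Service accounts (svc_*) should never log on interactively; any such logon is anomalous",
        data_sources=["logon events (constructed sample)"],
        exclusions=list(exclusions),
    )
    return document(record, execute(events, define_query(record.exclusions)))


if __name__ == "__main__":
    result = run_hunt(SAMPLE_EVENTS)
    print(result.verdict)
    for hit in result.hits:
        print(hit)
```

Running the hunt with the `JUMP01` refinement yields one hit (the `svc_backup` interactive logon on the workstation `WS17`); running it without exclusions yields two, which is the kind of false positive the refine step exists to remove. A hunt that finds nothing still produces a record, because a documented negative result is what lets the next hunter avoid repeating the work.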

The core principles of Siu Nim Tao include posture, relaxation, and focus, and these principles can be applied to cybersecurity in the following ways:

Posture — Maintaining documented and properly parsed telemetry is essential for effective threat hunting. As a threat hunter, you need to have a solid understanding of the posture of your organization’s network and infrastructure. This means having a clear understanding of the network’s topology, its traffic patterns, and the various endpoints and devices connected to it.

Relaxation — In Wing Chun Kung Fu, relaxation is essential to maintain fluidity and efficiency in movements. Similarly, in cybersecurity, it is important to remain calm and relaxed when responding to a potential threat. By maintaining a relaxed and focused state of mind, you can make more effective decisions and take the necessary steps to address the issue.

Focus — Wing Chun emphasizes focus and concentration, and this is also critical in the context of cybersecurity. As a threat hunter, it is important to have a clear focus and purpose in your work. This means having a well-defined set of objectives and being able to prioritize your actions based on their potential impact on the organization.

Beginners must not use strength. — Grandmaster IP Man⁴

Chum Kiu (Building the Bridge) — Bridging the Gap Between Data and Action

Chum Kiu is the second form in Wing Chun Kung Fu. It builds upon the foundation established in Siu Nim Tao by teaching practitioners how to move and coordinate their bodies to generate power and force. In cybersecurity, Chum Kiu can be thought of as the bridge between the data collected in the TaHiTI process and the actions taken to mitigate threats.

To bridge this gap, threat hunters must be able to interpret the data collected during the TaHiTI process and identify potential threats. This requires a deep understanding of the environment being monitored and the ability to recognize patterns and anomalies in the data. It also requires the ability to communicate effectively with other members of the cybersecurity team and to translate technical information into actionable steps.

The core principles of Chum Kiu include:

Balance — In Chum Kiu, balance is essential to maintain a stable and solid foundation. Similarly, in cybersecurity, balance is important in terms of balancing your efforts between proactive measures like prevention and reactive measures like incident response.

Connectivity — Chum Kiu emphasizes the importance of connectivity, and this is also crucial in cybersecurity. As a threat hunter, you need to have a clear understanding of the connections and relationships between different elements of your network, including users, devices, and applications.

Coordination — Chum Kiu stresses the importance of coordination and the ability to move in sync with your opponent. Similarly, in cybersecurity, coordination is essential to responding to a threat effectively. This means having a clear and coordinated response plan in place and ensuring that all members of the team are on the same page.

Bui Jee (Emergency Hands) — Reacting to Threats

Bui Jee is the third form in the Wing Chun Kung Fu system. It is designed to help practitioners develop the ability to react quickly and effectively to unexpected situations. In cybersecurity, the ability to react quickly to threats is essential to minimizing the damage caused by an attack.

Threat hunters must be able to react quickly to potential threats and take decisive action to mitigate them. This requires the ability to stay calm under pressure and to think on your feet. It also requires the ability to communicate effectively with other members of the team and to coordinate efforts to respond to an attack.

Muk Yan Jong (Wooden Dummy) — Developing Muscle Memory

The Muk Yan Jong, the fourth form in the system, is a training tool used in Wing Chun Kung Fu to develop muscle memory and hone techniques. In cybersecurity, developing muscle memory (automation and/or scripts) is essential to responding quickly and effectively to threats.

Wing Chun Wooden Dummy used for Kung Fu practice.
Photo by Wu Dae on Unsplash

Threat hunters must be able to respond to threats quickly, as the threat landscape is constantly changing. This requires the ability to perform tasks and execute techniques automatically, without conscious thought. With regular training and practice, threat hunters can be better prepared to respond quickly and effectively to threats as they arise.

Luk Dim Boon Kwan (Six-and-One-Half-Point Pole) — Extending Your Reach

The Luk Dim Boon Kwan is the fifth form in the system and is a weapon used in Wing Chun Kung Fu to extend the reach of the practitioner. In cybersecurity, the equivalent of the Pole is the use of the right tools and techniques to extend the reach of the threat hunter.

Tools, such as threat intelligence, logs, and vulnerability scanners, can help threat hunters identify potential vulnerabilities and threats that may be hidden from view. They can also help automate certain aspects of the threat hunting process when used to enrich data in a SIEM or log aggregator, allowing threat hunters to focus on more complex tasks over time.
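As an added example (not from the original post and not any SIEM vendor's code), the script below shows the enrichment step the paragraph describes: connection events from a log aggregator are matched against a threat intelligence feed, and matching events are tagged so a hunter can prioritise them. It also handles two practical failure modes of feed-based enrichment: stale indicators (an address or domain that was hostile months ago may have been reassigned) and low-confidence indicators (a scanner listing is not a command-and-control listing). The indicator feed, the events, the confidence and age thresholds and the field names are all constructed; the addresses are RFC 5737 documentation ranges and the domain uses the reserved `.example` TLD.

```python
"""Threat-intel enrichment of connection events with stale and low-confidence handling (added example)."""
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed indicator feed; field names are assumptions, not a vendor schema.
INDICATORS: List[Dict] = [
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 90, "last_seen": "2023-02-15", "tags": ["c2"]},
    {"type": "domain", "value": "update-check.example", "confidence": 60, "last_seen": "2022-06-01", "tags": ["phishing"]},
    {"type": "ipv4", "value": "198.51.100.22", "confidence": 40, "last_seen": "2023-02-20", "tags": ["scanner"]},
]

# Constructed outbound connection events from a hypothetical log aggregator.
EVENTS: List[Dict] = [
    {"ts": "2023-02-21T09:00:00Z", "src": "10.0.9.44", "dst": "203.0.113.7", "domain": "", "bytes_out": 4096},
    {"ts": "2023-02-21T09:01:00Z", "src": "10.0.9.12", "dst": "192.0.2.10", "domain": "update-check.example", "bytes_out": 512},
    {"ts": "2023-02-21T09:02:00Z", "src": "10.0.9.13", "dst": "198.51.100.22", "domain": "", "bytes_out": 128},
    {"ts": "2023-02-21T09:03:00Z", "src": "10.0.9.14", "dst": "10.0.5.21", "domain": "", "bytes_out": 65536},
]


def _index(indicators: List[Dict]) -> Dict[str, Dict]:
    """Index indicators by value so each event lookup is a dictionary hit."""
    return {ind["value"]: ind for ind in indicators}


def _event_date(ts: str) -> date:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()


def match_indicator(event: Dict, index: Dict[str, Dict],
                    max_age_days: int, min_confidence: int) -> Optional[Dict]:
    """Return the first usable indicator matching the destination IP or domain.

    An indicator is skipped when it was last seen more than max_age_days before
    the event (stale) or when its confidence is below min_confidence.
    """
    observed = _event_date(event["ts"])
    for key in ("dst", "domain"):
        ind = index.get(event.get(key, ""))
        if ind is None:
            continue
        age_days = (observed - date.fromisoformat(ind["last_seen"])).days
        if age_days > max_age_days or ind["confidence"] < min_confidence:
            continue  # stale or low-confidence: do not flag the event
        return ind
    return None


def enrich(events: List[Dict], indicators: List[Dict],
           max_age_days: int = 90, min_confidence: int = 50) -> List[Dict]:
    """Copy each event and add ti_* fields when a usable indicator matches."""
    index = _index(indicators)
    enriched = []
    for ev in events:
        out = dict(ev)
        ind = match_indicator(ev, index, max_age_days, min_confidence)
        if ind is not None:
            out["ti_indicator"] = ind["value"]
            out["ti_tags"] = list(ind["tags"])
            out["ti_confidence"] = ind["confidence"]
        enriched.append(out)
    return enriched


def prioritised(enriched: List[Dict]) -> List[Dict]:
    """Only the flagged events, highest confidence first, for the hunter's queue."""
    hits = [ev for ev in enriched if "ti_tags" in ev]
    return sorted(hits, key=lambda ev: ev["ti_confidence"], reverse=True)


if __name__ == "__main__":
    for ev in prioritised(enrich(EVENTS, INDICATORS)):
        print(ev["ts"], ev["src"], "->", ev["ti_indicator"], ev["ti_tags"], ev["ti_confidence"])
```

With the default thresholds only the connection to the high-confidence, recently seen indicator is flagged; the stale phishing domain and the low-confidence scanner listing are left untagged. Loosening both thresholds surfaces all three, which is a useful way to see how much of an enrichment queue a feed's old or weak entries would otherwise generate.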

In Wing Chun Kung Fu, the six-and-one-half-point pole is used to keep an opponent at a distance while allowing the practitioner to attack. Similarly, in cyber threat hunting, we must keep attackers at a distance while allowing authorized users to access the system. If the defense is too lax, it may fail to keep attackers out, and if it is too strict, it may prevent authorized users from accessing the system. As cyber security practitioners, we must strike the correct balance for our organization.

Baat Jaam Do (Eight Slashing Swords) — Taking a Multi-Dimensional Approach

Baat Jaam Do, the sixth and final form, is a set of swords used in Wing Chun Kung Fu. They are designed to be used in a multi-dimensional approach, attacking from multiple angles and in multiple directions. In cybersecurity, taking a multi-dimensional approach is essential to effective threat hunting.

Threat hunters must be able to approach the threat hunting process from multiple angles, using a range of techniques and strategies to identify potential threats and mitigate them. This requires a strong understanding of the organization’s network, applications, and data, as well as the ability to think creatively and outside the box.

In cyber threat hunting, the eight slashing swords can be seen as a metaphor for threat intelligence. Threat intelligence is the process of collecting and analyzing data to understand potential threats and to develop strategies to mitigate those threats.

The Baat Jaam Do represent the eight different types of threat intelligence that are used to combat cyber threats. These include:

  1. Technical intelligence — This involves the analysis of technical information to understand the nature of the threat.
  2. Tactical intelligence — This involves analyzing the tactics used by attackers to understand how they operate.
  3. Operational intelligence — This involves analyzing the attacker’s operations to understand how they are carried out.
  4. Strategic intelligence — This involves analyzing the overall strategy of the attacker to understand their goals and objectives.
  5. Counter intelligence — This involves using deception to mislead the attacker proactively and protect the network.
  6. Human intelligence — This involves gathering information from human sources to understand the motivations and intentions of the attacker.
  7. Signals intelligence — This involves the interception of communications to gather intelligence.
  8. Open-source intelligence — This involves the collection and analysis of publicly available information to understand potential threats.

Like the eight slashing knives, threat intelligence must be wielded with precision and skill. A threat hunter must be able to gather and analyze all types of threat intelligence to gain a complete understanding of potential threats. By doing so, a threat hunter can develop effective strategies to mitigate the threat and protect the network.

Daniel Sherman Wing Chun Baat Jaam Do
Photo by Dan Sherman — Baat Jaam Do

Applying the Scientific Method to Cyber Threat Hunting

In addition to the forms of Wing Chun Kung Fu, the scientific method can also be applied to the threat hunting process. The scientific method is a systematic approach to problem-solving that involves making observations, forming hypotheses, and testing those hypotheses through experimentation and analysis.

In the context of cyber threat hunting, the scientific method can be applied by making observations about the organization’s network, applications, and data, forming hypotheses about potential threats, and testing those hypotheses through experimentation and analysis. This requires a commitment to ongoing data collection and analysis, as well as a willingness to adapt and evolve as new threats emerge.

The Teachings of Grandmasters IP Man, Moy Yat and Bruce Lee

IP Man and Moy Yat were two of the most influential teachers in the Wing Chun Kung Fu system. Their teachings emphasize the importance of developing a strong foundation, staying focused and disciplined, and adapting to changing circumstances.

These teachings are highly relevant to the cybersecurity field, where developing a strong foundation, staying focused and disciplined, and adapting to changing threats are all essential to effective threat hunting.

Image of Bruce Lee, Grandmaster IP Man’s student and Grandmaster Moy Yat’s Kung Fu Brother.
Photo by Man Chung on Unsplash — Statue of Bruce Lee

You must be shapeless, formless, like water. When you pour water in a cup, it becomes the cup. When you pour water in a bottle, it becomes the bottle. When you pour water in a teapot, it becomes the teapot. Water can drip and it can crash. Become like water, my friend. — Bruce Lee⁵

Conclusion

By incorporating the TaHiTI threat hunting process, the scientific method, and the teachings of IP Man and Moy Yat, cybersecurity professionals can develop the skills and techniques needed to identify and mitigate potential threats quickly and effectively. With these tools, techniques and processes, organizations can stay ahead of evolving threats and protect their networks, applications, and data from daily cyber attacks and/or misconfigurations.

Dan Sherman

I enjoy threat hunting and incident response in cloud environments, software, platforms and systems.