Threat Hunting Explained
What is Cyber Threat Hunting?
Cyber threat hunting is the proactive complement to cyber threat detection. In general, cybersecurity strategies focused on threat detection attempt to identify an incoming or ongoing attack and then prevent or quickly remediate it. However, this approach has a weakness: it assumes that every attack can be detected and mitigated before any damage is done.
Cyber threat hunting involves proactively searching for unknown vulnerabilities and undetected attacks within an organization’s environment. Based on cyber threat intelligence, known attack techniques, and other information, threat hunters develop and test hypotheses about potential threats by collecting and analyzing data from various sources inside and outside of the organization.
Cyber threat hunting is designed to allow an organization to detect and respond to potential threats that it does not know exist and has not detected via other means. This provides the organization with more comprehensive protection against cyber threats and the ability to detect and mitigate attacks and security gaps that its existing security architecture has missed.
How to Perform a Threat Hunt
A threat hunting program should be designed to maximize the efficiency of the threat hunt and the value of the exercise to the organization. Accomplishing this requires using a threat hunting framework to plan threat hunting exercises, such as the following five-step process.
Step 1 – Hypothesis
Threat hunting is designed to identify an unknown threat to an organization’s cybersecurity. Without a known attack or a particular threat to investigate, threat hunters need a starting point for their investigations. Threat hunting begins with a hypothesis about a potential risk to an organization. This could be a potential vulnerability in the company’s systems or the tactics, techniques, and procedures (TTPs) of a known threat actor. Based on this hypothesis, the threat hunter can then develop a strategy for identifying whether the suspected threat is present on the company’s systems.
Step 2 – Collect and Process Intelligence and Data
Identifying potential threats on an organization’s systems requires access to high-quality data and threat intelligence. Based on knowledge of the potential threat, the threat hunter can identify data sources that could help prove or disprove the hypothesis and a strategy for collecting and analyzing that data. With a plan in place, the threat hunter will collect and process the data required to prove or disprove their hypothesis. Collecting and analyzing data from internal and external sources often requires specialized tools, such as security information and event management (SIEM) and dark web monitoring solutions.
Step 3 – Trigger
A threat hunting hypothesis is designed to define a means for a threat hunter to detect the presence of an unknown threat to the organization. After collecting and analyzing the required data, the threat hunter should be able to determine whether or not the hypothesis is correct. Proving the hypothesis just means that the threat hunter knows that a threat exists. After proving the existence of the threat, the hunter is ‘triggered’ to perform an in-depth investigation to determine the scope and details of the incident required for remediation.
Step 4 – Investigation
After proving their hypothesis, a threat hunter should perform an in-depth investigation into a potential incident. By identifying infected systems and determining details about how the attack was performed and its impacts, the threat hunter can determine what remediation steps are necessary. As in step 2, investigation requires a range of solutions and should incorporate both internal and external data sources. In addition to searching corporate systems for signs of infection, threat hunters should look on dark web marketplaces for stolen data or other information about the attack.
Step 5 – Resolution
By the end of their investigation, the threat hunter should have a complete picture of how the attack was carried out, its objectives, and the impacts on the organization and its systems. This information should inform the actions that the organization takes to remediate the incident. After infected systems have been remediated and restored to normal operation, the entire process should start over again, looking for new threats to the organization.
Threat Hunting Methodologies
Threat hunters looking to perform manual or automated threat hunting need to start by selecting a target for the hunt. Several threat hunting methodologies exist for selecting the initial hypothesis to be proved or disproved by the hunt, including the following:
Adversary Hunting
Adversary hunting involves searching for indications that a particular threat exists on an organization’s systems. Various organized crime groups and advanced persistent threats (APTs) are known to target organizations in different industries, geographic areas, etc. Based on this information and an organization’s threat intelligence, a threat hunter can determine which threat groups pose the greatest risk to an organization.
The threat hunter can then hunt for those adversaries specifically, looking for signs of that particular actor’s presence on corporate systems.
Different threat actors have known TTPs that they use across different attack campaigns. For example, a particular APT may be known for exploiting VPN vulnerabilities, so a threat hunt may be focused on identifying if VPNs are vulnerable or if unusual activity has been detected on VPN endpoints.
Threat hunters can develop a hypothesis that a particular threat actor is using one of their known TTPs within an enterprise environment. After performing this hunt, the exercise can be repeated for other known TTPs for the threat actor or for other potential threats.
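The five-step process above, applied to the VPN hypothesis from this section, as an added example that is not part of the original article: a constructed per-account baseline and a handful of constructed VPN authentication log lines stand in for SIEM data, and the hunt returns findings that either prove the hypothesis (triggering investigation) or leave it unproven. The ATT&CK technique IDs attached to the hypothesis (T1133 External Remote Services, T1078 Valid Accounts) are an assumed mapping, not one the article makes.

```python
from collections import defaultdict

# Step 1 - Hypothesis: an actor abusing external remote services with valid
# credentials (ATT&CK T1133 / T1078, assumed mapping) shows up as VPN logins
# from a country never seen for that account, or a burst of failures followed
# by a success from the same source.
HYPOTHESIS = {"name": "VPN credential abuse", "attack_ids": ["T1133", "T1078"]}
# Per-account baseline of countries seen in a known-good period (constructed).
BASELINE = {"alice": {"US"}, "bob": {"US", "CA"}}

# Step 2 - Collected data: constructed VPN log lines, "ts user src_ip country result".
VPN_LOG = """\
2024-03-04T08:02:11 alice 198.51.100.7 US success
2024-03-04T08:15:40 bob 203.0.113.9 CA success
2024-03-04T23:41:02 alice 192.0.2.55 RO failure
2024-03-04T23:41:09 alice 192.0.2.55 RO failure
2024-03-04T23:41:15 alice 192.0.2.55 RO failure
2024-03-04T23:41:31 alice 192.0.2.55 RO success
"""

def parse(log_text):
    # Turn raw log lines into event dicts; timestamps are kept as strings.
    events = []
    for line in log_text.splitlines():
        ts, user, ip, country, result = line.split()
        events.append({"ts": ts, "user": user, "ip": ip,
                       "country": country, "result": result})
    return events

def hunt(events, baseline, fail_threshold=3):
    """Step 3 - Trigger: return findings; a non-empty list proves the hypothesis."""
    findings = []
    fails = defaultdict(int)  # consecutive failures per (user, source ip)
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            fails[key] += 1
            continue
        # Successful login: check both conditions of the hypothesis.
        if e["country"] not in baseline.get(e["user"], set()):
            findings.append((e["user"], e["ip"], "login from unseen country " + e["country"]))
        if fails[key] >= fail_threshold:
            findings.append((e["user"], e["ip"], f"success after {fails[key]} failures"))
        fails[key] = 0
    return findings

if __name__ == "__main__":  # Step 4: each finding is handed to investigation.
    for user, ip, why in hunt(parse(VPN_LOG), BASELINE):
        print(f"investigate {user} via {ip}: {why}")
```

Once the findings are remediated (step 5), the same function can be rerun against a refreshed baseline and new log data to start the next hunt.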
Hypothesis-Based Hunting
All threat hunting is based on developing a hypothesis and testing it. This methodology focuses on particular ways of generating those hypotheses, including:
- Data Analytics: Machine learning (ML) algorithms can analyze large volumes of security data and extract trends and anomalies from them. The results of these analytics can be used to develop hypotheses for use in threat hunting.
- Threat Intelligence: Companies can collect threat intelligence from a variety of internal and external sources such as malware analysis, dark web monitoring, and vulnerability scans. This threat intelligence can be used to identify probable threats that can be investigated via threat hunting.
- Risk Assessment: A corporate risk management program should identify an organization’s most valuable assets and the greatest threats to them. This information can be used to focus threat hunting on investigating the potential threats that pose the greatest risk to the organization.
Investigation Using Indicators of Attack
Various types of security incidents can be detected in various ways. Some resources, such as MITRE’s ATT&CK framework, provide in-depth information about the ways that an attacker can achieve a particular objective and how these techniques can be detected and mitigated. Tools like MITRE ATT&CK can be used as a framework for developing a threat hunting strategy. By searching for the different indicators of attack and compromise outlined within the ATT&CK framework, threat hunters can determine if their organization has been targeted by attackers using these techniques. This form of threat hunting is one of the most proactive because it allows threat hunters to systematically investigate potential attack vectors. Ideally, this helps to improve detection and prevention capabilities and might allow the organization to detect and terminate attacks using these techniques in the future.
Hybrid Hunting
Adversary, hypothesis-based, and IOA-based threat hunting use varying methods to define a hypothesis to test via threat hunting. All three of these are valid means of developing a basis for a valuable threat hunt. However, these three methods for selecting and triaging different hunt targets are not mutually exclusive. Hybrid hunting involves combining several threat hunting methodologies to maximize the value and impact of the threat hunt.
Why Should You Utilize Threat Hunting?
Most organizations have a detection-focused security strategy; however, this is a reactive approach to managing cyber risk. Threat hunting is a proactive activity that complements threat detection and that enables security teams to accomplish critical goals, including:
- Detecting Intrusions: Proactive threat hunting is invaluable because it enables organizations to identify threats that were performed without being caught by existing defenses. By looking for undetected intrusions, a threat hunter can identify and remediate security incidents that place the company at risk.
- Identifying Vulnerabilities: Vulnerability management is a challenge for any organization due to the complexity of corporate IT environments and the sheer number of vulnerabilities detected in production software. Threat hunting can help with detecting and remediating previously unknown vulnerabilities within an organization’s systems.
- Quantifying Risks: Risk management lies at the core of cybersecurity, and an effective risk management program requires good data on the effectiveness of the organization’s cyber defenses. Threat hunting can help to inform risk analysis by determining the company’s vulnerability to various cyber threats.
- Improving Defenses: No cybersecurity is perfect, and a company may not be collecting or analyzing the data required to detect various cyber threats. Threat hunting can help to identify detection gaps and develop strategies for building visibility into additional cyber threats.
- Streamlining Threat Detection: Most security teams are overwhelmed with data, and data overload can slow threat detection and response. Threat hunters may identify more efficient ways to collect and analyze data to detect various threats, enabling them to streamline threat detection and eliminate the collection of unnecessary data.
Threat hunting should be a core component of every corporate security strategy. By collecting and analyzing data from various sources, threat hunters can identify critical visibility gaps and uncover unknown threats within corporate environments.
Threat Hunting Best Practices
Threat hunting can be a valuable tool for corporate cybersecurity but is only effective if the threat hunting program is designed and implemented properly. Some best practices for threat hunting include the following:
Define a Dedicated Threat Hunting Team
Security teams have several responsibilities. Even a standalone security team is responsible for securing the infrastructure, investigating alerts, and other activities. If the security and IT teams are the same team, then even more responsibilities are assigned to them. Threat hunting may seem less important because it focuses on hypotheticals rather than responding to known threats to the organization. However, these proactive investigations are vital to detecting more sophisticated and unknown threats. Defining a dedicated threat hunting role or a minimum number of hours to spend threat hunting each week is essential to ensuring that threat hunting is actually performed.
Develop the Right Skill Sets
Threat hunting requires different skill sets. Threat hunters need to know how to develop and test hypotheses about potential threats to the organization. They also need in-depth knowledge and experience with the various platforms within an organization’s environment to perform these tests. The effectiveness of a threat hunting team depends heavily on the expertise available to it. Whenever possible, take steps to attract or train employees with the necessary skill sets to perform in-depth investigations of the corporate environment.
Acquire Specialized Hunting Tools
Efficient and effective threat hunting requires the ability to rapidly prove or disprove hypotheses about threats to the organization. This involves the ability to quickly gather and analyze data from a variety of sources both inside and outside of the organization.
While threat hunters can collect this information manually, it is time-consuming and requires significant knowledge and expertise. Investing in certain security solutions – such as a SIEM and dark web monitoring solution – can help to dramatically expedite the threat hunting process.
Prioritize Based on Risk
Threat hunters can investigate varying potential threats to the organization. There are always more potential hypotheses to test than an organization has time and resources to investigate. When planning threat hunting investigations, it is important to prioritize them based on the potential risk to the organization. Different risks have different levels of probability and potential impact on the organization. Focusing on probable and high-risk threats helps to maximize the benefit of the threat hunt to the organization.
Automate When Possible
The vast amount of data that threat hunters need to collect, aggregate, and process makes automation an invaluable tool. Threat hunters can use an assortment of specialized threat hunting platforms and tools to expedite and streamline the process. In addition to data collection, automation can also help with developing hypotheses and focusing the attention of threat hunters. For example, the use of artificial intelligence (AI) and user and entity behavior analytics (UEBA) can help with identifying abnormal events that deserve investigation.
What Are You Hunting For?
Threat hunters can focus their search on the following:
- Indicators of Compromise (IOCs): IOCs are data regarding a past security incident. This includes log files, forensic data, and similar information.
- Indicators of Attack (IOAs): IOAs are information about an ongoing attack. These are similar to IOCs but require real-time or near real-time access.
- Network Artifacts: Monitoring network traffic can help detect cyberattacks by looking for malware command and control (C2) traffic, attempted exploits of vulnerabilities, etc.
- Host Artifacts: Malware infections and other cybersecurity incidents can create artifacts on endpoints such as files, processes, registry entries, and more.
- Adversaries: Based on knowledge of threat actors’ motivations and TTPs, threat hunters can look for signs of their presence within an organization’s environment.
Which Threat Hunting Platform Types Are There?
An effective threat hunting team requires access to the right tools. Threat hunters need to be able to search through large amounts of data to identify trends and determine whether or not certain events have occurred. In many cases, the sheer volume of data involved makes doing so manually infeasible or impossible.
Threat hunters can use a variety of different tools as part of their duties. However, three of the most important types of threat hunting platforms include:
- Security Monitoring Tools: Threat hunters need security data to investigate and evaluate their hypotheses. Security monitoring tools like firewalls, antivirus, and similar solutions generate and collect this data.
- SIEM Solutions: Collecting and aggregating data across an organization’s entire security infrastructure can be overwhelming and unscalable. SIEMs automatically collect and aggregate this data into a single platform, making it easy to view and analyze.
- Analytics Tools: Access to security data is useless without the ability to extract insights from it. Data analytics tools help threat hunters to extract trends and outliers from their datasets.