Threat hunting, also referred to as cyberthreat hunting, is the proactive process of identifying unknown or unresolved threats within an organization’s network.
Why threat hunting is important
Threat hunting holds significant importance as it addresses the limitations of automated cybersecurity. While automated tools and tier 1 and 2 security operations center (SOC) analysts can handle about 80% of threats, the remaining 20% pose a heightened risk. This subset often comprises sophisticated threats capable of causing substantial harm. These threats, if left undetected, can infiltrate networks and evade discovery for an average of 280 days. Effective threat hunting plays a critical role in shortening the time from intrusion to detection, thereby minimizing the potential damage inflicted by attackers.
Attackers typically operate covertly for extended periods before being identified. During this time, they gather sensitive data and exploit vulnerabilities to gain deeper access, laying the groundwork for significant data breaches. The financial implications of such breaches are considerable; according to the Cost of a Data Breach report, the average cost of a breach amounts to almost USD 4 million for companies. Moreover, the repercussions of a breach can endure for years, with delayed responses leading to further financial losses for organizations.
ad
How threat hunting works
A successful threat hunting program relies on the richness of data within an environment. This means that an organization must first establish an enterprise security system that collects data. The information gathered from this system provides valuable insights for threat hunters.
Cyber threat hunters introduce a human element into enterprise security, complementing automated systems. They are skilled IT security professionals who actively search, log, monitor, and neutralize threats before they can escalate into serious problems. Ideally, these individuals are security analysts from within the company’s IT department who possess deep knowledge of its operations; however, they may also be external analysts.
The practice of threat hunting focuses on uncovering unknown elements within an environment. It extends beyond traditional detection technologies like security information and event management (SIEM), endpoint detection and response (EDR), and others. Threat hunters meticulously analyze security data, searching for hidden malware or attackers and identifying patterns of suspicious activity that may have been overlooked or incorrectly resolved by automated systems. Additionally, they assist in enhancing an enterprise’s security posture to prevent similar cyberattacks from recurring.
Types of threat hunting
The hunting process typically begins with a hypothesis derived from security data or a specific trigger. This hypothesis or trigger acts as a starting point for conducting a more thorough investigation into potential risks. These deeper investigations encompass structured, unstructured, and situational hunting approaches.
Structured Hunting
Structured hunting revolves around an Indicator of Attack (IoA) and the tactics, techniques, and procedures (TTPs) employed by attackers. All hunting activities are guided by and aligned with the TTPs of threat actors. Consequently, hunters can often identify a threat actor even before any damage is inflicted on the environment. This type of hunting relies on frameworks such as the MITRE Adversary Tactics Techniques and Common Knowledge (ATT&CK), utilizing both the PRE-ATT&CK and enterprise frameworks.
Unstructured Hunting
Unstructured hunting is initiated based on triggers, which could be one of many indicators of compromise (IoC). These triggers prompt hunters to explore pre- and post-detection patterns. Guided by the trigger, hunters may investigate data retained for historical analysis and leverage information from previously associated incidents.
Situational or Entity-Driven Hunting
Situational hypotheses originate from internal risk assessments within an enterprise or analyses of trends and vulnerabilities specific to its IT environment. Entity-driven leads stem from the examination of crowd-sourced attack data, revealing the latest TTPs of contemporary cyberthreats. Threat hunters subsequently search for these specific behaviors within the environment.
Hunting Models
Intel-based hunting
Intel-based hunting is a reactive approach to hunting that relies on indicators of compromise (IoCs) sourced from threat intelligence platforms. This method follows predefined rules set by the Security Information and Event Management (SIEM) system and incorporates threat intelligence data.
In Intel-based hunts, IoCs such as hash values, IP addresses, domain names, networks, or host artifacts are obtained from intelligence-sharing platforms like computer emergency response teams (CERT). Automated alerts generated by these platforms can be exported and integrated into the SIEM using structured threat information expression (STIX) and trusted automated exchange of intelligence information (TAXII) protocols. Once the SIEM receives an alert based on an IoC, threat hunters investigate the associated malicious activity to identify any compromises within the environment.
Hypothesis hunting
Hypothesis hunting is a proactive hunting methodology that utilizes a threat hunting library and is aligned with the MITRE ATT&CK framework. It employs global detection playbooks to recognize advanced persistent threat groups and malware attacks.
In hypothesis-based hunts, threat hunters leverage indicators of attack (IoAs) and tactics, techniques, and procedures (TTPs) used by attackers. By analyzing the environment, domain, and attack behaviors, hunters formulate hypotheses aligned with the MITRE framework. Upon identifying a specific behavior, threat hunters monitor activity patterns to detect, identify, and isolate threats proactively. This approach enables hunters to preemptively detect threat actors before they can inflict damage on the environment.
Custom hunting
Custom hunting relies on situational awareness and industry-specific hunting methodologies to identify anomalies in SIEM and Endpoint Detection and Response (EDR) tools. It is tailored to meet customer requirements and can be adapted based on specific situations or events, such as geopolitical issues or targeted attacks.
Custom or situational hunts are designed according to customer needs or are proactively conducted in response to specific situations. These hunting activities may incorporate elements from both intel-based and hypothesis-based hunting models, utilizing information related to indicators of attack (IoAs) and indicators of compromise (IoCs).
Threat hunting tools
Hunters utilize data from Managed Detection and Response (MDR), Security Information and Event Management (SIEM), and security analytics tools as the cornerstone of their hunting efforts. They may also employ additional tools like packer analyzers for conducting network-based hunts. However, effective utilization of SIEM and MDR tools necessitates the integration of all essential sources and tools within the environment to ensure that indicators of attack (IoA) and indicators of compromise (IoC) offer sufficient guidance for hunting activities.
Managed Detection and Response (MDR)
MDR employs threat intelligence and proactive threat hunting to detect and mitigate advanced threats, thereby reducing attack dwell time and facilitating swift, decisive responses within the network.
Security Information and Event Management (SIEM)
SIEM integrates Security Information Management (SIM) and Security Event Management (SEM) for real-time monitoring, event analysis, and security data tracking/logging. SIEM can identify user behavior anomalies and other irregularities that serve as critical leads for deeper investigations.
Security Analytics
Security analytics extends beyond traditional SIEM capabilities to provide in-depth insights into security data. By leveraging big data from security technologies and employing advanced machine learning and AI, security analytics expedites threat investigations by offering detailed observability data for cyberthreat hunting.
What’s the difference between threat hunting and threat intelligence?
Threat intelligence refers to a collection of data concerning attempted or successful intrusions, typically gathered and analyzed by automated security systems equipped with machine learning and AI.
Threat hunting employs this intelligence to conduct comprehensive, organization-wide searches for malicious actors. In essence, threat hunting picks up where threat intelligence leaves off. Furthermore, a successful threat hunt can uncover threats that have not yet been observed in the wild.
Additionally, threat hunting utilizes threat indicators as cues or hypotheses for a hunt. These indicators are akin to virtual fingerprints left behind by malware or attackers, encompassing unusual IP addresses, phishing emails, or other abnormal network traffic.
Conclusion
In today’s dynamic cybersecurity landscape, threat hunting stands out as a vital strategy for organizations to proactively identify and neutralize evolving threats. By combining human expertise with advanced tools, such as Managed Detection and Response (MDR) and frameworks like MITRE ATT&CK, threat hunting enables organizations to stay ahead of sophisticated cyber adversaries. With its proactive approach, threat hunting enhances cybersecurity resilience, helping organizations defend against emerging threats effectively.
ad
Comments are closed.