5 Best Practices for Threat Hunting

It takes an average of 279 days to identify and contain a data breach, according to a 2019 Ponemon Institute study. The average attacker then has almost a year to cause damage to your system and steal your data. It’s not worth the risk to wait until these attackers are uncovered by accident or revealed by improvements in technology. A better solution requires being proactive and hunting down possible threats.

In this article, you’ll learn what threat hunting is and how it can improve your system security. You’ll also learn some best practices for making your hunts as efficient and effective as possible.

What Is Threat Hunting?

Threat hunting is a security process in which you proactively search for cyber attackers in your system. It is used in particular to locate Advanced Persistent Threats (APTs). APTs are attacks that continue over a long period of time, with attackers remaining in your system throughout. These attacks are used to exfiltrate large amounts of data, obtain credentials for lateral movement within a system, and monitor for confidential information. APTs are often carried out by state-sponsored groups or nation-states.

Threat hunters assume that attackers have bypassed security measures and are already in your system. They typically do not respond directly to threats; instead, they collect information on attacks and track attackers down.

Response and identification of attacks are left to your Incident Response team. Threat hunters can be a part of this team and assist in threat response but don’t have to be. Threat hunting is not meant to replace threat detection or response. It is meant to be a proactive complement to threat detection, which is passive and can catch most threats.

5 Best Practices for Threat Hunting

Threat hunting takes significant expertise and organization to perform effectively. To maximize your threat hunting efforts, consider adopting the following best practices.

1. Take Time to Plan

Threat hunting is most effective when you systematically search your systems. Hunting without an orderly and defined plan means you’re more likely to overlook evidence or systems. Jumping from place to place or looking for abnormalities without direction makes your hunt more difficult and time-consuming. It also makes it harder to correlate evidence.

When planning which threats to hunt, pick clear signs or types of threats to scan for. Doing so can guide you on where to start. Methodically work your way through relevant areas. If you fully investigate a part of your system, you create a benchmark if you need to reinvestigate later. For example, if you know you’ve already analyzed logs up to a certain date or time, you likely don’t need to reanalyze them.
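As an added example of the log bookmark described above (not code from the original article), the script below keeps a per-source checkpoint of the newest log timestamp already reviewed and hands the hunter only the lines that arrived after it. The source names, the tab-separated "timestamp, message" line format, the sample lines and the JSON checkpoint file are all constructed assumptions.

```python
"""Checkpointed log review for a planned hunt.

Added example, not code from the original article. The log sources, the
"<ISO-8601 UTC timestamp><TAB><message>" line format and the JSON checkpoint
file are constructed assumptions chosen for illustration.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample logs, keyed by source name (assumed format, see above).
# Lines are deliberately not in time order, as exported logs often are not.
SAMPLE_LOGS: dict[str, list[str]] = {
    "fw-edge-01": [
        "2023-04-01T09:00:00Z\tALLOW 10.0.0.5 -> 203.0.113.9:443",
        "2023-04-02T11:30:00Z\tALLOW 10.0.0.5 -> 203.0.113.9:443",
        "2023-04-01T09:05:00Z\tDENY 10.0.0.7 -> 198.51.100.4:22",
    ],
    "ids-core": [
        "2023-04-01T08:59:30Z\tsignature=1001 src=10.0.0.7",
        "2023-04-03T02:15:00Z\tsignature=2044 src=10.0.0.9",
    ],
}


def parse_ts(stamp: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used by the assumed log format."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def line_ts(line: str) -> datetime:
    """Timestamp of one log line (the text before the first tab)."""
    return parse_ts(line.split("\t", 1)[0])


class HuntCheckpoint:
    """Per-source record of the newest log timestamp already reviewed.

    With a path the record persists as JSON between hunts; without one it
    lives only in memory.
    """

    def __init__(self, path: Path | None = None) -> None:
        self.path = path
        self.reviewed: dict[str, str] = {}
        if path is not None and path.exists():
            self.reviewed = json.loads(path.read_text())

    def pending(self, source: str, lines: list[str]) -> list[str]:
        """Lines from `source` newer than its checkpoint, oldest first."""
        ordered = sorted(lines, key=line_ts)
        stamp = self.reviewed.get(source)
        if stamp is None:
            return ordered  # never reviewed: everything is pending
        cutoff = parse_ts(stamp)
        return [ln for ln in ordered if line_ts(ln) > cutoff]

    def mark_reviewed(self, source: str, lines: list[str]) -> None:
        """Advance the checkpoint for `source` to the newest timestamp in `lines`."""
        if not lines:
            return
        newest = max(lines, key=line_ts)
        self.reviewed[source] = newest.split("\t", 1)[0]
        if self.path is not None:
            self.path.write_text(json.dumps(self.reviewed, indent=2, sort_keys=True))


def run_hunt_pass(checkpoint: HuntCheckpoint, logs: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return, per source, the lines a hunter still has to review, and
    advance the checkpoint past them so the next pass skips them."""
    examined: dict[str, list[str]] = {}
    for source, lines in logs.items():
        todo = checkpoint.pending(source, lines)
        checkpoint.mark_reviewed(source, todo)
        examined[source] = todo
    return examined


if __name__ == "__main__":
    cp = HuntCheckpoint(Path("hunt-checkpoint.json"))
    for source, lines in run_hunt_pass(cp, SAMPLE_LOGS).items():
        print(f"{source}: {len(lines)} line(s) to review")
    print(cp.reviewed)
```

Running it twice against the same export shows the point of the benchmark: the second pass returns nothing for either source, and only lines stamped after the recorded checkpoint show up on later passes.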

2. Maintain Internal Transparency

To accurately identify anomalies, hunters need to understand every aspect of your environment. This includes architecture, communication flow, and user permissions. They should be aware of high-priority data that is more likely to be the focus of an attack. It is also helpful for them to know business practices and customers.

The only way to identify an activity as abnormal is if you know what normal looks like. Establishing baselines of behavior can help. Baselines give you a standard to work from. Some user and system behavior is only suspicious when placed in context. For example, if you have no customers in a certain region but there is a lot of traffic to that region, it could indicate an attack.

A large part of transparency is access to system data, usually in the form of logging. You should be collecting logs with your current security tools and centralizing them for easier analysis. Tools such as network filters, firewalls, and intrusion prevention and detection systems can all provide useful information.
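The two paragraphs above (a behavioral baseline, and centralizing logs from several tools) are illustrated by the following added example, which is not code from the original article. It normalizes a firewall log and a proxy log into one event schema, computes the bytes sent per day to each destination region during a baseline window, and then flags regions in the hunt window that either had no baseline traffic at all (the "no customers in that region" case) or run far above their baseline rate. The line formats, the sample lines, the IP-prefix-to-region table (standing in for a GeoIP lookup) and the 3x threshold are constructed assumptions.

```python
"""Centralise two tools' logs into one event schema, then compare per-region
traffic in a hunt window against a baseline window.

Added example, not code from the original article. The firewall and proxy
line formats, the prefix-to-region table (standing in for a GeoIP lookup)
and the 3x threshold are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed firewall lines (assumed format: "ts action src dst bytes").
FIREWALL_LOG = [
    "2023-04-01T10:00:00Z ALLOW 10.0.0.5 203.0.113.9 120000",
    "2023-04-01T10:05:00Z ALLOW 10.0.0.6 203.0.113.20 80000",
    "2023-04-02T10:00:00Z ALLOW 10.0.0.5 203.0.113.9 110000",
    "2023-04-08T03:00:00Z ALLOW 10.0.0.9 192.0.2.77 9500000",
    "2023-04-08T10:00:00Z ALLOW 10.0.0.5 203.0.113.9 100000",
]
# Constructed proxy lines (assumed format: "ts,user,src,dst,bytes").
PROXY_LOG = [
    "2023-04-01T11:00:00Z,alice,10.0.0.5,198.51.100.4,40000",
    "2023-04-02T11:00:00Z,bob,10.0.0.6,198.51.100.4,45000",
    "2023-04-08T03:10:00Z,svc-backup,10.0.0.9,192.0.2.78,7000000",
    "2023-04-08T12:00:00Z,carol,10.0.0.7,198.51.100.4,500000",
]
# Constructed prefix table; a real deployment would use a GeoIP database.
REGION_BY_PREFIX = {"203.0.113.": "EU-West", "198.51.100.": "US-East", "192.0.2.": "Region-X"}


def parse_ts(stamp):
    """Parse the ISO-8601 UTC timestamp both assumed formats use."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def region_of(ip):
    for prefix, region in REGION_BY_PREFIX.items():
        if ip.startswith(prefix):
            return region
    return "unknown"


def parse_firewall(line):
    ts, action, src, dst, nbytes = line.split()
    return {"ts": parse_ts(ts), "tool": "firewall", "src": src, "dst": dst,
            "bytes": int(nbytes), "region": region_of(dst), "detail": action}


def parse_proxy(line):
    ts, user, src, dst, nbytes = line.split(",")
    return {"ts": parse_ts(ts), "tool": "proxy", "src": src, "dst": dst,
            "bytes": int(nbytes), "region": region_of(dst), "detail": user}


def collect_events():
    """Normalise both sources into the common schema, oldest first."""
    events = [parse_firewall(line) for line in FIREWALL_LOG]
    events += [parse_proxy(line) for line in PROXY_LOG]
    return sorted(events, key=lambda e: e["ts"])


def daily_bytes_by_region(events, start, end):
    """Average bytes per day sent to each destination region in [start, end)."""
    days = (end - start).days
    totals = defaultdict(int)
    for e in events:
        if start <= e["ts"] < end:
            totals[e["region"]] += e["bytes"]
    return {region: total / days for region, total in totals.items()}


def flag_anomalies(baseline, window, ratio=3.0):
    """Regions with no baseline traffic at all, or far above their baseline rate."""
    findings = []
    for region, rate in sorted(window.items()):
        base = baseline.get(region)
        if base is None:
            findings.append((region, "no baseline traffic to this region"))
        elif rate > ratio * base:
            findings.append((region, f"{rate / base:.1f}x daily baseline"))
    return findings


def run_hunt():
    """Baseline: 1-7 April. Hunt window: 8 April. Both are constructed."""
    events = collect_events()
    baseline = daily_bytes_by_region(events, parse_ts("2023-04-01T00:00:00Z"),
                                     parse_ts("2023-04-08T00:00:00Z"))
    window = daily_bytes_by_region(events, parse_ts("2023-04-08T00:00:00Z"),
                                   parse_ts("2023-04-09T00:00:00Z"))
    return flag_anomalies(baseline, window)


if __name__ == "__main__":
    for region, why in run_hunt():
        print(f"{region}: {why}")
```

Normalizing on a shared schema is what makes the comparison possible: the outbound burst to Region-X is only visible as one event once firewall and proxy records sit side by side, and the US-East spike is only suspicious relative to the rate the baseline window established.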

3. Use Up-to-Date Sources

To find attackers that have slipped past your defenses, you need to understand the most up-to-date attack techniques, tools, and processes. Relying on old or well-known threat information isn't as helpful: you've likely already incorporated known malware hashes and Indicators of Compromise (IOCs) or Indicators of Attack (IOAs) into your tools, so those threats are already being blocked.

Effective threat hunting focuses on attacks that cannot yet be automatically blocked, such as zero-day exploits, which target vulnerabilities before you have a chance to patch them. Tracking vulnerability reports as they are made public gives you a better idea of how you might be attacked. Sources like the Open Web Application Security Project (OWASP) are a good place to start.

4. Collaborate With Your Systems

Threat hunters are not intended to replace traditional IT professionals or systems. Hunters often rely on day-to-day security professionals to help them take advantage of cybersecurity solutions. To threat hunt efficiently, you need to use the data from tools and processes you are already using. When threat activity is identified but the attackers aren't found, you can use existing security data to narrow your scope.

Threat hunting requires human creativity and intuition, in addition to technology. Many security tools have features for analysis that you can take advantage of to automate some of your searches. Machine learning and artificial intelligence aren’t as good at pattern recognition as humans. However, these technologies can process significantly more data, significantly faster. The combination of human effort and technology makes for a powerful security tool.

5. Use Hunt Feedback

Regardless of whether your hunt uncovers an attacker, you should make sure to document your process and any evidence. Evidence found during hunts can help improve security systems and practices. It can be used to strengthen security protocols and fine-tune where you direct your efforts. Hunt processes can be evaluated and refined to make future hunts more successful.

As an added benefit, documentation of proactive threat hunting can improve your overall security posture. It can show a dedication to security practices and a commitment to keeping customer data safe. It can also be used to prove to auditors that compliance is being treated seriously.

Conclusion

Threat hunting can be a challenge to implement, one that takes time and resources. Threat hunting without basic security measures in place wastes your effort, since basic defenses can automatically block most attacks. You should already have robust and comprehensive security measures in place before adopting this practice.

Once you've taken the steps to fully secure your systems, try adding threat hunting practices periodically. You can enable your current security professionals to threat hunt part time. This way, even if you don't have dedicated threat hunting personnel, you can benefit from these practices.
