:: Threat Hunting :: Knowledge / Gyaan Shared by #NileshRoy
Dr. Nilesh Roy - PhD, CCISO, CEH, CISSP, JNCIE-SEC, CISA
Award winning CyberSecurity TechLeader & Advisor | Big4 Exp | Proud Member of International Advisory Board for CCISO @ EC-Council | Executive Member of CyberEdBoard | PhD - IT, CCISO, CEH, CISSP, JNCIE-SEC, CISA.
What is Threat Hunting?
Threat hunting, also known as cyberthreat hunting, is a proactive strategy of finding previously undiscovered or unresolved risks within an organization's network. Cyber threat hunting digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defenses. An attacker can remain on a network for months after slipping in and silently collecting data, looking for confidential material, or obtaining login credentials that will allow them to move laterally throughout the environment. Once an attacker has succeeded in eluding detection and an assault has breached an organization's defences, many businesses lack the advanced detection skills required to prevent advanced persistent threats from remaining in the network. As a result, threat hunting is a vital component of any security strategy.
How does threat hunting work?
A successful threat hunting programme is built on an environment's data fertility. In other words, a firm must first have an enterprise security system in place that collects data. The information gathered from it provides valuable clues for threat hunters.
Cyber threat hunters add a human touch to company security, supplementing automated technologies. They are expert IT security professionals who search for, log, monitor, and neutralize threats before they pose major problems. Ideally, they are security analysts from a company's IT department who are well-versed in its processes, but they can also be outside analysts.
The art of threat hunting is the discovery of unknowns in the environment. It extends beyond typical detection solutions like SIEM, endpoint detection and response (EDR), and others. Threat hunters sift through security data. They check for hidden malware or attackers, as well as patterns of suspicious activity that automated tooling may have missed or marked as resolved when it is not. They also help patch an enterprise's security system so that similar cyberattacks do not recur in the future.
Types of Threat Hunting
- Structured Hunting
- Unstructured Hunting
- Situational or Entity Driven
  - A situational hypothesis comes from an enterprise's internal risk assessment or a trends and vulnerabilities analysis unique to its IT environment.
  - Entity-oriented leads come from crowd-sourced attack data that, when reviewed, reveal the latest TTPs of current cyberthreats.
  - A threat hunter can then search for these specific behaviors within the environment.
Threat Hunting Steps
The process of proactive cyber threat hunting typically involves three steps: a trigger, an investigation and a resolution.
Step 1: The Trigger
A trigger points threat hunters to a specific system or area of the network for further investigation when advanced detection tools identify unusual actions that may indicate malicious activity. Often, a hypothesis about a new threat can be the trigger for proactive hunting. For example, a security team may search for advanced threats that use tools like fileless malware to evade existing defenses.
Step 2: Investigation
During the investigation phase, the threat hunter uses technology such as EDR (Endpoint Detection and Response) to take a deep dive into potential malicious compromise of a system. The investigation continues until either the activity is deemed benign or a complete picture of the malicious behavior has been created.
Step 3: Resolution
The resolution phase involves communicating relevant malicious activity intelligence to operations and security teams so they can respond to the incident and mitigate threats. The data gathered about both malicious and benign activity can be fed into automated technology to improve its effectiveness without further human intervention.
Throughout this process, cyber threat hunters gather as much information as possible about an attacker’s actions, methods and goals. They also analyze collected data to determine trends in an organization’s security environment, eliminate current vulnerabilities and make predictions to enhance security in the future.
Where Does Threat Hunting Fit?
Threat hunting is highly complementary to the standard process of incident detection, response, and remediation. As security technologies analyze the raw data to generate alerts, threat hunting is working in parallel - using queries and automation - to extract hunting leads out of the same data.
Hunting leads are then analyzed by human threat hunters, who are skilled in identifying the signs of adversary activity, which can then be managed through the same pipeline.
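As an added illustration of the three steps above (not code from the original post): the trigger hypothesis from Step 1, "script interpreters launched from Office documents or PowerShell run hidden or with an encoded command, as fileless malware tends to do", is turned into a query over constructed process-creation events, the matches become hunting leads for analyst triage, and a benign verdict from Step 3 is fed back so automation stops raising the same lead. Event fields, hosts, command lines and the flag list are all constructed for the example.

```python
"""Hypothesis-driven hunt over constructed process-creation events."""

# Constructed sample telemetry, not real data. One event per process start.
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"host": "ws02", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc QQBCAEMA"},   # constructed value
    {"host": "srv01", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws03", "parent": "excel.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\Users\\finance\\report-macro.hta"},
]

# The hypothesis expressed as data: which parents and children look like
# document-borne, fileless execution, and which PowerShell flags hide activity.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
HIDDEN_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")


def fingerprint(event):
    """Stable key for an event so an analyst verdict can be fed back later."""
    return (event["parent"].lower(), event["image"].lower(), event["cmdline"].lower())


def hunt(events, known_benign=frozenset()):
    """Steps 1 and 2: run the hypothesis as a query and return leads for triage."""
    leads = []
    for ev in events:
        parent, image, cmd = fingerprint(ev)
        if (parent, image, cmd) in known_benign:
            continue  # Step 3 feedback: a hunter already judged this activity benign
        reasons = []
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            reasons.append(f"script host {image} spawned by Office app {parent}")
        if image == "powershell.exe" and any(flag in cmd for flag in HIDDEN_PS_FLAGS):
            reasons.append("powershell launched hidden or with an encoded command")
        if reasons:
            leads.append({"host": ev["host"], "reasons": reasons,
                          "fingerprint": (parent, image, cmd)})
    return leads


def record_verdict(lead, verdict, known_benign):
    """Step 3: a benign verdict suppresses this exact activity in future hunts."""
    updated = set(known_benign)
    if verdict == "benign":
        updated.add(lead["fingerprint"])
    return frozenset(updated)
```

Only the exact (parent, image, command line) triple is suppressed after a benign verdict, so a later variation of the same activity still surfaces as a lead.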
GET TO KNOW THE AUTHOR
Nilesh Roy has about 27 years of progressive multi-industry and multi-geographic experience in the IT Infrastructure, Information Security and Cyber Security domain with a strong focus on optimizing workflows in the security operations center (SOC). In his current role, Nilesh works with Organizations across India to understand the biggest barriers to productivity and drive thought leadership on optimizing incident response and threat hunting. Nilesh is based in Mumbai, India.
Shared by #NileshRoy from #Mumbai (India) on #20April2023
#ThreatHunting #CyberThreat #CyberthreatHunting #ProactiveStrategy #Malicious #Attacker #Detection #DetectionElusion #DataFertility #Malware #SIEM #EDR #StructuredHunting #MITRE #ATT&CK #UnstructuredHunting #InformationSecurity #Consulting #InformationSecurityConsulting #SOC #SecurityOperationsCentre #ManagedSecurityServices #CyberSecurity #CyberSecuritySolutions