What is Threat Hunting?

At its essence, threat hunting is the act of proactively and iteratively searching through networks and datasets to detect threats that evade existing automated security solutions.

While automation and machine learning play a significant role in modern cybersecurity measures, they predominantly operate based on known threat patterns or signatures. Threat hunting, on the other hand, acknowledges an important fact: human adversaries are cunning, and often unpredictable. They create novel methods of infiltration and evasion that may not immediately match any known signatures.

Thus, threat hunting uses the combination of human intuition, expertise, and advanced analytical tools. It leverages human creativity and knowledge of tactics, techniques, and procedures (TTPs) employed by adversaries, allowing the hunter to anticipate and unearth covert activities.

The proactive nature of threat hunting extends beyond just networks. Threat hunters dive deep into endpoints, servers, logs, and databases, using a plethora of tools and tactics. Their activities are broad-ranging, from analyzing netflow data to scrutinizing binary files for potential malware. Each investigation is a potential journey down a rabbit hole.

In a nutshell, threat hunting is not merely an action but a mindset. It’s the adoption of an offensive posture in a traditionally defensive arena, an acknowledgment that, in the cyber landscape, merely responding is no longer sufficient. Threat hunters recognize the need to actively pursue, challenge, and preemptively engage with the cyber threats of today and tomorrow.

The Threat Hunting Process

1.?Formulate Hypotheses

The process begins with formulating hypotheses based on current threat intelligence, recent news, and an understanding of the organization’s assets and vulnerabilities. Threat hunters might ask questions like:

“Given our recent migration to cloud services, are there unmonitored entry points?”

“If I were an attacker, which high-value assets would I target, and how? These hypotheses guide the entire hunting process, narrowing down where to look and what to look for.”

2.?Data Collection

Armed with hypotheses, threat hunters gather relevant data. This data can be derived from various sources:

• Network data:?Captures communication patterns and can help in detecting suspicious lateral movements or data exfiltration attempts.
• Endpoint data:?Includes logs from workstations, servers, and other devices, instrumental in identifying malicious activities or software.
• Application logs:?Can reveal unauthorized access attempts or anomalies in user behavior.

3.?Analysis

This stage involves scrutinizing the collected data to confirm or refute the initial hypotheses. Advanced tools, including Security Information and Event Management (SIEM) systems, are employed to filter, correlate, and analyze the vast amount of data. Techniques such as pattern recognition, anomaly detection, and statistical analysis are used to identify indicators of compromise.

4.?Triage and Validation

Once potential threats are identified, they must be triaged to determine their severity and authenticity. This involves:

• Contextual Analysis:?How does this potential threat relate to the wider system or business operations?
• Environment Correlation:?Does this threat or pattern appear elsewhere in the organization?
• Threat Intelligence Correlation:?Comparing the findings with known threat intelligence to determine if there’s a match with known TTPs.

5.?Response

Once a legitimate threat is identified, it’s escalated to the incident response team. The response might include containment of the threat, eradication of malicious elements, and recovery of affected systems. The team also works to determine the threat’s origin, its objectives, and the extent of the compromise.

6.?Feedback Loop

Post-response, findings are documented and feedback is integrated into the organization’s cybersecurity policies, tools, and practices. This iterative process ensures continuous improvement, adapting to new threats, and refining hunting strategies.

The Advantages of Threat Hunting

In a cyber landscape that grows increasingly intricate with each passing day, it’s imperative to understand the dividends of incorporating a proactive strategy such as threat hunting. The question arises: Why invest time, resources, and expertise into this methodical hunt?

1.?Early Detection and Mitigation

Perhaps the most significant advantage is the early identification of threats. By actively seeking out anomalies and malicious activities, organizations can detect and address threats long before they escalate into full-blown breaches or incidents. Early detection often translates to reduced damage and cost.

2.?Reduced Attack Surface

Threat hunting helps organizations identify vulnerabilities in their infrastructure—loopholes they might not have been aware of. By pinpointing and addressing these weaknesses, the overall attack surface diminishes, making it harder for adversaries to find an entry point.

3.?Enhanced Incident Response

By continually engaging in threat hunting, incident response teams are better prepared when major incidents occur. The data and intelligence gathered during hunting expeditions can be invaluable in understanding the nature of an attack, potentially speeding up response times and recovery.

4.?Knowledge and Skill Development

Threat hunting is an iterative process, and with each cycle, the security team hones its skills. They become more adept at recognizing anomalies, understanding new attack vectors, and deploying countermeasures. This continuous learning strengthens the organization’s overall cybersecurity posture.

5.?Improved Security Posture

A proactive approach naturally bolsters the organization’s security stance. As potential vulnerabilities and threats are uncovered and addressed, security measures are refined and fortified, building a more robust defense mechanism over time.

6.?Stakeholder Confidence

In an era where data breaches and cyber incidents can erode stakeholder trust, having a proactive threat-hunting initiative showcases commitment to security. It can enhance the confidence of customers, partners, and investors, affirming that the organization is taking every measure to safeguard its digital assets.

7.?Regulatory Compliance

Many modern regulations and standards emphasize the importance of proactive security measures. Engaging in threat hunting can aid organizations in meeting compliance requirements, potentially avoiding legal repercussions and penalties.

Tools and Technologies: Amplifying the Threat Hunting Expedition

Threat Intelligence Platforms

These platforms gather, aggregate, and analyze information about emerging threats from various sources. They provide invaluable insights into current threat landscapes, potential vulnerabilities, and offer a consolidated view of myriad threats. Examples include Recorded Future, ThreatConnect, and AlienVault OTX.

2. Endpoint Detection and Response (EDR) Systems

EDR solutions continuously monitor, record, and store endpoint data. In doing so, they offer real-time analysis of security alerts. By gathering data from various endpoints, EDR tools can detect anomalous patterns, facilitating the hunter in spotting malicious activities. Popular EDR tools include CrowdStrike Falcon, Carbon Black, and SentinelOne.

3. Network Detection and Response (NDR) Tools

While EDR focuses on endpoints, NDR tools keep a vigilant eye on network traffic. They analyze network communication patterns, flagging suspicious activities or data transfers. Tools like Darktrace, Vectra Cognito, and ExtraHop Reveal(x) fall into this category.

4. Security Information and Event Management (SIEM) Systems

SIEM solutions are the nerve center for many threat-hunting activities. They aggregate log data produced by various network hardware and software entities and provide real-time analysis of security alerts generated by hardware and applications.

5. Sandboxing Solutions

To analyze suspicious files or URLs without affecting the primary infrastructure, sandboxing tools offer a safe environment. They can execute and observe malware behavior, revealing hidden malicious intent. Check Point’s Threat Emulation, Cuckoo Sandbox, and FireEye’s solutions exemplify this category.

6. Deep Packet Inspection (DPI) Tools

DPI allows threat hunters to inspect the content of network traffic at a granular level, not just headers. This depth offers insights into potential malicious payloads or covert communication channels. Tools such as Wireshark and Cisco’s Deep Packet Inspection are frequently employed.

7. Big Data Analytics Platforms

Given the sheer volume of data involved in threat hunting, big data solutions like Elasticsearch or Hadoop can play a pivotal role in storing, processing, and analyzing this data. They can sift through vast datasets swiftly, identifying patterns or correlations.

8. Automated Investigation and Response Tools

Post-detection, certain tools can automatically investigate alerts, pulling in contextual data, analyzing potential threat vectors, and even automating responses. This enhances the efficiency of the overall threat detection and response cycle.

"The idea behind threat hunting is what you don’t know can hurt you.? The cyber threats deployed a few months ago are not the focus of the hunt but rather the threats developed last month or last week.? Your security presence must always be evolving along with the threats and threat hunting allows us to do so continuously.?

To be successful you will follow a sequence similar to:

1. Fully understand your environment: endpoints, applications, servers; where are these located, and how does one get access to them.?
2. Prioritize these based on risk to the business and plan your hunt accordingly.? A hunt should always be reproducible and well-documented.?
3. Select the tool(s) most appropriate to that hunt
4. Execute

Evaluate the results and start planning for your next hunt.? The cyber war is never-ending.

Part of a comprehensive cybersecurity defense is deploying threat hunting.? A good threat-hunting capability will seek out the highest potential threats in a systematic manner.? To be constantly engaged in being one step ahead of the bad guys." - David Williamson CIO at Abenza

?