With the average cost for a data breach in the US rising to $9.44M, taking proactive measures to increase your cybersecurity posture is not optional. Threat hunting has become a particularly popular practice among organizations seeking to take a proactive approach to their risk mitigation strategies. But what is threat hunting in cyber security, and how does it work?
What Is Threat Hunting in Cyber Security?
Threat hunting, also called “incident response without the incident”, sits in the ‘Active Defense’ phase of the sliding scale of cyber security. The National Cyber Security Strategy defines threat hunting as “the proactive, iterative and human-centric identification of cyber threats that are internal to an IT network and have evaded existing security controls.”
Source: Detecting the Unknown – A Guide to Threat Hunting
When performed by skilled cybersecurity specialists with the right tools, threat hunting allows organizations to better identify and remediate advanced persistent threats (APTs), improving security posture and reducing their risk profile.
MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) is one of a handful of frameworks used to understand adversary behavior in cyberattacks (another being the Lockheed Martin Cyber Kill Chain®).
Essentially, the MITRE ATT&CK® framework is a knowledge base built from adversary techniques and tactics observed out in the real world. ATT&CK may be used to emulate adversary scenarios to test and verify defenses, run red team operations, assess suspicious behavior, and evaluate SOC effectiveness.
As normal practice, organizations mature their Architecture and Passive Defense (such as vulnerability management and technical controls) before partaking in threat hunting.
What’s the Difference Between Cyber Threat Hunting and Cyber Threat Detection?
Proactivity. Security operations center (SOC) teams usually adopt a reactive approach to threats: they respond to alerts issued by SIEM solutions, triage the threat, and then escalate it to a specialized team for remediation.
Threat hunting, on the other hand, is pursued proactively, before the threat triggers monitoring solutions. Threat hunters are driven by their own hypotheses and expertise about potential threats. Hypotheses are open-ended, for want of a better word; threat hunters assess their network (or system domain), and investigations are guided by what they discover. That means malicious actors and malware can be detected before they can exploit the organization’s systems.
Reactive protection can only identify “known known” threats, while proactive threat hunting capabilities can identify “known unknown” and “unknown unknown” threats.
Who Needs Threat Hunting?
While any business can benefit from threat hunting, there are industries and circumstances in which it is particularly important. For example, companies in heavily regulated industries such as healthcare, finance, and defense are often required by law to take proactive steps to ensure their systems have not been compromised.
Businesses that handle large amounts of sensitive customer data are also at a higher risk for attacks, and need to be extra vigilant in their threat hunting efforts.
SOC teams undertake active threat searches within the managed infrastructure, though these activities are usually informal and unstructured. The SANS 2017 Threat Hunting Survey found that, of 306 organizations, only 35.3% conducted regular threat hunts (and nearly half of those were government organizations), and only 4.6% were using guidance on conducting effective threat hunts.
Threat Hunting Framework
When hunting for threats, analysts typically use a combination of manual investigation and automated detection security tools. However, there are a number of different strategies that can be used to uncover malicious activity. Some of the most common include the following.
- Indicators of Compromise (IOC) Hunting: IOC hunting involves looking for specific patterns that are known to be associated with malicious activity. This can include things like unusual IP addresses, domain names, or file hashes.
- Behavioral Analysis: Behavioral analysis focuses on identifying changes in user behavior that could indicate an attack.
- Tactics, Techniques and Procedures (TTPs): This involves understanding the tactics, techniques, and procedures (TTPs) that attackers use, and then looking for similar activity on the network.
Threat Hunting Techniques and Tactics
The process of threat hunting itself can vary depending on the situation it’s used in. However, in most cases it follows a similar general structure, which can be broken down into the key steps below:
1. Hypothesis
A threat hunt begins with the hunter’s hypothesis about what threats may lurk in the infrastructure and how to go about uncovering them. The hypothesis includes the adversary’s tactics, techniques, and procedures (obtained from a threat hunting framework, such as MITRE ATT&CK®).
Hunters then use their own threat intelligence, knowledge of the environment, expertise, and creativity to build a path to detection.
2. Collecting and Processing Data
The next step is to take a closer look at the activity that’s been flagged as potentially threatening. This usually involves running additional tests and queries to determine whether or not the activity is actually malicious. For example, an analyst might check to see if a user who accessed sensitive data also accessed anomalous websites around the same time.
The organization’s SIEM software can provide insight and a record of activity in its systems.
3. Trigger
The trigger guides threat hunters to an area of the network or a specific system for detailed investigation when detection tools flag potentially malicious activity. Even a hypothesis about a new threat can become the trigger for a hunt.
4. Investigation
During investigation, threat hunters rely on technologies such as Endpoint Detection and Response (EDR) to conduct detailed investigations into how a system may have been maliciously compromised. The investigation carries on until it is determined that the activity is not malicious, or until a full picture of the malicious behavior is formed.
5. Take Action to Mitigate the Threat
Finally, the malicious activity is communicated to the security and operations team so they can mitigate threats. The data gathered (about both the malicious and benign activity) can be fed to automated security systems, enhancing their effectiveness and not requiring further human involvement.
Threat hunters may go one step further, determining the organization’s security trends and making predictions to help improve its security posture.
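The three hunting strategies listed above (IOC hunting, behavioral analysis, and TTP matching) and the five steps just described fit together in a single hypothesis-driven pass over log data. The script below is an added example written for this article, not code from the original page or from any product it mentions. It assumes a constructed log format of `timestamp|user|event|key=value`, and every indicator, threshold, user name, host name and address in it is invented for the example (the `.test` domain and the 198.51.100.0/24 range are reserved for documentation). The hypothesis it encodes is the one the article's own step 2 hints at: a compromised account reads sensitive files and visits an anomalous external site around the same time.

```python
"""Hypothesis-driven hunt over constructed log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Hypothesis ---------------------------------------------------------
# A compromised account reads sensitive finance files outside business hours
# and then contacts an external host to stage the data. All indicators,
# thresholds and log lines below are constructed for this example.
KNOWN_BAD_HOSTS = {"dropzone.example-bad.test"}            # constructed IOC list
KNOWN_BAD_HASHES = {"0badf00d0badf00d0badf00d0badf00d"}     # constructed IOC list
SENSITIVE_PREFIX = "/finance/"          # paths the hypothesis treats as sensitive
BUSINESS_HOURS = range(7, 19)           # logons between 07:00 and 18:59 are "normal"
INTERNAL_PREFIX = "10.0."               # constructed internal address space
WINDOW = timedelta(minutes=15)          # file read -> web request correlation window

# --- 2. Collecting data ----------------------------------------------------
# Constructed sample log: timestamp|user|event|key=value (not real data)
SAMPLE_LOGS = """\
2024-03-04T09:12:00|alice|logon|src=10.0.4.21
2024-03-04T09:15:10|alice|file_access|path=/finance/payroll.xlsx
2024-03-04T03:02:44|bob|logon|src=198.51.100.7
2024-03-04T03:04:01|bob|file_access|path=/finance/payroll.xlsx
2024-03-04T03:05:30|bob|web_request|host=paste.example-unknown.test
2024-03-04T10:30:00|carol|logon|src=10.0.4.33
2024-03-04T10:31:00|carol|process|hash=0badf00d0badf00d0badf00d0badf00d
"""


def parse_logs(text):
    """Turn raw lines into event dicts: ts, user, kind, plus the key=value field."""
    events = []
    for line in text.strip().splitlines():
        ts, user, kind, detail = line.split("|", 3)
        key, _, value = detail.partition("=")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "kind": kind, key: value})
    return events


def ioc_hits(events):
    """IOC hunting: match atomic indicators (hosts, hashes) against the lists."""
    return [e for e in events
            if e.get("host") in KNOWN_BAD_HOSTS or e.get("hash") in KNOWN_BAD_HASHES]


def behavioral_hits(events):
    """Behavioral analysis: logons outside business hours or from outside the internal space."""
    return [e for e in events if e["kind"] == "logon"
            and (e["ts"].hour not in BUSINESS_HOURS or not e["src"].startswith(INTERNAL_PREFIX))]


def triggers(events):
    """3. Trigger: the union of IOC and behavioral hits, grouped by user."""
    by_user = defaultdict(list)
    for e in ioc_hits(events) + behavioral_hits(events):
        by_user[e["user"]].append(e)
    return by_user


def investigate(events, user):
    """4. Investigation: rebuild the user's timeline and test the TTP pattern
    (sensitive file read followed by a web request within WINDOW)."""
    timeline = sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])
    reads = [e for e in timeline
             if e["kind"] == "file_access" and e["path"].startswith(SENSITIVE_PREFIX)]
    for r in reads:
        for e in timeline:
            if e["kind"] == "web_request" and r["ts"] <= e["ts"] <= r["ts"] + WINDOW:
                return {"user": user, "verdict": "suspected_staging",
                        "file": r["path"], "host": e["host"], "timeline": timeline}
    return {"user": user, "verdict": "no_pattern", "timeline": timeline}


def hunt(log_text):
    """Run the steps end to end. 5. Action: return findings for the SOC plus
    hosts the hypothesis surfaced that the IOC list did not already contain
    (the "known unknowns"), so they can be fed back into automated detection."""
    events = parse_logs(log_text)
    findings = [investigate(events, u) for u in sorted(triggers(events))]
    new_iocs = {f["host"] for f in findings if f["verdict"] == "suspected_staging"}
    return findings, new_iocs - KNOWN_BAD_HOSTS


if __name__ == "__main__":
    results, feedback = hunt(SAMPLE_LOGS)
    for f in results:
        print(f["user"], f["verdict"], f.get("host", ""))
    print("new indicators to feed back:", feedback)
```

In the sample data the IOC list only catches `carol`'s process hash (a known known), while the behavioral rule is what pulls `bob` into scope; the investigation step then turns that trigger into a concrete finding and produces a new indicator the hunt started without. That division of labor is the point of the article's "known unknown" framing: atomic IOCs alone would have missed the staging host.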
Threat Hunting Tools
Managed threat hunting services use a range of detection technologies and hunting tools to uncover malicious activity, including:
- Security information and event management (SIEM): SIEM solutions collect data from all the different devices and systems on a network. This security data is then analyzed for patterns that could indicate an attack.
- User and entity behavior analytics (UEBA): UEBA security solutions use machine learning to detect anomalous user behavior. This can be helpful in identifying malicious activity that’s disguised as normal usage.
- Intrusion detection systems (IDS): IDS solutions monitor network traffic for signs of an attack. They typically work by comparing incoming traffic against a database of known malicious activity.
- Intrusion prevention systems (IPS): IPS solutions not only monitor for unusual traffic like an IDS, but also react to potential threats by restricting access to your networks according to defined rules.
Why Threat Hunting is Worth Investing In
Does your business operate within a high-risk sector? Does it handle lots of sensitive data? Are you a target for nation-state attackers? If you answered yes to any of these questions, then threat hunting is definitely something worth considering.
Cybersecurity threat hunting is a fast growing market in the U.S., as organizations look to take a more proactive role in their cybersecurity. Here are five reasons why your organization should consider investing in threat hunting:
1. Stay Ahead of the Curve
The world of cybersecurity is constantly changing, and new threats are emerging all the time. By investing in threat hunting, you can stay ahead of the curve and keep your security team one step ahead of attackers.
2. Proactive Approach to Security
Threat hunting is a proactive approach to security, which means it can help you identify and neutralize threats before they cause any damage. This is in contrast to a reactive approach, which only focuses on the incident response after attacks have already happened.
3. Reduce Your Attack Surface
Attackers always target the weakest point in an organization’s defenses. By investing in threat hunting, you can reduce your attack surface and make it harder for attackers to find a way in.
4. Improve Your Security Posture
Threat hunting can help you improve your overall security posture by giving you insights into the threats you’re facing and the weaknesses in your defenses. This threat intelligence can then be used to make appropriate changes and improve your security posture.
5. Save Money in the Long Run
Investing in threat hunting can actually help you save money in the long run. This is because it can help you avoid costly data breaches, which can have a major financial impact on an organization.
Get Started with Cyber Threat Hunting
Threat hunting is one of the most effective ways to mitigate cyber risks for any organization. That said, it is neither a one-time activity nor just a matter of implementing a “threat hunting solution”. The effectiveness of the hunt (and the results your organization sees) is directly related to the skills, experience, and expertise of your threat hunters.
It’s why some of the top American intelligence, defense, healthcare, insurance, and financial services providers rely on our security specialists for malware hunting.
Find out how our team of 30+ experts helps organizations like yours stay ahead of cyber incidents and provides impact analyses you can take to your board.