Threat Hunting

Threat hunting is the practice of proactively searching a network for threats that existing controls have not detected. It goes deeper than other investigative techniques to find evasive malicious actors who have managed to bypass an organization’s defences.
Once attackers have penetrated the network perimeter, they can quietly gather data, retrieve sensitive material, and obtain login credentials to move laterally across the environment. Attackers can operate secretly on a network for months.
Unfortunately, most organizations lack advanced threat protection capabilities to completely prevent advanced persistent threats (APTs). Attackers will inevitably penetrate your defences, making threat hunting an essential part of any defence strategy.

Threat hunters start with assumptions based on security data or triggers they receive from the environment. Based on these inputs, they further investigate potential risks. Let’s review a few possible styles of threat hunting investigations.

Structured Hunting

Structured threat hunting is based on indicators of attack (IoA) and the attacker’s tactics, techniques, and procedures (TTPs). Hunts are organized around the TTPs observed on the network. Using TTPs, threat hunters can identify threat actors during the early stages of an attack, before they do harm to the environment.
This type of threat hunting relies on threat intelligence sources such as the MITRE ATT&CK Framework, which provides detailed information about a wide variety of TTPs.
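A structured hunt turns a TTP into a concrete hypothesis that can be tested against the data the organization already collects. The example below is an added illustration, not code from the original article: it checks two hypotheses against constructed authentication log lines, a burst of failed logons followed by a success from the same source (ATT&CK T1110, Brute Force) and one account reaching many distinct hosts in a short window (ATT&CK T1021, Remote Services). The comma-separated log layout, the thresholds and the window sizes are assumptions chosen for the example.

```python
"""Structured hunt: test TTP-based hypotheses against authentication logs.

Added example, not code from the original article. The log lines, field
layout (timestamp,event,user,source,target), thresholds and windows are
all constructed assumptions for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: "<ISO timestamp>,<event>,<user>,<src>,<dst>"
SAMPLE_LOGS = """\
2024-03-01T08:00:01,logon_failure,alice,10.0.0.5,srv-file01
2024-03-01T08:00:03,logon_failure,alice,10.0.0.5,srv-file01
2024-03-01T08:00:05,logon_failure,alice,10.0.0.5,srv-file01
2024-03-01T08:00:07,logon_failure,alice,10.0.0.5,srv-file01
2024-03-01T08:00:09,logon_failure,alice,10.0.0.5,srv-file01
2024-03-01T08:00:11,logon_success,alice,10.0.0.5,srv-file01
2024-03-01T08:05:00,logon_success,alice,10.0.0.5,srv-db01
2024-03-01T08:06:00,logon_success,alice,10.0.0.5,srv-dc01
2024-03-01T09:00:00,logon_failure,bob,10.0.0.9,srv-file01
2024-03-01T09:00:30,logon_success,bob,10.0.0.9,srv-file01
"""

FAILURE_THRESHOLD = 5                 # failures before a success that count as a brute-force pattern
FAILURE_WINDOW = timedelta(minutes=2)
LATERAL_WINDOW = timedelta(minutes=10)
LATERAL_HOST_THRESHOLD = 3            # distinct target hosts inside the window


def parse_logs(text):
    events = []
    for line in text.strip().splitlines():
        ts, event, user, src, dst = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "src": src, "dst": dst})
    return sorted(events, key=lambda e: e["ts"])


def hunt_brute_force(events):
    """Hypothesis: a burst of failures from one source against one account,
    followed by a success (ATT&CK T1110, Brute Force)."""
    findings = []
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e)
    for (user, src), seq in by_key.items():
        recent_failures = []
        for e in seq:
            if e["event"] == "logon_failure":
                recent_failures.append(e["ts"])
                # keep only the failures that fall inside the sliding window
                recent_failures = [t for t in recent_failures if e["ts"] - t <= FAILURE_WINDOW]
            elif e["event"] == "logon_success":
                if len(recent_failures) >= FAILURE_THRESHOLD:
                    findings.append({"ttp": "T1110 Brute Force", "user": user,
                                     "src": src, "at": e["ts"].isoformat()})
                recent_failures = []
    return findings


def hunt_lateral_movement(events):
    """Hypothesis: one account successfully logging on to many distinct hosts
    in a short window (ATT&CK T1021, Remote Services)."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "logon_success":
            by_user[e["user"]].append(e)
    for user, seq in by_user.items():
        for i, start in enumerate(seq):
            hosts = {x["dst"] for x in seq[i:] if x["ts"] - start["ts"] <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_HOST_THRESHOLD:
                findings.append({"ttp": "T1021 Remote Services", "user": user,
                                 "hosts": sorted(hosts), "from": start["ts"].isoformat()})
                break  # one finding per account is enough for the analyst to pivot on
    return findings


def run_hunt(text=SAMPLE_LOGS):
    events = parse_logs(text)
    return hunt_brute_force(events) + hunt_lateral_movement(events)


if __name__ == "__main__":
    for finding in run_hunt():
        print(finding)
```

Each hypothesis is a separate function so that a hunt can be extended one TTP at a time, and each finding carries the technique it was tested against, which is what the analyst needs to decide the next pivot.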

Unstructured Hunting

Unstructured threat hunting starts from a trigger or an indicator of compromise (IoC). The hunter searches the network for malicious patterns before and after the trigger or IoC. Threat hunters can investigate historical data as far as data retention limits permit. This type of threat hunting can discover new types of threats or threats that penetrated the environment in the past and are now dormant.
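An unstructured hunt starts from a single trigger and works outwards in time. The example below is an added illustration, not code from the original article: it locates the first event carrying a constructed IoC (a made-up file hash), then collects everything that happened on the same host shortly before and after it, honouring a retention limit so the hunt never assumes data that is no longer there. The key=value log format, the hash value, the pivot window and the retention period are all assumptions for the example.

```python
"""Unstructured hunt: pivot around one indicator of compromise (IoC).

Added example, not code from the original article. The log lines, the IoC
hash, the "<ISO timestamp> key=value ..." format, the pivot window and the
retention limit are constructed assumptions for the illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log lines spanning several days and two hosts.
SAMPLE_LOGS = """\
2024-02-20T10:00:00 host=ws-17 user=carol event=process_start path=C:\\tools\\7z.exe sha256=aaaa1111
2024-03-03T09:58:00 host=ws-17 user=carol event=dns query=updates.example.test
2024-03-03T09:59:30 host=ws-17 user=carol event=download path=C:\\Users\\carol\\Downloads\\invoice.exe sha256=feedbeef
2024-03-03T10:00:00 host=ws-17 user=carol event=process_start path=C:\\Users\\carol\\Downloads\\invoice.exe sha256=feedbeef
2024-03-03T10:02:10 host=ws-17 user=carol event=netconn dst=203.0.113.7:443
2024-03-03T10:03:00 host=ws-17 user=carol event=scheduled_task name=Updater
2024-03-03T12:00:00 host=ws-17 user=carol event=logoff
2024-03-03T10:01:00 host=ws-22 user=dave event=process_start path=C:\\Windows\\notepad.exe sha256=cafe0001
"""

TRIGGER_IOC = "feedbeef"            # constructed hash acting as the trigger
PIVOT_WINDOW = timedelta(minutes=30)
RETENTION_DAYS = 90                 # the hunt can only look back as far as retention allows

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def find_trigger(events, ioc):
    """Earliest event in which any field value equals the IoC."""
    for e in sorted(events, key=lambda e: e["ts"]):
        if ioc in {v for k, v in e.items() if k != "ts"}:
            return e
    return None


def pivot(events, trigger, window=PIVOT_WINDOW, retention_days=RETENTION_DAYS):
    """Every event on the trigger's host inside +/- window, limited to retained data."""
    newest = max(e["ts"] for e in events)
    oldest_kept = newest - timedelta(days=retention_days)
    return sorted(
        (e for e in events
         if e["host"] == trigger["host"]
         and e["ts"] >= oldest_kept
         and abs(e["ts"] - trigger["ts"]) <= window),
        key=lambda e: e["ts"])


def hunt(text=SAMPLE_LOGS, ioc=TRIGGER_IOC):
    events = [parse_line(line) for line in text.strip().splitlines()]
    trigger = find_trigger(events, ioc)
    if trigger is None:
        return []          # IoC never seen: nothing to pivot on
    return pivot(events, trigger)


if __name__ == "__main__":
    for e in hunt():
        print(e["ts"].isoformat(), e["event"], {k: v for k, v in e.items() if k not in ("ts", "event")})
```

The timeline that comes back (DNS lookup, download, execution, outbound connection, scheduled task) is the "before and after" context the section describes; the same pivot can be re-run with a wider window or a different IoC once the first pass suggests where to look next.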

Situational or Entity-Driven

Situational or entity-driven threat hunting focuses on high-risk/high-value entities such as sensitive data or critical computing resources. Its main benefit is that it helps focus and prioritize threat hunting activity to improve its effectiveness.
Attackers commonly target specific high-value or high-risk assets or privileged users such as IT administrators, domain controllers, and development managers. Threat hunting helps identify these high-priority targets and conduct focused searches for relevant threats.

Threat Hunting Best Practices

The following best practices can help you perform threat hunting more effectively.

Maintain Internal Transparency

To identify anomalies, hunters need to understand all aspects of their environment. This includes architecture, communication flows, and user rights. A threat hunter needs to identify high-value data that could be the focus of an attack. It is important that hunters understand business practices as well as employee and customer behaviour.
The only way to identify an activity as abnormal is to know what is normal in the organization. It can be helpful to set standards or baselines of behaviour. For example, if there are few customers using a specific product feature, but there is a lot of traffic to that feature, this could indicate an attack.
An important aspect of transparency is access to system data, usually in log format. Logs should be collected centrally so that modern security tools can analyse them in one place. Network filters, firewalls, and intrusion prevention and detection systems can all provide useful information.

Use Up-to-Date Sources

To find attackers who have broken through security defences, threat hunters need to understand the latest attack methods, tools, and processes. Relying on common knowledge or outdated threat information is not enough.
In the past, threat hunting could be as simple as recognizing a known malware hash or a simple indicator of compromise (IoC), but today these obvious threats are already being blocked by existing security solutions. Modern threat hunting must go beyond the obvious, for example discovering zero-day exploits, or attacks that cut across security silos, such as account compromise combined with injection attacks or network attacks.

Leverage Existing Tools and Automation

Threat hunters do not need to replace the organization’s IT professionals or ongoing security teams. Security and IT experts can help them access and make effective use of cybersecurity tools and datasets. Threat hunters should have access to all the tools and processes already in use by the organization. They should also have access to all security datasets.
Threat hunting requires human creativity and intuition, but automated analytics capabilities can save manual work for threat hunters. Machine learning algorithms are currently inferior to humans in pattern recognition but can process more data at a faster rate. Successful threat hunters combine human ingenuity with automated analysis.

Supplement Threat Hunting with UEBA

User and Entity Behaviour Analytics (UEBA) enables automated analysis of security data from SIEM, cloud systems, and security tools. UEBA solutions monitor the behaviour of users, applications, and other entities on the network, analysing their interactions with data and systems to identify anomalous behaviour.
UEBA can complement signature-based and rule-based detection with behavioural analytics by examining the behavioural patterns of humans and machines. UEBA can more easily detect internal threats, targeted attacks, financial fraud, and other threats that do not match known attack patterns or malware signatures.
UEBA accelerates the threat hunter’s ability to identify suspicious and anomalous behaviour and can also help threat hunters form hypotheses about the threat. Combined with threat intelligence, UEBA can help threat hunters quickly initiate searches to see whether anomalies on the network match known TTPs.
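Both the baseline advice under "Maintain Internal Transparency" (a feature that few customers use but that receives a lot of traffic) and the behavioural analytics described in this section come down to the same mechanism: learn what is normal for each entity, then flag today's departures from it. The example below is an added illustration, not code from the original article and not any UEBA product's logic. It applies a per-entity volume baseline (z-score against the entity's own history, with a floor so a flat history cannot divide by zero) and the article's requests-per-user feature check to constructed daily activity records; the record layout, thresholds and "today" label are assumptions for the example.

```python
"""Behavioural baselines: flag entities and features that depart from their history.

Added example, not code from the original article and not any UEBA product's
logic. The activity records, the day labels, the thresholds and the minimum
baseline length are constructed assumptions for the illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily activity: (day, entity, feature, request_count)
SAMPLE_ACTIVITY = [
    ("d1", "alice", "reports", 40), ("d2", "alice", "reports", 38),
    ("d3", "alice", "reports", 42), ("d4", "alice", "reports", 41),
    ("d5", "alice", "reports", 400),                      # sudden spike on the last day
    ("d1", "bob", "export", 5), ("d2", "bob", "export", 6),
    ("d3", "bob", "export", 4), ("d4", "bob", "export", 5),
    ("d5", "bob", "export", 6),
    ("d1", "carol", "export", 3), ("d5", "carol", "export", 2),   # too little history
]

Z_THRESHOLD = 3.0            # standard deviations above the entity's own mean
MIN_BASELINE_DAYS = 3        # refuse to score an entity with less history than this
FEATURE_RATIO_FACTOR = 5.0   # requests-per-user multiple of the feature's past ratio


def entity_anomalies(activity, today="d5"):
    """UEBA-style check: compare each entity's volume today with its own past days."""
    per_day = defaultdict(int)
    for day, user, _feature, count in activity:
        per_day[(user, day)] += count
    history, today_totals = defaultdict(list), {}
    for (user, day), total in per_day.items():
        if day == today:
            today_totals[user] = total
        else:
            history[user].append(total)
    findings = []
    for user, total in today_totals.items():
        past = history[user]
        if len(past) < MIN_BASELINE_DAYS:
            # an entity with no usable baseline is itself worth a look, but not a "spike"
            findings.append({"entity": user, "reason": "insufficient baseline", "today": total})
            continue
        mu, sigma = mean(past), max(pstdev(past), 1.0)   # floor avoids division by ~0
        z = (total - mu) / sigma
        if z >= Z_THRESHOLD:
            findings.append({"entity": user, "reason": "volume spike",
                             "z": round(z, 1), "today": total, "mean": round(mu, 1)})
    return findings


def feature_anomalies(activity, today="d5"):
    """The article's example: a feature with few users but heavy traffic, judged
    by requests per distinct user against the feature's own past ratio."""
    slots = defaultdict(lambda: {"requests": 0, "users": set()})
    for day, user, feature, count in activity:
        slots[(feature, day)]["requests"] += count
        slots[(feature, day)]["users"].add(user)
    past_ratios, today_ratio = defaultdict(list), {}
    for (feature, day), slot in slots.items():
        ratio = slot["requests"] / len(slot["users"])
        if day == today:
            today_ratio[feature] = (ratio, len(slot["users"]))
        else:
            past_ratios[feature].append(ratio)
    findings = []
    for feature, (ratio, users) in today_ratio.items():
        past = past_ratios[feature]
        if past and ratio > FEATURE_RATIO_FACTOR * mean(past):
            findings.append({"feature": feature, "users": users,
                             "requests_per_user": round(ratio, 1),
                             "baseline": round(mean(past), 2)})
    return findings


if __name__ == "__main__":
    for f in entity_anomalies(SAMPLE_ACTIVITY) + feature_anomalies(SAMPLE_ACTIVITY):
        print(f)
```

The two checks deliberately look at different things: the entity check would also fire if alice's spike were spread over several features, while the feature check would also fire if a single unknown account drove the traffic. An "insufficient baseline" result is reported rather than silently skipped, because a brand-new entity with activity is exactly the kind of thing a hunter wants to see.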
