What is cyber threat hunting?
Threat Hunting is a security function that combines proactive methodology, innovative technology, and threat intelligence to find and stop malicious activities.
Types of Threat Hunting
Security hunting is performed based on an indicator of attack (IoA), as well as the tactics, techniques, and procedures (TTPs) used by attackers.
Here threat hunting is performed based on a trigger or indicator of compromise (IoC), threat hunters use unstructured hunting to search for any anomalies or patterns throughout the system.
Here, situational hypotheses are designed from circumstances, such as vulnerabilities discovered during a network risk assessment. Entity-oriented leads are used from crowd-sourced attack data which consists of the latest TTPs of current cyber security threats. A threat hunter can then search for these specific behaviors within the test system.
What are the benefits of threat hunting?
Threat hunting strengthens an organization’s cybersecurity posture by moving from a reactive to a proactive approach to reducing risk.
- Identify a greater number of threats: 44% of attacks bypass traditional security defenses. Threat-hunting teams are trained to find these risks.
- Ensure earlier detection of threats: The longer the dwell time, the greater the risk. Threat hunters use behavioral analysis to find malware and attackers faster.
- Improve incident response: A SOC team will be focused on the incident at hand. Threat hunters look for the plan B and support the team with greater insight.
The Key Elements of Threat Hunting
The goal of threat hunting is to monitor everyday activities and traffic across the network and investigate possible anomalies to find any yet-to-be-discovered malicious activities that could lead to a full-blown breach. To achieve this level of early detection, threat hunting incorporates four equally important components:
- Methodology: To be successful at threat hunting, companies must commit to a proactive, full-time approach that is ongoing and ever-evolving. A reactive, ad hoc, “when we have time” perspective will be self-defeating and net only minimal results.
- Technology: Most companies already have comprehensive endpoint security solutions with automated detection in place. Threat hunting works in addition to these and adds advanced technologies to find anomalies, unusual patterns, and other traces of attackers that shouldn’t be in systems and files. New cloud-native endpoint protection platforms (EPP) that leverage big data analytics can capture and analyze large volumes of unfiltered endpoint data, while behavioral analytics and artificial intelligence can provide extensive, high-speed visibility into malicious behaviors that seem normal at the outset.
- Highly skilled, dedicated personnel: Threat hunters, or cybersecurity threat analysts, are a breed of their own. These experts not only know how to use the security technology mentioned, but they also combine a relentless aspiration to go on the offensive with intuitive problem-solving forensic capabilities to uncover and mitigate hidden threats.
- Threat intelligence: Having access to evidence-based global intelligence from experts around the world further enhances and expedites the hunt for already existing IOCs. Hunters are aided by information such as attack classifications for malware and threat group identification, as well as advanced threat indicators that can help zero in on malicious IOCs.
How Does Cyber Threat Hunting Work?
One key point to be noticed is that Cyber Threat Hunting is a data-driven activity. It depends on the availability of data generated out of endpoint monitoring tools. Threat hunting goes beyond a regular SIEM (Security information and event management) and EDR (endpoint detection and response) methodology and adds a human intelligence layer. Threat hunters go through these event logs/data to identify any new security attack patterns based on their drafted hunting models.
Steps to Cyber Threat Hunting
The process of the proactive cyber hunt for threats generally involves these steps:
Developing Hypothesis Cyber hunt typically begins with developing a threat hypothesis based on previously known threats, vulnerabilities, or from third-party threat intelligence sources including the latest attacker’s TTP (tactics, techniques, and procedure). This hypothesis development is crucial to identify patterns and anomalies that can lead to potential threat detection.
- Collect and Process Intelligence and Data
To process the data using derived hypotheses, it becomes equally important to collect data from various endpoints in the system. Data is then processed to see if it has anomalies and can invoke a trigger.
- Identifying Triggers
A trigger refers to a specific case where need for further investigation is required for eg. when threat detection tools identify unusual actions that may indicate malicious activity. Often, a hypothesis about a new attack or threat can be the trigger for proactive cyber threat hunting.
Once a trigger has been identified, the next step is to analyze the anomaly condition which can then be converted into an IoC (Indicator of Compromise) or an IoA (Indicator of Attack). In this phase, the threat hunter used security datasets from different tool sources like EDR (Endpoint Detection and Response), and SIEM (Security information and event management) to identify any lurking malicious threat in the system.
This is the final and most critical phase after the identification of a political Indicator of Attack (IoA) or Indicator of Compromise (IoC). Here the threat hunter communicates the security threat with all other stakeholders like the operations team to deploy an apt incident response solution at the earliest.
What’s required to Start Threat Hunting?
- Human Hunters (Cyber Security Experts)
An effective cyber threat-hunting program needs seasoned cyber security personnel on security hunting. Human effort helps get to a complex resolution much quicker and with better accuracy. Generally, a cyber security expert with proper cyber security knowledge and certification can be considered a good fit for this role.
- Organizational Model
Every organization must design its best-suited threat-hunting model for its threat-hunting process. Models should be based on an organization’s unique threat-hunting use cases.
- Tools & Technology
Many organizations use endpoint security solutions for detection response and investigations, security monitoring, and management tools often used by their threat hunters for further analysis. For example, SIEM services.
Data is the most key part for establishing a baseline of a system’s behavior. It can also be used to develop a baseline of expected and authorized events which can be later used to identify anomalies.
Top Challenges of Cyber Security Hunting
So far we have seen what cyber threat hunting is and how it works. It is worth noting that since threat hunting is a proactive activity, it comes with its own set of challenges. Let us see some of the common challenges an organization gets when implementing such security activities:
- Deploying Seasoned Cyber Threat Hunters
The human capital involved with cyber threat hunting is arguably the most difficult part. It is a constant challenge for any organization to find and keep skilled cyber threat hunters.
- Data Generation and Management
To efficiently identify hidden cyber threats, it is most critical to gather security data (both current and historical data) that provides visibility across an entire system. Such kind of data collection always involves dependencies on commercial third-party tools and the same is needed to generate useful data points for threat hunting.
- Staying up-to-date With Threat Intelligence
Threat hunters must be equipped with the most up-to-date attacker’s TTP (tactics, techniques, and procedure), and threat intelligence, enabling them to analyze current cyber attack trends with organization security data. This is very important in generating an effective threat-hunting hypothesis model.
Need for Automation in Threat Hunting
One can easily get overwhelmed by the above description of cyber threat hunting and its working. Cyber Threat hunting does add human intelligence to our existing threat identification techniques, but there are many scopes to automate certain activities. Let’s talk about a few areas where automation can help make cyber hunting more efficient and sustainable.
- Data Collection
Cyber threat hunting investigations involve collecting many categories and data from a variety of endpoint sources. If done manually, it can take numerous hours to maintain, sort, and parse these data into a normalized usable format. Here, deploying automated solutions or utilities can greatly reduce the amount of time required for collection, sorting, and maintenance.
- Investigation Process
A constant high volume of cyber threat alerts can easily overwhelm even the most experienced and well-staffed SOC. Automation can help reduce unwanted false positives or noise by quickly categorizing which threats is high, medium, and low risk, thus helping security teams in prioritizing their effort and allowing them to efficiently address remediation.
- Response Process
As discussed above, there are many commercial Incident response solutions/ tools that can be configured with pre-defined remediation steps. Automated responses can counter the smaller, more routine attacks, such as deleting custom scripts to isolate a compromised endpoint, deleting malicious files after isolation, and automatically using backup info to restore data compromised in an attack.
Tips and Best Practices to Improve Threat Hunting
- Identify your Organization’s “normal”
This means we should baseline first what is a normal expected behavior of our organization systems and then work on identifying anomalies.
- Observe, Orient, Decide, Act (OODA)
This can be seen as a workflow for a successful threat-hunting practice. First, observe for anomalies, then structure the identified risks, then decide the required actions to mend those anomalies, and finally execute your actions.
- Have Appropriate and Sufficient Resources
To carry out all the above actions effectively and efficiently, we need to have access to required resources like trained human professionals and analytical software tools.
Why hunt threats?
Threat hunting is important. Effective threat hunting helps reduce the time from intrusion to discovery, minimizing the damage done by attackers. The longer the time lapse between system failure and response, the more damage the organization suffers during an attack.
Additionally, threat hunting can help you:
- Find previously undetected threats and reduce dwell time (infection to detection).
- Understand your security environment to enhance the speed and accuracy of response. This will provide you with a considerable advantage over an attacker.
- Improve overall organizational posture. Don’t wait for an alert to go through your security information and event management (SIEM) tool. Find misconfigurations, identify gaps, and help reduce attack surfaces quickly.
Nothing is more valuable than learning from real-life situations and years of hands-on experience. If you’ve been in security for a couple of years, you know how difficult it is to get security analysts, architects, and threat hunters to share their knowledge. Black hat hackers use underground forums to exchange their insights all the time. That’s how they evolve and improve their tactics. So why can’t we, a force for good, get into that habit?
The rules of threat hunting
Do you know what to look for and where to look? Here are five rules for threat-hunting success:
- Collect logs from key areas.
Logs are critical to threat hunting. Collect logs from your key areas, including switches, routers, firewalls, proxies, web servers, applications, operating system events, Power Shell commands, audits, and EMETs. You don’t have to send them to your SIEM but at least consider writing them to disk.
- Monitor network data.
Know your environment’s data ingress and egress points. Know how your subnet roles are set up and establish directionality. Do full packet capture with a minimum of three days raw and two months of metadata.
- Analyze endpoint behavioral data.
Inventory all processes, scheduled tasks, unexpected services, registry access, and file and network data. Make sure you are hunting Amcache and Shimcache — gold mines of interesting data. Understanding what looks normal will help you identify when an anomaly occurs.
- Practice situational awareness.
After you aggregate all that data, what do you do? You use situational awareness.
- Understand what normal looks like on your hosts and network. Create a baseline for comparison.
- Become aware of what is normal so that when an anomaly occurs, it sticks out like a sore thumb.
- Outliers are always interesting though not always evil. Every time you see something, it doesn’t mean it’s an attacker. But you’ll learn something from that experience.
5 Leave preconceived notions at the door.
Threat hunting isn’t magic. Spend time getting better at what you do. Don’t start with an IOC. Start with a question: if data were leaving the environment, where’s the most likely place it would go? How would I get in from the outside if I were an attacker?