Cyber security threats are becoming increasingly sophisticated, and some of them get past even the strongest cybersecurity controls. As attacks happen more frequently and become more disruptive, people need to realize they are more at risk from such events than they might think. Security professionals in charge of protecting systems and networks must remain ever vigilant for the next threat or vulnerability. Rather than simply trusting that the security solutions in place will provide sufficient protection and detect every potential threat, organizations can add threat hunting as another element of a layered security strategy, empowering them to go on the offensive and look for threats themselves.
Cyber threat hunting is a proactive security practice in which you search through networks, endpoints, and datasets for malicious, suspicious, or risky activity that has evaded detection by existing tools. Traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandboxes and SIEM systems, typically involve an investigation only after a warning of a potential threat has been raised or an incident has occurred. Threat hunting, by contrast, actively looks for undetected threats that may already have penetrated your systems. The most dangerous attacks occur when the threat goes undetected and sits inside your systems and network for a period of time before the malicious action is taken. Attackers, if successful, can often lurk for weeks, or even months, before discovery. They wait patiently to siphon off data and uncover enough confidential information or credentials to unlock further access, setting the stage for a significant data breach.
Types of threat hunting
Hunters begin with a hypothesis based on security data or a trigger. The hypothesis or trigger serves as a springboard for a more in-depth investigation into potential risks. These deeper investigations fall into three types: structured, unstructured and situational hunting.
Structured hunting
A structured hunt is the more proactive approach, where the search is based on common indicators of attack (IoA) and the tactics, techniques and procedures (TTPs) of an attacker. All hunts are aligned with and based on the TTPs of the threat actors, so the hunter can usually identify a threat actor before the attacker causes damage to the environment. This hunting type uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, drawing on both the PRE-ATT&CK and enterprise matrices.
Unstructured hunting
An unstructured hunt is often triggered as a reaction to one of many indicators of compromise (IoC). Once the hunter is alerted that a system may have been compromised, they can immediately start looking for patterns both before and after the detection. Guided by that indicator, the hunter can research as far back as data retention and previously associated offences allow.
Situational or entity driven
A situational hypothesis comes from an enterprise's internal risk assessment or from a trends and vulnerabilities analysis unique to its IT environment. Applying threat hunting techniques across every system and network can consume a great deal of time. Adversaries will typically target certain high-value or high-risk assets or users in an organization (for example, a server where R&D data is kept, a domain controller, or a system administrator account). You can save a lot of time by focusing on the more important systems on your network and protecting the more important users. Organizations should identify what these assets are before an adversary does it for them.
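As an added example (not code from the original article), the following Python script runs the three hunt types above over a small constructed authentication log: a structured hunt whose hypothesis is the TTP-like pattern of one account logging on to many hosts within a short window, an unstructured hunt triggered by an IoC that looks back to the edge of the retention window and splits the activity into pre- and post-detection, and a situational filter that narrows the findings to a list of high-value assets. The log fields, the hypothesis thresholds, the 30-day retention window and the asset list are all assumptions made for the illustration.

```python
"""Added example, not from the original article: the three hunt types run over
a constructed authentication log. Field layout, thresholds, retention window
and the high-value asset list are all assumptions for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, source_ip, dest_host, event)
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "10.0.0.5", "ws-alice", "logon"),
    ("2024-03-01T09:05:00", "bob", "10.0.0.7", "ws-bob", "logon"),
    ("2024-03-03T02:10:00", "svc-backup", "10.0.0.99", "fs-rd01", "logon"),
    ("2024-03-03T02:12:00", "svc-backup", "10.0.0.99", "dc01", "logon"),
    ("2024-03-03T02:14:00", "svc-backup", "10.0.0.99", "ws-bob", "logon"),
    ("2024-03-03T02:15:00", "svc-backup", "10.0.0.99", "ws-alice", "logon"),
    ("2024-03-03T02:20:00", "svc-backup", "10.0.0.99", "fs-rd01", "file_read"),
    ("2024-03-04T10:00:00", "alice", "10.0.0.5", "ws-alice", "logon"),
]
RETENTION_DAYS = 30                      # assumed retention of the log store
HIGH_VALUE_ASSETS = {"dc01", "fs-rd01"}  # assumed output of the risk assessment


def parse(ts):
    return datetime.fromisoformat(ts)


def structured_hunt(events, max_hosts=3, window=timedelta(minutes=30)):
    """Structured hunt. Hypothesis (assumed for the example): an account that
    logs on to more than max_hosts distinct hosts inside one window is moving
    laterally. Returns {user: sorted list of hosts} for every account that fits."""
    logons = defaultdict(list)
    for ts, user, _ip, host, event in events:
        if event == "logon":
            logons[user].append((parse(ts), host))
    findings = {}
    for user, entries in logons.items():
        entries.sort()
        for i, (start, _host) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


def unstructured_hunt(events, ioc_ip, detected_at, retention_days=RETENTION_DAYS):
    """Unstructured hunt, triggered by an IoC (here a source IP). Collect every
    event involving the IoC back to the edge of the retention window and split
    it into activity before and after the moment of detection."""
    detected = parse(detected_at)
    oldest = detected - timedelta(days=retention_days)
    pre, post = [], []
    for ts, user, ip, host, event in events:
        t = parse(ts)
        if ip != ioc_ip or t < oldest:
            continue
        (pre if t < detected else post).append((ts, user, host, event))
    return {"pre": pre, "post": post}


def situational_filter(events, users, assets=HIGH_VALUE_ASSETS):
    """Situational hunt: keep only activity by the flagged accounts on the
    assets the organisation ranked as high value, so effort goes there first."""
    return [e for e in events if e[1] in users and e[3] in assets]


if __name__ == "__main__":
    flagged = structured_hunt(EVENTS)
    print("structured:", flagged)
    print("unstructured:", unstructured_hunt(EVENTS, "10.0.0.99", "2024-03-03T02:14:00"))
    print("situational:", situational_filter(EVENTS, set(flagged)))
```

The structured hunt flags only the service account that touched four hosts in five minutes, the unstructured hunt shows what the IoC address did before and after the alert within retention, and the situational filter reduces that to the two events on the domain controller and the R&D file server, which is where a hunter would spend the first hour.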
Threat hunting tools
There is a wide range of cyber threat hunting tools at our fingertips that can be used to examine both historical and current-state details of what has transpired on systems and across the network. Each tool provides a different perspective on the captured data. Here are some examples of cyber threat hunting tools you will want to consider:
- Security monitoring tools – Monitoring data from firewalls, endpoint protection, data loss prevention, network intrusion detection, insider threat detection, and other security tools provides threat hunters with attack details that help paint a picture of the activities performed by an attacker still residing in the network. The goal is to collect event log data from as many sources as possible, which also provides context when the various monitoring data sets are correlated.
- SIEM solutions – The volume of data collected from your systems can be overwhelming and hard to understand. Some of it is irrelevant and acts as white noise that makes the more important information harder to find. Security Information and Event Management (SIEM) solutions help threat hunters automatically gather and make sense of the massive amount of log data from security monitoring tools and other sources, making it possible to identify previously unseen security threats.
- Analytics tools – Cyber threat hunters are human, so there is only so much analysis and correlation the mind can do on its own. Analytics tools that perform either statistical or intelligence analysis can be of great use. Tools offering statistical analysis use mathematical algorithms instead of human-defined rule sets to identify data anomalies that may signify attack activity.
- Threat intelligence – Security research tends to be an insular process, and individuals or groups rarely share threat data with one another. This is due to a lack of trust, internal policies, or simply the inability to get the information out to the masses. Threat hunters need a repository of data on known malicious IP addresses, malware hashes, IoC artifacts, etc. to help quickly identify potential threats. This data can be found in both open source and subscription-based forms on the web, such as the Open Threat Exchange powered by AT&T Alien Labs.
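To show how the tools in this list fit together, here is an added example (not code from the original article, and not any vendor's product) of a small SIEM-style pipeline in Python: it normalises constructed log lines from three sources (firewall, endpoint agent, authentication) into one record format, runs a statistical anomaly check on per-host outbound traffic instead of a hand-written rule, correlates everything seen on a flagged host into one timeline, and enriches that timeline with a constructed threat-intelligence feed of file hashes. The log syntax, field names, the feed contents and the z-score threshold are all assumptions.

```python
"""Added example, not from the original article: a small SIEM-style pipeline
over constructed log lines from three sources. Formats, field names, the feed
contents and the z-score threshold are assumptions for this illustration."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines, one syntax per source, as a SIEM would ingest them.
FIREWALL_LOGS = [
    "2024-03-03T02:00:00 fw host=ws-bob out_bytes=12000",
    "2024-03-03T03:00:00 fw host=ws-bob out_bytes=15000",
    "2024-03-03T04:00:00 fw host=ws-bob out_bytes=11000",
    "2024-03-03T05:00:00 fw host=ws-bob out_bytes=14000",
    "2024-03-03T06:00:00 fw host=ws-bob out_bytes=480000",
    "2024-03-03T02:00:00 fw host=ws-alice out_bytes=9000",
    "2024-03-03T03:00:00 fw host=ws-alice out_bytes=10000",
    "2024-03-03T04:00:00 fw host=ws-alice out_bytes=9500",
    "2024-03-03T05:00:00 fw host=ws-alice out_bytes=10500",
]
ENDPOINT_LOGS = [
    "2024-03-03T05:55:00 edr host=ws-bob proc=archiver.exe sha256=aaaa1111",
    "2024-03-03T04:30:00 edr host=ws-alice proc=notepad.exe sha256=bbbb2222",
]
AUTH_LOGS = ["2024-03-03T05:50:00 auth host=ws-bob user=svc-backup result=success"]
THREAT_FEED = {"aaaa1111"}  # constructed feed of hashes reported as malicious

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_line(line):
    """Normalise one 'timestamp source key=value ...' line into a dict."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, source, rest = m.groups()
    return {"ts": ts, "source": source, **dict(kv.split("=", 1) for kv in rest.split())}


def normalize(*log_sets):
    """Parse every line from every source into one record list."""
    return [parse_line(line) for logs in log_sets for line in logs]


def outbound_anomalies(records, z_threshold=3.0, min_baseline=3):
    """Statistical analysis: flag an hourly outbound byte count whose z-score
    against the same host's *other* samples exceeds the threshold. The baseline
    leaves the sample out on purpose: with few samples, an outlier included in
    its own mean and deviation can never score above sqrt(n-1) and masks itself."""
    per_host = defaultdict(list)
    for r in records:
        if r["source"] == "fw":
            per_host[r["host"]].append((r["ts"], int(r["out_bytes"])))
    findings = []
    for host, samples in per_host.items():
        for i, (ts, value) in enumerate(samples):
            baseline = [v for j, (_, v) in enumerate(samples) if j != i]
            if len(baseline) < min_baseline:
                continue
            mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
            if sd > 0 and (value - mean) / sd > z_threshold:
                findings.append((host, ts, value))
    return findings


def intel_hits(records, feed=THREAT_FEED):
    """Threat intelligence: records whose file hash appears in the feed."""
    return [r for r in records if r.get("sha256") in feed]


def timeline(records, host, start, end):
    """Correlation: everything every source saw on one host inside a window,
    in time order, so auth, endpoint and network events are read together."""
    return sorted((r for r in records if r["host"] == host and start <= r["ts"] <= end),
                  key=lambda r: r["ts"])


def hunt(records):
    """For each network anomaly, pull the host's timeline for the preceding hour
    and note any threat-feed matches inside it."""
    results = []
    for host, ts, value in outbound_anomalies(records):
        start = (datetime.fromisoformat(ts) - timedelta(hours=1)).isoformat()
        events = timeline(records, host, start, ts)
        results.append({"host": host, "anomaly_bytes": value,
                        "events": events, "intel_hits": intel_hits(events)})
    return results


if __name__ == "__main__":
    for f in hunt(normalize(FIREWALL_LOGS, ENDPOINT_LOGS, AUTH_LOGS)):
        print(f["host"], f["anomaly_bytes"], len(f["events"]), "events", len(f["intel_hits"]), "intel hits")
```

On the constructed data the only statistical outlier is the 480000-byte hour on ws-bob; the correlated timeline for the preceding hour shows a service-account logon, a process whose hash is in the feed, and then the traffic spike, which is the kind of cross-source picture a hunter cannot assemble from any single tool's console.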
Security teams today must look for threats before IoCs appear on security portals. By the time an indicator of compromise appears, it might be too late to stop severe damage to the organization. The most proactive companies are upping their game, including utilizing some form of threat hunting, which combines tools and people to monitor network and endpoint data for unusual activity or evidence of ongoing attacks. Threat hunting is not something to do once and consider the job done. Continual iteration makes detection efforts more fruitful. Once threat hunters learn what constitutes normal activity, unusual events become more obvious. The more knowledge gained about an IT environment and network, the stronger an entity will be against attempted cyberattacks.