Threat hunting helps organisations identify security threats that could or are infiltrating their initial security defences. Typically, organisations have a defensive strategy when dealing with cyber threats, implementing solutions like firewalls, endpoint protection, email security, web security, etc. However, organisations have started to proactively hypothesise and identify cyber threats that may lie lurking in their networks, this is known as cyber threat hunting.
How does Threat Hunting work?
Due to the current cyber threat landscape organisations can no longer sit back and solely rely on their information security systems, information security teams need to remain vigilant, patching vulnerabilities and identifying the next cyber threat ahead of time. Cyber threat hunting involves creating a hypothesis based on potential threats or on how criminals may attack in the future and then testing these hypotheses by evaluating the current organisational environment. These hypotheses are created based on the data collected by security systems, threat hunters analyse the collected data for clues that may point towards any suspicious activity.
Cyber threat hunting works due to the addition of a human element to the threat hunting process i.e. skilled IT security professionals complement automated security processes to search, log, monitor and neutralise threats before they can cause serious problems. Usually, information security teams tend to wait for alerts before they scan networks and systems for breaches or other security incidents, with threat hunting information security personnel aggressively searching for breaches as if they have already occurred or will occur in the near future.
Proactive Threat Hunting Tools
Threat hunters use a variety of tools to support their methodologies. Tools can include the following:
- Advanced analytics, artificial intelligence, and machine learning
- Statistical analytics
- Intelligence analytics
- Security monitoring
- SIEM systems
- Threat intelligence
- Behaviour analytics
What are the types of Threat Hunting?
Threat hunters create a hypothesis based on certain security data or triggers that are identified. These hypotheses are then used to carry out an investigation, to discover any potential risks to a business’s information security. These investigations can be classified into three types:
- Structured hunting
A structured hunt is based on an IoA, also known as an ‘indicator of attack’ and the tactics, techniques, and procedures (TTPs) of a threat actor. All hunts are aligned and based on the TTPs of the threat actors. This enables the hunter to identify potential threat actors even before any damage is caused to the environment.
- Unstructured hunting
An unstructured hunt is initiated based on a trigger, one of many indicators of compromise (IoC). This trigger often cues a hunter to look for pre-and post-detection patterns. Guiding their approach, the hunter can research as far back as the data retention, and previously associated offences allow.
- Situational or entity driven
A situational hypothesis comes from an enterprise's internal risk assessment or a trends and vulnerabilities analysis unique to its IT environment. Entity-oriented leads come from crowd-sourced attack data that, when reviewed, reveal the latest TTPs of current cyber threats. A threat hunter can then search for these specific behaviours within the environment.
Proactive Threat Hunting Techniques
Threat hunters use a number of techniques to identify suspicious activities and behaviors, as well as locate threats that may have already breached systems. Below are six examples of proactive threat hunting techniques:
- Analysis - Monitoring data sources and logs, like DNS and firewall, examining network, file, and user data, and reviewing security information and event management (SIEM) and intrusion detection system (IDS) alerts to identify threats.
- Searching - Searching primarily means defining search criteria before querying the data to identify anomalies. Although this is often referred to as the simplest method of hunting, hunters should avoid searching too broadly for general artefacts, which may produce far too many results to be useful, or doing the opposite and searching too specifically may produce too little information to act upon.
- Baselining - Understanding and defining what ‘normal’ threat levels look like and then exploring possible deviations from the norm.
- Clustering - Clustering is a statistical technique, which consists of separating groups (clusters) of similar data points based on certain characteristics out of a larger set of data. This is often done using machine learning or artificial intelligence. Hunters examine large groups of related data to help spot similar anomalous data characteristics between system and network activities.
- Grouping - Grouping consists of taking multiple unique artefacts and identifying when multiple of them appear together based on certain criteria. “Artefacts” refer to the common pieces of information which are of interest to the hunter. The big difference between grouping and clustering is that grouping your input is an explicit set of items that are each already of interest. If a group seems out of place, it may potentially represent a tool or TTP that an attacker is using.
- Stacking - Stacking involves inspecting certain data values and then putting them into ‘stacks’ based on characteristics and analysing the outliers or extremes of those results.
Why is Threat Hunting important?
Some cyberthreats can get past your automated cybersecurity solutions. According to IBM, your security operation control analysts should be able to put a stop to 80% of the threats, but 20% of these threats are likely to slip through. These threats can cause significant damage to your systems and networks, having an effective threat hunting solution can help reduce the time between intrusion and discovery, therefore reducing any negative impacts.
To put it simply if threat hunting is not implemented, organisations will not know if there is a malicious actor within their systems. Cybercriminals who breach an organisation's systems can remain within their network for long periods of time collecting data, looking for sensitive information and credentials that will allow them to access deeper systems in an organisation. The impact of allowing a malicious actor to remain within an organisation’s networks once they gain entry can lead to irrevocable ramifications financially and reputationally, threat hunting allows organisations to identify and eradicate these malicious actors who get past initial defences preventing any additional damages before they can occur.
How can StickmanCyber help?
StickmanCyber takes a thorough approach to systematically identify, document and respond to possible cyberthreats to your organisation. Let our team of cybersecurity experts help you stay ahead of threats & attacks against your organisation. Contact StickmanCyber today to learn more about our Threat Monitoring, Detection, & Response services.