What Is Threat Hunting

 

What Is Threat Hunting? 

Threat hunting helps organisations identify security threats that get past their initial endpoint defences. Typically organisations have a defensive strategy when dealing with cyber threats, implementing solutions like firewalls, antivirus, endpoint protection, email security, web security etc. However, organisations along with these cyber security solutions, have started to proactively identify cyber threats that may lie lurking in their networks, this is known as cyber threat hunting. 

How does it work? 

Due to the current cyber threat landscape organisations can no longer sit back and solely rely on their information security systems, information security teams need to remain vigilant, patching vulnerabilities and identifying the next cyber threat ahead of time. Cyber threat hunting involves creating a hypothesis based on potential threats or on how criminals may attack in the future and then testing these hypotheses by evaluating the current organisational environment. These hypotheses are created based on the data collected by security systems, threat hunters analyse the collected data for clues that may point towards any suspicious activity. 

Cyber threat hunting works due to the addition of a human element to the threat hunting process i.e. skilled IT security professionals complement automated security processes to search, log, monitor and neutralize threats before they can cause serious problems. Usually, information security teams tend to wait for alerts before they scan networks and systems for breaches or other security incidents, with threat hunting information security personnel aggressively search for breaches as if they have already occurred or will occur in the near future.  


Threat Hunting Methodologies 

Initially, a threat hunter conducts an investigation on the assumption that a malicious actor is already present within an organisation’s system or network. These investigations can be of three different methodologies:

  1. Hypothesis-driven investigation - This type of investigation is triggered when a potential cyber threat emerges based on crowdsourced attack data which has provided insight into an attacker’s tactics, techniques and procedures (TTPs). Based on these new TTPs a hypothesis will then be created and tested by threat hunters in the environment of their own organisation.

  2. Investigations based on identified IOCs & IOAs - This type of investigation leverages threat intelligence to catalogue known Indicators of compromise (IOCs) or Indicators of attack (IOAs) associated with new emerging threats. This information is then used as a trigger for a threat hunter to identify malicious activity in an organisation. 

  3. Investigations using machine learning - This type of investigation combines powerful data analysis and machine learning to comb through a large amount of information in order to detect anomalies that might indicate malicious activity within an organisation.

 

Why Threat Hunting Is Needed

Some cyberthreats can get past your automated cybersecurity solutions, according to IBM, your security operation control analysts should be able to put a stop to 80% of the threats, but 20% of these threats are likely to slip through. These threats can cause significant damage to your systems and networks, having an effective threat hunting solution can help reduce the time between intrusion and discovery, therefore reducing any negative impacts. 

According to the Ponemon Institute, Cost of a Data Breach Report 2020, cybercriminals spend 191 days inside a network before being discovered, this provides them with more than enough time to steal the data they are looking for. The same report states that a data breach costs a company almost USD 4 million on average. And the harmful effects of a breach can linger for years. The longer the time between system failure and response deployed, the more it can cost an organisation. 

To put it simply if threat hunting is not implemented, organisations will not know if there is a malicious actor within their systems. Cybercriminals who breach an organisation's systems can remain within their network for long periods of time collecting data, looking for sensitive information and credentials that will allow them to access deeper systems in an organisation. The impact of allowing a malicious actor to remain within an organisation’s networks once they gain entry can lead to irrevocable ramifications financially and reputationally, threat hunting allows organisations to identify and eradicate these malicious actors who get past initial defences preventing any additional damages before they can occur. 

 

How Threat Hunting Is Performed

Threat hunting has quickly become an essential part of an organisation's cybersecurity posture, it consists of four key steps:

Step 1: Creating a hypothesis

The first step of any successful threat hunting attempt is to create a hypothesis of potential threats in the environment, it involves creating a hypothetical scenario of an attacker's tactics, techniques and procedures when it comes to breaching an organisation’s defences. An information security team can create a hypothesis using their own threat experiences and knowledge of the threat landscape. 

Step 2: Collect and process data and intelligence 

Threat hunting involves creating a plan for the collection and processing of intelligence and data. Often organisations implement SIEM solutions, Security Information & Event Management software can help an organisation keep track of the activities being conducted in an IT environment. 


Step 3: Trigger & Investigation

Using the hypothesis threat hunters can identify an area of investigation i.e. in this step of the threat hunting process a hypothesis of a new threat acts as a trigger for an information security team to conduct an investigation in a specific area of the organisation. Once triggered the investigation can start, threat hunters can utilise technology like endpoint detection and response to search for malicious anomalies in a system or network. 

 

Step 4: Response & Resolution

Once the investigation is complete the final step of threat hunting is response and resolution. Using the results from the investigation provided by threat hunters, information security teams can work on responding to and mitigating any threats identified. The data collected from investigations can also be used to improve the technology used to identify threats, reducing overall human interaction and further automating the process of threat detection. 

By the end of a threat hunting activity hopefully, the organisation would have learned more about their threat landscape and how future threats can be prevented. Threat hunting is something that should be taken seriously by every organisation, adding proactive measures on top of reactive cyber security solutions can greatly reduce the chances of facing any negative consequences of cyber attacks. 

 

Six Benefits of Threat Hunting

 

1. Uncovers Hidden Threats

 

Implementing a threat hunting program in your organisation’s cybersecurity strategy allows your organisation to proactively identify malware or any other threats that have managed to sneak into your network and systems. Threat hunting also does a great job of identifying and eliminating any malicious actors that may have gained access and are hiding in your networks and systems.

2. Faster Threat Response 

The proactive nature of threat hunting ensures that your organisation is one step ahead of the attackers, attackers can no longer rely on the vulnerabilities present in threat detection software that give them the time to complete an attack. By actively looking for threats, your organisation is better equipped to respond quickly when any anomalous activities are discovered

3. Reduces damage and overall risk 

The impact of allowing a malicious actor to remain within an organisation’s networks once they gain entry can lead to irrevocable ramifications financially and reputationally, threat hunting allows organisations to identify and eradicate these malicious actors who get past initial defences preventing any additional damages before they can occur. 

4. Helps improve defences 

One of the main results of carrying out a threat hunting program is that it provides insights on how to improve your organisation’s security to better defend against possible threats. Because threat hunting is carried out on the assumption that a potential threat has already occurred or a malicious actor is already present within your networks or systems, it provides valuable insight into how to improve your organisation’s existing defences. 

5. A more efficient approach to identifying threats

Threat Hunting utilises tools like security information and event management (SIEM) software products or an intrusion detection system (IDS) to help identify anomalies within your organisation’s networks and systems, leading to more efficient identification of threats and giving the ability to counteract them. 

6. Reduces Investigation Time

The results and knowledge gained from threat hunting exercises can drastically reduce the investigation time for security teams when an actual security incident occurs. Threat hunting provides organisations with a better understanding of their security capabilities, systems and networks along with their vulnerabilities. 

 

How can StickmanCyber help?

StickmanCyber takes a thorough approach to systematically identify, document and respond to possible cyberthreats to your organisation. Talk to a consultant today to learn more. 

 

Similar posts

 

Optus has been hit with a major cyber attack

In today’s world businesses around the world as well as in Australia, face increasingly sophisticated and innovative cybercriminals targeting what matters most to them; their money, data and reputation. Download our guide to learn everything you need to know about the Optus Data Breach, as well as the nine steps every business around the world and in Australia needs to take to avoid being next.