Learn more about Threat Hunting and how organizations can transform their cybersecurity methods from reactive to proactive.
In this 101, we’re going to cover:
With many vendors offering an array of threat hunting services, security professionals may wonder if hunting can actually benefit a company or if it’s just a fad. But threat hunting isn’t based on flashy technology that will become irrelevant in a few months. It’s a return to one of the basic tenets of information security: reviewing your IT environment for signs of malicious activity and operational deficiencies. Threat hunting uses a hypothesis-driven approach and is often supported by behavioral analytics, going way beyond rule or signature-based detection.
To help bring a little more clarity to the topic, I asked Cybereason's threat hunting team to answer a few of the most common questions that they've been asked recently.
Threat hunting is a cybersecurity function that uses proactive practices and intelligent technology to identify and mitigate malicious activity in an organization's systems. At its core, it works from the premise that attackers have already compromised the organization's systems. A vital element of this assumption is that these attacks have already found a way to evade detection by existing tools and technology, and that an active approach is therefore required to root out the threats. That sets threat hunting apart from traditional detection methods and tools that rely on conventional monitoring, even though those tools can aid the hunting process if used effectively.
A cyber threat is a circumstance or malicious act that disrupts digital life by compromising data, individuals, systems, or assets. Common cyber threats include malware, data breaches, ransomware attacks, and account takeovers. Threat actors are a diverse group: nation-states, terrorist groups, cybercriminals, and disgruntled insiders are all potential sources of cyber threats.
In the early days of cyber threat hunting, Indicators of Compromise (IOCs) were the cornerstone of proactive detection. IOCs represent evidence that an attack or system breach has occurred. To find them, threat hunters usually looked for files infected by malware or for anomalies such as unusual outbound data transfers. While extremely useful for identifying existing threats, one downside of IOC-based methods on their own is that they can only detect current breaches, and some new, sophisticated attacks may have no well-known indicators yet.
Addressing the limitations of relying strictly on IOCs meant adopting hypothesis-driven models to identify potential threats before attacks successfully infiltrate systems. This methodology focuses more on identifying vulnerabilities, which are an excellent predictor of future attack vectors.
Aside from vulnerabilities and existing system compromises, threat hunters are also interested in TTPs, or tactics, techniques, and procedures. Together, these make up the methods and behavior a threat actor uses to compromise a system.
Incident response is reactive by nature. Typically, an intrusion detection system or process generates an alert, and operators swarm the issue until they neutralize the threat and mitigate the damage. Threat hunting, conversely, is a proactive, hypothesis-driven activity that seeks to identify and eliminate threats that may already have breached the network or an organization's critical systems.
That isn't to say that threat hunting solely focuses on detecting—it's also a hypothesis-driven approach to prevention. Threat hunting is at its most effective when it can inform an organization's security posture, hardening attack surfaces to prevent incidents before they ever occur.
Where a robust incident response capability focuses on the fast identification of incidents and the ability to triage and resolve issues as they occur, threat hunting is at its most effective when used to drive system changes in architecture and configuration. That reduces risk and empowers incident response systems against future attacks.
When conducting a pen test, you’re actively trying to circumvent the organization’s defenses to learn what systems an attacker could access and see how far the adversary could advance in your environment. You’re basically trying to infiltrate your defenses from the outside.
Hunting is more of an inside-out approach. The assumption is that the bad guys are already in your environment, despite your best efforts to keep them out. Looking at what’s going on inside your environment, specifically odd behavior, will lead to discovering malicious activity.
Yes. 100%. Security teams can take the threat information gathered during a hunt, determine why they weren’t able to detect these threats and then figure out how they can detect the suspicions in future attacks. Skilled hunters realize that a big part of their job is digging up threat data that can be used to build stronger, better protection mechanisms.
Not at all. Sure, a key goal of hunting is to find existing threats in your environment. But hunts can also increase the visibility you have into your environment and identify potential security issues. For example, let’s say that a financial services company conducts a hunt and discovers that its environment is clean. However, many employees are using FTP, and around 100GB of data are leaving the company each day. Further investigation shows that the FTP use is legitimate, but the CISO is concerned: FTP had been banned to eliminate the possibility that attackers could use ftp.exe for data exfiltration. Without a hunt, the CISO would've continued to operate under a false assumption that could jeopardize the company’s security.
Almost. Consider threat hunters a hybrid: they’re like a white-hat version of Boba Fett (a threat could be considered their bounty) and have Indy’s deep knowledge of a particular subject (information security, in this case).
Hunters have an amazing amount of knowledge of IT environments, malware attack vectors, and threat actors. They know what Tactics, Techniques and Procedures (TTPs) to look for in an environment.
Hunters care about gathering information on the attack, like what information the attackers are after, their overall goals, and what systems were infiltrated. They’re not incident responders. Remediation isn’t their job (although they can work with incident response teams). It’s not uncommon for hunters to have government backgrounds; they’ve worked for the military or a three-letter federal agency.
To get started with threat hunting, organizations should focus on three critical steps: creating a hypothesis, executing it, and, finally, thoroughly experimenting and testing to reach conclusions. As in any scientific method, hypotheses should be actionable, testable, and constantly challenged for validity by the analysts who create them and by the team at large.
As mentioned previously, executing a hypothesis in threat hunting usually leads back to checking it against Indicators of Compromise (IOCs). Observing and analyzing indicators like privileged user activity, login attempts, HTML responses, registry changes, port access anomalies, or usage patterns that deviate from common geographic and seasonal baselines can all help threat hunters test their hypotheses.
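The three steps above (hypothesis, execution, conclusion) and the FTP-ban scenario from the earlier answer can be made concrete with a small script. The following is an added example written for this article, not Cybereason's code or any product's query language. It runs two hypotheses over a constructed endpoint telemetry set: H1, "FTP is banned, so no host should run ftp.exe or talk to port 21" (the CISO scenario), and H2, "privileged accounts do not log on interactively outside business hours or from countries where we have no staff". The event schema, business hours, staff countries, and the sample events are all assumptions made for the example; each hypothesis returns the evidence that contradicts it, and an empty result means the hypothesis survived this data set.

```python
"""Hypothesis-driven hunt over constructed endpoint telemetry (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data). "netconn" rows come from an
# assumed process/network sensor, "logon" rows from an assumed auth log.
EVENTS = [
    {"ts": "2024-03-04T09:12:00", "host": "fin-ws-07", "user": "jsmith", "kind": "netconn",
     "process": "ftp.exe", "dst_port": 21, "bytes_out": 52_000_000_000},
    {"ts": "2024-03-04T10:40:00", "host": "fin-ws-12", "user": "alee", "kind": "netconn",
     "process": "ftp.exe", "dst_port": 21, "bytes_out": 48_000_000_000},
    {"ts": "2024-03-04T11:05:00", "host": "fin-ws-03", "user": "rkhan", "kind": "netconn",
     "process": "chrome.exe", "dst_port": 443, "bytes_out": 12_000_000},
    {"ts": "2024-03-04T03:17:00", "host": "dc-01", "user": "svc_backup", "kind": "logon",
     "privileged": True, "logon_type": 10, "src_country": "US"},
    {"ts": "2024-03-04T14:02:00", "host": "dc-01", "user": "admin.jdoe", "kind": "logon",
     "privileged": True, "logon_type": 10, "src_country": "BR"},
    {"ts": "2024-03-04T15:30:00", "host": "fin-ws-07", "user": "jsmith", "kind": "logon",
     "privileged": False, "logon_type": 2, "src_country": "US"},
]

BUSINESS_HOURS = range(8, 19)       # assumption: 08:00-18:59 local time
STAFF_COUNTRIES = {"US", "GB"}      # assumption: countries where staff work
INTERACTIVE_LOGON_TYPES = {2, 10}   # Windows logon types: console (2) and RDP (10)


def hunt_ftp_ban(events):
    """H1: FTP is banned. Any ftp.exe process or port-21 connection contradicts it.

    Returns (findings, bytes_per_day): the contradicting events and the
    outbound FTP volume per calendar day, so the analyst sees both the
    individual hosts and the aggregate (the '100GB a day' picture).
    """
    findings = []
    bytes_per_day = defaultdict(int)
    for e in events:
        if e["kind"] != "netconn":
            continue
        if e["process"].lower() != "ftp.exe" and e["dst_port"] != 21:
            continue
        bytes_per_day[e["ts"][:10]] += e["bytes_out"]
        findings.append({k: e[k] for k in ("ts", "host", "user", "process", "bytes_out")})
    return findings, dict(bytes_per_day)


def hunt_privileged_logons(events):
    """H2: privileged interactive logons happen only in business hours and
    from staff countries. Each finding lists the reasons it contradicts H2."""
    findings = []
    for e in events:
        if e["kind"] != "logon" or not e["privileged"]:
            continue
        if e["logon_type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        reasons = []
        if datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if e["src_country"] not in STAFF_COUNTRIES:
            reasons.append(f"unexpected country {e['src_country']}")
        if reasons:
            findings.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                             "reasons": reasons})
    return findings


def run_hunt(events):
    """Execute both hypotheses and record a verdict for each.

    'falsified' only means the data contradicts the hypothesis; whether the
    activity is malicious (or, as in the article, legitimate but against
    policy) is the analyst's conclusion, not the script's.
    """
    ftp_findings, ftp_volume = hunt_ftp_ban(events)
    priv_findings = hunt_privileged_logons(events)
    return {
        "H1": {"verdict": "falsified" if ftp_findings else "survived",
               "evidence": ftp_findings, "bytes_per_day": ftp_volume},
        "H2": {"verdict": "falsified" if priv_findings else "survived",
               "evidence": priv_findings},
    }


if __name__ == "__main__":
    report = run_hunt(EVENTS)
    for name, result in report.items():
        print(f"{name}: {result['verdict']} ({len(result['evidence'])} contradicting events)")
        for ev in result["evidence"]:
            print("   ", ev)
    print("FTP bytes out per day:", report["H1"]["bytes_per_day"])
```

The point of structuring the hunt this way is that each hypothesis is a named, testable function whose output is evidence rather than a verdict about intent. When H1 is falsified by legitimate FTP use, the follow-up is a policy and architecture conversation (the CISO's "false assumption"); when H2 is falsified, the finding feeds incident response. Either way the function can be re-run on the next day's telemetry, which is what turns a one-off hunt into a detection.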
Staying current is one of a threat hunter's greatest assets. The cyber security industry is brimming with blogs, threat reports, and white papers that all have tremendous potential value for threat hunters seeking to stay informed. In particular, keeping a firm understanding of the types of attacks, malware, and mitigations the industry is seeing can go a long way towards creating more sound hypotheses and understanding what threats may be capable of bypassing intrusion detection and response systems.
Just as important as consuming external knowledge bases is for organizations to maintain institutional knowledge of incidents that have already impacted the company. Attacks typically leave a trail back to the vulnerabilities that allowed them to occur. Robust Endpoint Detection and Response tools can even map out attacks from end to end, greatly enhancing future threat hunting activities.
While threat hunting is a natural step forward for organizations seeking a more proactive approach to cybersecurity, not all threat hunting tools are created equal. What makes Cybereason's XDR threat hunting capability stand out is how it empowers analysts of any experience level into more effective threat hunters. It achieves this with a combination of powerful querying capability and superior usability, allowing easy transition between screens and events while executing complex hypotheses.
With each successful hunt, the system grows more powerful, allowing defenders to leverage custom detection rules and define new logic based on lessons learned. Previously unknown vulnerabilities, like the Log4Shell vulnerability, can still be prevented or remediated by the XDR platform. The Cybereason Nocturnus Team constantly evaluates new methodologies and attack vectors to uncover new IOCs. To schedule a demo and see this for yourself, click here.