Threat hunting starts with a pretty paranoid premise: that your network may have already been breached and threat actors may be inside waiting for an opportunity to strike.
Sadly, that turns out to be true in many cases. You can’t be paranoid enough when it comes to cybersecurity. And that’s why cyber threat hunting adds human and technical elements to cyber defenses to try to find signs that those cyber defenses may have already been breached.
Whether done by an internal team or an outside service, threat hunting adds another layer to cybersecurity defenses by working together with threat detection and response tools to provide a more comprehensive approach to threat defense.
As advanced persistent threats (APTs) that dwell inside your network are capable of causing great damage, any organization with sensitive data should regularly engage in threat hunting.
How Cyber Threat Hunting Works
Cyber threat hunting works by probing an organization’s network, systems, logs and other information sources to find any threats that were missed by traditional threat detection tools. A combination of techniques and tools is used to thoroughly investigate and analyze incidents and indicators of compromise (IoCs) with the goal of preventing or mitigating damage caused by network security attacks.
Threat hunting teams are often composed of analysts from SOC teams or similarly qualified security pros. Internal teams use systems like SIEM and security analytics to aid in their investigations. Externally, managed detection and response (MDR) is one service that often includes threat hunting.
The human element makes threat hunting closer to activities like pentesting and vulnerability assessments than to informational tools like threat intelligence feeds. The big difference is that rather than looking for vulnerabilities that could lead to an attack, threat hunting teams look for evidence of actual attacks.
4 Common Threat Hunting Activities
Fortunately, threat hunting teams have no shortage of tools and data for investigating potential threats. Searching all those data sources can be challenging, but a number of data approaches and tools can make it easier.
Searching meticulously for data that may contain potential threats can be time-consuming due to the vast amount of data that needs to be analyzed. To make things simpler, this activity is typically broken down into two methods, clustering and grouping.
Clustering involves analyzing large datasets to pinpoint patterns and anomalies that may indicate a security threat. Because the data is grouped by common attributes, cyber threat hunters can identify suspicious activity efficiently, making the threat hunting process more manageable.
Grouping involves clustering data by characteristics such as user accounts, system settings or application behavior to isolate anomalies that may pose a potential security threat. This technique enables cyber threat hunters to identify potential threats and facilitate immediate action to fix any security vulnerabilities.
Stack counting is a further technique for identifying and isolating potential network security threats by analyzing the behavior of different applications on an organization’s systems. By leveraging this approach, organizations can proactively safeguard their systems and data from evolving cyber threats and stay ahead of potential security breaches.
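As an added illustration of the grouping and stack counting activities just described (this is example code written for this page, not part of the original article), the Python below tallies how many distinct hosts exhibit each parent/child process pair across a small fleet and surfaces the rarest stacks. The `host|parent|child` log format and every record in it are constructed for the example; counting distinct hosts rather than raw events is a deliberate choice so one noisy machine cannot dominate the tally.

```python
"""Stack counting over constructed endpoint telemetry.

Stack counting tallies how often each value of a field appears across a
fleet; the values seen on very few hosts are the outliers worth a look.
This is the same sort-and-count a hunter might otherwise do in a spreadsheet.
"""
from collections import defaultdict

# Constructed records in the form host|parent_process|child_process.
# Invented for this example; not taken from any real environment.
SAMPLE_LOG = """\
ws01|explorer.exe|outlook.exe
ws01|explorer.exe|chrome.exe
ws02|explorer.exe|outlook.exe
ws02|explorer.exe|chrome.exe
ws03|explorer.exe|outlook.exe
ws03|explorer.exe|chrome.exe
ws04|explorer.exe|outlook.exe
ws04|explorer.exe|chrome.exe
ws04|explorer.exe|chrome.exe
ws05|explorer.exe|outlook.exe
ws05|winword.exe|powershell.exe
"""


def parse_events(text):
    """Parse 'host|parent|child' lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue  # noisy or truncated line: drop it rather than guess
        host, parent, child = parts
        events.append({"host": host, "parent": parent.lower(), "child": child.lower()})
    return events


def group_hosts_by(events, *fields):
    """Grouping step: map each distinct combination of the given fields to the
    set of hosts that produced it."""
    groups = defaultdict(set)
    for ev in events:
        key = tuple(ev[f] for f in fields)
        groups[key].add(ev["host"])
    return groups


def stack_count(events, *fields):
    """Stack counting: number of distinct hosts showing each value combination.
    Counting hosts rather than raw events stops one chatty machine from
    inflating a stack (ws04 above logs chrome twice but counts once)."""
    return {key: len(hosts) for key, hosts in group_hosts_by(events, *fields).items()}


def rare_values(events, *fields, max_hosts=1):
    """Return the least-frequent stacks (seen on at most max_hosts hosts),
    rarest first. These are the leads a hunter investigates."""
    counts = stack_count(events, *fields)
    rare = [(key, n) for key, n in counts.items() if n <= max_hosts]
    return sorted(rare, key=lambda kn: (kn[1], kn[0]))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    ranked = sorted(stack_count(evs, "parent", "child").items(), key=lambda kn: kn[1])
    for key, n in ranked:
        print(f"{n:>3} host(s)  {' -> '.join(key)}")
    print("outliers:", rare_values(evs, "parent", "child"))
```

Running the block ranks the three stacks by host count and reports the single pair seen on only one host as the outlier; the same functions work over any field combination (for example `stack_count(evs, "child")` alone), which is how hunters pivot from one grouping to another.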
We’ll cover the tools and techniques that make threat hunting possible in the next few sections.
7 Threat Hunting Techniques & Methodologies
These threat hunting techniques and methodologies can help security teams proactively detect security threats. And by using and maximizing the value of existing security tools, organizations can gain deeper insights into the data gathered by security solutions. This will help build a culture of security by raising awareness of security threats among employees and stakeholders, making the organization more resilient against evolving network security threats.
A structured approach to cyber threat hunting follows a clearly defined methodology or process for identifying and investigating potential security threats. This includes specific steps and procedures that guide threat hunters through the process of collecting and analyzing data to detect any anomalies.
The unstructured approach is more flexible and allows more creativity and intuition in identifying threats. It relies mostly on the expertise and experience of the cyber threat hunter to identify potential threats and investigate them without following tedious or rigid processes.
The situational or entity-driven technique is driven purely by the specific goal or focus of the investigation. The situational approach investigates a specific incident or security breach, while the entity-driven approach focuses on a particular system or network entity to identify potential network security threats.
Internal transparency ensures that all stakeholders, security teams, and management have access to relevant information and insights about the investigation. This builds trust and cooperation among different teams and improves the overall effectiveness of threat hunting.
Using up-to-date sources allows cyber threat hunting to identify potential security threats by using the most current and relevant data sources. This includes data from logs, network traffic, threat intelligence feeds, and other relevant sources. These up-to-date sources allow threat hunters to stay ahead of evolving threats and reduce the risk of security breaches.
Leverage existing tools and automation to analyze large amounts of data and identify potential network security threats. This can help cyber threat hunters work more efficiently and effectively, since it enables them to investigate potential threats more quickly and accurately.
User and Entity Behavior Analytics (UEBA) can supplement threat hunting by using machine learning algorithms to detect suspicious behavior patterns that potentially indicate a security threat. Using UEBA helps organizations improve their ability to proactively detect and respond to any potential security threats.
Cyber Threat Hunting Framework in 5 Steps
There is a five-stage process that is commonly used to identify, investigate, and respond to potential security threats. These serve as standard operating procedures to guide team activities.
Hypothesis is the starting point: making assumptions about potential threats based on intelligence or other indicators of compromise. The hypothesis should be specific and testable and must have a clear set of expected outcomes so that the steps needed can be clearly identified.
Collect and process data from a variety of sources, filter out irrelevant or noisy data, then transform it into a format that can be easily analyzed.
Triggers are alerts or other mechanisms that automatically notify the threat security team when certain conditions are met. These triggers could be based on specific patterns in the data or other indicators that suggest a potential threat.
Investigation happens after trigger alerts have been activated. Security hunters or analysts will use different tools and techniques to analyze the data and identify the potential network security threats. This may involve searching for specific indicators of compromise, identifying patterns in the data, or conducting more detailed analysis of specific systems or network segments.
Response, the final stage of the framework, is mitigating the identified threats. This includes isolating compromised systems, removing malware, patching vulnerabilities or taking other measures to prevent further damage. The response must be guided by the severity and nature of the threat, as well as by the resources and capabilities of the network security team.
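The five steps above, run end to end in Python over a handful of constructed Windows-style logon records, as an added example that is not part of the original article. The hypothesis is that service accounts never log on interactively; the comma-separated log format, the `svc_` naming convention for service accounts, and the choice of logon types 2 and 10 as "interactive" are assumptions made for the illustration, and the response step only produces a checklist for a responder to approve rather than acting on anything.

```python
"""Hypothesis-driven hunt over constructed logon events, following the five
steps: hypothesis -> collect/process -> trigger -> investigate -> response.
All data, field names and naming conventions below are constructed for
this example and are not taken from any real environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Step 1, hypothesis (specific, testable, expected outcome stated up front):
# "Service accounts (svc_*) never perform interactive logons (types 2 and 10).
#  Expected outcome: zero matching events; any match is a lead to investigate."
INTERACTIVE_LOGON_TYPES = {"2", "10"}   # assumption: 2 = local, 10 = remote interactive
SERVICE_ACCOUNT_PREFIX = "svc_"          # assumption: site naming convention

# Constructed log lines: time,account,host,logon_type (includes deliberate noise).
SAMPLE_LOG = """\
2024-03-04T08:01:12Z,alice,ws01,2
2024-03-04T08:02:40Z,svc_backup,fs01,5
2024-03-04T08:03:05Z,WS02$,dc01,3
2024-03-04T08:05:59Z,svc_backup,fs02,5
2024-03-04T22:14:31Z,svc_backup,ws17,10
2024-03-04T22:16:02Z,svc_backup,fs01,10
malformed line with no commas
2024-03-04T22:20:45Z,bob,ws03,2
"""


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    account: str
    host: str
    logon_type: str


def collect(text):
    """Step 2: parse and filter. Malformed lines and machine accounts
    (trailing '$') are noise for this hypothesis and are dropped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, account, host, ltype = parts
        if account.endswith("$"):
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(LogonEvent(when, account.lower(), host.lower(), ltype))
    return events


def trigger(events):
    """Step 3: the trigger condition is the negation of the hypothesis.
    Returns every event that contradicts it."""
    return [e for e in events
            if e.account.startswith(SERVICE_ACCOUNT_PREFIX)
            and e.logon_type in INTERACTIVE_LOGON_TYPES]


def investigate(events, hits):
    """Step 4: for each triggered account, assemble its full timeline and the
    hosts it touched, so the interactive logons are seen in context."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    report = {}
    for account in sorted({h.account for h in hits}):
        timeline = sorted(by_account[account], key=lambda e: e.time)
        report[account] = {
            "interactive_hosts": sorted({h.host for h in hits if h.account == account}),
            "all_hosts": sorted({e.host for e in timeline}),
            "first_seen": timeline[0].time.isoformat(),
            "last_seen": timeline[-1].time.isoformat(),
            "event_count": len(timeline),
        }
    return report


def plan_response(report):
    """Step 5: turn each finding into containment actions for a responder to
    approve. Nothing is executed here; the output is a checklist."""
    actions = {}
    for account, facts in report.items():
        steps = [f"confirm with the owner of {account} whether interactive use was expected"]
        steps += [f"review host {h} and isolate it if the logon was unexpected"
                  for h in facts["interactive_hosts"]]
        steps.append(f"rotate the credential for {account} and deny it interactive logon rights")
        actions[account] = steps
    return actions


if __name__ == "__main__":
    evs = collect(SAMPLE_LOG)
    hits = trigger(evs)
    report = investigate(evs, hits)
    for account, steps in plan_response(report).items():
        print(account, report[account])
        for step in steps:
            print("  -", step)
```

With the sample data, collection drops the malformed line and the machine account, the trigger fires on the two type-10 logons by `svc_backup`, the investigation shows that account normally uses type 5 against the file servers, and the response plan lists one owner check, one review per affected host and a credential rotation.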
What is a Threat Hunting Maturity Model?
The Hunting Maturity Model (HMM) is a framework that provides a structured approach for an organization to assess and improve its threat hunting capabilities. It typically contains five levels, where each level represents a new degree of maturity in terms of the organization’s capability to detect and respond to security threats.
Level 1 – Initial: The organization’s threat hunting capability is inconsistent, with little to no formalized process in place.
Level 2 – Minimal: The organization has some basic threat hunting processes in place, but they are not reactive or well-coordinated.
Level 3 – Procedural: The organization has established formal processes for threat hunting and has implemented tools and technologies to support these processes, but they may still be isolated and not fully integrated with the overall security posture of the organization.
Level 4 – Innovative: The organization is exploring new techniques and technologies for threat hunting and is continually looking for ways to improve its capabilities.
Level 5 – Leading: With highly sophisticated capabilities and systems in place, the organization is a recognized leader in threat hunting. It is continually pushing the limits of threat hunting and actively sharing its knowledge and skills with the larger security community.
Top Threat Hunting Tools
There are a number of tools that threat hunting teams rely on to help them spot IoCs and other signs of possible breaches.
- Spreadsheets: The simplest threat hunting tool is the humble spreadsheet, which many threat hunters use during a stack counting exercise to manage the counts and sort them so that outliers can be spotted easily.
- Security monitoring tools: Defensive security products such as firewalls, EDR tools, data loss prevention (DLP) systems, and network intrusion detection systems are all used by threat hunters to help reveal indicators of compromise.
- Statistical analysis tools: These use mathematical patterns to spot anomalous behavior in data, which the threat hunter may then decide warrants further investigation.
- Intelligence analytics tools: These tools help threat hunters visualize data with interactive charts and graphs that make it easier to spot previously hidden correlations and connections between entities, events, or data.
- SIEM systems: Security Information and Event Management (SIEM) solutions are used by threat hunters as well as reactive security staff to make sense of the vast amounts of log data that many organizations generate and to surface suspicious activity.
- User and entity behavior analytics tools: UEBA tools can help threat hunters spot anomalous behavior.
- Threat intelligence resources: As well as tipping threat hunters off about new threats to look for and techniques that attackers are adopting, threat intelligence resources also give details of specific executables or malware hashes to look for and malicious IP addresses to be wary of.
Is Threat Hunting Right for Your Business?
Any business can benefit from threat hunting, and the more sensitive and important your data is (especially if subject to compliance regulations), the more you need to start a threat hunting program or contract with a threat hunting service. There are a number of necessary capabilities that can help you decide whether your staff has the skill and expertise to carry out threat hunting.
Threat hunting requirements
Data familiarity: Threat hunting requires collecting and analyzing a large amount of data from different sources, in real time, to quickly identify potential threats. By leveraging a familiarity with similar data patterns, organizations can compare faster, accurately identify potential threats, and respond accordingly.
Skill and expertise: Effective threat hunting requires skilled personnel with the necessary expertise in cybersecurity, data analysis, and incident response. The threat security team should have a deep understanding of the organization’s systems, networks, and potential threat vectors.
Threat intelligence: Threat hunting requires continuous access to the latest threat intelligence, such as information on new vulnerabilities, attack techniques, and threat actor behaviors. This information will help identify potential threats and develop effective countermeasures.
Tools and technologies: To properly perform and execute threat hunting, there are specialized tools and technologies that an organization must have. These may include advanced analytics tools, a SIEM system, EDR tools, and network traffic analysis (NTA) solutions.
Continuous improvement: Continuously learning from previous threat hunting helps organizations stay on top of potential risks. It is important to stay ahead of evolving threats by regularly reviewing the threat hunting program’s effectiveness, refining processes and tools, and updating skills and expertise to ensure that the program stays effective.
Bottom Line: Threat Hunting
Cyber threat hunting is an increasingly important skill set for organizations with sensitive data, or those subject to data privacy and handling laws. Defensive security tools can’t stop every threat, and attackers can lurk inside a network for a long time without being caught.
A successful threat hunting program requires a skilled cybersecurity team with experience in data analysis and incident response. It must also have access to the latest threat intelligence trends and specialized tools and technologies for data analysis and management.
The requirements are high, but the potential payoff is big. By continuously looking for potential threats, organizations can gain a deeper understanding of their systems and networks and develop more effective countermeasures against potential attacks.
But organizations without those abilities can still conduct threat hunting with outside help (see the Top MDR Services).
This updates a May 17, 2019 article by Paul Rubens