Threat hunting is the process of proactively searching through environments and networks to detect and isolate advanced threats undiscovered by traditional security solutions. Threat hunting assumes that the environment is already compromised and attempts to locate active threats before they can do significant damage. Threat hunting is not a replacement for SIEM, SOC, or other traditional security solutions, but is intended to complement existing solutions to catch any threats that manage to slip through the cracks.
Threat hunting is a proactive process, not a reactive one. This means that threat hunters actively seek out threats that could already exist in the environment instead of waiting for alerts from a SOC team that there is an active threat in the network. When configured and run properly, traditional security solutions can detect and prevent most threats, but for advanced threats that can evade these systems, an active threat hunting approach is needed.
Why Is Threat Hunting Important?
No security solution can be 100% accurate, and the threat landscape is always changing. Breaches can be hard to detect. According to a recent study by IBM, companies take an average of 197 days to detect a breach. Threats that make it through traditional security solutions undetected can sit on a network for months and sometimes years, exfiltrating data and spreading throughout the network. Using threat hunting to shorten the time to discovery of advanced threats can significantly decrease the overall damage and scope of a breach and may even stop a campaign before any damage is done.
Getting Started With Threat Hunting
There are four main things you want to have when you start planning out your threat hunting program. You need actionable threat intelligence, aggregated security data, a solution to process and analyze that data, and qualified threat hunters to use the intelligence and analyzed data to find threats.
Actionable Threat Intelligence
Actionable threat intelligence helps analysts know what to look for when they are conducting the hunt. This intelligence provides information about where to look and what to look for before analysts can actually start hunting. Without this intelligence, you're basically trying to find Waldo in a Where's Waldo picture without a description of Waldo! Threat intelligence should be relevant to your organization's structure and industry. By targeting threats that your organization is likely to face, you spend less time looking for threats that are unlikely to impact you.
There is a wide range of sources that threat intelligence can come from, and what will be useful depends on your specific needs and industry. Free and paid threat feeds are a great place to start, as is collecting indicators of attack (IoAs) and indicators of compromise (IoCs), which you can use to determine who is attacking your systems and how to find them. Actionable threat intelligence is covered in depth in our Threat Intelligence Basics article.
Aggregated Security Data
Having a good data set for analysts to look through is critical to locating threats. This security data should be a cross-section of the environment to avoid bias and increase the diversity of information and sources. Data sources can include firewall and IDS logs, network traffic, endpoint security solutions, Active Directory/LDAP logs, DNS, VPN and switch logs, and much more. The more diverse and representative of the organization the data is, the better, as long as it's relevant and organized.
A Solution to Process and Analyze Data
A wide range of solutions can be used to process and analyze collected data, and what your organization ends up using will depend on your needs and resources. Solutions can range from a full-fledged SIEM or a dedicated threat solution such as ThreatConnect to an Excel workbook. Analytical tools can also be used to help visualize and statistically process data, giving the analyst a better understanding of what the data is showing.
Whatever process you use, it should keep your data organized, support efficient analysis, and bring value to the analysts. This will allow threat hunters to look through large amounts of data, filter out what is not relevant, and provide timely and meaningful results.
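As an added example (not code from the article or from NuHarbor), here is a minimal hunt that ties the three ingredients above together: a set of IoCs from threat intelligence, aggregated logs from two sources (DNS resolver and firewall), and a small analysis step that both matches indicators and stack-counts queries to surface the rare ones. All indicator values, hosts and log lines are constructed placeholders.

```python
import re
from collections import Counter

# Constructed threat-intel indicators (placeholder values, not real IoCs).
IOC_DOMAINS = {"bad-updates.example", "cdn-telemetry.example"}
IOC_IPS = {"203.0.113.45"}

# Constructed log lines from two sources, the kind of cross-section of the
# environment the article recommends aggregating before a hunt.
DNS_LOGS = [
    "2024-01-08T09:01:02 client=10.0.1.15 query=intranet.corp.example type=A",
    "2024-01-08T09:01:09 client=10.0.1.15 query=bad-updates.example type=A",
    "2024-01-08T09:02:40 client=10.0.2.7 query=intranet.corp.example type=A",
    "2024-01-08T09:03:15 client=10.0.2.7 query=mail.corp.example type=A",
    "2024-01-08T09:04:00 client=10.0.3.99 query=login.corp.example type=A",
]
FW_LOGS = [
    "2024-01-08T09:01:10 src=10.0.1.15 dst=203.0.113.45 dport=443 action=allow",
    "2024-01-08T09:02:45 src=10.0.2.7 dst=198.51.100.9 dport=443 action=allow",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn a 'timestamp key=value ...' log line into a dict."""
    fields = dict(KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def hunt_iocs(dns_logs, fw_logs):
    """Return (host, indicator, source) hits for known-bad domains and IPs."""
    hits = []
    for rec in map(parse, dns_logs):
        if rec.get("query") in IOC_DOMAINS:
            hits.append((rec["client"], rec["query"], "dns"))
    for rec in map(parse, fw_logs):
        if rec.get("dst") in IOC_IPS:
            hits.append((rec["src"], rec["dst"], "firewall"))
    return hits


def rare_queries(dns_logs, max_count=1):
    """Stack-count DNS queries and return the long tail (seen <= max_count times).

    Rarity alone is not malice: the hunter still has to triage this list.
    """
    counts = Counter(parse(line).get("query") for line in dns_logs)
    return sorted(q for q, n in counts.items() if n <= max_count)
```

Both DNS and firewall evidence point at the same host here, which is the kind of cross-source corroboration that turns a single indicator match into a finding worth escalating.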
Qualified Threat Hunters
This is the most important part of threat hunting! The human element is critical to finding threats that slip through automated searches and defenses. Humans have a knack for picking out patterns that computers cannot. Threat hunters must have technical knowledge across a wide range of cybersecurity topics and be able to effectively use tools and analyze data to find the signal in the noise. Tools are only useful if the user knows what they're doing!
The MITRE ATT&CK framework is a great way to get started when structuring your threat hunting process. You can also work with a trusted partner like NuHarbor to provide this service or help you get your process off the ground.
Threat hunting is a critical part of any cybersecurity program and can add significant value by augmenting your existing traditional security program. Proactively searching for threats in your environment can reduce the scope of a breach and catch threat actors before they can do significant damage.
Not sure if you have the personnel or resources to start your threat hunting program, or want expert advice? Contact NuHarbor to learn about our Cyber Threat Analyst Center (CTAC). Our experienced threat analysts will monitor your environment to identify low-profile threat actors that don't trip traditional alerts.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.