What is Threat Hunting?
Threat hunting is the process of proactively searching through environments and networks to detect and isolate advanced threats that were not discovered by traditional security solutions. Threat hunting assumes that the environment is already compromised and attempts to locate active threats before they can do significant damage. Threat hunting is not a replacement for SIEM, SOC, or other traditional security solutions but is intended to complement existing solutions to catch any threats that managed to slip through the cracks.
Additionally, threat hunting is a proactive process, not a reactive one. Threat hunters actively seek out threats that may already exist in the environment instead of waiting for a SOC alert that there is an active threat in the network. When configured and run properly, traditional security solutions can detect and prevent most threats, but for advanced threats that can evade these systems, an active threat hunting approach is needed.
Why is Threat Hunting Important?
No security solution can be 100% accurate, and the threat landscape is always changing. Breaches can be hard to detect: companies take an average of 197 days to identify a breach, according to IBM's 2018 Cost of a Data Breach study. Threats that make it through traditional security solutions undetected can sit on a network for months, sometimes years, exfiltrating data and spreading laterally. Using threat hunting to shorten the time to discovery of advanced threats can significantly decrease the overall damage and scope of a breach, and may even stop a campaign before any damage is done.
Getting Started with Threat Hunting
There are four main things that you will want to have when you start to plan out your threat hunting program. You need actionable threat intelligence, aggregated security data, a solution to process and analyze that data, and qualified threat hunters to use the intelligence and analyzed data to find threats.
Actionable Threat Intelligence
Actionable threat intelligence tells analysts where to look and what to look for before they actually start hunting. Without it, you are basically trying to find Waldo without a description of what Waldo looks like! Threat intelligence should be relevant to your organization's structure and industry. By targeting the threats your organization is likely to face, you spend less time looking for threats that are unlikely to impact you.
Threat intelligence can come from a wide range of sources, and what is useful will depend on your specific needs and industry. Free and paid threat feeds are a good place to start, as are Indicators of Attack (IOAs) and Indicators of Compromise (IOCs), which help you determine who is attacking your systems and how to find them. Actionable threat intelligence is covered in depth in our Threat Intelligence Basics article.
Aggregated Security Data
Having a good data set for analysts to work through is critical to locating threats. This security data should be a cross-section of the environment, to avoid bias and increase the diversity of information and sources. Data sources can include firewall and IDS logs, network traffic, endpoint security solutions, Active Directory/LDAP logs, DNS, VPN and switch logs, and much more. The more diverse and representative of the organization the data is, the better, as long as it is relevant and organized.
A Solution to Process and Analyze Data
A wide range of solutions can be used to process and analyze collected data, and what your organization ends up using will depend on your needs and resources. Solutions range from a full-fledged SIEM or a dedicated threat intelligence platform such as ThreatConnect down to an Excel workbook. Analytical tools can also help visualize and statistically process the data, giving the analyst a better understanding of what it is showing.
Whatever process you use, it should keep your data organized, analyze it efficiently, and bring value to the analysts. This lets threat hunters look through large amounts of data, filter out what is not relevant, and produce meaningful results efficiently.
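As an added example, not code from the original article or from NuHarbor, the Python script below runs a small hunt over aggregated DNS data of the kind described above. It combines the two inputs discussed in the preceding sections: an intelligence-driven pass that matches queries against IOC domains from a threat feed, and a hypothesis-driven pass that stacks domains across all hosts and surfaces the rare ones, where low-and-slow command-and-control tends to hide. The log format, host names, domains, and IOC list are all constructed for the example and are not real telemetry or a real feed.

```python
"""Minimal DNS threat hunt: IOC matching plus rarity stacking.

Added example; the log lines, hosts, domains and IOC list below are
constructed for illustration and are not real data.
"""
from collections import defaultdict

# Constructed sample of aggregated DNS logs. Format: "<timestamp> <host> <query>".
# The last line is deliberately malformed to show that the parser skips it.
DNS_LOGS = """\
2024-03-01T08:00:01 ws-101 sso.vendor.example
2024-03-01T08:00:03 ws-102 sso.vendor.example
2024-03-01T08:00:05 ws-103 sso.vendor.example
2024-03-01T08:01:10 ws-101 updates.os-vendor.example
2024-03-01T08:01:12 ws-102 updates.os-vendor.example
2024-03-01T08:02:00 ws-103 updates.os-vendor.example
2024-03-01T08:05:00 ws-102 cdn.evil-update.example
2024-03-01T08:05:30 ws-101 intranet.corp.example
2024-03-01T08:06:00 ws-103 intranet.corp.example
2024-03-01T08:07:45 ws-102 intranet.corp.example
2024-03-01T08:09:00 ws-103 x7k2q9.zz-lookalike.example
malformed line
"""

# Hypothetical IOC domains, as they might arrive from a threat feed.
# Note the feed does NOT know about zz-lookalike.example.
IOC_DOMAINS = {"evil-update.example"}


def parse_dns_logs(text):
    """Turn raw log text into (timestamp, host, query) tuples.

    Queries are lower-cased and stripped of a trailing dot so that
    'Evil.Example.' and 'evil.example' compare equal. Malformed lines are
    skipped rather than aborting the whole hunt.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, host, query = parts
        records.append((ts, host, query.lower().rstrip(".")))
    return records


def match_iocs(records, iocs):
    """Intel-driven pass: flag queries whose domain or any parent domain is an IOC.

    'cdn.evil-update.example' matches the IOC 'evil-update.example'. The loop
    stops before the bare TLD so a feed entry like 'example' alone cannot
    match everything.
    """
    hits = []
    for ts, host, query in records:
        labels = query.split(".")
        for i in range(len(labels) - 1):
            if ".".join(labels[i:]) in iocs:
                hits.append((ts, host, query))
                break
    return hits


def stack_rare_domains(records, max_hosts=1):
    """Hypothesis-driven pass: domains resolved by at most `max_hosts` distinct hosts.

    Stacking (counting across the whole environment) filters out the bulk of
    benign traffic, which many hosts share, and leaves the long tail for a
    human to review. Returns a sorted list of (domain, [hosts]).
    """
    hosts_by_domain = defaultdict(set)
    for _, host, query in records:
        hosts_by_domain[query].add(host)
    return sorted(
        (domain, sorted(hosts))
        for domain, hosts in hosts_by_domain.items()
        if len(hosts) <= max_hosts
    )


def run_hunt(text=DNS_LOGS, iocs=IOC_DOMAINS):
    """Run both passes and return the findings for the analyst."""
    records = parse_dns_logs(text)
    return {
        "records": len(records),
        "ioc_hits": match_iocs(records, iocs),
        "rare_domains": stack_rare_domains(records),
    }


if __name__ == "__main__":
    findings = run_hunt()
    print(f"parsed {findings['records']} records")
    for ts, host, query in findings["ioc_hits"]:
        print(f"IOC hit   {ts} {host} {query}")
    for domain, hosts in findings["rare_domains"]:
        print(f"rare      {domain} seen only on {', '.join(hosts)}")
```

In this sample the IOC pass catches only the feed's known bad domain, while the stacking pass also surfaces the lookalike domain the feed has never heard of; that gap is exactly why hunting complements, rather than replaces, intelligence and alerting. On a real data set the stacking pass is run over days or weeks of data with a maintained allow list of known-good domains, and the rarity threshold is tuned to the size of the fleet.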
Qualified Threat Hunters
This is the most important part of threat hunting! The human element is critical to finding threats that slip through automated searches and defenses. Humans have a knack for picking out patterns that automated rules miss. Threat hunters need technical knowledge across a wide range of cybersecurity topics and must be able to use tools effectively and analyze data to find the signal in the noise. Tools are only useful if the user knows what they are doing!
The MITRE ATT&CK framework is a great way to get started when structuring your threat hunting process even if you do not know where to start. You can also work with a trusted partner like NuHarbor Security to provide this service or help you in getting your process off the ground.
Threat hunting is a critical part of a cybersecurity program and can add significant value by augmenting your existing traditional security program. Proactively searching for threats in your environment can reduce the scope of a breach and catch threat actors before they can do significant damage.
Not sure if you have the personnel or resources to start your threat hunting program, or want to defer to the experts? Check out the NuHarbor Cyber Threat Analyst Cell (CTAC). As your end-to-end security provider, experienced CTAC threat analysts will monitor your environment to identify low-profile threat actors that do not trip traditional alerts. Don’t hesitate to reach out if you want to learn more!
by: Hayley Froio
Information Assurance Team Member at NuHarbor Security