What is cyber threat hunting?
Security monitoring
Cybersecurity monitoring has traditionally been reactive: detections are based on the signatures, hashes and heuristics used by security solutions
SIEM use cases (custom correlation rules over suspicious activity) give SOCs a way to detect threats specific to the organization, but they are still reactive in nature
A SOC analyst reviews alerts coming into a SIEM or similar solution, analyzes and responds to them accordingly
Challenges
Unknown threats bypass traditional security controls and remain in the environment, sometimes until they're noticed by an external party
Sophisticated attackers have the tools and the skill set to bypass traditional defenses
SOC analysts may deal with alert fatigue due to too many alerts generated by the various security solutions
Visibility gaps in the environment will degrade the detection process as you can't monitor what you can't see
What is threat hunting?
Threat hunting is a proactive, rather than reactive, approach to identifying threats in an environment
It uses a hypothesis-based, analyst-driven approach to identify, prioritize, execute, record and report hunts in the environment
The goal of threat hunting is to identify potential threats before they can cause harm, by using various techniques, methodologies and hypothesis-driven investigation
It enhances the security posture of your organization by identifying threats that are not detected through traditional avenues
Why is it important?
According to IBM's Cost of a Data Breach Report 2022, the average cost of a data breach reached an all-time high of USD 4.35 million
The average time to identify and contain a data breach was 277 days
Proactive strategies reduce response times and fiscal impacts:
Organizations with XDR technologies identified and contained a breach 29 days faster than those without
Average breach cost reduction with security AI and automation fully deployed: USD 3.05 million
Average breach cost reduction with an incident response (IR) team and a regularly tested IR plan: USD 2.66 million
Average cost savings associated with a zero-trust deployment: USD 1 million
Who is a threat hunter?
Cybersecurity professional who proactively seeks to uncover threats in an environment not detected by existing detection controls
Someone who is well-versed in security analysis and has domain knowledge to distinguish normal from suspicious behavior
Uses various threat hunting sources to identify potential hunts, develops a hypothesis to guide the hunts, executes and reports on them
Uses various threat hunting methodologies and techniques to uncover threats in the environment that are not detected via existing detection mechanisms
Threat hunting sources
Threat hunters rely on different sources of information to create hunts, such as the following:
Threat intelligence
Collection of data related to known threats and threat actors
Threat actors targeting your organization
Information sharing between organizations within the same sector
Zero-day exploits against similar organizations
New vulnerabilities being leveraged by attackers
Internal findings
Findings identified by the various teams conducting assessments, such as:
Internal audit
Enterprise risk teams
Red Team
Security incidents
The lessons-learned phase of incident response captures valuable information that threat hunting can leverage: tactics and techniques observed during the incident, gaps in detection coverage, vulnerabilities, etc.
MITRE ATT&CK framework
Tactics and techniques outlined in the framework are great resources to identify and prioritize hunts to be conducted within your organization
Organizational knowledge
Knowledge of known gaps, broken processes, etc., accumulated over time spent with an organization is another great source for threat hunting
Anomalous activity
Activity that deviates from established security configurations or baseline behaviors is another input for threat hunting
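To make the hypothesis-driven process described above concrete (identify a hunt from a source such as ATT&CK or anomalous activity, execute it, record and report it), here is a small hunt over constructed process-creation telemetry. This is an added example, not code from the original page: the hypothesis is scoped to an ATT&CK technique (T1059, Command and Scripting Interpreter), the hunt runs a predicate over the events, and stack counting of parent/child process pairs supplies the anomaly-based leads. The sample events, field names and helper names are assumptions made for this example, not a particular product's schema.

```python
"""Hypothesis-driven hunt over constructed process-creation telemetry (example)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample events shaped like an EDR process-creation export.
# Field names (host, user, parent, image) are assumptions for this example.
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "winword.exe"},
    {"host": "ws02", "user": "bob",   "parent": "explorer.exe", "image": "winword.exe"},
    {"host": "ws02", "user": "bob",   "parent": "explorer.exe", "image": "excel.exe"},
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "image": "winword.exe"},
    {"host": "ws03", "user": "carol", "parent": "winword.exe",  "image": "splwow64.exe"},
    {"host": "ws04", "user": "dave",  "parent": "explorer.exe", "image": "excel.exe"},
    {"host": "ws04", "user": "dave",  "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws05", "user": "erin",  "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws05", "user": "erin",  "parent": "explorer.exe", "image": "cmd.exe"},
    # The behaviour the hunt is looking for: an Office app spawning a script interpreter.
    {"host": "ws03", "user": "carol", "parent": "winword.exe",  "image": "powershell.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Hypothesis:
    name: str
    technique: str                     # ATT&CK technique the hunt is scoped to
    predicate: Callable[[dict], bool]  # what an event matching the hypothesis looks like


@dataclass
class HuntRecord:
    """What gets recorded and reported for one executed hunt."""
    hypothesis: Hypothesis
    events_reviewed: int
    findings: list = field(default_factory=list)
    rare_pairs: list = field(default_factory=list)

    def outcome(self) -> str:
        return "confirmed" if self.findings else "not observed"


def stack_count(events, fields=("parent", "image")) -> Counter:
    """Frequency-count a tuple of fields; the rare combinations are hunt leads."""
    return Counter(tuple(e[f] for f in fields) for e in events)


def rare_pairs(events, threshold=1):
    """Parent/child pairs seen at most `threshold` times in the data set."""
    counts = stack_count(events)
    return sorted(pair for pair, n in counts.items() if n <= threshold)


def run_hunt(events, hypothesis: Hypothesis) -> HuntRecord:
    """Execute one hunt: test the hypothesis and record findings plus anomaly context."""
    findings = [e for e in events if hypothesis.predicate(e)]
    return HuntRecord(hypothesis, len(events), findings, rare_pairs(events))


# Hunt derived from ATT&CK: Office application spawning a command/script interpreter.
office_to_interpreter = Hypothesis(
    name="Office application spawning a command/script interpreter",
    technique="T1059",
    predicate=lambda e: e["parent"] in OFFICE_APPS and e["image"] in INTERPRETERS,
)

if __name__ == "__main__":
    record = run_hunt(EVENTS, office_to_interpreter)
    print(f"[{record.hypothesis.technique}] {record.hypothesis.name}: {record.outcome()} "
          f"({len(record.findings)} of {record.events_reviewed} events)")
    for e in record.findings:
        print("  finding:", e)
    print("rare parent/child pairs for follow-up:", record.rare_pairs)
```

Note that stack counting alone surfaces benign rare pairs too (here services.exe spawning svchost.exe appears only once simply because the sample is tiny), which is why the hunt is driven by a hypothesis and the frequency analysis serves as supporting context rather than as the verdict. In a real environment the same predicate would be run against days or weeks of EDR data, and the HuntRecord is what gets written up and, if the finding holds, turned into a detection rule.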