
February 8, 2023

Threat hunting 101: An essential part of your cyber defence


Today’s digital landscape is constantly evolving. At the same time, cybercriminals are becoming more sophisticated. This means it's increasingly important for organizations to develop an effective threat hunting strategy to detect and mitigate malicious activity within their networks. 

However, finding the right expertise to staff a hunt team remains a challenge. In fact, 58% of respondents in a recent security operations survey said they felt their organization’s investigative skills—a vital component of threat hunting—needed improvement.

Before we get into the benefits and other challenges of threat hunting, let’s explain what threat hunting is and how it fits into a greater cybersecurity strategy.

What is threat hunting?

Threat hunting is a process of actively searching for signs of malicious activity using a combination of human intelligence and advanced technologies and tools. Threat hunting is often described as a human-driven approach that operates outside of the well-defined and controlled envelope of automated threat detection.

Threat hunting is not only designed to detect malicious activity or in-progress cyberattacks, but also to uncover visibility gaps. Organizations should conduct threat hunting in addition to using threat detection technologies—firewalls, intrusion detection systems (IDS), and managed detection and response (MDR) solutions—to shed light on the blind spots left by security tools. 

Threat hunting often involves cyber intelligence researchers or analysts actively searching for indicators of compromise (IOCs), anomalies in network traffic, and suspicious behaviour on a network. Their goal is to uncover (and respond to) the presence of attacker tactics, techniques, and procedures (TTPs) that were overlooked or missed by existing detection technologies.

What are TTPs?

Cybersecurity professionals often describe the behaviours, processes, actions, and strategies threat actors use as TTPs. Using a non-cyber analogy, a specific approach to counterfeiting $100 bills can be thought of as a TTP. The signs of a counterfeit bill—the wrong colour or a bad watermark—can be thought of as indicators of that TTP.

TTPs are critical because they can provide threat intelligence experts and security analysts with the data they need to identify and correlate an attack to a known hacker or threat group and better understand an attack framework. TTPs can be file hashes, signatures, attack tactics, IP addresses, traffic from suspicious locations, and much more.

Fundamentally, TTPs help researchers focus their investigation path, identify threat sources or attack vectors, define the severity of the threat, and support incident response and threat mitigation.

How threat hunting works

First, as mentioned earlier, threat hunting does not rely solely on threat intelligence databases or security alerts but uses a combination of these methods and manual investigation to detect malicious activity that may otherwise go undetected.

The process employs techniques such as searching for malicious files, examining traffic patterns, and analyzing user behaviour. During a threat hunt, security analysts will search for any suspicious activity or behaviour as well as attempt to determine the root cause of the threats.

Second, through this process, security analysts develop a better understanding of the attack vectors and methods used by the attackers. They can also identify system weaknesses or gaps in security that may have been exploited by the attackers.

Third, once potential threats are identified, organizations can then use threat hunting techniques to build an effective response strategy. This may include implementing countermeasures, deploying additional security controls, notifying certain people of the incident, revoking credentials, or even taking systems offline if necessary.

Lastly, threat hunting is an extremely effective way to protect organizations against cybercrime. By using advanced technologies and analysis techniques, security teams can detect and mitigate potential threats early on and help protect an organization’s network and data.

The threat hunting process

The threat hunting process is composed of three distinct steps: trigger, investigation, and resolution.

Step 1: The trigger

The first step is the trigger, which involves identifying suspicious activities or behaviours that may indicate malicious activity. Triggers could include:

  • Unexpected system changes
  • Increases in network traffic
  • Suspicious user behaviour

Once a trigger is identified, security analysts can begin the investigation process.

Step 2: The investigation

During the investigation, analysts inspect the activities or behaviours identified by the trigger. They may use data analytics and machine learning algorithms to detect patterns and anomalies in the data, as well as review network logs and system configurations.

Through this process, analysts gain deeper visibility into the environment and develop an understanding of the tactics used by the attackers.

Step 3: The resolution

The last step of threat hunting is resolution. This involves implementing countermeasures and deploying additional security controls to remediate any malicious activity the analysts found. Organizations may need to modify their systems and update their policies to protect their networks from future attacks.

By following these three steps, security teams can detect and investigate potential threats early to better protect the organization’s network and data.
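The trigger step above names "increases in network traffic" as one starting point for a hunt. The following is an added example, not code from the original article, showing how such a trigger can be computed rather than eyeballed: each host's outbound volume for the current day is compared against that host's own recent baseline, and a host is flagged only when it is both statistically far from its mean and a meaningful multiple of it. The host names and byte counts are constructed for illustration; the thresholds (`sigma`, `min_ratio`) are assumptions to be tuned per environment.

```python
"""Trigger stage: flag hosts whose outbound traffic departs from their own baseline.

Added example (not from the original article). The input is a constructed set
of per-host daily egress totals of the kind a flow collector or firewall exports.
"""
from statistics import mean, pstdev

# Constructed baseline: bytes sent per host per day over the previous seven days.
BASELINE = {
    "ws-finance-07": [1.2e9, 1.1e9, 1.3e9, 1.0e9, 1.2e9, 1.4e9, 1.1e9],
    "db-backup-01":  [9.0e10, 9.2e10, 8.8e10, 9.1e10, 9.0e10, 9.3e10, 8.9e10],
    "ws-hr-12":      [4.0e8, 3.8e8, 4.2e8, 4.1e8, 3.9e8, 4.0e8, 4.3e8],
}

# Constructed "today" totals: ws-finance-07 sent far more than usual,
# db-backup-01 is inside its normal band, ws-hr-12 is only slightly high.
TODAY = {
    "ws-finance-07": 1.8e10,
    "db-backup-01": 9.4e10,
    "ws-hr-12": 5.0e8,
}


def egress_triggers(baseline, today, sigma=3.0, min_ratio=2.0):
    """Return {host: (ratio_to_mean, z_score)} for hosts whose total exceeds
    both a z-score threshold and a minimum multiple of their own mean.

    Requiring both conditions avoids paging on a host whose history is so
    flat that a small absolute change produces a very large z-score.
    Hosts with fewer than three days of history are skipped: there is no
    baseline to judge them against, and they should be reviewed separately.
    """
    hits = {}
    for host, total in today.items():
        history = baseline.get(host)
        if not history or len(history) < 3:
            continue
        mu, sd = mean(history), pstdev(history)
        ratio = total / mu if mu else float("inf")
        z = (total - mu) / sd if sd else float("inf")
        if z >= sigma and ratio >= min_ratio:
            hits[host] = (round(ratio, 1), round(z, 1))
    return hits


if __name__ == "__main__":
    for host, (ratio, z) in egress_triggers(BASELINE, TODAY).items():
        print(f"TRIGGER {host}: {ratio}x its daily mean (z={z}) -> open an investigation")
```

With the defaults only `ws-finance-07` fires. Lowering `min_ratio` to 1.0 also flags `ws-hr-12`, whose narrow baseline makes a 25% rise look like a six-sigma event; that is exactly the kind of noise the ratio floor is there to suppress.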

Common threat hunting tactics

Hypothesis-based investigations

This technique involves hypothesizing about a potential threat and then analyzing the environment for evidence that supports or refutes that hypothesis.

During the investigation, security analysts will review data and look for patterns or connections between various components of the environment that may pinpoint suspicious activity.

Known indicators of compromise (IoCs)

Known IoCs or indicators of attack (IoAs) are specific pieces of information that can be used to identify suspicious activity. Security analysts often use IoCs or IoAs to search for potential threats within their networks.

Examples of IoCs include unusual privileged-account activity, login anomalies, increases in database read volume, suspicious registry or system file changes, unusual DNS requests, and web traffic showing non-human behaviour.


Machine learning investigations

Machine learning investigations use algorithms that can identify patterns in the data that may indicate malicious activity. These algorithms can also be used for predictive analytics, allowing analysts to anticipate potential threats and take measures to mitigate them. They are often used alongside other tactics, such as network forensics, to identify and investigate suspicious activity.

Using the above tactics, organizations can develop an effective threat hunting strategy to detect, investigate, and remediate any malicious activities within their networks.
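The first two tactics above are easiest to understand as concrete queries over logs. The block below is an added example, not code from the original article: a hypothesis-based hunt over logon events ("privileged accounts should only log on interactively during business hours, and never fan out across several hosts") and an IoC-based sweep over DNS queries (known-bad domains plus the "unusual DNS request" indicator, here approximated as an abnormally long label). The log format, account names, hosts, domains and thresholds are all constructed for illustration and are not from any real environment or the article.

```python
"""Two hunts over constructed logs: a hypothesis-driven one over logon events
and an IoC-driven one over DNS queries.

Added example; every name, host, domain and timestamp below is constructed.
"""
from datetime import datetime


def parse_kv(line):
    """Parse 'ISO-timestamp key=value key=value ...' into a dict (constructed format)."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


# Constructed logon events. svc-backup logs on interactively at 02:xx to three
# hosts from one source; admin-k.lee logs on inside business hours.
AUTH_LOG = """\
2023-02-06T02:14:07Z host=ws-finance-07 user=svc-backup type=interactive result=success src=10.0.5.22
2023-02-06T09:01:33Z host=ws-hr-12 user=j.doe type=interactive result=success src=10.0.7.14
2023-02-06T02:15:40Z host=dc-01 user=svc-backup type=interactive result=success src=10.0.5.22
2023-02-06T02:16:02Z host=fs-02 user=svc-backup type=interactive result=success src=10.0.5.22
2023-02-06T14:22:11Z host=ws-hr-12 user=admin-k.lee type=interactive result=success src=10.0.7.14
2023-02-06T03:05:55Z host=ws-eng-03 user=r.chen type=interactive result=failure src=10.0.9.8
"""

# Constructed list of accounts the hunt treats as privileged.
PRIVILEGED = {"svc-backup", "admin-k.lee"}


def hunt_offhours_privileged(log, privileged, start_hour=7, end_hour=19):
    """Hypothesis: privileged accounts log on interactively only during
    business hours. Return {user: sorted hosts} for successful interactive
    logons by privileged accounts outside that window. A user spread across
    several hosts in a short span is the thread to pull first."""
    hits = {}
    for line in log.splitlines():
        rec = parse_kv(line)
        if rec["user"] not in privileged:
            continue
        if rec["type"] != "interactive" or rec["result"] != "success":
            continue
        if start_hour <= rec["ts"].hour < end_hour:
            continue  # inside business hours: consistent with the hypothesis
        hits.setdefault(rec["user"], set()).add(rec["host"])
    return {user: sorted(hosts) for user, hosts in hits.items()}


# Constructed DNS query log. The first query hits a known-bad domain; the
# second carries a 48-character hex label, a shape typical of tunnelling or
# encoded beacons; the third is ordinary.
DNS_LOG = """\
2023-02-06T02:20:11Z host=ws-finance-07 qname=cdn.bad-updates.example qtype=A
2023-02-06T02:21:15Z host=ws-finance-07 qname=4f3a9c1d2e8b7a6f5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f.tunnel.example qtype=TXT
2023-02-06T09:05:00Z host=ws-hr-12 qname=www.example.com qtype=A
"""

# Constructed IoC list (a real hunt would load this from threat intelligence).
KNOWN_BAD = {"bad-updates.example"}


def hunt_dns(log, ioc_domains, max_label=40):
    """IoC sweep: flag queries for a known-bad domain or any of its subdomains,
    and queries containing a label longer than max_label characters."""
    hits = []
    for line in log.splitlines():
        rec = parse_kv(line)
        name = rec["qname"].rstrip(".").lower()
        if any(name == d or name.endswith("." + d) for d in ioc_domains):
            hits.append((rec["host"], name, "known-ioc"))
        elif max(len(label) for label in name.split(".")) > max_label:
            hits.append((rec["host"], name, "long-label"))
    return hits


if __name__ == "__main__":
    for user, hosts in hunt_offhours_privileged(AUTH_LOG, PRIVILEGED).items():
        print(f"HYPOTHESIS HIT: {user} logged on off-hours to {', '.join(hosts)}")
    for host, name, reason in hunt_dns(DNS_LOG, KNOWN_BAD):
        print(f"IOC HIT ({reason}): {host} queried {name}")
```

The two hunts corroborate each other here: the host that resolved the known-bad domain is also one of the three the service account reached off-hours, which is the kind of connection between components of the environment that the investigation step looks for.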

The benefits of threat hunting

The primary benefit of threat hunting is that it allows organizations to take a proactive approach to identify malicious activity within their networks. Threat hunters can detect and investigate threats before the attacker has a chance to cause real damage to an organization’s network and data.

As we know from many of the Cost of a Data Breach Reports, the average breach lifecycle is 277 days, which is more than enough time for most bad actors to move laterally on the network in search of admin privileges, exfiltrate sensitive data, and do further damage. A quality threat hunting program can significantly limit the time criminals are on your network by identifying suspicious IPs, uncovering suspicious traffic, and much more.

Additionally, threat hunting helps security teams understand the attack vectors and methods used by attackers, gain deeper visibility into their networks, and identify any system weaknesses or gaps in security that were exploited or may be exploited in the future.

While threat hunting may seem costly, organizations can save money in the long run by mitigating attacks before they cause long-lasting damage.

The challenges of threat hunting

Despite all the benefits of cyber threat hunting, there are certain challenges too.

First, threat hunting requires specialized skills and expertise that can be hard to find. Security teams need a deep understanding of their networks, as well as the latest cyber security threats to accurately identify and investigate malicious activities.

Second, the process can be difficult and time-consuming, which can be a challenge for organizations without the proper resources. Organizations need access to the right technologies and tools to effectively detect and investigate suspicious activities.

Both points are especially challenging for small and medium-sized businesses.

How to start threat hunting today

To summarize, threat hunters search for hidden malware or attackers and look for patterns of suspicious activity that their defence technology missed, or judged to be resolved when it isn't. The process also helps identify and resolve vulnerabilities or security gaps before they get exploited.

Using intel-based, hypothesis-based, and custom hunting, threat hunters can identify anomalous or malicious behaviour and isolate the threat.

As attacks grow in number and sophistication, it's vital that organizations start a threat hunting practice. It's clear that the benefits of identifying a potential attack or attack in progress outweigh the cost of investing in a threat hunting program.

The best way to start threat hunting for most organizations? Work with a trusted cybersecurity company with the latest technologies and expertise to conduct threat hunting on your behalf. By doing so, organizations can enjoy the peace of mind that comes with knowing their networks are truly protected.