Blog Post
July 24, 2024 | Cybersecurity education
Threat hunting 101: An essential part of your cyber defence
By Field Effect
Unlike traditional reactive cybersecurity measures, threat hunting involves actively searching for hidden threats within your systems before they can cause harm. It's a proactive approach that involves identifying and neutralizing threats that may have slipped through your defenses.
But threat hunting can be out of reach for many businesses, as finding the right expertise to staff a hunt team remains a challenge. In fact, 58% of respondents in a security operations survey said they felt their organization’s investigative skills—a vital component of threat hunting—needed improvement.
Before we get into the benefits and other challenges of threat hunting, let’s explain what threat hunting is and how it fits into a greater cybersecurity strategy.
What is threat hunting?
Threat hunting is a process of actively searching for signs of malicious activity using a combination of human intelligence and advanced technologies and tools. Threat hunting is often described as a human-driven approach that operates outside of the well-defined and controlled envelope of automated threat detection.
Threat hunting is not only designed to detect malicious activity or in-progress cyberattacks but also to uncover visibility gaps. Organizations should conduct threat hunting in addition to using threat detection technologies—firewalls, intrusion detection systems (IDS), and managed detection and response (MDR) solutions—to shed light on the blind spots left by security tools.
Threat hunting often involves cyber intelligence researchers or analysts actively searching for indicators of compromise (IOCs), anomalies in network traffic, and suspicious behaviour on a network. Their goal is to uncover (and respond to) attacker tactics, techniques, and procedures (TTPs) that existing detection technologies overlooked or missed.
What are TTPs?
Cybersecurity professionals often describe the behaviours, processes, actions, and strategies threat actors use as TTPs. Using a non-cyber analogy, a specific approach to counterfeiting $100 bills can be thought of as a TTP. The signs of a counterfeit bill, such as the wrong colour or a bad watermark, are the indicators that the TTP was used: the evidence left behind, not the technique itself.
TTPs are critical because they give threat intelligence experts and security analysts the data they need to attribute an attack to a known threat group and to understand how an intrusion unfolds from initial access onward. It helps to keep them distinct from indicators: file hashes, signatures, IP addresses, and traffic from suspicious locations are indicators of compromise (IOCs), artifacts an attacker can swap out cheaply. TTPs describe how the attacker operates, for example dumping credentials or persisting through scheduled tasks, which is much harder to change, so a hunt built around TTPs keeps working after a particular hash or IP address has been rotated.
Fundamentally, TTPs help researchers focus their investigation path, identify threat sources or attack vectors, define the severity of the threat, and support incident response and threat mitigation.
How threat hunting works
First, as mentioned earlier, threat hunting does not rely solely on threat intelligence databases or security alerts but uses a combination of these methods and manual investigation to spot malicious activity that may otherwise go undetected.
The process employs techniques such as searching for malicious files, examining traffic patterns, and analyzing user behaviour. During a threat hunt, security analysts will search for any suspicious activity or behaviour as well as attempt to determine the root cause of the threats.
Second, through this process, security analysts develop a better understanding of the attack vectors and methods used by the attackers. They can also identify system weaknesses or gaps in security that may have been exploited by the attackers.
Third, once potential threats are identified, organizations can use threat hunting techniques to build an effective response strategy. This may include implementing countermeasures, deploying additional security controls, notifying certain people of the incident, revoking credentials, or even taking systems offline if necessary.
Lastly, threat hunting is an extremely effective way to protect organizations against cybercrime. By using advanced technologies and analysis techniques, security teams can detect and mitigate potential threats early on and help protect an organization’s network and data.
The threat hunting process
The threat hunting process is composed of three distinct steps: trigger, investigation, and resolution.
Step 1: The trigger
The first step is the trigger, which involves identifying suspicious activities or behaviours that may indicate malicious activity. Triggers could include:
- Unexpected system changes
- Increases in network traffic
- Suspicious user behaviour
Once a trigger is identified, security analysts begin the investigation.
Step 2: The investigation
During the investigation, analysts inspect the activities or behaviours identified by the trigger. They may use data analytics and machine learning algorithms to detect patterns and anomalies in the data, as well as review network logs and system configurations.
Through this process, analysts gain deeper visibility into the environment and develop an understanding of the tactics used by the attackers.
Step 3: The resolution
The last step of threat hunting is resolution. This involves implementing countermeasures and deploying additional security controls to remediate any malicious activity the analysts found. Organizations may need to modify their systems and update their policies to protect their networks from future attacks.
By following these three steps, security teams can detect and investigate potential threats early to better protect the organization’s network and data.
Common threat hunting tactics
Hypothesis-based investigations
This technique involves hypothesizing about a potential threat and then analyzing the environment for evidence that supports or refutes that hypothesis.
During the investigation, security analysts will review data and look for patterns or connections between various components of the environment that may pinpoint suspicious activity.
Known indicators of compromise (IOCs)
Known IOCs and indicators of attack (IOAs) are specific pieces of information that can be used to identify suspicious activity. An IOC is an artifact left by a compromise (a malicious file hash, a command-and-control domain or IP address); an IOA describes attacker behaviour that may still be in progress, regardless of the specific tools involved. Security analysts often search their networks for both.
Examples of IOCs include unusual privileged-account activity, login anomalies, increases in database read volume, suspicious registry or system file changes, unusual DNS requests, and web traffic showing non-human behaviour.
(We made a cheat sheet outlining key indicators of security compromise. You can download it here!)
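The IOC lookup and the hypothesis-driven checks described in this section and under "What are TTPs?" above, as an added worked example in Python. This is not Field Effect's code or tooling: the log format and field names, the TEST-NET "known bad" address, the hex-label length and entropy thresholds, and the 07:00 to 19:00 business-hours window are all assumptions chosen for illustration, and the log lines are constructed.

```python
"""Hunt over constructed log lines: an atomic-IOC match beside two hypothesis-driven checks."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events for illustration (not real telemetry). The field names and
# the 'timestamp key=value ...' format are assumptions; real EDR/SIEM exports differ.
AUTH_LOG = """\
2024-07-20T02:14:05Z host=fs01 user=svc_backup result=success src=10.0.5.21
2024-07-20T09:02:11Z host=ws17 user=alice result=success src=10.0.8.44
2024-07-20T03:41:52Z host=dc01 user=admin_jdoe result=success src=203.0.113.77
2024-07-20T10:15:30Z host=ws23 user=bob result=failure src=10.0.8.90
2024-07-20T10:15:31Z host=ws23 user=bob result=success src=10.0.8.90
2024-07-20T11:00:00Z host=dc01 user=admin_jdoe result=success src=10.0.1.5
"""

DNS_LOG = """\
2024-07-20T03:42:10Z host=dc01 qname=update.example.com
2024-07-20T03:42:11Z host=dc01 qname=3f9a1c7e2b8d4f0a9c6e1b2d.cdn-sync.example
2024-07-20T03:42:12Z host=dc01 qname=a8e2d1f4c9b7e3a6f0d2c1b9e4a7f3d6.cdn-sync.example
2024-07-20T09:05:00Z host=ws17 qname=mail.example.com
"""

# Hypothetical intel-feed entry (a TEST-NET address, not a real indicator).
KNOWN_BAD_IPS = {"203.0.113.77"}

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed datetime."""
    ts, rest = line.split(" ", 1)
    event = dict(KV.findall(rest))
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def ioc_hits(auth_events):
    """IOC hunt: exact match of a source IP against the intel feed. Cheap and precise,
    and useless the moment the attacker moves to a new address."""
    return [e for e in auth_events if e.get("src") in KNOWN_BAD_IPS]


def offhours_admin_logins(auth_events, start_hour=7, end_hour=19):
    """Hypothesis: privileged (admin_*) accounts do not log in outside 07:00-19:00 UTC.
    A TTP-style check: it keys on behaviour, not on any specific artifact."""
    return [e for e in auth_events
            if e["user"].startswith("admin_") and e["result"] == "success"
            and not (start_hour <= e["ts"].hour < end_hour)]


def shannon_entropy(text):
    """Bits per character; hex or base32 payloads score higher than dictionary words."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def suspicious_dns_labels(dns_events, min_len=24, min_entropy=3.5):
    """Hypothesis: long, high-entropy leftmost labels indicate DNS tunnelling or beaconing.
    Both thresholds are tuning assumptions and should be fitted to the environment."""
    hits = []
    for e in dns_events:
        label = e["qname"].split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.append(e)
    return hits


def run_hunt():
    """Run every check, then pivot on host: a host that appears in more than one
    finding is the lead to investigate first."""
    auth = [parse(line) for line in AUTH_LOG.splitlines()]
    dns = [parse(line) for line in DNS_LOG.splitlines()]
    findings = {
        "ioc_match": ioc_hits(auth),
        "offhours_admin": offhours_admin_logins(auth),
        "dns_tunnel": suspicious_dns_labels(dns),
    }
    checks_by_host = defaultdict(set)
    for name, events in findings.items():
        for e in events:
            checks_by_host[e["host"]].add(name)
    leads = sorted(h for h, names in checks_by_host.items() if len(names) > 1)
    return findings, leads


if __name__ == "__main__":
    findings, leads = run_hunt()
    for name, events in findings.items():
        print(f"{name}: {len(events)} hit(s)")
        for e in events:
            print("   ", e["ts"].isoformat(), e["host"], e.get("user") or e.get("qname"))
    print("leads:", leads)
```

Run as a script, it prints each finding and then the leads. The pivot at the end is the investigation step in miniature: a single off-hours admin login is only a trigger, but the same host resolving long random-looking labels a minute later is what turns a trigger into a lead. Note also that the IOC match would return nothing once the attacker changed source address, while the two behavioural checks would still fire; that is the practical difference between hunting on indicators and hunting on TTPs.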
Machine learning investigations
Machine learning investigations apply algorithms that learn what normal activity looks like in an environment and flag patterns that deviate from it, which may indicate malicious activity. The same models can support predictive analytics, helping analysts anticipate likely threats and take mitigating measures before they materialize. They are usually combined with other tactics, such as network forensics, to confirm and investigate whatever the model surfaces, since a statistical outlier is a lead, not a verdict.
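A minimal version of the baselining that machine-learning-driven hunting builds on, added here as an illustration rather than as Field Effect's code. The per-host daily DNS query counts are constructed, and the 3.5 cut-off follows the usual convention for modified z-scores; the example also goes one step past the paragraph by showing why a median-based score is preferred when the baseline itself may already contain attacker activity.

```python
"""Baseline-and-deviation check: the statistical core that ML-driven hunts build on."""
import statistics

# Constructed daily DNS query counts per host for the previous seven days, plus today's
# count (illustrative numbers, not real telemetry).
BASELINE = {
    "ws17": [412, 398, 455, 420, 401, 389, 430],
    "ws23": [380, 402, 395, 377, 410, 388, 399],
    "dc01": [1510, 1490, 1525, 1502, 1498, 1533, 1511],
    "ws05": [400, 410, 395, 3900, 405, 398, 402],   # baseline already contains one spike
}
TODAY = {"ws17": 433, "ws23": 4120, "dc01": 1519, "ws05": 2100}


def naive_zscore(history, value):
    """Standard score against the mean and sample standard deviation of the history."""
    mean = statistics.mean(history)
    sd = statistics.stdev(history) or 1.0          # guard a flat baseline
    return (value - mean) / sd


def robust_zscore(history, value):
    """Modified z-score: median and median absolute deviation (MAD). The 0.6745 factor
    rescales MAD so the score is comparable to a standard z-score on normal data."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history) or 1.0
    return 0.6745 * (value - med) / mad


def anomalies(baseline, today, threshold=3.5, score=robust_zscore):
    """Hosts whose count today deviates from their own baseline by more than `threshold`,
    mapped to the rounded score so the analyst can rank them."""
    return {host: round(score(baseline[host], value), 1)
            for host, value in today.items()
            if abs(score(baseline[host], value)) > threshold}


if __name__ == "__main__":
    print("naive :", anomalies(BASELINE, TODAY, score=naive_zscore))
    print("robust:", anomalies(BASELINE, TODAY))
```

The ws05 row is the failure mode to watch for: a spike already in the training window inflates the mean and standard deviation, so the naive score misses a fivefold jump today, while the median/MAD score still flags it. Production models are more elaborate, but the same question applies to all of them: what is in the baseline, and could the attacker already be in it?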
Using the above tactics, organizations can develop an effective threat hunting strategy to detect, investigate, and remediate any malicious activities within their networks.
The benefits of threat hunting
As IBM's Cost of a Data Breach reports have shown, the average breach lifecycle (the time to identify and then contain a breach) is around 277 days, which is more than enough time for most bad actors to move laterally across the network in search of admin privileges, exfiltrate sensitive data, and do further damage. A quality threat hunting program can significantly limit the time criminals spend on your network by identifying suspicious IPs, uncovering suspicious traffic, and much more.
Beyond reducing dwell time, threat hunting offers a variety of other benefits:
- Proactive detection: Instead of waiting for alerts from security tools, threat hunting involves actively searching for signs of malicious activity, allowing for the identification of threats before they cause significant harm.
- Improved security posture: By continuously seeking out and addressing threats, organizations can strengthen their overall security posture and reduce vulnerabilities.
- Enhanced incident response: By identifying indicators of compromise early, threat hunting can improve incident response times and effectiveness.
- Increased understanding and knowledge of threats: Threat hunting provides insights into emerging threats and attack techniques, enabling organizations to adapt their defenses accordingly.
- Improved compliance: Regular threat hunting can even help organizations meet compliance requirements by demonstrating proactive risk management practices.
While threat hunting may seem costly, organizations can save money in the long run by mitigating attacks before they cause long-lasting damage.
The challenges of threat hunting
Despite all the benefits of cyber threat hunting, there are certain challenges too. Consider that threat hunting can be:
- Resource intensive: Threat hunting requires significant time, effort, and expertise. Organizations need skilled analysts who can interpret data and identify potential threats, which can be costly and difficult to maintain.
- Overwhelming: The vast amount of data generated by network activities can be overwhelming. Sifting through logs and other data sources to find relevant information requires sophisticated tools and methodologies. Plus, identifying true threats among numerous false positives can be difficult. This can lead to wasted time and resources, as well as potential burnout for security teams.
- Inaccessible for smaller businesses: There is a shortage of skilled cybersecurity professionals who have the necessary expertise to effectively conduct threat hunting, limiting which organizations can achieve this.
Consider also that modern IT environments are complex and dynamic, with numerous endpoints, applications, and network configurations. This complexity makes it challenging to establish a comprehensive view of potential threats, which are evolving at a similar pace.
Attackers are always developing new tactics, techniques, and procedures, and keeping up with these changes requires continuous learning for the analysts.
How to start threat hunting today
To summarize, threat hunters search for hidden malware or attackers, looking for patterns of suspicious activity that their defence technology missed, or that it judged resolved when it wasn't. The process also helps identify and close vulnerabilities or security gaps before they are exploited.
Using intel-based, hypothesis-based, and custom hunting, threat hunters can identify anomalous or malicious behaviour, and isolate the threat.
As attacks grow in number and sophistication, it's vital that organizations start a threat hunting practice. It's clear that the benefits of identifying a potential attack or attack in progress outweigh the cost of investing in a threat hunting program.
The best way to start threat hunting for most organizations? Work with a trusted cybersecurity company with the latest technologies and expertise to conduct threat hunting on your behalf. By doing so, organizations can enjoy the peace of mind that comes with knowing their networks are truly protected.