Threat hunting is among the hot topics in the cybersecurity industry right now. However, with so much buzz, it’s tricky for even the most experienced security pros to discern hype from reality.
To do so, first you need to understand the primary objective of any threat hunting exercise, which is to proactively search networks to identify new types of threats or existing active exploits before they cause damage and disruption. This stems from the fact that businesses can no longer afford to maintain a reactive approach to security, since advanced persistent threats are so good at evading traditional defenses and residing undetected – often for months, if not years.
Threat hunting, typically performed by dedicated security experts, leverages the latest behavioral monitoring tools and intelligence to proactively detect suspicious patterns of behavior, and has the potential to help reduce average detection and response times to just minutes.
Threat hunting is vital to reduce the spread and effectiveness of attacks, but with a large proportion of organizations yet to engage in this type of activity, let’s examine the blueprint of any successful threat hunting operation.
Having the right tools
Searching for indicators of compromise (IOCs) and attackers’ tactics, techniques and procedures (TTPs) requires a combination of manual and machine-assisted practices.
Security information and event management (SIEM) platforms are a key technology used by threat hunters to monitor network activity and understand what constitutes regular and malicious activity.
Log analysis is essential to help identify suspicious activity and hunters will routinely set new SIEM correlation rules to alert on sequences of network events which may indicate an intrusion.
The latest user and entity behavior analytics (UEBA), machine learning and endpoint detection and response (EDR) technologies are also commonly leveraged. These allow security teams to obtain wider event visibility, conduct deep forensics to analyze the kill chain of attacks, set watch lists, and facilitate swifter incident response by isolating and eliminating attacks before they proliferate.
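To make the correlation-rule idea concrete, here is a small added example (not code from this article or from Redscan) of the kind of sequence rule a hunter would set in a SIEM: it flags a burst of failed logons from one source address that is followed by a successful logon within a short window. The log format, the field names (`src`, `user`, `result`), the sample lines and the thresholds are all constructed assumptions for illustration.

```python
"""Toy SIEM-style correlation rule run over constructed log lines.

Rule: alert when at least `fail_threshold` failed authentications from the
same source address are followed by a successful authentication from that
address within `window_seconds`. A hunter would tune both values against
what "normal" looks like on their own network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple "<timestamp> <source> k=v ..." format.
# These are not real logs; the addresses and user names are placeholders.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01Z auth src=10.0.0.5 user=alice result=fail",
    "2024-03-01T09:00:02Z auth src=10.0.0.9 user=bob result=fail",
    "2024-03-01T09:00:02Z auth src=10.0.0.5 user=alice result=fail",
    "2024-03-01T09:00:03Z auth src=10.0.0.5 user=alice result=fail",
    "2024-03-01T09:00:04Z auth src=10.0.0.5 user=alice result=fail",
    "2024-03-01T09:00:05Z auth src=10.0.0.5 user=alice result=fail",
    "2024-03-01T09:00:06Z auth src=10.0.0.9 user=bob result=fail",
    "2024-03-01T09:00:07Z proc host=ws12 image=notepad.exe",
    "2024-03-01T09:00:08Z auth src=10.0.0.9 user=bob result=success",
    "2024-03-01T09:00:20Z auth src=10.0.0.5 user=alice result=success",
    "2024-03-01T09:10:00Z auth src=10.0.0.7 user=carol result=fail",
    "2024-03-01T09:25:00Z auth src=10.0.0.7 user=carol result=fail",
    "2024-03-01T09:40:00Z auth src=10.0.0.7 user=carol result=fail",
    "2024-03-01T09:55:00Z auth src=10.0.0.7 user=carol result=fail",
    "2024-03-01T10:10:00Z auth src=10.0.0.7 user=carol result=fail",
    "2024-03-01T10:12:00Z auth src=10.0.0.7 user=carol result=success",
]


def parse_event(line):
    """Parse one '<ISO timestamp> <source> k=v k=v ...' line into a dict."""
    timestamp, source, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    event["source"] = source
    return event


def correlate(lines, fail_threshold=5, window_seconds=300):
    """Return a list of alerts produced by the failed-then-successful-logon rule."""
    window = timedelta(seconds=window_seconds)
    # Events may arrive out of order from different collectors; sort by time first.
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # src address -> failure timestamps in window
    alerts = []
    for event in events:
        if event["source"] != "auth":
            continue  # the rule only looks at authentication events
        src, now = event["src"], event["ts"]
        # Slide the window: keep only failures that are still within it.
        recent_failures[src] = [t for t in recent_failures[src] if now - t <= window]
        if event["result"] == "fail":
            recent_failures[src].append(now)
        elif event["result"] == "success":
            if len(recent_failures[src]) >= fail_threshold:
                alerts.append({
                    "rule": "auth_failures_then_success",
                    "src": src,
                    "user": event["user"],
                    "failures": len(recent_failures[src]),
                    "ts": now,
                })
            # A success closes the sequence either way; start counting afresh.
            recent_failures[src].clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

With the defaults only the burst from 10.0.0.5 fires: 10.0.0.9 has too few failures, and 10.0.0.7's five failures are spread over an hour, so they never sit inside the five-minute window together. Widening the window to two hours makes 10.0.0.7 fire as well, which is the trade-off a hunter weighs when tuning a rule: a narrow window misses slow, patient attempts, a wide one raises more alerts that need triage.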
Aggregated Intelligence
Any successful threat hunting operation is also heavily reliant on threat intelligence. Threat exchanges, threat intelligence platforms, in-house research and offensive security exercises such as red team operations are all vital sources of information that can help hunters to improve their understanding of IOCs and TTPs.
Once particular threats have been identified and contained, hunters will often seek to obtain additional insight through techniques such as malware analysis and reverse engineering.
A dedicated team of hunters
Having the right tools in place is futile without the right people to use them. To evade detection, patient and persistent hackers routinely think outside the box, so being able to adopt an offensive security mindset to improve cyber defense is a prerequisite of any successful threat hunter.
Formulating hypotheses about threat behaviors is also an essential part of the role, meaning good situational awareness and critical thinking skills are also important.
Traditionally, the role of blue team security analysts has been to investigate, analyze and respond, but the growing need for organizations to embrace threat hunting means that the job remit is evolving to include more responsibility in this area.
Developments within the security orchestration, automation and response (SOAR) market will help to facilitate this shift as efficiency improvements within SOCs enable more time and effort to be devoted to detection rather than routine processes.
An iterative approach
Fostering a culture of collaboration between all security personnel, including in-house and outsourced teams, is vital to the success of any threat hunting operation.
Processes for sharing knowledge and intelligence are necessary to aid collective understanding and produce actionable outputs. There also needs to be a continual feedback loop to ensure that processes and controls are frequently evaluated.
The right support and advice
With threats becoming increasingly sophisticated, organizations that commit time and resources to threat hunting are those likely to make the biggest improvement to their cybersecurity maturity.
Threat hunting is definitely more than just hype. While achieving proficiency in this area is unlikely to happen overnight, forward planning and seeking out the right support to guide and leverage your investments will leave you better placed to benefit sooner rather than later.
Find out more about Redscan here.