Threat Hunting: The What, Why and Who?


Three things are required before an adversary can be considered a threat: opportunity, intent and capability to cause harm. No cybersecurity system is impenetrable or capable of recognizing or stopping every potential threat.

Hackers’ tactics, weapons and technologies are evolving so rapidly that by the time a new threat signature is learned, defenses may have already been penetrated. It’s hard to accept it, but there is an excellent chance that any network may already have hidden threats lurking in the background. As a result, an increasing number of organizations are becoming proactive about threat hunting.

Threat hunting focuses on identifying perpetrators who are already within the organization's systems and networks, and who have the three characteristics of a threat. Threat hunting is a formal process that is not the same as preventing breaches or eliminating vulnerabilities.

Instead, it is a dedicated attempt to proactively identify adversaries who have already breached the defenses and found ways to establish malicious presence in the organization’s network.

To be successful, it is important to choose the right personnel for this job, but given the current talent gap, it may be difficult to hire experienced threat hunters. As a result, the budget may require that existing staff members combine threat hunting with their other duties.

For example, a threat hunter may also be an analyst in the SOC or an incident responder. However, when choosing to train a threat hunter or selecting a current staff member to take on this challenge, it is important to choose people with the right characteristics.

First, threat hunters should be curious and creative. A hunt begins by crafting a hypothesis about a particular activity or threat that might be present in an environment. For example, if executives have recently returned from a trip abroad, could their laptops have been compromised by state-sponsored hackers? If an employee reported a lost smartphone, have perpetrators used the phone to breach the system? 

Second, threat hunters should be innovative analysts who know the organization as well as the threat landscape. Without sufficient knowledge of both the organization and the threat potential, they will not know the right questions to ask, making it impossible to find the answers they need.

Finally, threat hunters should be skilled with multiple tools, such as SIEM, malware analysis sandboxes, etc. They need to know how to get the most benefit from every tool, but they also need to know the limits of each tool. 

To be effective at threat hunting, apart from choosing the right personnel, companies should also be able to identify threats and counteract them, preventing or minimizing the extent of the damages. Perpetrators today are embracing automated attacks like never before: this gives them the ability to be consistent as well as persistent. It also gives them the ability to process more data in less time, jumping from database to database or network to network with relative ease. If companies are trying to find and eliminate threats with manual processes or ad hoc hunts, they are at a severe disadvantage.

Although perpetrators typically automate many of their attacks, there is still a human mind behind the threats. In today's world, these humans are developing top-notch skills — and they have the intelligence to use them to their best advantage. Many perpetrators are well-funded groups who are sponsored by foreign governments or criminal organizations. This means that they can initiate long-term attacks and be very persistent in maintaining them. Advanced persistent threats can remain hidden for months or even years before triggering an alert. If you wait for the alert, the consequences can be severe. 

Since it is extremely hard and expensive to find skilled threat hunters, automation can help by programmatically running common threat hunting steps, saving time and resources for analysts. Senior threat hunters can document threat hunting processes and build playbooks, which can then be automated.

With playbook-based threat hunting processes, looking for new hidden threats doesn’t have to be a manual process that starts from scratch each time a hunt begins. Instead, a playbook-based, well-coordinated hunt maintains consistency and identifies patterns more efficiently, while allowing threat hunters to spend less time executing established hunts and more time building new threat hunting procedures. When the right people, automation tools and processes are combined, the result is better long-term protection for the organization.

To recap, there are three main things to keep in mind while designing a threat hunting program: 1. hiring the right talent for threat hunting, 2. automating common threat hunting best practices and 3. documenting and measuring the threat hunting procedures. A well-designed threat hunting program, along with automation tools, can help significantly reduce the risk and exposure of organizations.
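As an added illustration of the playbook idea (this is example code written for this article, not a tool or procedure from the original), the block below encodes the "executive laptop after travel" hypothesis from earlier as a documented, repeatable and measurable playbook, run over a small constructed set of process-start events. The event schema (`host`, `day`, `image`), the seven-day baseline window and every sample value are assumptions made for the example.

```python
"""Playbook-based hunt: added example, not from the article.

A playbook pairs a written hypothesis with the query that tests it and
keeps run/finding counters, so the same hunt can be re-run consistently
and its yield measured instead of starting from scratch each time.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample process-start events (assumed schema: host, day, image).
# Days 1-7 are the pre-trip baseline; later days are after the executives return.
SAMPLE_PROCESSES = [
    {"host": "lt-cfo", "day": 1, "image": "outlook.exe"},
    {"host": "lt-cfo", "day": 3, "image": "excel.exe"},
    {"host": "lt-cfo", "day": 9, "image": "outlook.exe"},
    {"host": "lt-cfo", "day": 9, "image": "unknown_tool.exe"},  # never seen pre-trip
    {"host": "lt-ceo", "day": 2, "image": "outlook.exe"},
    {"host": "lt-ceo", "day": 10, "image": "outlook.exe"},
]


@dataclass
class Playbook:
    """A documented hunt: hypothesis + query + metrics for measuring it."""
    name: str
    hypothesis: str
    query: Callable[[Iterable[dict]], list]
    runs: int = 0
    findings: int = 0

    def run(self, events):
        hits = self.query(events)
        self.runs += 1
        self.findings += len(hits)
        return hits

    def metrics(self):
        return {"name": self.name, "runs": self.runs, "findings": self.findings}


def new_images_after_baseline(events, baseline_end=7):
    """Flag executables first seen on a host only after the baseline window."""
    seen = {}
    for e in events:
        if e["day"] <= baseline_end:
            seen.setdefault(e["host"], set()).add(e["image"])
    return [e for e in events
            if e["day"] > baseline_end and e["image"] not in seen.get(e["host"], set())]


TRAVEL_HUNT = Playbook(
    name="exec-travel-new-binary",  # hypothetical playbook name
    hypothesis="Laptops of executives returning from travel may run binaries absent before the trip",
    query=new_images_after_baseline,
)

if __name__ == "__main__":
    for hit in TRAVEL_HUNT.run(SAMPLE_PROCESSES):
        print("finding:", hit)
    print(TRAVEL_HUNT.metrics())
```

Each finding is a lead for an analyst to triage, not a verdict; the metrics let the team see which documented hunts keep producing results and which need revising.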
