Threat Hunting: The Tip Of The Spear For Your Defenses

As cyber attacks are on the rise, threat actors are getting more creative at bypassing traditional security systems. This allows the attackers to remain undetected for a longer period of time to exfiltrate data or spread further in the network to do damage. Cyber threat hunting is a great way to help detect threat actors more quickly who have bypassed security measures that are in place and shrink the time between initial infection and executing an incident response plan.

What is Threat Hunting?

Cyber threat hunting is the practice of proactively searching for cyber threats that could be lurking undetected within the organization’s environment [1][4]. Threat hunters will collect and search through security data in an effort to locate hidden malware or suspicious activity that may have been missed or was considered resolved, but actually wasn’t. This type of proactive approach fits into the cybersecurity landscape because it is complementary to the standard process of incident detection, response, and remediation of threats. The four types of threats in the cybersecurity landscape are:

• Unknown unknowns – organizations don’t know if they have threats in their environment and there are no indicators.
• Known unknowns – organizations know a threat is possible but don’t know if the threat is in the environment.
• Unknown knowns – an outside source has notified the organization that a threat exists in their environment, but they choose not to hear about it.
• Known knowns – an organization knows what the threat looks like and they have evidence that the threat is within the environment. [1]

The Various Types of Threat Hunting

There are three types of cyber threat hunting that can be initiated; these include:

• Structured hunting – cyber threat hunters use indicators of attack (IoA) and tactics, techniques, and procedures (TTP). Hunts are aligned and based on threat actors’ TTPs, which can allow cyber threat hunters to identify the threat actor before they can cause damage.
• Unstructured hunting – this hunt starts from a trigger or an indicator of compromise (IoC). The cyber threat hunter will look for malicious patterns pre- and post-detection. From there, these threat hunters will investigate historical data as far as retention periods allow, which could discover new types of threats or threats that are then dormant.
• Situational or Entity-Drive hunting – this hunt focuses on an organization’s sensitive data or critical resources. Threat actors commonly target high value or high-risks assets thus, cyber threat hunting can help identify high-priority targets and conduct focused searches for relevant threats.[3][5]

Indicators to Look For

For cyber threat hunters to effectively and efficiently hunt for cyber threats, telemetry should be used from both the endpoint and network. Endpoint and network telemetry will include, but not be limited to:

• Operating System Events
• Process Activity Events
• RAM scanning
• IoCs
• IoAs
• Attacker TTPs
• Malicious IPs
• Hash Values change
• Metadata about files downloaded
• HTTP activity metadata
• DNS traffic metadata
• Kerberos traffic metadata

While this is not a full list, cyber threat hunters can use these key indicators to determine if there are any cyber threats within the organization’s environment so they can create a strategy to combat it.

What Makes Threat Hunting Important

Cyber threat hunting is an important aspect of today’s cyber defense strategy because sophisticated threats can bypass security solutions. Even if you leverage automated tools and a security operations center (SOC) analyst that can handle 90% of cyber threats, it is the other 10% that organizations still need to worry about and have a plan to address. If given enough time and resources, threat actors can break into any environment and avoid detection.

In the “Cost of Data Breach 2022” report, it detailed how the average cost of a data breach reached an average of $4.4 million globally (13% increase from 2020) and $9.4 million in the United States. Furthermore, it took organizations about 277 days to identify and contain data breaches on average [3]. Proactive cyber threat hunting can help reduce the time of discovery and it can help reduce the amount of damage done by the threat actors. By reducing this damage, the organization can save their reputation, reduce financial impact, and protect their data.

How to Improve Your Threat Hunting Process

Here are the three ways we recommend most to improve an organization’s cyber threat hunting process:

• Identify organization’s “normal”
• Use the Observe, orient, decide, act (OODA) Loop to react rapidly to cyber threats
• Have the following resources available: personnel with different areas of expertise, systems that collect and organize security events and incidents, and tools that can identify anomalies and track down threat actors

While this article has briefly touched on the subject of cyber threat hunting, hopefully it has stressed the importance and need to include threat hunting within your organization’s security processes. If your organization has not yet implemented cyber threat hunting procedures, then it’s recommended that you start now. Cyber threat hunting will not only help you detect the unknown malicious activity that could be lurking in your environment but, it will help increase your security posture.

References:

1. Crowdstrike. 2022. What is cyber threat hunting? https://www.crowdstrike.com/cybersecurity-101/threat-hunting/ 
2. Verizon Data Breach Report 2022. 
3. IBM. What is Threat Hunting? https://www.ibm.com/topics/threat-hunting 
4. CheckPoint. What is Threat Hunting? https://www.checkpoint.com/cyber-hub/cloud-security/what-is-threat-hunting/ 
5. Cynet. Threat Hunting: 3 Types and 4 Critical Best Practices. https://www.cynet.com/advanced-threat-protection/threat-hunting-3-types-and-4-critical-best-practices/