What is Threat Hunting?
Threat hunting is a focused and iterative approach used to proactively detect and eliminate threats that may have evaded traditional security tools. These threats include attacks or malware that infiltrate a business or organization’s network, leading to stolen intellectual property or personal information of customers and employees. As the complexity of network architecture has increased, the sophistication of “bad actors” perpetrating cyber-crimes has followed suit, making threat hunting an important and fast-growing element of the cyber security landscape.
To qualify as a threat, a potential adversary must have malicious intent, capability and opportunity to perpetrate their attacks. The field of cyber threat hunting has been established specifically to counteract the most advanced level of attack, based on the assumption that many such threats remain under the radar of existing security tools.
Why Threat Hunting is Important
Basic security tools, such as firewalls and antivirus software, can usually weed out the majority of cyber security threats, particularly the less sophisticated ones. The rare attacker who infiltrates the network undetected necessitates a more organized and powerful approach to cyber security. This includes external attackers as well as malicious insiders with built-in access to company systems and a motivation to commit cyber crimes such as IT sabotage or fraud. Insider threats can be even more difficult to detect, since access to sensitive data is often part of the job description and malicious behavioral patterns can be difficult to discern from normal activity. Whether they originate from within or outside the organization, advanced threats can often go weeks or months evading detection, all the while exposing sensitive data to corruption or theft.
The 80/20 rule is based on the “pareto” principle that 80% of all effects are the result of 20% of the causes. This same premise can be applied to network security, since roughly 80% of the problems are induced by 20% of the threats. This basic tenant implies that a higher level of focus, technology and manpower should be directed towards the most virulent attackers.
With regards to threat hunting, an advanced persistent threat (APT) is defined as a cyber attack through which an unauthorized party gains access to a network and steals or corrupts data unabated over an extended period of time. The cyber attacker typically utilizes multiple entry points to evade detection and elimination.
Initial access can be obtained through emails, files, applications or other benign pathways which lead to a compromised condition. Once established, malicious software will create additional avenues of compromise through which more instructions and/or code may be delivered. After this access foothold has been constituted, data such as account numbers, passwords and other sensitive information is often targeted by the attackers. Once this data leaves the network and reaches the hands of the infiltrators, the network is considered breached, rather than simply compromised. This breached condition leaves an open door for the cyber criminals to freely enter.
The common denominator linking APTs to threat hunting is the omnipresent human factor. A foiled APT strategy may quickly evolve to exploit newly discovered vulnerabilities or security weaknesses. Threat hunters can stay one step ahead of the bad actors by using deception technologies, such as luring attackers into fake servers, where the methods of the unknowing perpetrators can be observed while an effective counterstrategy is developed. This ongoing game of “cat and mouse” means these well-coordinated and adaptive cyber-attacks require an equally dynamic and malleable response. Advanced security and forensics tools combined with the elite knowledge and ingenuity of the threat hunter might be the best recipe for proactively preventing, detecting and defeating APTs.
- Increased Vulnerability
The “Internet of Things” (IoT) continues to advance technology and applications throughout the cyberscape but has also introduced new attack surfaces that create increased vulnerability. By nature, most IoT devices do not include a human interface, making them appear immune to attack by default. If not protected by end-point monitoring solutions, IoT devices can leave endpoints exposed to security threats, such as botnets, that once relied on networks of PCs for their point of entry. The proliferation of millions of additional IoT devices will continually raise the likelihood of compromise through similar methods.
Artificial intelligence (AI) has gained increased acceptance in recent years and the massive expansion of networks and data centers has made progressive adoption unavoidable. AI and machine learning (ML) can automate and improve many processes, including cybersecurity using AI-driven algorithms. Unfortunately, AI and ML have also proven to be beneficial for the attackers, enabling them to adapt threats quickly, create additional layers of insulation between the bad actors and their targets, and automate infiltration tactics such as phishing.
Performing Threat Hunting
The first step in conducting a successful threat hunt should be determining who will do the hunting. The answer may seem obvious, but many organizations lack the bandwidth or expertise within their existing IT departments, meaning additional outside resources may be required to lead or perform threat hunting activities.
Other essential prerequisites include thorough baselining of network operations and traffic patterns for comparison to anomalous conditions and full implementation of network security architecture and passive defense systems. Network security monitoring tools such as firewalls and antivirus software should be deployed and actively collecting security data.
The planning phase of threat hunting is of vital importance. A structured approach to planning combines a review of past incidences and hunts, industry trends, and any other security threat intelligence relevant to the current situation such as anomalies observed in traffic flows. Tactics, techniques and procedures (TTPs) are the three pillars around which the bad actors perpetrate their attacks and can often be used to establish patterns to profile individuals or distinct groups of cyber criminals.
Analysis of these behaviors within the context of known vulnerabilities leads to the development of viable hypotheses to be tested. A hypothesis is simply a data-driven theory regarding what compromised conditions may currently exist, along with a planned experiment to test the validity of the hypothesis. Once the data to support a hypothesis test has been collected, it can be analyzed to determine whether the hypothesis was valid. Effective hypothesis testing experiments will lead to conclusive results, yet efficiently utilize resources and minimize interruptions.
If a breach is detected, the issue requires escalation to the appropriate level of incident response team. Compromised conditions that have not yet led to a full breach may also be detected as well as vulnerabilities that may or may not have been anticipated in the planning process. The collection and analysis of data is a cyclical, rather than linear process, known as the intelligence cycle. Using this threat intelligence, all information and evidence garnered through data collection and experimentation can be disseminated to enlighten and influence future threat hunting efforts.
Becoming a Threat Hunter
Threat hunting as a full-time vocation is slowly gaining viability, as the sophistication and customization of cyber-attacks raises the bar for IT teams. With a rapidly growing percentage of organizations now performing continuous threat hunting, the value of this advanced security practice is clearly being recognized. Along with extensive experience in the security realm, the best threat hunters also share common skills and talents, including pattern recognition, data analytics and forensics abilities, and communication skills. The need for effective communication in threat hunting professionals underscores the dynamic, human element within this specialty.
The innate talents and abilities that make a threat hunter successful are buttressed by extensive technical acumen. Coding experience in multiple languages, operating system expertise and advanced knowledge of TTPs are some additional preferred traits of threat hunters. Take this threat hunting training today!
Threat Hunting Tools
Effective planning and hypothesis testing performed by experienced cyber security professionals forms a solid foundation from which to launch threat hunting activities. Beyond these essentials, there is a rapidly evolving need for advanced and powerful threat hunting tools. Some tools can be used to boost the horsepower behind your analytics which can foster more informed hypothesis generation. Analytics tools can perform data-mining activities on a large scale and differentiate troublesome patterns and relationships. Many tools in this category are also capable of providing interactive displays and graphs which aid the threat hunters in their investigations and analysis.
Forensic capability is another essential arrow in the threat hunter’s quiver. Threat hunters should have quick access to enriched flow records including traffic and application types, volumes, IP addresses and device type history on the network. Observer GigaFlow can support threat hunting activities with forensic recall capability of unstructured flow-based data from hybrid environments and immediate identification of unauthorized devices or rogue activities. Anomalies such as odd-hour traffic and exposure to known malicious IP addresses can be quickly identified for potential in-depth analysis at the packet level.
Powerful packet capture appliances such as Observer GigaStor provide outstanding packet-level storage and recall functionality scalable to over a petabyte of capacity. This empowers the threat hunter with long-term retention and analysis of granular packet level data. The valuable data cache can be called upon to recreate specific file and URL details from the most critical time frames identified at the flow level. GigaStor can reconstruct mined data in detail or assist in validating root cause when data has been compromised.
Network performance monitoring tools such as Observer Apex can combine access to packet level data and enriched flow records in a single, powerful interface which creates an exceptional threat hunting investigation and analysis tool. Long-term data retention and advanced analytics capabilities enable in-depth post-event security forensics. Working in concert with GigaFlow, Observer Apex can be used for advanced traffic profiling of every host and device. Simultaneous access to packet level data via GigaStor creates a mode for seamless transition into deep packet analysis for any critical time and traffic sequences. For example, if a known malicious IP has touched internal IP addresses, specific details of the transactions can be quickly accessed at the packet level for more in-depth visualization.
Threat Hunting Challenges
The challenges for threat hunters will intensify as the tactics, techniques and procedures of the bad actors evolve. The landscape has shifted from random malware attacks towards more customized and professional focused attacks. Mining data, developing hypotheses and performing investigations all consume precious time in a field where the adversary is moving quickly, and vital network security is at stake. Having the right data stored and readily available in the right format can make the threat hunter’s formidable task faster and more effective. The threat hunter may need to move rapidly between metadata, enriched flow records and packet level data to reach definitive conclusions. Having the right tools available can help beat the attackers to the punch.
Another challenge faced by threat hunters is the lack of standardization and infrastructure built around this avocation. Since threat hunting practices have developed independently at different organizations, there are few standard guidelines and protocols available to would-be threat hunters. Moreover, creating more standardization in the threat hunting realm might unwittingly provide intelligence to the bad actors themselves.
Despite these challenges, organizations that have employed threat hunting practices effectively have realized tangible improvements in response time and accuracy, reduced dwell (undetected infection) and containment times, decreased frequency of breaches and improved resource allocation. The best threat hunters can stay one step ahead through their inherent skills and talents, along with a proactive mode of operation that continually seeks rather than simply monitors and waits. As security threat intelligence and forensics tools develop and improve, threat hunting can positively influence the balance of power in cyber security.
Why Investing in Threat Hunting is Essential
Enterprises dedicate 50x more budget to prevention than investigation, but it’s not working. Learn why.
Become a Threat Hunter Today!
Are you ready to take the next step with one of our network security products or solutions?
Complete one of the following forms to continue:
Threat Hunting Resources
Strategies from expert threat hunters designed for NetOps & SecOps teams