Cyber Threat Hunting: Everything You Need to Know for Success

Cyber threats appear to be lurking around every corner in today’s technologically driven world. Half the battle lies in recognizing the dangers and assessing the risks associated with those threats. However, understanding how to search for them proactively, in advance, can save a great deal of difficulty, time, and cost. This is where threat hunting comes into the picture.

What is Cyber Threat Hunting?

It is the proactive approach of identifying previously unknown, or ongoing non-remediated threats, within an organization’s network infrastructure.

Why Threat Hunting?

Cyber threat hunting scours an environment for dangerous threat actors who have eluded the initial endpoint security measures.

It additionally improves SIEM alerting: new correlations can be built from the discoveries of the hunt. Even where threat hunting has been applied in the network, new threats continue to arise rapidly, whether from an insider or an outsider.

Threat hunting is becoming increasingly important as organizations look to stay ahead of the latest cyber threats and react quickly to any possible threats.

Where to Hunt?

  • SIEM
  • EDR solution
  • Statistical Data
  • Memory
  • Network Flow Data
  • 24/7 Scan Results
  • Honeypots
  • Insider Behavior

Threat Hunting Loop

For many firms, cyber threat hunting is a relatively new security methodology. Until recently, most security teams relied on traditional, reactive responses to alerts and notifications, often only evaluating data sets after a breach was identified as part of forensic investigations and mitigation efforts.

Threat Hunting Methodologies

Threat hunters assume that attackers are already present in the environment, and they begin by searching for odd behavior that could flag malicious activity. This type of proactive threat hunting analysis falls into three categories:

  1. Hypothesis-driven investigation – Hypothesis-based investigation entails evaluating multiple hypotheses or “guesses” about an attacker’s TTPs (Tactics, Techniques & Procedures) to discover “what is going on” in a given circumstance.
  2. An investigation based on known Indicators of Compromise or Indicators of Attack – Using tactical threat intelligence, this approach to threat hunting catalogs known IOCs and IOAs linked with new threats. Threat hunters use these as triggers to find potential concealed attacks or ongoing harmful activity.
  3. Advanced analytics and machine learning investigations – The third method uses advanced data analysis and machine learning to sift through large amounts of data, searching for anomalies that could indicate hostile activity. These abnormalities generate hunting leads, which professional analysts analyze to detect stealthy threats.

Types of Threat Hunting

  • Live Hunt: It is the type of threat hunting where the threat hunters hunt for cyber threats in real-time.
  • Retrospective Hunt: In this type of threat hunting, threat hunters leverage historical data to look back across the infrastructure to see if a threat exists that was not previously detected.

Benefits of Cyber Threat Hunting

Hunting’s key goals are to:

  1. Reduce dwell time by speeding up adversary detection and lowering investigation and forensic costs.
  2. Evict opponents with the least amount of business impact possible.

Hunting allows a company to detect, characterize, assess, and eliminate advanced threats as early as possible in the kill chain, and automated technologies can aid the hunt. Stopping adversaries early in the cyber kill chain usually prevents them from achieving their ultimate goal.

Hunting can uncover attacks that are undetectable by passive defenses. Hunting, for example, is excellent at detecting previously unknown attacks because it does not require prior knowledge of the signs of a specific attack.

Hunting can also detect attacks that aren’t malware-based, because it isn’t focused solely on malware. Many passive defenses rely on prior knowledge of malware features (i.e., signatures) and cannot detect non-malware attacks.

What is required to start Threat Hunting?

  • Human Expertise
  • Historical Data
  • Threat Intelligence
  • 24×7×365 Operations

This is where a Managed Security Services provider like SharkStriker can help you fulfill all those requirements. We have an elite team of hunters who use their expertise to perform threat hunting daily for effective and proactive threat detection. SharkStriker’s service offerings like MDR-as-a-Service, SOC-as-a-Service, or SIEM-as-a-Service can enable continuous monitoring and centralized visibility for quick detection and real-time response.

Below are some examples of threat hunting.

Understanding Web Application Attacks using Threat Hunting:

A web application attack is an attempt by a threat actor to compromise the security of a web-based application. Web application attacks include XSS (Cross-Site Scripting) attacks, injection attacks, directory-traversal attacks, and many more.

The sections below show how to hunt for specific attacks using queries:

XSS Attack Detection

For XSS attacks, most hackers use automated scanners to search for injection points, and those scanners use payloads from open-source repositories like:

In the above articles, most payloads sit between the characters < and >, and for obfuscation they can be URL-encoded, in which case the characters appear as %3C and %3e. Below is a very basic query to search for XSS attempts in the URL path.

Simple query to hunt for:  ((*\<* and *\>*) or (*%3C* and *%3e*))

Detection for SQL Injection Attacks

Injections can be performed with different payloads depending on the type of database. Below is a basic query to detect injections that use string operations.

A simple query to hunt for: (*SELECT* and *CONCAT*)

Path Traversal Attacks Detection

A path traversal attack or directory traversal aims to access files and directories stored outside the webroot folder. By manipulating variables that reference files with “../” and “..%2f” sequences and their variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on file systems, including application source code or configuration and critical system files.

Simple query to hunt for: ((*../* or *..%2F*) and (*etc* or *win.ini*))
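The three web-attack queries above (XSS, SQL injection, path traversal) can be run over raw access logs as follows. This is an added example, not SharkStriker's own tooling; the log format, sample lines and function names are assumptions. It decodes each URL before matching, so mixed-case and double-encoded variants that the wildcard queries would miss are still caught.

```python
import re
from urllib.parse import unquote

# The three hunting queries above as predicates over a decoded, lower-cased URL.
# Decoding first lets one rule cover both the literal and percent-encoded forms
# (%3C/%3e, ..%2F) and makes the match case-insensitive.
RULES = {
    "xss": lambda u: "<" in u and ">" in u,
    "sqli": lambda u: "select" in u and "concat" in u,
    "path_traversal": lambda u: "../" in u and ("etc" in u or "win.ini" in u),
}

# Pulls client IP, request URL and status out of a common/combined log line.
LOG_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*" (\d{3})')

def normalise(url, rounds=2):
    """Percent-decode up to `rounds` times (catches double encoding), then lower-case."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.lower()

def hunt(lines):
    """Return (client_ip, status, raw_url, matched_rules) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, url, status = m.groups()
        decoded = normalise(url)
        matched = [name for name, rule in RULES.items() if rule(decoded)]
        if matched:
            hits.append((ip, status, url, matched))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2022:10:00:01 +0000] "GET /search?q=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2022:10:00:02 +0000] "GET /item?id=1%20union%20select%20concat(a,b) HTTP/1.1" 500 0',
    '198.51.100.9 - - [10/Jan/2022:10:00:03 +0000] "GET /dl?file=..%252f..%252fetc/passwd HTTP/1.1" 404 0',
    '192.0.2.10 - - [10/Jan/2022:10:00:04 +0000] "GET /products/select-your-size HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```

These are broad substring rules, so expect false positives; the HTTP status and repeated hits from one client IP help decide which leads to follow first.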

Hunting for Log4J CVE-2021-44228 Exploits in an environment

Log4j is a Java-based library for logging error messages in enterprise applications, including custom applications, networks, and cloud computing services.

The Log4j vulnerability, also known as Log4Shell, is a high-severity vulnerability that affects the core function of Apache Log4j2. It allows an attacker to perform remote code execution by exploiting the insecure JNDI lookup feature exposed by the logging library.

Simple queries to hunt for:

Example of IOC Driven Threat Hunting

In IOC-Driven Threat Hunting, threat hunters look for known IOCs and IOAs linked with new threats. Threat hunters utilize these as triggers to find potential concealed attacks or continuing harmful activities.

Our elite hunters look for malicious IPs with the help of SharkStriker’s customized orca threat intel fields below:

  • ti.feed: Our own customized orca threat intelligence field collects information from different threat intelligence platforms.
  • ti.threatactor: This orca threat intel field provides information about the malicious threat actor IPs.
  • ti.note: This field gives threat actors an idea about the nature of Source and Destination IPs.
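A sketch of how IOC-driven matching can populate fields like these, as an added example that is not SharkStriker's implementation. The event schema (src_ip, dst_ip), the intel entries and the content written into each ti.* field are all assumptions made for illustration.

```python
import ipaddress

# Constructed intel entries (documentation IP ranges); feed names, actor labels
# and notes are placeholders, not real intelligence.
INTEL = [
    {"indicator": "203.0.113.0/24", "feed": "example-feed-a",
     "threatactor": "EXAMPLE-ACTOR-1", "note": "known scanner range"},
    {"indicator": "198.51.100.23", "feed": "example-feed-b",
     "threatactor": "EXAMPLE-ACTOR-2", "note": "reported C2 address"},
]

# Constructed flow events; src_ip/dst_ip are assumed field names.
EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.40", "dst_port": 443},
    {"src_ip": "198.51.100.23", "dst_ip": "10.0.0.8", "dst_port": 22},
    {"src_ip": "10.0.0.9", "dst_ip": "192.0.2.1", "dst_port": 80},
    {"src_ip": "not-an-ip", "dst_ip": None, "dst_port": 0},
]

def build_index(intel):
    """Parse each indicator once; a bare IP becomes a /32 (or /128) network."""
    return [(ipaddress.ip_network(e["indicator"], strict=False), e) for e in intel]

def enrich(event, index):
    """Return a copy of the event, with ti.* fields added if src or dst matches."""
    out = dict(event)
    for side in ("src_ip", "dst_ip"):
        try:
            addr = ipaddress.ip_address(str(event.get(side, "")))
        except ValueError:
            continue  # missing or malformed address: nothing to match
        matches = [(net, e) for net, e in index if addr in net]
        if matches:
            # The most specific (longest-prefix) indicator wins.
            net, e = max(matches, key=lambda m: m[0].prefixlen)
            out["ti.feed"] = e["feed"]
            out["ti.threatactor"] = e["threatactor"]
            out["ti.note"] = f"{side} {addr} matched {net}: {e['note']}"
            break
    return out

def hunt_iocs(events, intel):
    """Return only the events that matched an indicator, enriched."""
    index = build_index(intel)
    enriched = (enrich(ev, index) for ev in events)
    return [ev for ev in enriched if "ti.feed" in ev]
```

Recording which side matched in the note separates inbound contact from a listed address from an internal host reaching out to one, which usually sets the triage priority.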

Wrapping Up

SharkStriker provides managed security services with the right resources, including the necessary people, data, and analytical tools to effectively hunt for unusual and abnormal network activity and hidden threats in an organization’s environment. We deliver deep expertise and 24×7 vigilance at a more affordable cost.
