What is threat hunting in cybersecurity? How does it work? 

Cyber threats appear to be lurking around every corner in today’s technologically driven world. Half the battle lies in recognizing the dangers and assessing the risks associated with those threats. However, knowing how to search for them proactively, in advance, can spare an organization a great deal of difficulty, time, and cost. This is where Threat Hunting comes into the picture.

What is threat hunting? 

Threat hunting is a proactive method in cybersecurity where threat experts hunt for unknown, ongoing, and unaddressed threats across an organization’s network. It leverages different tactics, techniques, and strategies to identify if there are threats across a network that are not detected yet. 

What is the primary goal of threat hunting? Why is it important? 

The primary purpose of threat hunting is to catch threat actors/threats before they make their move. It aims to identify any ongoing suspicious activities/potential incidents before they cause damage to the infrastructure or have a significant adverse impact on the organization. It assists cybersecurity teams in enhancing cyber readiness against threats. The data from a threat-hunting activity can be useful for devising an effective incident response strategy. 

What are the benefits of threat hunting? 

Threat hunting is an essential part of security because it follows a repeatable, hypothesis-driven process. A typical hunt proceeds through the following steps: 

Step 1: Frame hypothesis – based on threat intel sources, known TTPs  

Step 2: Gather data – from multiple endpoints across infrastructure based on hypothesis 

Step 3: Identify triggers – anomalous/unusual actions that point towards suspicious activities that may need further investigation 

Step 4: Investigate – analyze the triggers that can be IoCs (Indicators of Compromise) and IoAs (Indicators of Attack) 

Step 5: Resolve – communicate with relevant teams for deployment of incident response 

What does a typical threat hunting framework look like? 

A typical threat hunting framework will have activities like: 

  • Curate Indicators of Compromise with contextual information from SIEM and threat intelligence 
  • Understand the baseline conditions with  
  • Frame a threat hunting hypothesis 
  • Collect data from the environment – could be anything from alerts from a database to forums  
  • Engage in hypothesis-based scanning of the environment for threats  
  • Correlate with existing methodologies – like NIST and MITRE ATT&CK Framework 

What are some of the common IoCs and IoAs searched for in a threat hunting activity? 

Some important Indicators of Compromise searched for in a threat hunting activity are: 

  • Hash Values 
  • IP Address 
  • Domain Names      
  • TTPs 
  • Tools 
  • Network/Hosts 

Common examples of Indicators of Attack (IoA) looked for in threat hunting activity include: 

  • Unexpected activities on the network like excess data suddenly transferred to an IP address 
  • A surge in access requests  
  • Unauthorized modifications in files 
  • Installation of unauthorized software 
  • Modification of system configurations 
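As an added example (not code from the original post), the five hunting steps above applied to the first IoA in the list, excess data suddenly sent to one IP address: a baseline is built from earlier flow records, hunt-day flows far above it become triggers, and each trigger is enriched against an IoC list. The flow records, hostnames, addresses and the IoC entry are all constructed placeholders.

```python
"""Hypothesis-driven hunt over constructed network flow records.

Step 1 (hypothesis): a workstation is exfiltrating data to an external IP.
Step 2 (gather data): daily outbound bytes per (host, destination) pair.
Step 3 (triggers): hunt-day volume far above that pair's historical mean.
Step 4 (investigate): enrich triggers with IoC context for prioritisation.
Step 5 (resolve): hand the findings to incident response.
"""
from collections import defaultdict
from statistics import mean

# Constructed flow records: (day, src_host, dst_ip, bytes_out).
# Days 1-3 form the baseline period; day 4 is the hunt window.
FLOWS = [
    (1, "ws-17", "203.0.113.10", 120_000),
    (2, "ws-17", "203.0.113.10", 110_000),
    (3, "ws-17", "203.0.113.10", 130_000),
    (4, "ws-17", "203.0.113.10", 125_000),
    (1, "ws-17", "198.51.100.7", 5_000),
    (2, "ws-17", "198.51.100.7", 4_000),
    (3, "ws-17", "198.51.100.7", 6_000),
    (4, "ws-17", "198.51.100.7", 900_000),  # sudden spike to one address
    (1, "ws-22", "203.0.113.10", 80_000),
    (4, "ws-22", "203.0.113.10", 90_000),
]

# Constructed IoC list (placeholder value, not a real indicator).
IOC_IPS = {"198.51.100.7": "constructed-intel: placeholder C2 address"}


def build_baseline(flows, hunt_day):
    """Per (host, dst) list of daily byte counts from days before hunt_day."""
    history = defaultdict(list)
    for day, host, dst, nbytes in flows:
        if day < hunt_day:
            history[(host, dst)].append(nbytes)
    return history


def find_triggers(flows, hunt_day, factor=5.0):
    """Flag hunt-day flows exceeding `factor` times the pair's baseline mean."""
    history = build_baseline(flows, hunt_day)
    triggers = []
    for day, host, dst, nbytes in flows:
        if day != hunt_day:
            continue
        past = history.get((host, dst))
        if not past:
            triggers.append((host, dst, nbytes, "no baseline"))
        elif nbytes > factor * mean(past):
            triggers.append((host, dst, nbytes, f"{nbytes / mean(past):.0f}x baseline"))
    return triggers


def investigate(triggers, ioc_ips):
    """Attach IoC context to each trigger so responders can prioritise."""
    return [(h, d, n, why, ioc_ips.get(d, "no IoC match")) for h, d, n, why in triggers]
```

A destination with no baseline is reported as a trigger too, because first-time external destinations are worth a look rather than being silently skipped.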

What is a TTP in threat hunting? 

As per MITRE, TTP-based hunting involves collecting and filtering data based on the knowledge of adversary tactics, techniques, and procedures for detecting malicious activity.   

It is a robust approach that looks for the techniques adversaries use to achieve their objectives. These include the tactics, techniques, and procedures that are common across adversaries. 

What are the different kinds of threat hunting? What are the different methods of threat hunting?  

There are three kinds and methods of threat hunting that are commonly used: 

Types of threat hunting: 

  • Structured – Hunts are based on the TTPs deployed by an attacker and leverage the MITRE ATT&CK framework, proactively identifying actors before they make a move. 
  • Unstructured – Hunts are based on IoC-based triggers and threat intelligence. Threat hunters look for patterns before and after detections, going back to the root cause before detection. 
  • Situational – Hunts are based on a hypothesis of a situation (an attack) and industry-based methods. 

Methods/Models: 

  • Hypothesis-based – A proactive approach that uses a hypothesis made using MITRE ATT&CK framework-based playbooks, IoAs, and TTPs. Hunters catch and isolate threats based on the hypothesis. 
  • Intel-based – The hunt is performed using intel shared by intelligence agencies, including IoCs, IP addresses, networks, host artifacts, and domain names. 
  • Custom – A tailored threat hunting activity that is based on customer scope and can use elements from intel-based and hypothesis-based hunting. 

What is cloud threat hunting? 

It is threat hunting focused on cloud-based attackers that deploy different TTPs to bypass cloud security measures and exploit security weaknesses in the cloud. Hunters use advanced tools and cloud-based telemetry to hunt for undiscovered, ongoing, and hidden threats. 

What do you need to perform threat hunting? 

The following are some of the things that are needed to perform an effective threat hunting activity: 

Human threat hunters – they are critical along with automated detection solutions to perform an effective threat-hunting activity  

Technology – A security solution that performs security data ingestion and storage, offering visibility across infrastructure like EDR/SIEM/XDR 

Threat Intelligence – Latest intelligence on threat actors including their trends, security vulnerabilities leveraged, tactics, techniques and procedures deployed, etc.  

What is managed threat hunting? 

Given the rising cost of security solutions and the growing cybersecurity skills gap, not every organization has its own security solution and team of cybersecurity experts who can perform threat hunting. For those businesses, there is managed threat hunting. It utilizes an external team of cybersecurity professionals well-versed in the techniques and tools of threat hunting and incident response. 
