Threat hunting is the practice of proactively and continuously searching for cyber threats that sneak in and go undetected in the enterprise infrastructure. It is a data protection strategy that is used to detect indicators of compromise (IoCs), hacker tactics, techniques, and procedures (TTP), and threats such as Advanced Persistent Threats (APTs) that may have slipped past the initial endpoint security defences.
Threat hunting is a complex process and effective hunting occurs in three phases – trigger, investigation and resolution.
Once the hunter has collected information about the potential threat, the logical next step is to choose a trigger for further investigation. This trigger can be a specific system, a network area, or a hypothesis. Identifying a trigger is part of outlining the scope of the hunt and the boundaries that ensure the hunter understands what to look for.
After finalising the trigger, the hunter starts looking for anomalies that either prove or disprove the hypothesis. This is done in the investigation process where various technologies are leveraged to assist hunters in identifying anomalies that may or may not be malicious.
Once important information has been collected during the investigation phase, it is handed to other teams and tools to prioritize, analyze, report, respond and remediate. This is the final stage of the threat hunting framework, the resolution phase. The information collected is critical to the threat hunting process, as it can be used to predict trends, prioritize and mitigate risks, and improve security measures.
The challenge in threat hunting is to distinguish between “signal” (true evidence of malicious action) and “noise” (the wide range of activity that legitimate users generate every day). Threat hunters understand that the real clues are hidden in the noise. Finding these clues requires specific methodologies; here are some options.
Intelligence-based hunting is designed to elicit a response based on intelligence sources. In this method, threat intelligence feeds or Indicators of Compromise (IoCs) such as IP addresses, file names, hash values, and domain names are searched for in the environment. It also allows integration between the SIEM and threat intelligence tools to automate the detection of known bad actors.
Another source of intelligence is the host or network artefacts published by CERTs, which allow automated alerting. This information can be ingested into the SIEM using the STIX format and the TAXII transport protocol.
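As an added illustration (not code from the original article or from any vendor), the example below parses a constructed STIX 2.1 indicator bundle into a lookup table and sweeps constructed firewall, proxy and EDR log lines for those IoCs, which is the core of the intelligence-based hunt described above. The bundle, indicator ids, hash, IPs and domain are all sample values, and the parser only handles the simple single-comparison STIX pattern form.

```python
import json
import re

# Constructed STIX 2.1 bundle with three indicators (sample data, not a real feed).
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'update-check.example.net']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']"},
    ]})

# Handles only the single-comparison STIX pattern form [object:property = 'value'];
# compound patterns (AND/OR, FOLLOWEDBY) are skipped rather than misparsed.
PATTERN_RE = re.compile(r"\[([\w-]+):([\w.'-]+)\s*=\s*'([^']+)'\]")

def load_iocs(bundle_json):
    """Return {ioc_value: (indicator_id, stix_object_type)} from a STIX 2.1 bundle."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"])
        if m:
            iocs[m.group(3).lower()] = (obj["id"], m.group(1))
    return iocs

# Splits a log line into candidate IoC tokens so IPs, domains and hashes survive intact.
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")

def hunt(log_lines, iocs):
    """Return (line_number, ioc_value, stix_object_type) for every IoC seen in the logs."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for tok in TOKEN_RE.findall(line):
            if tok.lower() in iocs:
                hits.append((lineno, tok.lower(), iocs[tok.lower()][1]))
    return hits

# Constructed firewall, proxy and EDR log lines (sample data).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z fw allow src=10.0.0.5 dst=198.51.100.7 dport=443",
    "2024-03-01T10:00:07Z proxy GET host=update-check.example.net user=alice",
    "2024-03-01T10:01:12Z fw allow src=10.0.0.9 dst=203.0.113.45 dport=8080",
    "2024-03-01T10:02:30Z edr file_created sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 host=ws-17",
]
```

Running `hunt(SAMPLE_LOGS, load_iocs(STIX_BUNDLE))` returns one hit per matching line, tagged with the STIX object type, which is the shape a SIEM rule would alert on.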
Hypothesis-based hunting is by far the most mature methodology. This approach is based on logical reasoning and practical evidence and is designed to prevent bias and speculation from affecting outcomes. This hunting technique involves testing three types of hypotheses:
Analytics-driven: a step that uses ML and UEBA to develop aggregated risk scores and formulate hypotheses
Intelligence-driven: analysis of malware, vulnerability scanning, and intelligence reports and feeds
Situational-awareness driven: identifying critical digital assets for enterprise-level risk assessments and crown jewel analysis
IoA-based hunting is the most proactive threat hunting method that commonly aligns with threat frameworks such as MITRE ATT&CK. The list of actions involved in this process includes:
Using IoAs and TTPs to identify possible threat actors or attack campaigns.
Assessing the domain, environment, and attack behaviours to create a hypothesis that aligns with MITRE ATT&CK.
Locating patterns by monitoring activities. The goal is to locate, identify, and then isolate the threat.
Hybrid hunting combines all of the above methods, hence the name, and allows security analysts to customize the hunt. It usually involves industry-based hunting and contextual awareness in line with specified hunting requirements.
Threat hunting can be a slow process, and most of the time the outcome is negative (which is a good thing). Long hunting stints without a positive finding can easily derail an analyst's line of thought, which is why sticking to a defined methodology ensures coverage. A pre-decided hunting methodology also brings consistency across multiple hunters.
Some effective tools and platforms for threat hunting include:
Key cybersecurity log sources – Firewalls, antivirus, proxy, authentication and endpoint security solutions are key to monitoring the environment.
SIEM solutions – These help manage the raw security data and provide real-time analysis of security threats.
Analytics tools – Analysis tools use statistical and machine-learning methods to identify threats that are undocumented or previously undetected, making it easier to correlate entities and detect patterns.
Distinguish between unusual and normal
Threat hunting requires filtering anomalous activity to detect real threats. For this, it is important to identify and understand the ‘normal’ functions of the organization and the baseline against which the unusual is identified.
Once the threat hunting team has gathered this information and insight, it becomes easier to distinguish between the two. The process can be automated using UEBA, which models the normal operating conditions of the environment and of the users and machines within it.
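A small baseline-versus-anomaly hunt of the kind UEBA automates, added here as an illustration rather than taken from the article or any product: it learns each user's usual source hosts and login hours from constructed authentication history, then scores new events by how far they sit from that baseline, refusing to call anything unusual for a user with too little history. Users, hosts and hours are sample values, and hours are assumed not to wrap around midnight.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed authentication history as (user, source host, login hour 0-23); sample data, not real logs.
HISTORY = [
    ("alice", "ws-01", 9), ("alice", "ws-01", 10), ("alice", "ws-01", 8), ("alice", "ws-02", 9),
    ("alice", "ws-01", 11), ("alice", "ws-02", 10), ("alice", "ws-01", 9), ("alice", "ws-01", 10),
    ("bob", "ws-07", 22), ("bob", "ws-07", 23), ("bob", "ws-07", 21), ("bob", "ws-07", 22),
    ("bob", "ws-08", 23), ("bob", "ws-07", 22), ("bob", "ws-07", 21), ("bob", "ws-08", 22),
]
# Constructed new events to hunt over (one normal, one odd hour, one new host, one unknown user).
NEW_EVENTS = [("alice", "ws-01", 10), ("alice", "ws-01", 3), ("bob", "ws-41", 22), ("carol", "ws-05", 12)]

def build_baseline(events):
    """Per user: hosts seen, mean and std-dev of login hour, and observation count."""
    by_user = defaultdict(list)
    for user, host, hour in events:
        by_user[user].append((host, hour))
    baseline = {}
    for user, obs in by_user.items():
        hours = [h for _, h in obs]  # hours assumed not to wrap midnight, so plain mean/std-dev is adequate
        baseline[user] = {"hosts": {host for host, _ in obs}, "n": len(obs), "mean_hour": mean(hours),
                          "std_hour": max(pstdev(hours), 1.0)}  # floor keeps very regular users from flagging on any change
    return baseline

def score_event(baseline, user, host, hour, min_obs=5):
    """Return (score, reasons); higher means further from the user's established normal."""
    b = baseline.get(user)
    if b is None or b["n"] < min_obs:
        return 0.0, ["insufficient baseline"]  # do not call something unusual without a baseline
    score, reasons = 0.0, []
    if host not in b["hosts"]:
        score += 1.0
        reasons.append(f"new host {host}")
    z = abs(hour - b["mean_hour"]) / b["std_hour"]
    if z > 2.0:
        score += min(z / 2.0, 2.0)
        reasons.append(f"login hour {hour} is {z:.1f} sd from usual")
    return score, reasons

def hunt_unusual(baseline, events, threshold=1.0):
    # Events whose score reaches the threshold, with reasons; everything below it is treated as noise.
    flagged = []
    for user, host, hour in events:
        score, reasons = score_event(baseline, user, host, hour)
        if score >= threshold:
            flagged.append((user, host, hour, score, reasons))
    return flagged
```

`hunt_unusual(build_baseline(HISTORY), NEW_EVENTS)` flags alice's 03:00 login and bob's login from an unseen host, and leaves carol's event alone because there is no baseline to judge it against.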
The OODA-loop strategy
The OODA-loop strategy is used in the military to apply rational thinking in confusing or chaotic situations, and the same approach is applied in cyber defence.
Observe, Orient, Decide, Act (OODA) is a four-step approach to decision-making that can be used in threat hunting. It focuses on filtering the available information, placing it in context and making the right decision, while acknowledging that the decision can be adjusted or changed as new and more data arrives.
Efficiency of resources
A threat hunting team should be resource-efficient and rely on experience and training, a basic threat hunting infrastructure that collects and organizes security incidents and events, and the right tools to identify anomalies and track down attackers. Use tools to automate repetitive processes like threat attribution and validation.
Typically, most systems fail to identify connections between threats because they work on each threat in isolation and end up producing a list of disconnected alerts. DNIF HYPERCLOUD is designed to identify the connections between threat signals using graph-based machine learning techniques and to track down the relationships between multiple attacks instead of treating them as isolated events, giving a clear picture of the threat landscape.
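To show the linking idea in its simplest form, here is an added example that is not DNIF's implementation: alerts are joined into connected components whenever they share an entity (user, host, hash, domain, IP) using union-find, with a hub cap so that an entity seen in very many alerts, such as a domain controller, does not chain unrelated alerts together. Alert ids, rule names and entities are constructed sample values.

```python
from collections import defaultdict

# Constructed alerts (sample data, not real detections); each lists the entities it involves.
ALERTS = [
    {"id": "A1", "rule": "phishing_attachment_opened", "entities": {"user:alice", "host:ws-17"}},
    {"id": "A2", "rule": "suspicious_powershell", "entities": {"host:ws-17", "sha256:<constructed-hash>"}},
    {"id": "A3", "rule": "outbound_to_rare_domain", "entities": {"host:ws-17", "domain:update-check.example.net"}},
    {"id": "A4", "rule": "new_admin_logon", "entities": {"user:alice", "host:dc-01"}},
    {"id": "A5", "rule": "failed_vpn_logins", "entities": {"user:bob", "ip:198.51.100.9"}},
    {"id": "A6", "rule": "outbound_to_rare_domain", "entities": {"host:ws-22", "domain:update-check.example.net"}},
]

def link_alerts(alerts, max_degree=50):
    """Group alerts into connected components over shared entities (union-find).
    An entity in more than max_degree alerts is treated as a hub and ignored; otherwise
    one busy host or proxy IP would chain every alert into a single meaningless cluster."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    owners = defaultdict(list)  # entity -> alert ids that mention it, in alert order
    for a in alerts:
        for e in a["entities"]:
            owners[e].append(a["id"])
    for ids in owners.values():
        if len(ids) > max_degree:
            continue
        for other in ids[1:]:
            union(ids[0], other)

    clusters = defaultdict(set)
    for a in alerts:
        clusters[find(a["id"])].add(a["id"])
    # Largest clusters first; a component spanning several distinct rules is the stronger campaign signal.
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))

def distinct_rules(alerts, cluster):
    """How many different detection rules fired within one cluster."""
    return len({a["rule"] for a in alerts if a["id"] in cluster})
```

On the sample, the phishing, PowerShell, rare-domain and admin-logon alerts collapse into one five-alert cluster spanning four rules, while the VPN failures stay a singleton.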