What is Threat Hunting?
Threat hunting is the proactive cybersecurity practice of searching for hidden threats already in an organization’s environment. Threat hunting is necessary because many adversaries engineer their attacks to bypass an organization’s perimeter and defenses in order to sneak in undetected.
Basic security analytics is built to detect known malware that follows predefined patterns. New, unknown malware that matches no existing pattern is far harder to detect.
Threat hunting adds a new layer of protection for a mature security operations center.
Threat Hunting Is Critical
Cybersecurity solutions are far from perfect. Effective threat hunting proactively prevents damage from advanced attacks where detection solutions may fail. In fact, in the 2019 SANS Threat Hunting Survey, 12% of organizations said threat hunting improved their organization’s security posture by over 50%.
The Difference Between Threat Hunting and Incident Response
While incident response is reactive, beginning with a SIEM alert on a potential event, threat hunting takes a more proactive approach to detection. Threat hunting begins with formulating a hypothesis based on multiple indicators, then hunting for the indicators identified in that hypothesis.
How to Conduct a Successful Hunt
It is helpful for analysts to have a varied skillset beyond cybersecurity when hunting for threats. Knowledge of network and endpoint forensics, applications, and business operations can help analysts to think like an attacker.
For example, when hunting for advanced threats like DNS tunneling or persistent malware, the analyst will often look for unusual additions to the Windows registry or for DNS queries of unusual size.
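One concrete form of the DNS-size hunt described above, as an added example that is not part of the original page or any Securonix product: it parses constructed DNS query log lines (the format, thresholds and sample names are assumptions) and flags queries whose first label is unusually long or high-entropy, the typical shape of tunneled data.

```python
import math
import re
from collections import Counter

# Constructed sample log: "<timestamp> <client> <qtype> <qname>"; the two TXT
# queries carry 64-character hex first labels, as tunneling tools often produce.
SAMPLE_DNS_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 A www.example.com
2024-05-01T09:00:02Z 10.0.0.5 AAAA mail.example.com
2024-05-01T09:00:03Z 10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0.t.example.net
2024-05-01T09:00:04Z 10.0.0.7 TXT abcdef01234567899876543210fedcbaabcdef01234567899876543210fedcba.t.example.net
2024-05-01T09:00:05Z 10.0.0.9 A cdn.example.org
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits per character; hex-encoded payloads approach 4.0, real words sit well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_dns_log(text):
    """Yield (timestamp, client, qtype, qname) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groups()

def score_query(qname, max_qname_len=60, max_label_len=40, entropy_threshold=3.5):
    """Return the reasons a query looks like tunneling; an empty list means unremarkable."""
    reasons = []
    first = qname.rstrip(".").split(".")[0]          # leftmost label carries the data
    if len(qname) > max_qname_len:
        reasons.append("long qname")
    if len(first) > max_label_len:
        reasons.append("long first label")
    if shannon_entropy(first) > entropy_threshold:
        reasons.append("high entropy first label")
    return reasons

def hunt_dns_tunneling(text, **thresholds):
    """Return (client, qtype, qname, reasons) for every query that trips a threshold."""
    hits = []
    for _ts, client, qtype, qname in parse_dns_log(text):
        reasons = score_query(qname, **thresholds)
        if reasons:
            hits.append((client, qtype, qname, reasons))
    return hits
```

Thresholds are a starting hypothesis, not a verdict: tune them against your own baseline of legitimate long names (CDNs, anti-spam lookups) before treating a hit as an incident.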
Hunting for Threats
Your most important asset for threat hunting is your organization’s data. Data from appliances, cloud infrastructure, application delivery controllers, firewalls, and application servers all help guide you.
To pull all the data together for analysis and threat hunting, many security teams use a SIEM.
Unstructured data can be difficult to search because it is often disjointed and uncorrelated. Structured data gathered through a next-generation SIEM has already been correlated, which makes threat hunting easier.
As an organization matures, additional data sources become available, and more manual detection processes can be automated. Automation saves your security operations center time, so analysts can spend more of it hunting for advanced threats.
Hunting with Securonix
Securonix Next-Gen SIEM provides key capabilities that make threat hunting more efficient, effective, and accurate such as:
- Live search on real-time data allows threat hunters to search for active threats.
- Community-based threat intelligence, with MITRE, provides an easy reference within the product to identify attack patterns during hunts and hypothesis development.
- Long-term search on historical data enables threat hunters to review behavioral patterns in previous months to help identify hidden threats quickly.