Threat Hunting 101

A Guide To Threat Hunting Essentials

What is Threat Hunting?

Threat hunting is the proactive cybersecurity practice of searching for hidden threats already in an organization’s environment. Threat hunting is necessary because many adversaries engineer their attacks to bypass an organization’s perimeter and defenses in order to sneak in undetected.

Basic security analytics has been built to detect known malware that follows predefined patterns. But new, unknown malware is more difficult to detect.

Threat hunting adds a new layer of protection for a mature security operations center.

 

Threat Hunting Is Critical

Cybersecurity solutions are far from perfect. Effective threat hunting proactively prevents damage from advanced attacks where detection solutions may fail. In fact, in the 2019 SANS Threat Hunting Survey, 12% of organizations said threat hunting improved their organization’s security posture by over 50%.

 

The Difference Between Threat Hunting and Incident Response

While incident response is reactive, beginning with a SIEM alert on a potential event, threat hunting takes a more proactive approach to detection. Threat hunting begins with formulating a hypothesis based on multiple indicators, then hunting for the indicators identified in that hypothesis.

 


How to Conduct a Successful Hunt

It is helpful for analysts to have a varied skillset beyond cybersecurity when hunting for threats. Knowledge of network and endpoint forensics, applications, and business operations can help analysts to think like an attacker.

For example, when hunting for advanced threats like DNS tunneling or persistent malware, the analyst will often look for unusual additions to the Windows registry or DNS queries that are of an unusual size.
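The DNS half of that hunt can be sketched as follows. This is an added example, not code from the original guide: it groups oversized queries by client and parent domain so that one odd name does not raise a finding but a steady stream of them does. The log layout, the thresholds, and the function names are assumptions, and the sample queries are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed sample DNS log: (client_ip, queried_name). Not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "static-assets.example.net"),
    # A single oversized name: unusual, but below the volume threshold.
    ("10.0.0.7", "x" * 45 + ".example.net"),
]
# One client sending many distinct 48-character labels under one domain.
SAMPLE_QUERIES += [
    ("10.0.0.9", hashlib.sha256(bytes([i])).hexdigest()[:48] + ".t.example.org")
    for i in range(4)
]


def split_name(name):
    """Return (subdomain_labels, parent_domain) for a queried name.

    Assumption: the parent domain is the last two labels. Production code
    should use the Public Suffix List instead.
    """
    labels = name.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def hunt_oversized_dns(queries, max_label=40, min_unique=3):
    """Group oversized queries by (client, parent domain) and keep the pairs
    that sent at least min_unique distinct oversized names."""
    names = defaultdict(set)
    for client, name in queries:
        sub, parent = split_name(name)
        if any(len(label) >= max_label for label in sub):
            names[(client, parent)].add(name.lower())
    findings = {}
    for pair, seen in names.items():
        if len(seen) >= min_unique:
            sub_bytes = sum(len(l) for n in seen for l in split_name(n)[0])
            findings[pair] = {"unique_names": len(seen), "subdomain_bytes": sub_bytes}
    return findings


if __name__ == "__main__":
    for pair, stats in hunt_oversized_dns(SAMPLE_QUERIES).items():
        print(pair, stats)
```

The thresholds need tuning against your own baseline, since some CDN and telemetry services legitimately use long labels.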

Building a Hypothesis


Formulating a hypothesis is the first – and most important – step in threat hunting. A hypothesis can be formed based on three different types of information:

 

Threat Intelligence-Based Hypothesis

This kind of hypothesis leverages information from threat intelligence databases to identify indicators of compromise (IOCs) or known tactics, techniques, and procedures (TTPs) that are linked to identified attacks.

For example, a threat intelligence database reports that the hacking group IAMNEO is using malware that sends beaconing requests to infrastructure based in Vietnam. In order to find out if this threat is present in their environment, the threat hunter may then look for evidence of beaconing traffic to IPs based in Vietnam.
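A hunt for that hypothesis could look like the following added example (not code from the original guide). It keeps only flows whose destination falls in the ranges the intelligence points to, then flags source and destination pairs contacted at near-constant intervals. The flow tuple layout, the thresholds, and the `INTEL_RANGES` placeholder are assumptions, and the flows are constructed.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Placeholder for the ranges a GeoIP database or intel feed attributes to the
# reported infrastructure (constructed; 203.0.113.0/24 is a documentation range).
INTEL_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def sample_flows():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip)."""
    flows = []
    # Regular ~300 s check-ins with small jitter to an address in the intel range.
    for i, jitter in enumerate([0, 4, -3, 2, -5, 1, 3, -2]):
        flows.append((1000 + 300 * i + jitter, "10.0.1.20", "203.0.113.10"))
    # Irregular, human-looking traffic to the same range.
    for ts in [1000, 1030, 1900, 2000, 4100, 4150]:
        flows.append((ts, "10.0.1.33", "203.0.113.80"))
    # Perfectly regular traffic to a destination outside the intel range.
    for i in range(8):
        flows.append((1000 + 64 * i, "10.0.1.20", "198.51.100.5"))
    return flows


def find_beacons(flows, ranges, min_events=6, max_cv=0.1):
    """Return (src, dst, events, mean_interval, cv) for in-range destinations
    contacted at near-constant intervals (coefficient of variation <= max_cv)."""
    times = defaultdict(list)
    for ts, src, dst in flows:
        if any(ipaddress.ip_address(dst) in net for net in ranges):
            times[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append((src, dst, len(stamps), round(avg), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_beacons(sample_flows(), INTEL_RANGES):
        print(hit)
```

A hit is a lead to investigate, not a verdict: software updaters and monitoring agents also poll on fixed timers.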

 

Situational Awareness-Based Hypotheses

This type of hypothesis is based on the threat hunter identifying significant changes to the IT environment, which can be an indicator of an attack.

For example, mergers and acquisitions can be an opportunity for an attack, especially when they are public knowledge. Security analysts could decide to investigate the acquired organization’s network for potential hidden threats.

 

Domain Expertise-Based Hypotheses

This type of hypothesis is built using specific knowledge that the analyst has about the organization’s environment in order to anticipate attacks and look for signs of possible compromises.

For example, the security analyst may learn about a specific exploit that has been used against other organizations that use the same VPN software. With this knowledge, the analyst hypothesizes that the same exploit could be used against their organization and looks for signs of compromise, such as newly created, unauthorized administrative user accounts.

Hunting for Threats


Your most important asset for threat hunting is your organization’s data. Data from appliances, cloud infrastructure, application delivery controllers, firewalls, and application servers all help guide you.

To pull all the data together for analysis and threat hunting, many security teams use a SIEM.

Unstructured data can be difficult to search because it is often disjointed and uncorrelated. Structured data gathered through a next-generation SIEM has already been correlated, making threat hunting easier.

As an organization matures, additional data sources become available, and more manual detection processes can be automated. Automation saves your security operations center time, so analysts can spend more of it threat hunting or looking for advanced threats.


Hunting with Securonix

Securonix Next-Gen SIEM provides key capabilities that make threat hunting more efficient, effective, and accurate, such as:

  • Live search on real-time data allows threat hunters to search for active threats.
  • Community-based threat intelligence, with MITRE, provides an easy reference within the product to identify attack patterns during hunts and hypothesis development.
  • Long-term search on historical data enables threat hunters to review behavioral patterns in previous months to help identify hidden threats quickly.
