Threat Hunting: Methodologies, Tools, and Tips for Success

By Douglas Bernardini


What is threat hunting?

Cyber threat hunting is an active information security strategy used by security analysts. It consists of searching iteratively through networks to detect indicators of compromise (IoCs); hacker tactics, techniques, and procedures (TTPs); and threats such as Advanced Persistent Threats (APTs) that are evading your existing security system. Threat hunting activities include:

  • Hunting for insider threats or outside attackers – Cyber threat hunters can detect threats posed by insiders, like an employee, or outsiders, like a criminal organization.
  • Proactively hunting for known adversaries – A known attacker is one who is listed in threat intelligence services, or whose code pattern is on the denylist of known malicious programs.
  • Searching for hidden threats to prevent the attack from happening – Threat hunters analyze the computing environment by using constant monitoring. Using behavioral analysis, they can detect anomalies which could indicate a threat.
  • Executing the incident response plan – When they detect a threat, hunters gather as much information as possible before executing the incident response plan to neutralize it. This is used to update the response plan and prevent similar attacks.

A three-step threat hunting framework

There are three phases in a proactive threat hunting process: an initial trigger phase, followed by an investigation, and ending with a resolution.


Step 1: Trigger

Threat hunting is typically a focused process. The hunter collects information about the environment and raises hypotheses about potential threats. Next, the hunter chooses a trigger for further investigation. This can be a particular system, a network area, or a hypothesis.


Step 2: Investigation

Once a trigger is chosen, the hunting efforts are focused on proactively searching for anomalies that either prove or disprove the hypothesis. During the investigation, threat hunters leverage a wide range of technologies to assist them in investigating anomalies, which may or may not be malicious.


Step 3: Resolution

Threat hunters collect important information during the investigation phase. During the resolution phase, this information is communicated to other teams and tools that can respond, prioritize, analyze, or store the information for future use.

Whether the information is about benign or malicious activity, it can be useful in future analyses and investigations. It can be leveraged to predict trends, prioritize and remediate vulnerabilities, and improve your security measures.


Threat hunting methodologies


Intelligence-based hunting

Intelligence-based hunting is a reactive threat hunting technique that reacts to input from intelligence sources. The input is typically indicators of compromise such as IP addresses, hash values, and domain names.

This process can be integrated with your SIEM and threat intelligence tools, which use the intelligence to hunt for threats. Another great source of intelligence is the host or network artifacts provided by computer emergency response teams (CERTs), which allow you to export automated alerts.

You can input the information into your SIEM using Trusted Automated eXchange of Intelligence Information (TAXII) and Structured Threat Information eXpression (STIX).
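As an added example (not from the article), here is a small Python hunt that takes intelligence in the shape a TAXII collection returns, a STIX 2.1 indicator bundle, pulls the IoC values out of simple indicator patterns, and cross-checks them against log lines as whole tokens; the bundle, indicator values and log lines are all constructed placeholders.

```python
import json
import re

# Constructed STIX 2.1 bundle (not a real feed), as a TAXII collection
# would deliver it. Every value below is a placeholder, not a real IoC.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0000", "objects": [
    {"type": "indicator", "id": "indicator--0001", "pattern_type": "stix",
     "name": "C2 domain (constructed)",
     "pattern": "[domain-name:value = 'c2.malicious.example']"},
    {"type": "indicator", "id": "indicator--0002", "pattern_type": "stix",
     "name": "C2 address (constructed)",
     "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    {"type": "malware", "id": "malware--0003", "name": "not an indicator"},
]})

# Only the single-comparison form "[object:property = 'value']" is handled;
# compound patterns (AND/OR/FOLLOWEDBY) are skipped rather than mis-parsed.
PATTERN_RE = re.compile(r"\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']+)'\s*\]")

def extract_iocs(bundle_json):
    """Return {ioc_value: (stix_path, indicator_name)} from a STIX bundle."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if m:
            iocs[m.group(2).lower()] = (m.group(1), obj.get("name") or obj.get("id", "?"))
    return iocs

def match_iocs(log_lines, iocs):
    """Return (line_no, ioc_value, indicator_name) for each line holding an IoC
    as a whole token, so 198.51.100.23 does not fire on 198.51.100.230."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        for value, (_path, name) in iocs.items():
            if re.search(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", low):
                hits.append((n, value, name))
    return hits

# Constructed DNS and proxy log lines; line 3 is a near-miss on the address.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z dns client=10.0.0.5 query=www.intranet.example type=A",
    "2024-05-01T10:00:07Z dns client=10.0.0.9 query=C2.malicious.example type=A",
    "2024-05-01T10:00:09Z proxy client=10.0.0.9 dst=198.51.100.230:443 action=allow",
    "2024-05-01T10:00:12Z proxy client=10.0.0.9 dst=198.51.100.23:443 action=allow",
]
```

Running `match_iocs(SAMPLE_LOGS, extract_iocs(STIX_BUNDLE))` reports lines 2 and 4 only; the near-miss address on line 3 is left alone.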

Hypotheses-based hunting

This threat hunting technique involves testing three types of hypotheses:

  1. Analytics-driven: makes use of machine learning (ML) and user and entity behavior analytics (UEBA) to develop aggregated risk scores and formulate hypotheses
  2. Intelligence-driven: includes malware analysis, vulnerability scans, and intelligence reports and feeds
  3. Situational-awareness driven: enterprise risk assessments and crown jewel analysis (the identification of the digital assets that are critical to the company). The large amounts of data collected means threat hunters need to automate a big part of the process using machine learning techniques and threat intelligence.

Investigation using indicators of attack (IoA)

The most proactive threat hunting technique is investigation using indicators of attack. The first step is to identify advanced persistent threat (APT) groups and malware attacks by leveraging global detection playbooks. This technique commonly aligns with threat frameworks such as MITRE ATT&CK. Here are the actions that are most often involved in the process:

  • Use IoAs and TTPs to identify threat actors: The hunter assesses the domain, environment, and attack behaviors to create a hypothesis that aligns with MITRE ATT&CK. After identifying a behavior, the threat hunter attempts to locate patterns by monitoring activities. The goal is locating, identifying, and then isolating the threat.
  • Hybrid hunting: The hybrid threat hunting technique combines all of the above methods, allowing security analysts to customize the hunt. It usually incorporates industry-based hunting with situational awareness, combined with specified hunting requirements. For example, the hunt can be customized using data about geopolitical issues. You can also use a hypothesis as the trigger, and leverage IoAs and IoCs.

What makes a great threat hunter?

A threat hunter is a security analyst who uses manual or machine-assisted techniques to detect, isolate, and neutralize APTs that are not detected by automated security tools. To improve their skills, security staff may undergo threat hunting training or obtain a threat hunting certification such as Certified Cyber Threat Hunting Professional (CCTHP) or Certified Ethical Hacker (CEH).

Threat hunters typically report to a director of information security, who ultimately reports to the chief information security officer (CISO). When working in a security operations center (SOC), threat hunters report to the SOC manager.

Some important skills for a good threat hunter are:

  • Data analytics and reporting – pattern recognition, technical writing, data science, problem solving, and research
  • Operating systems and networks knowledge – need to know the ins and outs of organizational systems and networks
  • Information security experience – malware reverse engineering, adversary tracking, and endpoint security; needs to have a clear understanding of past and current TTPs used by the attackers
  • Programming language fluency – at least one scripting language and one compiled language is common, though modern tools are increasingly eliminating the need for a scripting language

3 tips to improve your threat hunting

Data breaches and cyberattacks cost organizations millions of dollars every year. These tips can help your organization better detect these threats:

1. Identify your organization’s “normal”

Threat hunters need to sift through anomalous activities and recognize the actual threats, so it is crucial to understand what the normal operational activities of the organization are. To accomplish this, the threat hunting team collaborates with key personnel both within and outside of IT to gather valuable information and insights. This enables them to decide what is a threat and what is unusual, but normal, activity. This process can be automated using a technology like UEBA, which can show normal operation conditions for an environment, and the users and machines within it.
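An added illustration of the baselining idea, not code from the article: a per-user baseline of hosts and logon hours is learned from a quiet window and then used to flag logons that depart from that user's normal. The events are constructed, and the hour check is deliberately simple (a shift spanning midnight would need a wrap-around check that is not implemented here).

```python
from collections import defaultdict
from datetime import datetime

# Constructed logon events (not real data), "timestamp,user,host".
# A quiet window used to learn each user's normal...
BASELINE_WINDOW = [
    "2024-04-01T08:05:00,alice,ws-fin-01",
    "2024-04-01T17:40:00,alice,ws-fin-02",
    "2024-04-01T09:10:00,bob,ws-eng-07",
    "2024-04-02T21:30:00,bob,build-03",
    "2024-04-03T07:45:00,bob,ws-eng-07",
]
# ...and the window being hunted.
HUNT_WINDOW = [
    "2024-04-10T08:30:00,alice,ws-fin-02",  # usual host, usual hours
    "2024-04-10T03:12:00,alice,dc-01",      # never-seen host, at 03:12
    "2024-04-10T22:00:00,bob,build-03",     # late, but normal for bob
    "2024-04-11T10:00:00,bob,ws-fin-01",    # finance workstation, new for bob
]

def parse(line):
    ts, user, host = line.split(",")
    return datetime.fromisoformat(ts), user, host

class Baseline:
    """Per-user 'normal': hosts seen, plus the earliest/latest logon hour seen,
    padded by one hour so a small sample is not unreasonably tight."""
    def __init__(self, events):
        self.hosts = defaultdict(set)
        self.hours = {}
        for ts, user, host in map(parse, events):
            self.hosts[user].add(host)
            lo, hi = self.hours.get(user, (ts.hour, ts.hour))
            self.hours[user] = (min(lo, ts.hour), max(hi, ts.hour))

    def deviations(self, line):
        """Reasons this event departs from the user's baseline; [] means normal."""
        ts, user, host = parse(line)
        if user not in self.hours:
            return ["unknown-user"]
        reasons = []
        if host not in self.hosts[user]:
            reasons.append("new-host")
        lo, hi = self.hours[user]
        if not lo - 1 <= ts.hour <= hi + 1:
            reasons.append("off-hours")
        return reasons

def find_deviations(baseline, events):
    flagged = []
    for line in events:
        reasons = baseline.deviations(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged
```

`find_deviations(Baseline(BASELINE_WINDOW), HUNT_WINDOW)` flags alice's 03:12 logon to dc-01 (new host, off hours) and bob's logon to the finance workstation (new host), while bob's 22:00 build-server logon stays quiet because it is within his own range.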

2. Observe, orient, decide, act (OODA)

Threat hunters use this strategy, borrowed from the military, in cyber warfare. OODA stands for:

  1. Observe – Routinely collect logs from IT and security systems.
  2. Orient – Cross-check the data against existing information. Analyze and look for indicators of an attack, such as signs of command & control.
  3. Decide – Identify the correct course of action according to the incident status.
  4. Act – In case of an attack, execute the incident response plan. Take measures to prevent similar attacks in the future.

3. Have appropriate and sufficient resources

A threat hunting team should have enough of the following:

  • Personnel – a threat hunting team that includes, at minimum, one experienced cyber threat hunter
  • Systems – a basic threat hunting infrastructure that collects and organizes security incidents and events
  • Tools – software designed to identify anomalies and track down attackers

Threat hunting platforms

Threat hunters use solutions and tools to find suspicious activities. These are the three main categories:

  1. Security monitoring tools – Tools such as firewalls, antivirus, and endpoint security solutions collect security data and monitor the network.
  2. SIEM solutions – Security information and event management (SIEM) solutions help manage the raw security data and provide real-time analysis of security threats.
  3. Analytics tools – Statistical and intelligence analysis software provides a visual report through interactive charts and graphs, making it easier to correlate entities and detect patterns.