Cyber threat hunting is an active information security strategy used by security analysts. It consists of searching iteratively through networks to detect indicators of compromise (IoCs); hacker tactics, techniques, and procedures (TTPs); and threats such as Advanced Persistent Threats (APTs) that are evading your existing security system. Threat hunting activities include:
There are three phases in a proactive threat hunting process: an initial trigger phase, followed by an investigation, and ending with a resolution.
Threat hunting is typically a focused process. The hunter collects information about the environment and raises hypotheses about potential threats. Next, the hunter chooses a trigger for further investigation. This can be a particular system, a network area, or a hypothesis.
Once a trigger is chosen, the hunting efforts are focused on proactively searching for anomalies that either prove or disprove the hypothesis. During the investigation, threat hunters leverage a wide range of technologies to assist them in investigating anomalies, which may or may not be malicious.
Threat hunters collect important information during the investigation phase. During the resolution phase, this information is communicated to other teams and tools that can respond, prioritize, analyze, or store the information for future use.
Whether the information is about benign or malicious activity, it can be useful in future analyses and investigations. It can be leveraged to predict trends, prioritize and remediate vulnerabilities, and improve your security measures.
Intelligence-based hunting is a reactive threat hunting technique: the hunt is driven by input sources of intelligence. You can input intelligence such as indicators of compromise, IP addresses, hash values, and domain names.
This process can be integrated with your SIEM and threat intelligence tools, which use the intelligence to hunt for threats. Another great source of intelligence is the host or network artifacts provided by computer emergency response teams (CERTs), which allow you to export automated alerts.
You can input the information into your SIEM using Trusted Automated eXchange of Intelligence Information (TAXII) and Structured Threat Information eXpression (STIX): STIX is the format that describes the intelligence (indicators, their patterns and context), and TAXII is the transport used to exchange it.
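As an added example (not code from the original page or from any vendor's product), the script below shows what a SIEM or hunting tool does with a STIX feed once it arrives over TAXII: it flattens the indicator patterns into individual IoC atoms (domain, IPv4 address, SHA-256 hash) and matches them token by token against log lines. The STIX bundle, its ids, indicator values and the log lines are all constructed for this example. Only simple equality comparisons joined by OR are parsed; patterns that need the full STIX pattern grammar (AND, FOLLOWEDBY, etc.) are reported as skipped instead of being split incorrectly.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for a feed pulled over TAXII.
# All ids, names and indicator values are placeholders, not real threat intel.
STIX_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "constructed C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.bad.example']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "constructed staging IPs", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7' OR ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "constructed dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "deadbeef" * 8 + "']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "name": "constructed multi-object pattern (needs a real pattern engine)",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7'] FOLLOWEDBY [domain-name:value = 'c2.bad.example']"},
    ],
})

# Constructed DNS and proxy log lines; the last one is a near-miss (different IP).
LOG_LINES = [
    "2024-05-01T10:01:02Z dns client=10.0.0.5 query=www.example.org",
    "2024-05-01T10:02:10Z dns client=10.0.0.9 query=c2.bad.example",
    "2024-05-01T10:03:44Z proxy client=10.0.0.9 dst=203.0.113.7 "
    "url=http://203.0.113.7/update.bin sha256=" + "deadbeef" * 8,
    "2024-05-01T10:04:00Z proxy client=10.0.0.12 dst=203.0.113.77 url=http://203.0.113.77/",
]

# One STIX comparison expression: <object-type>:<property> = '<value>'
COMPARISON_RE = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")
# Operators that make a pattern more than a flat list of OR'ed equalities.
UNSUPPORTED = ("AND", "FOLLOWEDBY", "MATCHES", "LIKE", "WITHIN", "REPEATS")


def extract_iocs(bundle_json):
    """Flatten indicator patterns into (indicator name, type, value) atoms.

    Returns (atoms, skipped_indicator_ids). Patterns using unsupported
    operators are skipped rather than silently mis-parsed.
    """
    atoms, skipped = [], []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        pattern = obj["pattern"]
        if any(f" {kw} " in pattern for kw in UNSUPPORTED):
            skipped.append(obj["id"])
            continue
        for obj_type, prop, value in COMPARISON_RE.findall(pattern):
            atoms.append((obj["name"], f"{obj_type}:{prop}", value.lower()))
    return atoms, skipped


TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")


def hunt(bundle_json, log_lines):
    """Match each IoC atom against the tokens of every log line.

    Token-level comparison (not substring search) keeps 203.0.113.7 from
    matching inside 203.0.113.77.
    """
    atoms, _ = extract_iocs(bundle_json)
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        tokens = set(TOKEN_RE.findall(line.lower()))
        for name, ioc_type, value in atoms:
            if value in tokens:
                hits.append({"line": lineno, "indicator": name,
                             "type": ioc_type, "value": value})
    return hits


if __name__ == "__main__":
    atoms, skipped = extract_iocs(STIX_BUNDLE_JSON)
    print(f"{len(atoms)} IoC atoms loaded, {len(skipped)} pattern(s) skipped: {skipped}")
    for hit in hunt(STIX_BUNDLE_JSON, LOG_LINES):
        print(hit)
```

Each hit carries the indicator name and the matched value, which is what the resolution phase needs when the result is handed to the SOC: the analyst can see which feed entry fired and on which line, and a skipped pattern is visible rather than lost.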
This threat hunting technique involves testing three types of hypotheses:
The most proactive threat hunting technique is investigation using indicators of attack. The first step is to identify advanced persistent threat (APT) groups and malware attacks by leveraging global detection playbooks. This technique commonly aligns with threat frameworks such as MITRE ATT&CK. Here are the actions that are most often involved in the process:
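To make the ATT&CK-aligned approach concrete, here is an added example (not from the original page or from MITRE) of a small hunting playbook: each entry is a hypothesis tagged with the ATT&CK technique it tests, expressed as a predicate over process-creation events, and the hunt reports which hypotheses found supporting evidence. The events are constructed in a Sysmon-like shape; hostnames, users and command lines are made up, and the encoded command is a placeholder string. The technique ids T1059.001 (PowerShell), T1053.005 (Scheduled Task) and T1047 (Windows Management Instrumentation) are real ATT&CK identifiers; the predicates are simplified illustrations, not a production rule set.

```python
from collections import Counter

# Constructed process-creation events (Sysmon-like fields, all values made up).
EVENTS = [
    {"host": "ws-17", "user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"host": "ws-17", "user": "alice", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -EncodedCommand QQBCAEMA"},   # placeholder base64
    {"host": "srv-04", "user": "svc-backup", "parent": "services.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /tn NightlyBackup /tr backup.cmd /sc daily"},
    {"host": "ws-22", "user": "bob", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Each playbook entry is one hypothesis tied to an ATT&CK technique.
PLAYBOOK = [
    {"technique": "T1059.001", "tactic": "Execution",
     "hypothesis": "PowerShell spawned by an Office application",
     "match": lambda e: e["image"] == "powershell.exe" and e["parent"] in OFFICE_PARENTS},
    {"technique": "T1059.001", "tactic": "Execution",
     "hypothesis": "PowerShell invoked with an encoded command",
     "match": lambda e: e["image"] == "powershell.exe"
             and any(f in e["cmdline"].lower() for f in (" -enc ", " -encodedcommand "))},
    {"technique": "T1053.005", "tactic": "Execution, Persistence",
     "hypothesis": "Scheduled task created from the command line",
     "match": lambda e: e["image"] == "schtasks.exe" and "/create" in e["cmdline"].lower()},
    {"technique": "T1047", "tactic": "Execution",
     "hypothesis": "Process creation through WMI",
     "match": lambda e: e["image"] == "wmic.exe" and "process call create" in e["cmdline"].lower()},
]


def run_playbook(events, playbook=PLAYBOOK):
    """Evaluate every hypothesis against every event; return the hits.

    A hit is evidence for the hypothesis, not proof of compromise: the
    investigation phase still has to decide whether it is malicious.
    """
    hits = []
    for event in events:
        for entry in playbook:
            if entry["match"](event):
                hits.append({"technique": entry["technique"], "tactic": entry["tactic"],
                             "hypothesis": entry["hypothesis"],
                             "host": event["host"], "user": event["user"],
                             "cmdline": event["cmdline"]})
    return hits


def summarize(hits, playbook=PLAYBOOK):
    """Per-technique counts, including zero for hypotheses nothing supported.

    Zero counts matter: a hunt that finds nothing for a technique is the
    'disprove' outcome and is worth recording in the resolution phase.
    """
    counts = Counter(h["technique"] for h in hits)
    return {entry["technique"]: counts.get(entry["technique"], 0) for entry in playbook}


if __name__ == "__main__":
    hits = run_playbook(EVENTS)
    for hit in hits:
        print(f"[{hit['technique']}] {hit['hypothesis']} on {hit['host']} ({hit['user']}): {hit['cmdline']}")
    print(summarize(hits))
```

Note that the scheduled-task hit comes from a backup service account, which is exactly the kind of result the investigation phase will usually clear as benign; the playbook's job is to surface it with its ATT&CK context so that decision is made deliberately and recorded.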
A threat hunter is a security analyst who uses manual or machine-assisted techniques to detect, isolate, and neutralize APTs that are not detected by automated security tools. To improve their skills, security staff may undergo threat hunting training or obtain a threat hunting certification such as Certified Cyber Threat Hunting Professional (CCTHP) or Certified Ethical Hacker (CEH).
Threat hunters typically report to a director of information security, who ultimately reports to the chief information security officer (CISO). When working in a security operations center (SOC), threat hunters report to the SOC manager.
Some important skills for a good threat hunter are:
Data breaches and cyberattacks cost organizations millions of dollars every year. These tips can help your organization better detect these threats:
Threat hunters need to sift through anomalous activities and recognize the actual threats, so it is crucial to understand what the normal operational activities of the organization are. To accomplish this, the threat hunting team collaborates with key personnel both within and outside of IT to gather valuable information and insights. This enables them to distinguish a genuine threat from activity that is unusual but still normal. This process can be automated using a technology like user and entity behavior analytics (UEBA), which can show the normal operating conditions for an environment and for the users and machines within it.
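The following added example (not from the original page or from any UEBA product) shows the baselining idea in miniature: a per-user profile of usual login hours and source hosts is built from a training window of authentication events, and new events are scored against it. The events are constructed; the point to notice is that the same 03:00 login is flagged for one user and accepted for another, because "unusual" is defined relative to each account's own history rather than a global rule.

```python
from collections import defaultdict
from datetime import datetime

# Constructed training-window events: (timestamp, user, source host).
# alice works office hours from her workstation; ops-admin does
# maintenance at night from a jump host; bob has too little history.
BASELINE_EVENTS = [
    ("2024-04-22T08:05:00", "alice", "ws-alice"),
    ("2024-04-22T13:10:00", "alice", "ws-alice"),
    ("2024-04-23T09:02:00", "alice", "ws-alice"),
    ("2024-04-24T17:30:00", "alice", "ws-alice"),
    ("2024-04-25T08:45:00", "alice", "ws-alice"),
    ("2024-04-22T02:15:00", "ops-admin", "jump-01"),
    ("2024-04-23T03:20:00", "ops-admin", "jump-01"),
    ("2024-04-24T04:05:00", "ops-admin", "jump-01"),
    ("2024-04-25T14:00:00", "ops-admin", "ws-admin"),
    ("2024-04-24T11:00:00", "bob", "ws-bob"),
]

# Constructed events to score after the baseline is established.
NEW_EVENTS = [
    ("2024-04-29T09:15:00", "alice", "ws-alice"),      # normal
    ("2024-04-29T03:05:00", "alice", "ws-alice"),      # unusual hour for alice
    ("2024-04-29T03:10:00", "ops-admin", "jump-01"),   # normal for ops-admin
    ("2024-04-29T10:00:00", "alice", "srv-db-01"),     # host never seen for alice
    ("2024-04-29T10:30:00", "bob", "ws-bob"),          # no usable baseline
]


def build_baseline(events, min_events=3):
    """Profile each user's observed login hours and source hosts.

    Users with fewer than min_events observations are left out: a profile
    built from one or two logins would call nearly everything anomalous.
    """
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set(), "count": 0})
    for ts, user, host in events:
        profile = profiles[user]
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["hosts"].add(host)
        profile["count"] += 1
    return {u: p for u, p in profiles.items() if p["count"] >= min_events}


def _hour_near(hour, hours, tolerance=1):
    """True if hour is within `tolerance` hours of any baseline hour (wrapping at midnight)."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= tolerance for h in hours)


def score_events(baseline, events):
    """Return the events that deviate from their user's profile, with reasons."""
    findings = []
    for ts, user, host in events:
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            hour = datetime.fromisoformat(ts).hour
            if not _hour_near(hour, profile["hours"]):
                reasons.append(f"login hour {hour:02d} outside baseline")
            if host not in profile["hosts"]:
                reasons.append(f"new source host {host}")
        if reasons:
            findings.append({"ts": ts, "user": user, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for finding in score_events(baseline, NEW_EVENTS):
        print(finding)
```

A real UEBA system would replace the fixed hour tolerance and host set with statistical models over many more attributes, but the division of labour is the same: the baseline encodes what the organization's people have confirmed is normal, and the hunter's attention goes only to the deviations.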
Threat hunters use this strategy, borrowed from the military, in cyber warfare. OODA stands for:
A threat hunting team should have enough of the following:
Threat hunters use solutions and tools to find suspicious activities. These are the three main categories: