Updated June 2021
Every industry is susceptible to data breaches and malicious cyber-attacks, and large enterprises are more at risk because of their size and complexity. For example, financial institutions are trusted as custodians of private financial information, including tax, ledger, and account-related details, while security teams in the healthcare industry must secure electronic medical records alongside the IoT medical devices actively servicing their patients.
Vulnerabilities exist through many attack vectors, and at times, it may seem impossible for an enterprise with multiple network devices, endpoints, and users to protect itself successfully. Few security teams have the staffing and resources to anticipate or investigate possible breaches on their own.
WHAT IS THREAT HUNTING?
In 2018, over 446 million records were exposed and over 1,200 data breaches occurred in the United States. With data breaches increasing every year, CISOs and the security operations center must actively monitor for threats and combat them before damage occurs. The proactive investigation and search for threats in an environment, based on a predetermined hypothesis, is known as threat hunting.
These hypotheses are based on information specific to the business as well as the threats the industry faces. For instance, in the healthcare industry, CISOs and security managers know that threats exist around confidential patient records and social security numbers. Security teams therefore need to understand where their most vulnerable data resides and where attackers are likely to focus. Teams can then form a hypothesis of how a potential breach may occur and use it to run a hunt campaign. This approach works across industries, and advances in cybersecurity technology let a security professional assess the risk surrounding threats and determine preventative measures in an automated manner.
TYPES OF THREAT HUNTING
Security teams can leverage three general threat hunting techniques to detect malicious attacks. They include:
Hypothesis-Driven Hunting
Hypotheses can be built by looking at the general behavior of previous attackers in similar environments to anticipate and predict attackers' tactics, techniques, and procedures (TTPs) in the team's own environment, using frameworks such as MITRE ATT&CK as guidance.
Intelligence-Driven Hunting
This type of threat hunting uses intelligence on how attackers have compromised systems previously. It leverages data from past attacks on known indicators of compromise (IoCs), such as IP addresses, domains, and file hashes, to identify possible breaches within an organization whose systems exhibit the same artifacts.
Baselining the Environment
The final type of threat hunting uses security benchmarks in an enterprise's own environment to understand normal and abnormal behavior. Establishing baseline behavior allows abnormal behavior to stand out for faster investigation and response. It is practical to baseline only the areas within an enterprise that fit a particular hypothesis: organizations that focus on smaller subsets of the environment, such as a specific network segment, application, or user group, are more likely to succeed when conducting baselining hunts.
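The intelligence-driven and baselining techniques described above, combined in one small hunt over authentication events. This is an illustrative example written for this page, not ReliaQuest's code; the event records, the IoC list, the user names, host names and IP addresses are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, user, source IP, host). The baseline
# window is a condensed stretch of known-good activity for one small user group;
# the hunt window is the period under investigation.
BASELINE_EVENTS = [
    ("2021-06-01T08:05:00", "alice", "10.1.5.20", "FIN-WS01"),
    ("2021-06-01T09:12:00", "bob",   "10.1.7.33", "HR-WS07"),
    ("2021-06-02T14:40:00", "alice", "10.1.5.20", "FIN-WS01"),
    ("2021-06-02T10:02:00", "bob",   "10.1.7.33", "HR-WS07"),
    ("2021-06-03T09:30:00", "alice", "10.1.5.20", "FIN-WS01"),
]
HUNT_EVENTS = [
    ("2021-06-14T09:01:00", "alice", "10.1.5.20",    "FIN-WS01"),  # matches baseline
    ("2021-06-14T02:17:00", "alice", "10.1.5.20",    "FIN-DB02"),  # new host, odd hour
    ("2021-06-14T09:45:00", "bob",   "203.0.113.77", "HR-WS07"),   # source IP on IoC list
]
# Constructed placeholder IoC (RFC 5737 documentation range), not a real indicator.
KNOWN_BAD_IPS = {"203.0.113.77"}


def build_baseline(events):
    """Per-user sets of hosts and logon hours observed in the baseline window."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ts, user, _ip, host in events:
        hosts[user].add(host)
        hours[user].add(datetime.fromisoformat(ts).hour)
    return hosts, hours


def hunt(events, baseline, iocs):
    """Return events that match a known IoC or deviate from the user's baseline."""
    hosts, hours = baseline
    findings = []
    for ts, user, ip, host in events:
        reasons = []
        if ip in iocs:
            reasons.append("known IoC source IP")          # intelligence-driven check
        if host not in hosts.get(user, set()):
            reasons.append("new host for user")            # baseline deviation
        if datetime.fromisoformat(ts).hour not in hours.get(user, set()):
            reasons.append("outside usual logon hours")    # baseline deviation
        if reasons:
            findings.append((ts, user, ip, host, reasons))
    return findings


def run_hunt():
    return hunt(HUNT_EVENTS, build_baseline(BASELINE_EVENTS), KNOWN_BAD_IPS)
```

Each finding carries the reasons it was flagged, so an analyst can triage IoC hits separately from pure baseline deviations.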
No matter how an enterprise approaches threat hunting, to be effective it requires data aggregated from every relevant source. Enterprises that have acquired an extensive portfolio of security tools (SIEM, EDR, multi-cloud and third-party apps) have many disparate data sources but lack the ability to integrate, visualize, and coordinate response across them. Current service providers, such as managed security service providers (MSSPs), also fail to provide the necessary visibility and coverage across these disparate data points.
KEYS TO EFFECTIVE THREAT HUNTING
Security teams must put in place an iterative and scalable process for execution. Technology must be at the core of this process, given that the growing volume of vulnerabilities has put effective response beyond the reach of manual intervention. The three tactics for effective threat hunting are:
1. Stitching Together Disparate Security Technologies
Threat hunting technology must be able to synthesize data points from across enterprises' increasingly complex cybersecurity technology stacks. This is no small feat, as many of the solutions do not integrate, producing data silos. At the same time, it is not feasible for security teams to pursue a "boil the ocean" strategy of building a massive (and expensive) data lake to serve as a single repository for their security data. The desired outcome is the ability to pull data analytics from across disparate technologies on demand, effectively and economically, when specific use cases demand it.
2. Delivering Actionable Insights
Of course, connecting technologies is of limited value without the ability to monitor and measure a security environment in a unified manner. Powerful analytics are needed that align with an enterprise’s security vital signs – including dashboards that capture the right metrics and enable drill-down capabilities to further investigate potential threats. The ability to “slice and dice” those metrics ensures that different team members and different levels of the enterprise can gain the insights they need.
These vital signs will depend on the organization and industry, but often include measures at both a macro and a micro level so that trends at each level can be easily identified and prioritized. The macro level includes metrics and insights such as overall visibility across the enterprise, technology effectiveness, and team performance. The micro level includes much more specific detail, such as the internal or external IP address associated with the most alerts, the top IDS signatures fired in different network zones, and other specifics related to potential threats affecting an environment.
3. End-to-End Automation for Greater Speed and Effectiveness
Threat hunting tools with automation employ machine learning and other capabilities to tee up real-time responses to potential security threats. This library of interventions should be based on industry best practice as well as threat intelligence specific to an enterprise’s environment. As a result, security teams can identify and contain threats as they are occurring, reducing the costs and severity of cyber-attacks.
Automated Threat Hunting with ReliaQuest GreyMatter
Conduct scheduled threat hunting campaigns across your environment with ReliaQuest GreyMatter.
ReliaQuest GreyMatter, the first SaaS security platform, delivers security confidence. ReliaQuest helps organizations gain greater visibility across SIEM, EDR, multi-cloud and hybrid environments to speed detection and response. With full visibility, built-in, validated content and integrated processes, analysts can effectively automate across the entire cyber response lifecycle including detection, investigation, hunting, repair and response. Integrated measurement frameworks help organizations continuously mature security programs to improve the effectiveness of security investments while better enabling the business.