What Is Threat Hunting?
Originally published in August 2019
Every industry is susceptible to data breaches and malicious cyber-attacks. In 2021, over 5 billion records were exposed and over 1,200 data breaches occurred in the United States. With an 11% increase in data breaches compared to 2020, CISOs and the security operations center must actively monitor for threats and combat them before damage occurs.
Large enterprises are more at risk due to their size and complexity. For example, financial institutions are trusted to be custodians of private financial information, including tax, ledger, and account related details, while security teams in the healthcare industry have to secure electronic medical records alongside the security of IoT medical devices actively servicing their patients.
Vulnerabilities exist through many attack vectors, and at times, it may seem impossible for an enterprise with multiple network devices, endpoints, and users to protect itself successfully. Few security teams have the staffing and resources to anticipate or investigate possible breaches on their own.
WHAT IS THREAT HUNTING?
Threat hunting is the proactive investigation and search for threats in an environment based on a predetermined hypothesis.
These hypotheses are based off information specific to the business, as well as the threats the industry faces. For instance, in the healthcare industry, CISOs and security managers are aware that threats exist around confidential patient records as well as social security numbers. As such, security teams need to understand where their most vulnerable data resides and where the attackers are likely to focus their attacks. Teams can then form a hypothesis of how a potential breach may occur and use that to perform a hunt campaign. This works across industries, where advancements in cybersecurity technology enable a security professional to assess the risk surrounding threats and determine preventative measures in an automated manner.
Looking for a threat hunting tutorial? Get the white paper: Threat Hunting 101 >
THREAT HUNTING TECHNIQUES
Security teams can leverage three general threat hunting techniques in order to detect malicious attacks. They include:
Hypotheses can be built by looking at the general behavior of previous attackers within similar environments to anticipate and predict attacker’s tactics, techniques, and procedures (TTP) in their own environments using frameworks like the MITRE ATT&CK as guidance.
Threat hunting uses intelligence on how attackers have compromised systems previously. This includes leveraging data from past attacks on known indicators of compromise (IoCs) like IP address, site domains, and hashes to identify possible data breaches within an organization that exhibits the same artifact.
Baselining the Environment
The final type of threat hunting uses security benchmarks in an enterprise’s own environment to understand normal and abnormal behavior. Baseline behavior allows abnormal behavior to stand out for faster investigation and response. It is practical to baseline only areas within an enterprise that fit a certain hypothesis. Organizations who focus on smaller subsets of an environment such as a specific network segment, application, or user group are more likely to be successful when conducting baselining hunts.
No matter how an enterprise approaches threat hunting, to be effective, they require data aggregated from every relevant source. Enterprises that have acquired an extensive portfolio of security tools — such as SIEM, EDR, multi-cloud and third-party apps — have many disparate data sources, without the ability to integrate, visualize, and coordinate response across them. Current service providers, such as managed security service providers (MSSPs) and some managed detection and response (MDR) providers, also fail to provide the necessary visibility and coverage across these disparate data points.
Why Threat Hunting Is Important
Threat hunting can give your security team critical knowledge and experience with how attackers operate. With this intelligence, teams can make sure attackers can’t breach your network. One of the best ways to hunt threats is to collaborate with developers and operations teams. This cross-functional perspective will ensure you have a better view of what’s happening on your network in real time, giving you faster detection of potentially dangerous behavior by threat actors. In order to find out what they’re up to, you’ll need an arsenal of great tools that provide full visibility into all activity on your infrastructure across both traditional IT networks as well as cloud systems like Amazon Web Services (AWS). Fortunately, there are steps you can take to build an effective threat hunting plan.
KEYS TO EFFECTIVE THREAT HUNTING
Security teams must put in place an iterative and scalable process for execution. Technology must be at the core of this process considering the increase in vulnerabilities that have put effective response beyond the reach of manual intervention. The three tactics to effective threat hunting are:
1. Stitching Together Disparate Security Technologies
Threat hunting technology must be able to synthesize data points from across enterprises’ increasingly complex cybersecurity technology stacks. This is no small feat, as many of the solutions do not integrate producing data silos. At the same time, it is not feasible for security teams to pursue a “boil the ocean” strategy of building a massive (and expensive) data lake to serve as a single repository for their security data. The desired outcome is the ability to pull data analytics from across disparate technologies, on-demand, when specific use cases demand it effectively and economically.
2. Delivering Actionable Insights
Of course, connecting technologies is of limited value without the ability to monitor and measure a security environment in a unified manner. Powerful analytics are needed that align with an enterprise’s security vital signs – including dashboards that capture the right metrics and enable drill-down capabilities to further investigate potential threats. The ability to “slice and dice” those metrics ensures that different team members and different levels of the enterprise can gain the insights they need.
These vital signs will depend on the organization and industry, but often include things at both a macro and micro level to ensure that those trends at both levels can be easily identified and prioritized. The macro level includes metrics and insights such as overall visibility level across the enterprise, technology effectiveness, and team performance. The micro level includes much more specific detail including insights such as the internal or external IP related with the most alerts, top IDS signatures fired for different network zones and other specifics related to potential threats affecting an environment.
3. End-to-End Automation for Greater Speed and Effectiveness
Threat hunting tools with automation employ machine learning and other capabilities to tee up real-time responses to potential security threats. This library of interventions should be based on industry best practice as well as threat intelligence specific to an enterprise’s environment. As a result, security teams can identify and contain threats as they are occurring, reducing the costs and severity of cyber-attacks.
Automated Threat Hunting with ReliaQuest GreyMatter
Conduct scheduled threat hunting campaigns across your environment with ReliaQuest GreyMatter.
ReliaQuest GreyMatter, a cloud-native XDR platform helps organizations gain greater visibility across SIEM, EDR, multi-cloud and hybrid environments to speed detection and response. ReliaQuest GreyMatter uses machine learning to automate threat hunting. We’ll comb through your network and identify problems hidden in your network. We’ll then bring them to light for analysts, keeping your environment secure and helping security leaders sleep at night.