Threat hunting, also known as cyberthreat hunting, is a proactive approach to identifying previously unknown or ongoing, non-remediated threats within an organization's network.
Threat hunting is important because sophisticated threats can get past automated cybersecurity. Although automated security tools and tier 1 and 2 security operations center (SOC) analysts should be able to deal with roughly 80% of threats, you still need to worry about the remaining 20%. That remaining 20% is more likely to include sophisticated threats that can cause significant damage. Given enough time and resources, they will break into any network and can remain undetected for 280 days on average. Effective threat hunting helps reduce the time from intrusion to discovery, reducing the damage attackers can do.
Attackers often lurk for weeks, or even months, before discovery. They wait patiently to siphon off data and uncover enough confidential information or credentials to unlock further access, setting the stage for a significant data breach. How much damage can potential threats cause? According to the Cost of a Data Breach report, a data breach costs a company almost USD 4 million on average. And the harmful effects of a breach can linger for years. The longer the time between an intrusion and the response to it, the more it can cost an organization.
A successful threat hunting program is based on an environment's data fertility. In other words, an organization must first have an enterprise security system in place, collecting data. The information gathered from it provides valuable clues for threat hunters.
Cyber threat hunters bring a human element to enterprise security, complementing automated systems. They are skilled IT security professionals who search, log, monitor and neutralize threats before they can cause serious problems. Ideally, they're security analysts from within a company's IT department who know its operations well, but sometimes they're outside analysts.
The art of threat hunting finds the environment's unknowns. It goes beyond traditional detection technologies, such as security information and event management (SIEM), endpoint detection and response (EDR) and others. Threat hunters comb through security data. They search for hidden malware or attackers and look for patterns of suspicious activity that a computer might have missed or judged to be resolved when it isn't. They also help patch an enterprise's security system to prevent that type of cyberattack from recurring.
Hunters begin with a hypothesis based on security data or a trigger. The hypothesis or trigger serves as a springboard for a more in-depth investigation into potential risks. These deeper investigations take three forms: structured, unstructured and situational hunting.
A structured hunt is based on an indicator of attack (IoA) and the tactics, techniques and procedures (TTPs) of an attacker. Structured hunts are aligned with and based on the TTPs of the threat actors, so the hunter can usually identify a threat actor even before the attacker can cause damage to the environment. This hunting type uses the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework, drawing on both the PRE-ATT&CK and Enterprise matrices.
An unstructured hunt is initiated based on a trigger, one of many indicators of compromise (IoC). This trigger often cues a hunter to look for pre- and post-detection patterns. Guided by this approach, the hunter can research as far back as data retention and previously associated offenses allow.
A situational hypothesis comes from an enterprise's internal risk assessment or a trends and vulnerabilities analysis unique to its IT environment. Entity-oriented leads come from crowd-sourced attack data that, when reviewed, reveal the latest TTPs of current cyberthreats. A threat hunter can then search for these specific behaviors within the environment.
Intel-based hunting is a reactive hunting model that uses IoCs from threat intelligence sources. From there, the hunt follows predefined rules established by the SIEM and threat intelligence.
Intel-based hunts can use IoCs such as hash values, IP addresses, domain names, and network or host artifacts provided by intelligence sharing platforms such as computer emergency response teams (CERT). An automated alert can be exported from these platforms and fed into the SIEM using Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII). Once the SIEM has the alert based on an IoC, the threat hunter can investigate the malicious activity before and after the alert to identify any compromise in the environment.
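The intel-based workflow just described (pull IoCs from a STIX feed, match them against collected telemetry, then look at what happened on the host before and after each hit, which is also the pre- and post-detection pattern search of an unstructured hunt) can be sketched in a few dozen lines. The following is an added example written for this page, not IBM's code or any product's; the STIX bundle, the hostnames, the IP address (RFC 5737 documentation range), the `.test` domain and the SHA-256 value are all constructed, and the event field names (`dst_ip`, `domain`, `sha256`) are assumptions about how your log pipeline normalises records.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed STIX 2.1 bundle with three indicators and one non-indicator object.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "constructed C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.test']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "constructed dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "constructed malware family", "is_family": True},
    ],
})

# Constructed, normalised telemetry from EDR, DNS and proxy sources.
EVENTS = [
    {"ts": "2024-05-01T09:58:00", "host": "ws-17", "source": "edr", "event": "process_start",
     "image": "C:\\Users\\a\\Downloads\\invoice.exe", "sha256": "0123456789abcdef" * 4},
    {"ts": "2024-05-01T10:00:10", "host": "ws-17", "source": "dns", "event": "query",
     "domain": "update.example.test"},
    {"ts": "2024-05-01T10:00:12", "host": "ws-17", "source": "proxy", "event": "connect",
     "dst_ip": "203.0.113.5", "bytes_out": 4096},
    {"ts": "2024-05-01T10:30:00", "host": "ws-17", "source": "proxy", "event": "connect",
     "dst_ip": "198.51.100.20", "bytes_out": 512},
    {"ts": "2024-05-01T10:05:00", "host": "ws-22", "source": "dns", "event": "query",
     "domain": "intranet.example.test"},
]

# One "path = 'value'" comparison inside a STIX pattern; finditer also handles OR-joined patterns.
_COMPARISON = re.compile(r"(?P<path>[a-z0-9\-]+:[\w\.'\-]+)\s*=\s*'(?P<value>[^']+)'")

# STIX object path -> indicator category; event fields that carry that category.
_PATH_TO_KIND = {"ipv4-addr:value": "ip", "domain-name:value": "domain",
                 "file:hashes.'SHA-256'": "sha256"}
_EVENT_FIELDS = {"ip": ("dst_ip", "src_ip"), "domain": ("domain",), "sha256": ("sha256",)}


def extract_iocs(bundle_json):
    """Return {kind: {value: indicator_name}} for the indicator objects in a STIX bundle."""
    iocs = {kind: {} for kind in _EVENT_FIELDS}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # relationships, malware objects, SIGMA/YARA patterns etc. are skipped
        for m in _COMPARISON.finditer(obj["pattern"]):
            kind = _PATH_TO_KIND.get(m.group("path"))
            if kind:
                iocs[kind][m.group("value").lower()] = obj.get("name", obj["id"])
    return iocs


def match_events(events, iocs):
    """Return one hit record per (event, indicator) pair."""
    hits = []
    for ev in events:
        for kind, fields in _EVENT_FIELDS.items():
            for field in fields:
                value = str(ev.get(field, "")).lower()
                if value and value in iocs[kind]:
                    hits.append({"hit": ev, "kind": kind, "value": value,
                                 "indicator": iocs[kind][value]})
    return hits


def context_window(events, hit, window):
    """Split same-host events into those shortly before and shortly after the hit."""
    t0 = datetime.fromisoformat(hit["ts"])
    before, after = [], []
    for ev in events:
        if ev is hit or ev["host"] != hit["host"]:
            continue
        delta = datetime.fromisoformat(ev["ts"]) - t0
        if -window <= delta < timedelta(0):
            before.append(ev)
        elif timedelta(0) <= delta <= window:
            after.append(ev)
    return before, after


def hunt(bundle_json, events, window_minutes=15):
    """Full intel-based pass: IoCs -> matches -> pre/post context per match."""
    iocs = extract_iocs(bundle_json)
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    window = timedelta(minutes=window_minutes)
    results = []
    for h in match_events(ordered, iocs):
        before, after = context_window(ordered, h["hit"], window)
        results.append({**h, "before": before, "after": after})
    return results


if __name__ == "__main__":
    for r in hunt(STIX_BUNDLE, EVENTS):
        print(f"{r['hit']['ts']} {r['hit']['host']} {r['kind']}={r['value']} ({r['indicator']}) "
              f"pre={len(r['before'])} post={len(r['after'])}")
```

The window size and the decision to keep only same-host context are deliberately simple; in a real hunt the analyst widens both (other hosts the same user touched, the full retention period) once a hit is confirmed, which is the point the article makes about researching as far back as retention allows.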
Hypothesis hunting is a proactive hunting model that uses a threat hunting library. It's aligned with the MITRE ATT&CK framework and uses global detection playbooks to identify advanced persistent threat groups and malware attacks.
Hypothesis-based hunts use the IoAs and TTPs of attackers. The hunter identifies the threat actors based on the environment, domain and attack behaviors employed to create a hypothesis aligned with the MITRE framework. Once a behavior is identified, the threat hunter monitors activity patterns to detect, identify and isolate the threat. This way, the hunter can proactively detect threat actors before they can do damage to an environment.
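A hypothesis-based hunt starts from attacker behaviours rather than from a feed of indicators, so the hunting logic is a set of ATT&CK-mapped behavioural rules plus a correlation step that escalates a host only when the hypothesised chain of techniques actually appears together. The block below is an added example written for this page, not IBM's code or any product's playbook: the technique IDs are real MITRE ATT&CK identifiers, but the rules are simplified heuristics, and the hosts, paths and command lines in `EVENTS` are constructed process-creation records (the field names `parent_image`, `image`, `cmdline` are assumptions about your EDR schema).

```python
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _has_encoded_flag(cmdline):
    # Simplified heuristic: PowerShell accepts any unique prefix of -EncodedCommand.
    return any(tok.startswith("-enc") for tok in cmdline.lower().split())


# Hypothesis rules: ATT&CK technique ID -> (description, predicate over one process-creation event).
RULES = {
    "T1566.001": ("Office application spawning a script interpreter",
                  lambda e: _basename(e["parent_image"]) in OFFICE_APPS
                  and _basename(e["image"]) in INTERPRETERS),
    "T1059.001": ("PowerShell launched with an encoded command",
                  lambda e: _basename(e["image"]) == "powershell.exe"
                  and _has_encoded_flag(e["cmdline"])),
    "T1053.005": ("Scheduled task created via schtasks.exe",
                  lambda e: _basename(e["image"]) == "schtasks.exe"
                  and "/create" in e["cmdline"].lower()),
    "T1547.001": ("Run key modified via reg.exe",
                  lambda e: _basename(e["image"]) == "reg.exe"
                  and "\\currentversion\\run" in e["cmdline"].lower()),
}

# Constructed process-creation telemetry: one suspicious chain, one benign admin script,
# and one lone scheduled-task creation that should not be escalated on its own.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "ws-17",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand <constructed-base64-placeholder>"},
    {"ts": "2024-05-01T10:02:30", "host": "ws-17",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /Create /TN Updater /TR C:\\Users\\Public\\updater.exe /SC ONLOGON"},
    {"ts": "2024-05-01T10:05:00", "host": "ws-22",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"},
    {"ts": "2024-05-01T11:00:00", "host": "ws-30",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /Create /TN NightlyBackup /TR C:\\Backup\\run.cmd /SC DAILY"},
]


def evaluate(events):
    """Return (event, technique_id) for every rule that fires on every event."""
    findings = []
    for ev in events:
        for tid, (_desc, pred) in RULES.items():
            if pred(ev):
                findings.append((ev, tid))
    return findings


def correlate(findings, window_minutes=30, min_techniques=2):
    """Escalate a host when >= min_techniques distinct techniques fire within the window."""
    by_host = defaultdict(list)
    for ev, tid in findings:
        by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tid))
    window = timedelta(minutes=window_minutes)
    escalations = []
    for host, items in by_host.items():
        items.sort()
        for t0, _ in items:  # slide a window forward from each finding
            techs = {tid for t, tid in items if t0 <= t <= t0 + window}
            if len(techs) >= min_techniques:
                escalations.append({"host": host, "techniques": sorted(techs),
                                    "first_seen": t0.isoformat()})
                break
    return escalations


def hunt(events, **kwargs):
    """Hypothesis hunt: behavioural rules, then chain correlation per host."""
    return correlate(evaluate(events), **kwargs)


if __name__ == "__main__":
    for esc in hunt(EVENTS):
        print(esc["host"], esc["first_seen"], ", ".join(esc["techniques"]))
```

The correlation threshold is what keeps a hypothesis hunt from degenerating into a pile of single-technique alerts: `ws-30` creates a scheduled task too, but with no preceding initial-access or execution behaviour it stays a lead for the analyst rather than an escalation. Tune `window_minutes` and `min_techniques` per hypothesis, and record which ATT&CK IDs each rule covers so coverage gaps in the hunting library are visible.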
Custom hunting is based on situational awareness and industry-based hunting methodologies. It identifies anomalies in the SIEM and EDR tools and is customizable based on customer requirements.
Custom or situational hunts are based on customers' requirements, or they're proactively executed based on situations, such as geopolitical issues and targeted attacks. These hunting activities can draw on both intel- and hypothesis-based hunting models using IoA and IoC information.
Hunters use data from MDR, SIEM and security analytics tools as a foundation for a hunt. They can also use other tools, like packet analyzers, to execute network-based hunts. However, using SIEM and MDR tools requires that all essential sources and tools in an environment are integrated. This integration ensures IoA and IoC clues can provide adequate hunting direction.
MDR applies threat intelligence and proactive threat hunting to identify and remediate advanced threats. This type of security solution can help reduce the dwell time of attacks and deliver fast, decisive responses to attacks within the network.
Security analytics strives to go beyond basic SIEM systems to offer deeper insights into your security data. Combining the big data harvested by security technology with faster, more sophisticated, and more integrated machine learning and AI, security analytics can accelerate threat investigations by providing detailed observability data for cyberthreat hunting.
Threat intelligence is a data set about attempted or successful intrusions, usually collected and analyzed by automated security systems with machine learning and AI.
Threat hunting uses this intelligence to carry out a thorough, system-wide search for bad actors. In other words, threat hunting begins where threat intelligence ends. Even more, a successful threat hunt can identify threats that have not yet been spotted in the wild.
Also, threat hunting uses threat indicators as a lead or hypothesis for a hunt. Threat indicators are virtual fingerprints left by malware or an attacker, a strange IP address, phishing emails or other unusual network traffic.