Threat hunting

Threat hunting is the practice of proactively searching a network for threats that have evaded existing controls. It complements the standard cycle of incident detection, response and remediation: where that cycle waits for a tool to raise an alert, hunting goes looking for the malicious actors that have already slipped past the initial endpoint security defences.

In the case of a so-called Advanced Persistent Threat (APT), an adversary who has gained a foothold can remain hidden in a network for months, quietly exfiltrating data, searching for confidential material, or harvesting login credentials that allow later movement through the environment. Once an adversary has evaded initial detection and penetrated an organisation's perimeter, many organisations lack the detection capabilities needed to find and stop the intrusion.

This is why threat hunting is an essential component of a defence strategy, and it is becoming increasingly important as organisations seek to stay ahead of the latest threats and respond quickly to potential attacks.

Proactive threat hunting

Threat hunters assume that adversaries are already in the environment, and look for unusual behaviour that may indicate malicious activity. A hunt usually starts in one of three ways:

  1. Hypothesis-driven investigations are often triggered by a new threat identified from a large pool of crowdsourced attack data, which gives insight into an adversary's latest tactics, techniques and procedures (TTPs). The hunter forms a hypothesis (for example, that a newly reported TTP has been used against the organisation) and looks for the specific behaviours it would produce in the local environment.

  2. Investigations based on known Indicators of Compromise (IoCs) or Indicators of Attack (IoAs) use tactical threat intelligence: the IoCs and IoAs associated with new threats (file hashes, IP addresses and domain names for IoCs; the observable behaviours of an attack in progress for IoAs) are catalogued and used as triggers that hunters search for to uncover hidden attacks or malicious activity.

  3. Advanced analytics and machine learning investigations sift through large volumes of data to detect irregularities that may suggest malicious activity. Each irregularity becomes a hunting lead that an analyst investigates to confirm or rule out a new threat.

In all cases, threat intelligence is combined with the telemetry and tooling (endpoint, network and log data) needed to test a hypothesis against the local environment.
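As an added example (not code from the original page), the three styles of investigation above run over a handful of constructed endpoint process-creation events in Python. Everything in the block is constructed for illustration: the host names, users, hashes and IP addresses (the latter from the TEST-NET documentation ranges), the indicator list, and the events themselves. The "analytics" pass is plain frequency stacking (which images run on unusually few hosts) standing in for a trained model; the hypothesis pass checks the well-known pattern of an Office application spawning a script interpreter (ATT&CK T1566 phishing leading to T1059 command and scripting interpreter).

```python
"""Three hunting passes over constructed endpoint process events.

All events, indicators and names below are constructed for this example;
they are not data from any real environment.
"""
from collections import defaultdict

# Constructed process-creation events, roughly the fields an EDR or Sysmon
# feed exports: host, user, parent process, image, command line, file hash
# and (if the process made a network connection) the destination IP.
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe invoice.docm", "sha256": "a1" * 32, "dest_ip": None},
    {"host": "ws01", "user": "alice", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "sha256": "b2" * 32,
     "dest_ip": "198.51.100.23"},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe report.docx", "sha256": "a1" * 32, "dest_ip": None},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe", "sha256": "c3" * 32, "dest_ip": "203.0.113.10"},
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe", "sha256": "c3" * 32, "dest_ip": "203.0.113.10"},
    {"host": "ws02", "user": "bob", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "d4" * 32, "dest_ip": None},
    {"host": "ws03", "user": "carol", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "d4" * 32, "dest_ip": None},
    {"host": "ws03", "user": "carol", "parent": "cmd.exe", "image": "rclone.exe",
     "cmdline": "rclone.exe copy C:\\Finance remote:bk", "sha256": "e5" * 32,
     "dest_ip": "198.51.100.77"},
]

# 1. Hypothesis-driven: phishing (T1566) delivers a macro document, and the
#    macro launches a script interpreter (T1059). Parent/child pairs like
#    winword.exe -> powershell.exe are the behaviour that hypothesis predicts.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def hypothesis_hunt(events):
    """Return events where an Office application spawned a script interpreter."""
    return [e for e in events if e["parent"] in OFFICE_APPS and e["image"] in INTERPRETERS]


# 2. Indicator-based: a hypothetical tactical intel feed gave us a file hash
#    and two command-and-control addresses; match them against the telemetry.
IOC_HASHES = {"b2" * 32}                       # constructed indicator
IOC_IPS = {"198.51.100.23", "198.51.100.77"}  # constructed, TEST-NET-2 range


def ioc_hunt(events, hashes=IOC_HASHES, ips=IOC_IPS):
    """Return (event, reasons) pairs for events matching a known IoC."""
    hits = []
    for e in events:
        reasons = []
        if e["sha256"] in hashes:
            reasons.append("hash")
        if e["dest_ip"] in ips:
            reasons.append("ip")
        if reasons:
            hits.append((e, reasons))
    return hits


# 3. Analytics: frequency stacking. Software that runs on most hosts is
#    probably legitimate; an image seen on only one host is a lead, not a
#    verdict, and goes to an analyst for investigation.
def stacking_hunt(events, max_hosts=1):
    """Return image names that ran on no more than max_hosts distinct hosts."""
    hosts_by_image = defaultdict(set)
    for e in events:
        hosts_by_image[e["image"]].add(e["host"])
    return sorted(img for img, hosts in hosts_by_image.items() if len(hosts) <= max_hosts)


def hunt_leads(events):
    """Run all three passes and return de-duplicated (reason, host, image) leads."""
    leads = set()
    for e in hypothesis_hunt(events):
        leads.add(("office-spawned-interpreter", e["host"], e["image"]))
    for e, reasons in ioc_hunt(events):
        leads.add(("ioc:" + "+".join(reasons), e["host"], e["image"]))
    for img in stacking_hunt(events):
        for e in events:
            if e["image"] == img:
                leads.add(("rare-image", e["host"], img))
    return sorted(leads)


if __name__ == "__main__":
    for lead in hunt_leads(EVENTS):
        print(lead)
```

Each pass produces leads, not conclusions: the hypothesis and IoC passes both point at the PowerShell launched from Word on ws01, and stacking surfaces rclone.exe on ws03, which the IoC pass independently tied to a known address. In a real hunt these leads are what an analyst takes into the investigation phase with EDR telemetry; in this toy data set the thresholds (one host) and indicator list are deliberately small and would need tuning against the population of a real fleet.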

Threat hunting steps

  1. A trigger points threat hunters to a specific system or area of the network for further investigation. It may be an alert from detection tooling that has identified unusual actions, or a hypothesis drawn from new threat intelligence.

  2. During the investigation phase, threat hunters use technology such as Endpoint Detection and Response (EDR) to take a deep dive into the potentially compromised system and confirm whether the activity is benign or malicious.

  3. The resolution phase involves communicating relevant intelligence about the malicious activity to operations and security teams so that they can respond to the incident and mitigate the threat.

Threat hunters also analyse the collected data to determine trends in the environment, eliminate current weaknesses, and make predictions that improve security in the future.