Threat hunting is a relatively recent addition to the security team's toolkit. High-profile breaches have shaken boardrooms, and as a result the industry now pays closer attention to whether its security controls actually work.
Organizations have traditionally relied on automated tools for intrusion detection and prevention. That is better than nothing, but experience has shown that these tools alone are not enough to withstand persistent attackers.
The threat hunting process adds a human element to the automated detection, monitoring, and threat intelligence activities an organization already has in place.
A threat intelligence process collects current threat data from multiple sources and feeds it into internal systems to produce correlated information about potential threats and to plan mitigation. Threat hunting can be started with or without threat intelligence, and aims at proactive detection of any real or materialized danger in the environment.
Threat hunting identifies malicious or risky activity that has evaded the automated tools, through proactive, human-driven searching in which a skilled hunter adds the intelligence and correlation the tools lack.
What is Threat Hunting?
It is an ongoing process and has the following characteristics.
- Look for Bad Thing (Breach/Incident)
- Find Bad Thing
- Figure out How to Find Bad Thing Faster next time.
Cyber Threat Kill Chain
Every cyber threat has a life cycle, or kill chain, from its origin to the successful execution of the attack.
It starts with the reconnaissance phase, in which the attacker collects and compiles information about the target, and ends with the attacker achieving the attack objectives (e.g., a fraudulent fund transfer or data exfiltration).
Weaponization (e.g., a malicious email or a piece of malware), delivery, exploitation, installation, and communication with command and control (C2) servers are the intermediate links of the chain.
Threat hunting needs to focus on finding an undetected incident or breach as early as possible, before the attacker completes the kill chain.
As a priority, it is best to look first for threats near the last links of the chain, where evidence is most conclusive. In practice this means detecting communication with command and control servers, or searching for symptoms that the attack objectives are being carried out (e.g., data being extracted or a transaction being executed).
The other links of the chain should also be hunted for evidence on a scheduled basis, so that each hunt detects incidents faster than the previous one.
Threat Hunting Process
Create hypotheses (educated guesses) to direct the hunt for incidents and breaches. Investigate them with the right tools and techniques, exploring the data to detect the events that went unnoticed by the automated solutions.
You may uncover new attack patterns and tactics, techniques, and procedures (TTPs). Report the findings to the relevant parties and systems, so that the attack is prevented in future and the next hunt is better informed.
For more details, see: The threat hunting reference model.
Threat hunting is an ongoing process and needs continual improvement to produce its best outcome. Maturity levels range from a non-existent (initial) stage to a fully mature level, where data analysis is automated and the process is fully in place to detect incidents proactively.
For more information, see: Threat hunting maturity.
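As an added illustration of both the command and control link of the kill chain above and the hypothesis-driven process just described, the following Python script is example code written for this article; it is not part of any product, reference model, or the author's own tooling. It assumes a hypothetical proxy log format (ISO timestamp, source host, destination domain, bytes out) and runs over constructed sample lines. The hypothesis under test is that a compromised workstation beacons to its C2 server at a near-fixed interval, to a destination that few other hosts contact. A confirmed finding is then turned into a reusable rule, which is the "find it faster next time" step of the loop.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines for this example (not real traffic).
# Assumed format: "<ISO timestamp> <source host> <destination domain> <bytes out>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-017 updates.example.org 512
2024-03-01T09:05:00 ws-017 updates.example.org 516
2024-03-01T09:10:01 ws-017 updates.example.org 510
2024-03-01T09:15:00 ws-017 updates.example.org 515
2024-03-01T09:20:00 ws-017 updates.example.org 511
2024-03-01T09:25:01 ws-017 updates.example.org 514
2024-03-01T09:00:12 ws-017 intranet.corp.example 2048
2024-03-01T09:00:30 ws-042 intranet.corp.example 3310
2024-03-01T09:03:44 ws-042 cdn.example.net 10240
2024-03-01T09:31:02 ws-042 cdn.example.net 8192
2024-03-01T11:07:19 ws-042 cdn.example.net 7000
2024-03-01T09:01:00 ws-099 intranet.corp.example 1500
"""

# The hunt hypothesis this script tests (the starting point of the process).
HYPOTHESIS = ("A compromised workstation beacons to its command and control server "
              "at a near-fixed interval, to a destination few other hosts contact.")


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_connections=5, max_jitter=0.10, max_hosts_per_dst=2):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    successive connections; human browsing and most legitimate software are far
    noisier than a beacon running on a timer. Destinations contacted by many
    hosts are excluded because they are more likely shared infrastructure.
    """
    by_pair = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
        hosts_per_dst[dst].add(src)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections or len(hosts_per_dst[dst]) > max_hosts_per_dst:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "connections": len(times),
                             "interval_s": round(mean_gap), "jitter": round(jitter, 3)})
    return findings


def to_detection_rule(finding, tolerance=0.25):
    """Turn a confirmed finding into a reusable rule so the next hunt, or the
    automated tooling, catches the same behaviour faster. Hypothetical rule shape."""
    interval = finding["interval_s"]
    return {
        "name": f"beacon-{finding['dst']}",
        "match": {"dst": finding["dst"]},
        "interval_s": [round(interval * (1 - tolerance)), round(interval * (1 + tolerance))],
        "min_connections": finding["connections"],
    }


if __name__ == "__main__":
    print("Hypothesis:", HYPOTHESIS)
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print("Finding:", f)
        print("Rule:", to_detection_rule(f))
```

On the sample data only ws-017 talking to updates.example.org every 300 seconds is flagged; ws-042's irregular downloads from cdn.example.net and the shared intranet host are not. The thresholds (minimum connections, jitter, host count) are the hunter's assumptions and should be tuned to the environment; a real beacon may also add random sleep jitter, so the jitter threshold is a starting point rather than a hard rule.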
Success of Threat Hunting
The following key factors make threat hunting a fruitful exercise.
- Proper planning, preparation, and the right processes for conducting the hunt
- Experienced, skilled professionals leading the process
- Appropriate tools and techniques for performing threat hunting across the organization
How to measure success?
Use relevant metrics to measure whether the program is succeeding and to identify areas for improvement.
- Number of incidents detected, by severity
- Number of compromised hosts identified, and how quickly
- Dwell time (how long the attacker was present) of any incidents discovered
- Number of detection gaps filled
- New visibility gained during the exercise