In recent years, you’ve likely heard the term “threat hunting” buzzing around the cybersecurity industry. There are different ideas for what it means, different standards for what it takes to achieve, and different processes for what it looks like, though there are some common elements in most definitions.
Let’s start with the basics.
What is threat hunting?
Threat hunting is the proactive search for cyber threats which have gone undetected in a network. Threat hunting is exploratory in nature and requires deep investigation to uncover malicious activity, indicators of compromise (IoCs), and cyber threats like advanced persistent threats (APTs) that have evaded existing security tools.
If they are not discovered, threat actors can stealthily collect data, gather login credentials, and move laterally across the network, spreading out to infect multiple sources and hosts.
Many organizations lack the capabilities to detect and stop sophisticated attackers once they have breached passive defense systems. Security analysts must be constantly vigilant and always ready to find the next threat, which makes a threat hunting program critical to any defense in depth strategy.
How is threat hunting different from threat detection?
Threat detection is a somewhat passive approach to security. It is a necessary capability to aid threat hunters in their activities, but it is not proactive in the way threat hunting is.
Threat hunting enables organizations to detect threats before they’ve caused damage. It’s all about leveraging gathered data to develop hypotheses based on knowledge of adversary behavior and validating those hypotheses by exploring the environment.
With threat hunting, security analysts are not waiting for alerts to land in their queue. They use their intuition and knowledge of attacker behavior, combined with data already at their disposal, to seek out potential threats. In many cases, threat hunter activity is what generates an alert in the first place.
Traditional Security Operations Centers (where threat detection is managed) respond to alerts that are presented by their security tools, such as a SIEM. In these environments, responding to an alert means something has already occurred and it might be too late to stop some attacks.
“Being proactive means analyzing the environment along with known active threats occurring on the web and looking for those threats within your own environment,” said Dave Summitt, Founder of Alpha Omega Advisors, former CISO at Moffitt Cancer Center and Fellow at the Institute for Critical Infrastructure Technology.
For this reason, some organizations choose to create a Threat Analysis Center — a separate unit to optimize threat hunting initiatives. Threat Analysis Centers (TACs) utilize threat feeds and information from other organizations to actively look for threat indicators within the environment with anticipation of stopping threats before they disrupt the business.
Threat Hunting Methodologies
Threat hunters assume that a breach has already occurred, and they proactively investigate the environment to find anomalies that may indicate threat activity. Examples of threat hunting methodologies include:
1. Hypothesis-driven investigations
This type of threat hunting is prompted by discovery of new information about a novel threat vector. Once threat hunters obtain insight about these new threat tactics, techniques, and procedures (TTPs), they can begin digging deep into the network to see if those specific behaviors can be identified in their own environment.
2. Investigation based on known IoCs
Investigations based on known IoCs or other attack indicators require leveraging threat intelligence and global detection playbooks to attribute known attack behaviors associated with new threats. Threat hunters then use these triggers to uncover potential hidden attacks.
3. Analytics and machine learning based investigations
This type of hunting requires advanced analytics capabilities and machine learning tools to search through massive amounts of gathered data to find anomalies that might point to malicious activity. These anomalies are then investigated by security analysts to uncover potential threats.
What is required to start a threat hunting program?
A threat hunting program requires some critical resources to be successful. These include:
1. Human Threat Hunters
Automated detection techniques are helpful in gathering data and finding attacks that have already occurred, but sophisticated attacks can often evade these detection methods. Threat hunting requires human interaction, and experienced threat hunters are a critical part of any effective threat hunting program.
Because of this human element, success depends on the analysts hunting through the data. They must have deep knowledge of the environment, expertise to identify sophisticated attacks, enough experience to develop attack hypotheses, and the security resources to hunt and respond to attack behavior.
Additionally, cyber threat hunters — and cybersecurity teams in general — need to remain focused on security initiatives. They should not be part of day-to-day IT operations.
2. Vast Data
Threat hunting requires the ability to gather vast amounts of network data so security analysts have deep visibility into all system events and assets. Machine learning and advanced analytics tools are incredibly helpful here, as they can perform real-time analysis on the gathered information to accelerate a threat hunter’s understanding.
3. Threat Intelligence
Threat hunting requires the ability to ingest threat intelligence about trends, known APTs and malware groups, new IoCs, and more, and correlate that with environmental data to analyze activity and identify suspicious behavior. This includes a combination of proactive intelligence which can be derived from methods like vulnerability scanning and external threat intelligence feeds, and reactive intelligence to help identify threats when, despite best efforts to prevent attacks, a breach does occur.
There are many ways cyber teams can gain the necessary intelligence for threat hunting. From the “basics” standpoint, it requires investigating existing logs and traffic to fully understand what they should look like and, when something anomalous occurs, it can be analyzed for malicious intent. More advanced methods utilize threat feeds and other information gathered from various organizations.
“Cyber teams should also try collaborating with other teams in the same geographical region,” said Summitt. “There are times when attacks can be found by hunting down indicators of threats you know other organizations are facing.”
Additionally, the team should get familiar with and incorporate cybersecurity frameworks conducive to threat hunting. Operationalizing frameworks like MITRE ATT&CK will elevate the chances of success.
It’s imperative that organizations take the time to understand threat hunting and dedicate the necessary resources. An organization’s chief information security officer (CISO) needs to be transparent with the business when creating a threat hunting program, so they know exactly what is occurring.
“Bringing in other business leaders and showing them exactly what is being done along with the benefits will go a long way in building the necessary support,” said Summitt.
What makes a good threat hunter?
A threat hunter is a cybersecurity analyst who proactively detects, isolates, and neutralizes advanced threats that have evaded existing security tools. They use manual or machine-augmented techniques to perform advanced analysis and employ hypothesis-driven approaches to find anomalies that may indicate malicious activity.
Becoming a skilled threat hunter requires a shift in mindset from a traditional security analyst. Threat hunters must learn to correlate human insights with behavioral analytics and network-wide context. With threat hunting, constant vigilance and investigation is required. Threat hunters know when to look, they know where to look, and they know what to look for to reduce cyber risk.
Additionally, threat hunters understand the difference between ‘alerts’ and ‘signals.’ Alerts should be handled through traditional SOC operations — actions like responding to known threat signatures or policy violations. Signals, however, deliver the contextual intelligence that may or may not indicate a more sophisticated attack like a behavioral anomaly or zero-day exploit is underway.
For example, let’s say an employee is in an office connecting to a server they don’t normally connect to and downloading data to an offsite location. This observation is then enriched by additional data, such as the employee accessing systems at an unusual time. All of this context produces a signal that commands attention from someone with the appropriate skills, access and empowerment to determine the employee’s intent and identify whether this behavior indicates a threat.
Security professionals may undergo threat hunting training to improve their skills. There are also certifications threat hunters can achieve such as the Certified Cyber Threat Hunting Professional (CCTHP), designed to “certify that candidates have expert-level knowledge and skills in cyber threat identification and threat hunting.”
Ultimately, threat hunters report to an organization’s CISO, who may implement training programs to develop security personnel internally before choosing to look for skilled candidates outside of the organization.
Important skills for threat hunters include:
- Information security experience — Threat hunters need to have a background in cybersecurity or network engineering, including real-world experience with data analysis, forensic intelligence, malware dissection, adversary tracking, and more.
- Data analysis — An effective threat hunter will be skilled in complex data analytics and reporting, pattern recognition, threat research, and problem-solving skills.
- Domain knowledge — Threat hunters need a deep understanding of what is normal for the environments they are protecting. To identify and hunt down anomalous activity in the organization, threat hunters must also develop their own intuition to know where to search for threats.
- Knowledge of the cyber landscape — An extensive knowledge of current and past attack methodologies and TTPs is critical for any successful threat hunter. Attack patterns and TTPs evolve rapidly, so remaining up to date is crucial.
When is an organization ready to start threat hunting?
Threat hunting requires a level of organizational maturity and access to resources to be successful. It takes experience, teamwork, and knowledgeable personnel.
One of the first indications that a team is ready to move from threat detection into threat hunting is when cyber teams are able to reduce the noise of cyber incidents and handle threats routinely or through automation. This can mean that the team is operating efficiently and might be a sign that it’s time to mature to the next level.
“The CISO will lead this initiative, but the entire cyber team needs to be included,” said Summitt. “A CISO may believe the team is ready but if the team doesn’t necessarily think so, additional discussions and discovery may be needed to understand the concerns. The cyber team should be at the forefront in defining success criteria and goals when setting up the initial threat hunting program.”
“In addition, it would be good to try to work or partner with a company that is more advanced in terms of capabilities and try to incorporate their lessons learned,” said Summitt.
Threat Hunting with ThreatWarrior
Simply put, you can’t hunt what you can’t see.
Through advanced network detection and response, ThreatWarrior makes threat hunting easy for analysts at any level. The platform helps threat hunters and security analysts gain a better understanding of the environment by delivering 100% visibility into every corner of the network, including cloud and hybrid ecosystems.
ThreatWarrior enables hunters to proactively stop cyberattacks by empowering users with advanced analytics, detailed environmental reporting, deep contextual intelligence, and continuous development of behavioral-based preventions.
The platform provides a real-time view of an organization’s security posture and allows users to directly correlate threat intelligence to behavioral analytics to accelerate threat hunting and investigation, even for less experienced analysts.
How ThreatWarrior Delivers Signal
Understanding the difference between alerts and signals is crucial for all security professionals, and that is no different for threat hunters. ThreatWarrior produces the signals that matter to help security teams focus on the most critical threats.
ThreatWarrior’s AI engine constantly monitors a user’s network to build models of normal activity and tests all new network activity against those models. It performs hundreds of thousands of calculations on every communication over a network to determine how anomalous each one is, then combines those results into a single network score to measure how anomalous the traffic is across the entire organization.
If that number grows large enough, a behavioral anomaly is signaled, which means something potentially nefarious is happening. Because ThreatWarrior never learns malicious behavior as normal, we can boost the likelihood that that signal might be tied to malicious behavior.
Triage is key. We know that a behavioral anomaly is not always a threat, and not every threat matters to everyone. As security professionals, you know your threat profile. This is where a threat hunter’s intuition and knowledge of the threat landscape comes into play. ThreatWarrior’s signals cut through the noise to help hunters determine the true intent of any perceived malicious behavior.
Ultimately, a behavioral anomaly signal is a flag for further investigation. It does not resolve incidents for threat hunters, it creates different ones. Baselining a network and addressing the alerts that have logical, structured rules is critical. It’s what helps build the skills necessary to effectively handle behavioral anomaly signals.
These signals help answer, “What’s next?” They deliver the context to help decide what to do when security professionals have dealt with the known threats and laid the foundation for threat hunting by clearing out alerts.
To learn more about ThreatWarrior and how we empower organizations to stop active threats before they’ve run their course, speak with a ThreatWarrior expert today.