Threat hunting, designed to detect unknown security incidents and vulnerabilities within an organization’s systems, allows an organization to augment its detection and prevention-focused security mechanisms and implement defense in depth.
Instead of digging into a known event or incident, threat hunters develop hypotheses about potential threats that their organization may be facing. These hypotheses may be based upon knowledge of the cyber threat landscape, the organization’s IT infrastructure, and other factors. Once a hypothesis has been developed, the threat hunter will evaluate it by collecting and analyzing data that could prove or disprove their hypothesis.
A major challenge of threat hunting is the unrestricted scope and wide range of potential avenues of investigation. Threat hunters can pursue a variety of potential threats on many different systems. This vast number of potential combinations makes it necessary for threat hunters to prioritize the hypotheses that they test.
For this reason, it is vital for an organization to create priority intelligence requirements (PIRs) for their threat hunting program. These help to define which threats are the most important for threat hunters to investigate. These PIRs can then be used to develop hypotheses and guide the threat hunting process to maximize the value of the hunt to the investigation.
Let’s take a closer look at what it takes to carry out a successful threat hunt:
Step 1: Prepare The Essentials For The Hunt
Preparation is essential for a successful threat hunt. The three key components of a threat hunting program include:
#1. The Hunter: Threat hunting is a human-driven exercise designed to identify unknown intrusions or vulnerabilities in an organization’s systems based on evaluating hypotheses. Developing, testing, and evaluating these hypotheses requires knowledge and experience regarding the threats that an organization may face and how to identify these threats via a threat hunt.
#2. The Data: The goal of threat hunting is to prove or disprove a hypothesis regarding a potential threat to the organization or a previously undiscovered vulnerability. Proving or disproving this hypothesis requires access to data that enables the threat hunter to make a definitive decision. In preparation for future threat hunting, an organization needs to put processes and solutions in place to collect the data required to evaluate hypotheses derived from an organization’s PIRs.
#3. The Tools: Threat hunting requires in-depth data collection and analysis. While threat hunters may collect and analyze this data manually, doing so could be time-consuming and prone to errors. Maximizing the efficiency and effectiveness of a threat hunting program requires tools that can help hunters to better collect, analyze, and interpret data to prove or disprove their hypotheses. You’re welcome to jump right into your proactive threat hunt with our Investigative Portal.
Step 2: Define Your Threat Hunt
A threat hunt begins as a hypothesis about a potential undetected vulnerability or intrusion within an organization’s systems. After preparing for the threat hunt, the next step is to define the hypothesis for the threat hunt. A threat hunting hypothesis should be based on an organization’s PIRs and threat intelligence. Over time, a threat hunting program should test hypotheses for each potential threat that aligns with an organization’s PIRs. For example, if an organization is concerned about ransomware attacks, threat hunters might focus on testing hypotheses regarding common ransomware infection vectors, such as if an attacker has exploited a virtual private network (VPN) vulnerability or used compromised credentials to log in via remote desktop protocol (RDP). Alternatively, threat hunters could look for indications of a ransomware infection on a system, such as encryption of files, detection of known ransomware variants, or attempts by the malware to move laterally to infect other corporate systems.
Step 3: Hunt For Threats
After defining the threat hunt’s hypothesis, the threat hunter can then start working to prove or disprove that hypothesis. This involves collecting and analyzing data from various systems that could support or disprove the hypothesis.
For example, if a threat hunter was looking for indications that an attacker was exploiting the corporate VPN to plant ransomware, they could begin by examining network traffic logs and session data from the VPN endpoint. If the VPN endpoint was observed to be making unusual connections or VPN sessions included anomalies outside of users’ common usage patterns, this could indicate that an attacker exploited a VPN vulnerability or compromised an employee’s account.
After collecting available data, the threat hunter can prove or disprove their hypothesis. Based on this decision, different actions are necessary:
If the hypothesis is incorrect: A disproved hypothesis is the desired outcome because it means that the potential intrusion or vulnerability does not exist. After disproving a hypothesis, a threat hunter should document the investigation for future reference and move on to a new hunt.
If the hypothesis is correct: A proven hypothesis means that the threat hunter has discovered a previously unknown threat. In addition to documenting the investigation, the hunter should also take steps to remediate the issue, such as initiating incident response activities, patching a discovered vulnerability, and improving defenses for the future.
If no decision can be made: After collecting and analyzing data, the threat hunter may be unable to conclusively prove or disprove their hypothesis. This means that the threat hunter should work to set up collection for any missing required data or find a way to refine their hypothesis to a more testable and provable form.
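As an added example (not code from the original article or its authors), the script below works the VPN hypothesis from Step 3 through the three outcomes above: it builds a per-user baseline from constructed VPN session records, flags sessions that deviate from it (off-hours login, unexpected source country, outbound volume far above the user's median), and returns "proven", "disproved", or "inconclusive" when fields the hypothesis depends on were never collected. The record layout, the 06:00-19:59 login window and the 10x volume threshold are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

REQUIRED = ("user", "src_country", "start", "bytes_out")  # fields the hypothesis needs
WORK_HOURS = range(6, 20)  # assumed normal login window, 06:00-19:59 local time

# Constructed sample VPN session records, not real data.
SESSIONS = [
    {"user": "alice", "src_country": "US", "start": "2024-03-04T09:12:00", "bytes_out": 20_000_000},
    {"user": "alice", "src_country": "US", "start": "2024-03-05T08:55:00", "bytes_out": 18_000_000},
    {"user": "alice", "src_country": "RO", "start": "2024-03-06T03:10:00", "bytes_out": 1_900_000_000},
    {"user": "bob", "src_country": "US", "start": "2024-03-05T10:03:00", "bytes_out": 5_000_000},
]

def baseline(sessions):
    """Per-user usual source country and outbound volumes, derived from the sessions."""
    countries, volumes = defaultdict(Counter), defaultdict(list)
    for s in sessions:
        countries[s["user"]][s["src_country"]] += 1
        volumes[s["user"]].append(s["bytes_out"])
    usual = {u: c.most_common(1)[0][0] for u, c in countries.items()}
    return usual, volumes

def anomalies(sessions):
    """Sessions that deviate from their user's baseline, paired with the reasons."""
    usual, volumes = baseline(sessions)
    flagged = []
    for s in sessions:
        reasons = []
        if datetime.fromisoformat(s["start"]).hour not in WORK_HOURS:
            reasons.append("off-hours login")
        if s["src_country"] != usual[s["user"]]:
            reasons.append("source country differs from user's usual")
        if s["bytes_out"] > 10 * median(volumes[s["user"]]):
            reasons.append("outbound volume far above user's median")
        if reasons:
            flagged.append((s, reasons))
    return flagged

def evaluate(sessions):
    """Map the evidence onto the three hunt outcomes: proven, disproved, inconclusive."""
    missing = sorted({f for s in sessions for f in REQUIRED if s.get(f) is None})
    if not sessions or missing:
        return "inconclusive", missing  # set up collection for these fields, then re-hunt
    hits = anomalies(sessions)
    return ("proven", hits) if hits else ("disproved", [])
```

Each flagged session is a lead for incident response, not a verdict on its own; the hunter still documents why the baseline was built this way and what was ruled out.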
Step 4: Respond To The Attack
If the hypothesis is proven, a previously unknown vulnerability or intrusion has been detected, and an attacker may already have exploited it. If an intrusion was detected, the organization needs to perform an incident response to determine the scope of the incident and take steps to remediate it. This includes a full investigation of the attack chain using standard incident response practices. After a successful threat hunt, an organization has a clear starting point for an investigation. Using the indicators of compromise (IoCs) and indicators of attack (IoAs) developed during the threat hunt, incident responders can identify systems affected by the intrusion. These systems can then be quarantined, investigated, and cleaned of the infection.
Step 5: Prevent Attacks And Improve Security
If a threat hunt is successful, it has revealed a gap in an organization’s security visibility and defenses. This may be a vulnerability that was missed during security scanning or an attacker that slipped past an organization’s defenses. The results of a successful threat hunt should be used to improve corporate security defenses. This may include integrating new IoCs and IoAs into security solutions, adding new forms of data collection and analysis, and improving existing processes and procedures to better protect against the detected attack.