The fact is that no single technology solution, or even a combination of solutions, exists that will block 100% of cyberattacks.
Therefore, an organization must move beyond a protection-based approach to a much more comprehensive model—a model that includes the ability to detect and mitigate successful cyberattacks before they cause lasting damage. Threat hunting is one aspect of such a comprehensive defense strategy. When bolstered by the latest threat intelligence and grouped with top-of-the-line technologies, such as 24/7/365 monitoring, companies can avoid becoming cyber victims.
Here's what threat hunting entails.
The Threat Hunting Process
Threat hunting is the ongoing process of defining threats and looking for evidence of them in your network. The foundation of this process is to operate on the premise that attackers will bypass your defenses and will gain access to your computers and networks. Threat hunting enables earlier identification of security failures and allows for containment and remediation before damage (such as ransomware) occurs.
A single threat hunt consists of four steps: hypothesis, data collection, response, and documentation and notification. The process is then repeated on an ongoing basis as new threats are identified.
As new attacker tactics, techniques, and procedures (TTPs) are identified, a threat hunt will assess if those TTPs are active in your environment. Let’s look at three examples.
Zero-day attack: A zero-day attack is a new threat—it leaves you no time to protect yourself. If a zero-day attack emerges Monday and is identified Wednesday, analysts would hypothesize that the threat breached your systems somewhere in that time and would then hunt for it.
Phishing attempt: On Friday, you discover your company was the target of a phishing campaign. Analysts would hypothesize that some employees fell for the attempt and would look for evidence of malicious files.
Password Reuse: You hypothesize that an employee has reused his email password at another website and that website has the password stolen. Therefore, analysts would conduct a hunt for unusual login activity.
Not all hypotheses are always treated with the same urgency, though. An organization will likely rank events by likelihood of occurring as well as the consequences if it does in fact occur. If a certain type of attack is unlikely but potentially catastrophic, it may receive more attention than an attack with a higher probability but lower impact. Experts continuously monitor the latest attack vectors and their potential effects in order to establish these priorities with the company's best interests in mind.
2. Data Collection
Once cybersecurity teams have organized their hypotheses, they go about validating (or by extension, invalidating) the threats by collecting and analyzing data based on those assumptions (i.e. if hypothesis X is true, we'd expect to see data Y).
An effective way to accomplish this is to establish a baseline of 'normal' behavior and quickly find anomalies in the systems and networks that would trigger incident response. Endpoint Detection & Response (EDRs), Security Information & Event Management (SIEMs), and logs collect historical data and are among the best tools for this purpose.
4. Documentation & Notification
Once threats are eradicated, analysts document the results of the threat hunt and alert necessary parties, depending upon the seriousness of the threats. In doing so, they trace a pattern, so if the anomalies show up again, they’ll know how to nullify them and possibly set up automation to address the potential threat quicker if it were to arise again.
Each step begets another—hackers are constantly evolving, so your cyber defenses need to be as well. Threat hunting, combined with monitoring, helps create a 360-degree view into your cybersecurity posture. That provides an idea of the threats that exist in your systems at all times.
Therefore, if you’re considering working with a managed security services provider (MSSP), make sure that threat hunting is part of their offering.