What Is Threat Hunting?
The security mindset is shifting from a focus on how to protect an organization and defend against cyber threats, to a new concept: the “assumption of breach”. True, you have to put defenses in place, but you should also assume those defenses will be breached at some point. That’s why you need to have a plan in place. What will you do to identify and contain those threats?
Threat hunting is an important part of the answer. It aims to actively seek out attackers who have penetrated your network and are carrying out nefarious activity. Threat hunters, like security guards performing regular scans of a sensitive building, sweep over corporate IT systems and look for signs of compromise.
According to an IBM report, it takes an average of 191 days for organizations to discover that they have been breached and remediate their systems. During that terrifyingly long period, attackers move laterally, gradually obtaining access to more and more sensitive systems. They continue to move through the network until they put their hands on the crown jewels. Threat hunting can dramatically shorten that window of opportunity for attackers.
Threat hunting also helps identify a special kind of cyber attack: Advanced Persistent Threats (APT). APTs are carried out by organized, sophisticated groups of cybercriminals, who launch a carefully planned attack campaign against a specific organization. APT attackers may be sophisticated enough and have enough time to evade your strongest defenses. But a skilled threat hunter can catch them after they enter, hopefully before damage is caused.
What Does it Take to Become a Threat Hunter?
Not just any security pro can become a threat hunter. Threat hunting requires multidisciplinary expertise, including:
- Security knowledge—security data analysis, forensics, threat intelligence, malware investigation and reverse engineering, and network and endpoint security tools.
- History of attacks—knowledge of current and past attack techniques and the threat actors who carry out those techniques. The ability to augment knowledge with threat intelligence and data feeds that provide up-to-date information about cyber attacks.
- Advanced IT expertise—operating systems, networks, and common applications like databases, email servers and web servers. Threat hunters must know their way around a network and what buttons to push to exploit a vulnerability or evade security, just like a sophisticated attacker.
- Programming skills—a threat hunter must be able to write scripts, and should also know compiled languages like Java or C++. This enables them to understand the automated techniques deployed by attackers and analyze the internals of malware.
- Creativity and independence—threat hunters must be problem solvers with a combination of analytical, logical, and technical skills. Like detectives, they need to be able to put together the pieces of the puzzle to identify what attackers are up to. They must be good at working alone, able to identify threat opportunities, and deal with them without close oversight.
The SANS Institute’s Threat Hunting Process
How does a threat hunter work? The SANS Institute suggests a 5-step process for effective threat hunting.
1. Collecting and processing data
A threat hunter starts by identifying what data they need to pinpoint a threat, grabs that data from security tools or from a Security Information and Event Management (SIEM) solution, and then performs an independent analysis.
2. Establishing a hypothesis
Asking one or more questions that can lead to the discovery of a threat. For example, if there is suspicious network traffic, this could be a sign that malware is communicating with a command and control center.
3. Investigating the hypothesis
Looking at the data to find the Indicators of Compromise (IoC) included in the hypothesis, and then analyzing them to see if they really do indicate a threat. This requires expertise, diligence, and a lot of patience.
4. Identify threats
Recognizing that a certain piece of forensic data is probably a threat. Threat hunters don’t stop there: they need to analyze the threat in more detail, obtain and correlate other relevant information, and identify what type of threat it is, which systems are affected, what the timeline was, and what the best course of action is.
5. Responding to the threat
Threat hunters take immediate steps to stop the attack, for example by quarantining an affected system or resetting it to a last known good state. They should then identify how to eradicate the threat and prevent it from recurring.
Threat hunters are expected to complete the cycle independently, but if the threat is very severe or affects a large part of the organization, the threat hunter may escalate to senior analysts in the Security Operations Center (SOC), to devise a coordinated response.
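As an added illustration of the hypothesis and investigation steps above (this is not code from the original article or from SANS): a small Python hunt that reads outbound-connection log lines and flags source/destination pairs whose connection spacing is regular enough to look like command-and-control beaconing, while bursty user traffic is left alone. The log format, IP addresses and thresholds are constructed assumptions.

```python
# Added example: hunt for beacon-like periodic outbound connections.
# Log format, addresses and thresholds are constructed, not from any real dataset.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<timestamp> <src_ip> <dst_ip> <bytes_out>", one line per outbound connection.
SAMPLE_LOG = """\
2024-01-05T10:00:00 10.0.0.12 203.0.113.7 312
2024-01-05T10:00:02 10.0.0.12 198.51.100.9 48211
2024-01-05T10:01:00 10.0.0.12 203.0.113.7 308
2024-01-05T10:02:01 10.0.0.12 203.0.113.7 315
2024-01-05T10:03:00 10.0.0.12 203.0.113.7 310
2024-01-05T10:03:40 10.0.0.12 198.51.100.9 1200
2024-01-05T10:04:00 10.0.0.12 203.0.113.7 309
2024-01-05T10:05:01 10.0.0.12 203.0.113.7 313
2024-01-05T10:09:15 10.0.0.12 198.51.100.9 7700
"""

def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples; skip malformed lines instead of crashing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_beacons(text, min_conns=5, max_jitter=0.1):
    """Return {(src, dst): (mean_interval_s, jitter)} for pairs whose connection
    spacing is regular enough to look like a beacon. jitter = stdev / mean of the
    inter-connection gaps; interactive user traffic is bursty and scores high."""
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_conns:       # too few connections to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            hits[pair] = (round(avg, 1), round(jitter, 3))
    return hits
```

A hit is only a lead for the investigation step: the hunter still has to check what the destination is, what process opened the connections, and whether a legitimate updater or monitoring agent explains the rhythm.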
In today’s chaotic digital atmosphere, threat hunters need as many skills and tools, and as much information, as they can get. Keeping track of a security perimeter is a 24/7 job, which is where automation tools come in handy. These systems can monitor the network, assisting and alerting the human threat hunter. Quick response and collaborative work can help organizations protect themselves against data breaches and advanced threats.