How does threat hunting help enterprises maintain a more effective cyber security strategy and respond to threats more effectively? What is it about threat hunting activities that measurably reduce risk?
In the following sections, let’s explore how security leaders can leverage the capabilities of a dedicated threat hunting team to mitigate the business impact of potential cyber-attacks and improve Security Operations Center (SOC) processes for threat detection and response.
Threat hunting involves proactively searching for malware or attackers hiding within a network. Typically, threat hunters operate under the assumption that an adversary has already infiltrated the network. The hunter’s daily task involves searching for evidence of infection.
But threat hunting is not limited to threat detection. Many security leaders are not aware that threat hunting professionals provide assistance in reducing the attack surface of the enterprise – improving the security posture of the network, over time.
As a starting point, threat hunters evaluate the network and develop several important baselines. Once that has been accomplished, threat hunters frequently are able to proactively pinpoint misconfigurations within the network as well as policy violations. Threat hunters may also be able to suggest solutions for addressing existing security gaps.
In recent years, the security industry has come to realize that threat actors have the upper hand during the infection process. That’s because defense systems frequently cannot block sophisticated breaches, and threat actors keep evolving and can stay dormant in the network for months. (Research on this topic is available here: 1, 2, 3)
Moreover, the response time for major incidents can run to hours – and during that time, the attacker is free to keep acting on endpoints that have not yet been contained.
Most cybersecurity professionals agree that a SOC requires the following capabilities: a team of well-trained security analysts to triage and handle alerts, an Incident Response team to handle the escalation of major incidents, ongoing intelligence updates (providing key information about new threats and trends), penetration testing routines, and vulnerability assessments.
Threat hunting adds another layer to these capabilities – providing a proactive approach that complements the SOC’s more reactive procedures. It compels organizations to change the way they act in response to threats.
Threat Hunting has two main goals:
Threat hunting requires taking preemptive action – anticipating issues before they have a chance to develop into full-scale problems.
Here are some specific examples of how adopting a threat hunting approach to cybersecurity can have a radical impact on an enterprise’s security operations:
Threat Hunting teams work best when they work from several different angles, in parallel, to reduce the attack surface. For example, CyberProof’s Threat Hunting team maintains six distinct layers of activity:
The success of cyber threat hunting activities can be measured by looking at these layers, e.g., how many use cases were deployed and how many playbooks were developed. A common misconception is that a hunt can only be classified as successful if something malicious has been discovered. But this is not true. In fact, if every hunt uncovers malicious results, that does not signify the success of the hunts but is rather a sign that the organization has poor defenses.
An effective approach to threat hunting involves putting the focus on:
Threat hunters must understand a technique within the context of forensic evidence.
If we look at things from the threat actor’s perspective: When an infection starts, the threat actor begins to explore the network to gain an understanding of where they “landed” – which hosts are visible from each endpoint, where the threat actor could go from a particular location, which crown jewels are accessible in the network, and more. The threat actor must answer all these questions to maximize the impact of the infection. These actions leave their mark on the endpoint – and that’s where the threat hunter’s work begins. From the threat hunter’s perspective, the task is to hunt for evidence of all this threat actor activity, based on any outliers that deviate from the established baselines.
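As an added illustration of the baseline-versus-outlier hunt described above (example code written for this page, not CyberProof’s tooling), the following builds a per-host baseline of which user/process pairs normally execute, then flags executions in a hunt window that are new for that host, ranking them by how few hosts ran the process during the baseline period. The telemetry tuples are constructed sample data, not real logs.

```python
from collections import defaultdict

# Constructed sample telemetry: (host, user, process) per execution event.
# A 30-day "normal" window used to establish the baseline.
BASELINE_EVENTS = [
    ("ws-01", "alice", "outlook.exe"), ("ws-01", "alice", "excel.exe"),
    ("ws-01", "alice", "chrome.exe"),
    ("ws-02", "bob", "outlook.exe"), ("ws-02", "bob", "chrome.exe"),
    ("ws-03", "carol", "outlook.exe"), ("ws-03", "carol", "chrome.exe"),
    # Discovery tooling is routine on the IT operations host only.
    ("admin-01", "itops", "net.exe"), ("admin-01", "itops", "nltest.exe"),
    ("admin-01", "itops", "excel.exe"), ("admin-01", "itops", "chrome.exe"),
]

# Today's hunt window.
HUNT_EVENTS = [
    ("ws-01", "alice", "outlook.exe"), ("ws-01", "alice", "chrome.exe"),
    ("ws-02", "bob", "net.exe"),      # network/share discovery from a user workstation
    ("ws-02", "bob", "nltest.exe"),   # domain trust discovery, same workstation
    ("ws-02", "bob", "nltest.exe"),   # duplicate event, must not double-report
    ("admin-01", "itops", "net.exe"), # expected on the admin host
    ("ws-03", "carol", "excel.exe"),  # new for this host but common elsewhere
]


def build_baseline(events):
    """Return (per_host, prevalence): the (user, process) pairs seen on each host,
    and how many distinct hosts ran each process during the baseline window."""
    per_host = defaultdict(set)
    hosts_per_process = defaultdict(set)
    for host, user, proc in events:
        per_host[host].add((user, proc))
        hosts_per_process[proc].add(host)
    return per_host, {p: len(h) for p, h in hosts_per_process.items()}


def hunt_outliers(baseline, events):
    """Flag executions never seen on that host in the baseline; rarest process first."""
    per_host, prevalence = baseline
    total_hosts = len(per_host)
    seen, findings = set(), []
    for host, user, proc in events:
        if (user, proc) in per_host.get(host, set()) or (host, user, proc) in seen:
            continue
        seen.add((host, user, proc))
        findings.append({"host": host, "user": user, "process": proc,
                         "baseline_hosts": prevalence.get(proc, 0),
                         "total_hosts": total_hosts})
    findings.sort(key=lambda f: (f["baseline_hosts"], f["host"], f["process"]))
    return findings


if __name__ == "__main__":
    for f in hunt_outliers(build_baseline(BASELINE_EVENTS), HUNT_EVENTS):
        print(f"{f['host']} {f['user']} {f['process']}: seen on "
              f"{f['baseline_hosts']}/{f['total_hosts']} hosts in baseline")
```

The ranking puts the workstation that newly ran discovery tooling at the top of the analyst’s queue, while the new-but-common spreadsheet execution sinks to the bottom; in practice the baseline would also cover parent processes, command lines and network destinations.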
The threat hunting process includes several stages, including:
Most cyber hunting activities must be performed by skilled hunters who have the relevant expertise, as this is an approach that combines an in-depth understanding of security tools, analytics, and threat intelligence – with human analytical skills and strong technical instincts. (The exception is IOC hunting, which is the only type of threat hunting that does not require extensive technical knowledge.)
Threat hunters need extensive knowledge of baselining, networking, and operating system internals because they need to “deep dive” into many areas within the environment and investigate operating system (OS) artifacts. Hunters also need forensics skills – as they must understand attack flows and identify the compromise footprints that indicate infection.
Some security leaders settle for allocating cyber hunting activities to senior security analysts as a side activity – rather than having a dedicated threat hunting team. This severely impacts the quality of what threat hunting can provide. True threat hunting capabilities require a significant investment of time and effort in both threat hunting preparations and their execution.
Threat hunting services can be developed in-house – or an enterprise can work with a consultant who provides advanced Managed Detection & Response (MDR) security services and has broad expertise in threat hunting. The advantage of an in-house team is that they know your system well, while the advantage of consultants is that they bring to the table their experience and a broader perspective. Either way, what is key is having a dedicated threat hunting team. An advanced Managed Security Services Provider (MSSP) like CyberProof can help ensure you are set up appropriately and have the necessary threat hunting capabilities to keep your organization safe.
To learn more about how threat hunting can be leveraged to protect your enterprise, contact CyberProof’s dedicated threat hunting team at: hunters@cyberproof.com.