Threat Hunting? What exactly is a Threat?
Living in a connected world, have you thought about how well your organization stands up to information security incidents, or what the root cause of those incidents is? This is where organizations must understand the term threat and how threats exploit the weaknesses in existing infrastructure. A threat is an event or actor that can trigger a security incident by attempting to access, disrupt or damage information. That is where threat hunting becomes important.
Generally, threats are of two types: known and unknown. Known threats are detected by existing security controls such as firewalls, AV, EDR and SIEM. Unknown threats, on the other hand, are capable of bypassing the enterprise security control framework. This is where you need a specialized skill set: proactive threat hunting. The approach helps detect threats that have evaded the detection capability of the deployed controls.
Threat Hunting: In detail
Threat hunting is a proactive approach used by cybersecurity professionals to identify threats lurking in an enterprise network. It helps detect unknown or ongoing, non-remediated threats within the environment. These are typically sophisticated threats that can defeat security controls and avoid easy detection.
Security analysts use several tools and techniques to monitor for, detect and contain threats. An early call is always priceless in the cyber domain, and threat hunters build their expertise around detecting threats before an attack digs in.
The proactive threat hunting model is a security strategy with two significant elements: intelligence and defence. The intelligence element, or proactive threat intelligence, covers the loop of gathering data and tuning and verifying data sources. The defence element covers the countermeasures an organization takes to defend against such cyber-attacks.
Importance of threat hunting
As mentioned, these advanced threats are becoming more sophisticated. Given space, time and resources, they can go undetected for a long time. Enterprises need complete visibility of the threat landscape to detect them swiftly.
A proactive threat detection approach reduces the time from intrusion to discovery. In contrast to traditional detection technologies, it brings a human element to enterprise security alongside automated security technologies.
Some of the benefits of proactive threat hunting are:
- Reducing the probability of being breached
- Augmenting automated detection with human analysis
- Shrinking the attack surface
- Uncovering ongoing, non-remediated threats
- Detecting advanced and sophisticated threat vectors
- Identifying and classifying gaps in visibility and detection
- Creating detailed recommendations or action plans
- Accelerating the speed of response
- Maintaining a strong IT security posture
Modern attacks require a high-level view
Traditional enterprise defence mechanisms revolve around reactive security: responding to a threat only after visible signs of it appear. Advanced threats do not fit this model. They can hold a position in your network without being identified or detected for a prolonged time. The situation demands a proactive threat hunting model with enhanced visibility. Modern threats rarely announce their presence in enterprise networks, so detecting those unknowns in your environment requires threat intelligence and human analysis on top of automated mechanisms.
Proactive Threat Hunting approach
When it comes to the threat hunting process, enterprises must have clear requirements before they start. Make sure the threat hunting team you hire can answer the following questions:
- What are the focus areas of the threat hunting process?
- What will you look for: adversaries, or Indicators of Compromise (IoCs)?
- How will you evaluate the adversaries or IoCs you find?
- How long will the hunt take?
Next, the CISO should prepare a complete checklist for the process. It helps the security team prepare before the process begins. The phases involved in the threat hunting process are:
Set-up phase in Proactive Threat Hunting
The first phase of the proactive threat hunting process is about designing the network and building a safe working environment. The CISO is responsible for equipping that environment with everything the process needs. The next step is to get the hunting team ready for the situation at hand. Forming the team depends on the threat hunters' skills in the following:
- Identifying unusual patterns and mapping them to threat intel feeds.
- Searching for hidden threats and anomalies through continuous monitoring and behavioural analysis.
- Refining response plans when needed.
A hypothesis is a supposition, or proposed explanation, that the threat hunting team makes on the basis of limited evidence. It is the lead for further investigation in proactive threat hunting and detection. Before initiating the hunt, threat hunters build or derive a hypothesis from:
- Threat hunt libraries of Indicators of Attack (IoAs) and adversary tactics, techniques and procedures (TTPs), used to detect unknown threats.
- IoCs acquired from third-party threat intelligence sources, used to detect known but so far undetected threats.
- Entity-specific requirements, based on internal risk and vulnerability assessments.
Search & gather data
What next, once the hypothesis is ready? Information is needed at every stage of the process. Threat hunters collect relevant data (alarms, incidents, raw information) from various sources, such as:
- Event logs from SIEM
- Data from MDR solutions
- NetFlow records from network devices
- AI/ML-based security analytics platforms
If these security solutions are not present in the enterprise, threat hunters use specific collection techniques to gather hunt data themselves. The gathered data is used in the following phases of the proactive threat hunting process.
Data normalization & analysis
Data normalization is the process of organizing the hunt data gathered in the previous phase into a consistent structure: common field names, one time format and time zone, and consistent casing of hostnames and usernames. Normalizing the collected data makes the analysis phase easier and more efficient. The team uses specialized data analytics tools to organize the hunt data.
Once normalization is complete, the threat hunting team performs analysis to determine whether an active threat is present. The whole analysis phase is driven by the derived hypothesis and uses specialized hunting tools for proactive threat detection.
Unfolding new patterns
The threat hunting team combines various tools and methodologies to examine the hypothesis. They identify relationships in the data and try to discover new malicious patterns in the network. The process also recreates attack paths to uncover attacker TTPs. A hunter uses manual techniques, tool-based workflows and analytics to discover malicious patterns. And what if no anomalies or patterns are detected? Then the threat hunters rule out the compromise or strategy described by the hypothesis, as far as the available data can show; a gap in the data is itself a finding worth recording.
Validation & Measuring phase
a. Validation Phase
This is the stage where the threat hunter concludes the evaluation of the hypothesis. A threat hunter can arrive at one of three outcomes:
*The threat is valid
This means the hypothesis was correct, but no threat actor was present in the target environment. It calls for further evaluation of the existing security controls.
*The threat is invalid
This means the hypothesis was incorrect and the data showed no presence of a threat. The hypothesis should be refined in that case.
*Threat actor found
This means the hypothesis was correct and, at the same time, the presence of a threat actor was discovered. This calls for immediate remediation.
b. Measuring phase
Once the cycle is complete, it is time to evaluate the recorded findings. The team measures the success of the hunt with the following:
- Critical incidents spotted
- Record of compromised hosts
- Dwell time of incidents (earliest evidence of compromise to discovery)
- Threat vectors identified
- Insecure practices identified
- Logging gaps identified
- New visibility gained
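The search, normalization, analysis and measuring phases above, carried through as one added example. This code is not from the original article or from any vendor's product. It assumes two constructed sources (a SIEM export of Sysmon-style JSON process events and a space-delimited proxy log), a constructed IoC feed and asset inventory, and three hypotheses of the kinds the article lists (two TTP-based, one IoC-based); the hostnames, IP addresses (taken from the documentation ranges), timestamps and hunt time are all hypothetical.

```python
"""Hypothesis-driven hunt over constructed sample logs: normalise, analyse, measure.
Added example; data, hosts, IPs and hypotheses are hypothetical."""
import json
import re
from datetime import datetime, timezone

# --- Constructed sample data (hypothetical, not from a real environment) ---
# Source 1: SIEM export of Sysmon-style process-creation events, one JSON object per line.
SIEM_JSON_LINES = [
    '{"@timestamp":"2024-03-04T09:12:41Z","host":"WS-017","user":"CORP\\\\jdoe",'
    '"image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe",'
    '"cmdline":"powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="}',
    '{"@timestamp":"2024-03-04T10:02:13Z","host":"ws-042","user":"CORP\\\\asmith",'
    '"image":"C:\\\\Windows\\\\System32\\\\notepad.exe","cmdline":"notepad.exe notes.txt"}',
]
# Source 2: web proxy log, space-delimited: date time client dst_ip method url status.
PROXY_LINES = [
    "2024-03-04 09:13:02 ws-017 203.0.113.45 GET http://203.0.113.45/stage2.bin 200",
    "2024-03-04 09:15:30 ws-042 198.51.100.7 GET http://198.51.100.7/index.html 200",
]
IOC_FEED = {"203.0.113.45"}                     # constructed third-party IoC feed
INVENTORY = {"ws-017", "ws-042", "srv-db-01"}   # assets that are expected to be logging
HUNT_TIME = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)  # when the hunt was run

# --- Normalization: every source lands in the same schema ---
def normalise_siem(line):
    """Map a SIEM JSON event onto the common hunt schema."""
    rec = json.loads(line)
    return {
        "ts": datetime.fromisoformat(rec["@timestamp"].replace("Z", "+00:00")),
        "host": rec["host"].lower(),   # hostname casing differs between sources
        "source": "siem", "kind": "process",
        "user": rec.get("user"), "image": rec.get("image"),
        "cmdline": rec.get("cmdline", ""),
    }

PROXY_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def normalise_proxy(line):
    """Map a space-delimited proxy line onto the common hunt schema."""
    m = PROXY_RE.match(line)
    if not m:
        raise ValueError(f"unparsed proxy line: {line!r}")
    ts, host, dst, method, url, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
        "host": host.lower(), "source": "proxy", "kind": "network",
        "dst_ip": dst, "method": method, "url": url, "status": int(status),
    }

def normalise_all(siem_lines, proxy_lines):
    """Normalise every source into one time-ordered event list."""
    events = [normalise_siem(l) for l in siem_lines] + [normalise_proxy(l) for l in proxy_lines]
    return sorted(events, key=lambda e: e["ts"])

# --- Hypotheses: each is a predicate over one normalised event ---
ENCODED_PS = re.compile(r"(?i)powershell.*\s-(encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}")

def hyp_encoded_powershell(ev):
    """TTP hypothesis from a hunt library: PowerShell started with an encoded command."""
    return ev["kind"] == "process" and bool(ENCODED_PS.search(ev["cmdline"]))

def hyp_ioc_destination(ev):
    """IoC hypothesis from a threat-intel feed: outbound request to a listed destination."""
    return ev["kind"] == "network" and ev["dst_ip"] in IOC_FEED

def hyp_schtasks_persistence(ev):
    """TTP hypothesis: persistence via a newly created scheduled task (no hits in this sample)."""
    cmd = ev.get("cmdline", "").lower()
    return ev["kind"] == "process" and "schtasks" in cmd and "/create" in cmd

HYPOTHESES = {
    "encoded PowerShell (T1059.001)": hyp_encoded_powershell,
    "IoC-feed destination": hyp_ioc_destination,
    "schtasks persistence": hyp_schtasks_persistence,
}

def run_hunt(events, hypotheses):
    """Analysis phase: test every hypothesis against every event and record the hits."""
    return [
        {"hypothesis": name, "host": ev["host"], "ts": ev["ts"], "source": ev["source"]}
        for name, check in hypotheses.items()
        for ev in events
        if check(ev)
    ]

def measure(findings, events, hypotheses, inventory, hunt_time):
    """Measuring phase: hits per hypothesis, compromised hosts, dwell time, logging gaps."""
    first_seen = min((f["ts"] for f in findings), default=None)
    return {
        "hits_per_hypothesis": {n: sum(f["hypothesis"] == n for f in findings) for n in hypotheses},
        "compromised_hosts": sorted({f["host"] for f in findings}),
        "dwell": (hunt_time - first_seen) if first_seen else None,  # earliest sighting to hunt
        "logging_gaps": sorted(set(inventory) - {e["host"] for e in events}),
    }

if __name__ == "__main__":
    evs = normalise_all(SIEM_JSON_LINES, PROXY_LINES)
    hits = run_hunt(evs, HYPOTHESES)
    for h in hits:
        print(f"{h['ts']:%Y-%m-%d %H:%M:%S} {h['host']:8} {h['source']:6} {h['hypothesis']}")
    print(measure(hits, evs, HYPOTHESES, INVENTORY, HUNT_TIME))
```

Two points the numbers alone do not show. The hypothesis with zero hits is not automatically "invalid": the analyst still has to decide whether the data would have shown the behaviour had it occurred (the article's "valid, no actor" outcome) or the hypothesis itself needs refining. And the host that appears in the inventory but in no log source is a logging gap, reported here alongside the compromised-host record because a hunt that cannot see a host cannot clear it. The encoded-PowerShell pattern is the kind of logic the enhance-detection phase would carry over into the SIEM as a standing rule once the hunt is over.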
Remediation & Detection
a. Threat remediation
This phase follows when a threat actor is discovered. Here, the threat hunting team identifies the action plans or remediation efforts needed to eliminate the threat, prioritizes them by risk, and calls for an urgent response where needed. The phase also includes advisory help, live response and breach support for the affected enterprise.
b. Enhance detection
So, what if the threat is valid but no threat actor is present? This is where the detection capability of the organization's security controls should be evaluated. The threat hunting team identifies the indicators and detection logic that can be deployed in the target security controls, so that the next occurrence is caught automatically rather than by another hunt.
Tying it all together
So, here we are after exploring what proactive threat hunting is all about. We have covered modern-day attacks, the threat hunting approach and its connected elements. With increasing business complexity, enterprises are often far from aware of persistent threats. It may seem that you are unaffected by cyber threats until you face a real breach. That is where early detection of threats using proactive threat intelligence hits the mark. Enterprises need to consider threat hunting to uncover the most significant threats hiding right under their nose.