A Comprehensive Guide to Threat Hunting

Cybercriminals are working daily to invent new ways to evade detection. The expansion of the supply chain, and the increased dependence on third-party vendors to support core business functions have made the IT environments more open and complex, allowing threat actors to find different ways to hide. Threat hunting helps detect unknown and advanced cyber-attacks.

In today’s information age, more organizations are opting to utilize digital solutions to support core business functions. Digitalization brings various benefits to organizations including reducing operational costs, enhancing efficiency, and fostering competitive advantages, however, it also introduces various challenges, especially when it comes to IT security.

Cybersecurity remains a major concern for organizations across all industries. This concern has only intensified with the rise of the COVID19 pandemic, which resulted in a large portion of the global workforce no longer working in secure corporate office buildings, and instead conducting business from their very own homes. This new working model has expanded the attack surface of organizations making them more vulnerable to cyber threats.

This larger attack surface, coupled with the rising costs of cyber-attacks are major concerns for organizations. According to Cyber Security Ventures, the global cost of cybercrime is projected to reach $10.5 trillion annually by 2025. The cost of data breaches is also on the rise mainly due to the emergence of worldwide data protection laws imposing large fines and penalties on companies if sensitive customer data is exposed publicly. According to IBM’s Cost of a Data Breach Report 2021, the cost of a data breach has risen to reach US$ 4.24 million. This number is expected to increase in the short term as more organizations shift their sensitive data and applications to the cloud.   

Given the increase in cyber threats and the costs associated with, organizations should strive to become proactive rather than reactive when planning their cyber defense strategies. Incorporating threat hunting capabilities into an organization’s current cyber defense plan will better foster their ability to detect advanced and unknown cyber-attacks.

What is Threat Hunting?

Nowadays, organizations deploy many security solutions such as Firewalls, IPS/IDS, NDR, SIEM, EDR, and antivirus to protect their network. However, cybercriminals still find ways to sneak in and bypass traditional security defenses. Threat hunting is defined as the practice of searching for threats that have bypassed network security perimeters, it assumes suspicious activities are occurring but have not been detected yet. Threat hunting can be executed either manually or using automated tools (sometimes, powered by machine learning and artificial intelligence technologies) to find indicators of attacks (IoAs) and indicators of compromise (IoCs) within an IT environment.

Advanced threat actors, such as APT groups, remain undetected for months and even years after gaining initial access to the target network. They spy on network interactions, exfiltrate data, and steal the credentials of key employees to move laterally across the network and reach more sensitive information. After adversaries reach this phase of the attack, detecting them becomes very difficult, and most organizations lack the capabilities to detect advanced threat actors. Threat hunting will complement an organization’s cyber defense strategy by detecting threat actors who are leveraging the most sophisticated attack techniques and tools to remain unnoticed for an extended period of time.

Cybercriminals are working daily to invent new ways to evade detection. The expansion of the supply chain, and the increased dependence on third-party vendors to support core business functions have made the IT environments more open and complex, allowing threat actors to find different ways to hide. Threat hunting helps detect unknown and advanced cyber-attacks by:

  1. Reducing the time from intrusion to detection
  2. Revealing advanced threat actors who might be hidden in an IT environment for a long time
  3. Discovering threat actors early before they cause further damage (e.g., exfiltrate sensitive data or plant additional malware, such as ransomware).
  4. Aiding in investigating the security incidents that have already occurred and helping formulate a proper response to similar incidents to prevent them from re-occurring 
  5. Fostering the overall cyber defense of organizations and improving their IT security postures

Types of Threat Hunting

Threat hunting can be performed using one of the following three techniques:

Structured Hunting

During structured threat hunting, the hunter will try to determine the attacker’s intent and predict how they will behave to infiltrate the system. Threat hunters will use the indicators of attack (IoA), a series of steps or tactics that attackers must follow to succeed in their attack, to assist in their efforts. Such tactics are available in structured frameworks, such as the MITRE ATT&CK, which lists the most common tactics and techniques leveraged by adversaries when attacking computer systems. One example of such an attack technique is using Spear-phishing to steal a user’s credentials. This type of attack will begin with a well-crafted email message pretending to be from a legitimate, trusted entity and will ask the user to click a malicious link within the email or download a malicious malware attachment.

Unstructured Hunting

In an unstructured hunt, the hunt is typically triggered by an indicator of compromise (IoC). An IoC is any object or activity whose existence may indicate a security problem or breach in the system. There are different types of IoC, such as:

  • Suspicious processes or applications
  • Malicious IP addresses belonging to botnets or ransomware operators
  • Data transfers over unexpected ports
  • A large number of unsuccessful logins attempts in a short period

The IoC will act as a clue for the hunter to investigate the pre-and post-detection patterns. The hunter may also search previous security logs and incidents to better understand what is happening. 

Situational or Entity Driven Hunting

In this type of hunting, the threat hunter will focus on high-value entities within the system that are considered lucrative targets for hackers. For instance, high-value assets include sensitive data, critical applications, and the credentials of key employees, like IT and database administrators and development managers. Cyber attackers commonly choose targets for their high value, and threat hunters will give high priority to assessing the security of these entities.    

Threat Hunting Techniques

Threat hunters assume threat actors are already within an IT environment. To find them, threat hunters will use any of the following four techniques.  

Hypothesis-Driven Hunting

This is a proactive threat hunting strategy that works by making a hypothesis based on evidence from the security environment. This hypothesis will be used as the starting point for the threat hunting activity.

A threat hunt hypothesis can be defined as an idea that is based on some observations acquired from different sources, including:

  • Cyber threat intelligence feeds
  • Researching a particular threat actor
  • Vulnerability scans
  • Incident reports
  • Security alerts
  • Malware analysis reports

Regardless of the source used for the hypothesis, any threat hunting hypothesis must be testable using data and tools to consider it valid.  

Intelligence-Driven Hunting

In intelligence-based hunting, data from different intelligence sources is aggregated to form a profile of what a cyberattack or malicious campaign of a particular threat group may look like. There are different types of intelligence data sources, including:

  • Indicators of compromise
  • IP addresses
  • Domain names
  • External threat intelligence sources, such as threat data from the computer emergency response teams (CERTs)

Intelligence-driven hunting commonly utilizes SIEM tools to hunt for threats. A SIEM tool is fed with different intelligence sources and used to search for potential threats.  

Investigating Using Indicators of Attack

In this proactive threat hunting technique, hunters use tactics, techniques, and procedures (TTP) and IoA associated with a specific threat actor group. This technique works as follows:

  • The first step is identifying the threat actor group, such as ransomware or APT group.
  • Threat hunters will then assess the threat actor’s common attack tools and techniques to create a threat hunting hypothesis that aligns with the MITRE ATT&CK guidelines. For instance, some APT groups use malware-less and remote desktop (RDP) to gain a foothold in the target IT environment.
  • After identifying the possible behaviors of the threat group and their associated malicious patterns, the threat hunter will begin their work to find and isolate the threat.   

Hybrid Hunting

As its name implies, all previous hunting models are utilized to discover threats in hybrid hunting. This method requires sophisticated skills and threat hunters need to leverage different tools and techniques. Hybrid hunting is commonly used when an organization suspects adversaries penetrated its systems but does not know the extent to which they have infiltrated or moved laterally within its IT environment. 

The Three Steps of Threat Hunting

A typical proactive threat hunting process is composed of the following three phases:

Trigger

A trigger is a malicious event that draws the attention of a threat hunter to investigate its root cause. The trigger does not need to be an indicator of compromise. For example, a hypothesis based on a modern threat can be the basis of a trigger used to initiate threat hunting activities. A SOC team may also search for threat actors utilizing a newly discovered zero-day exploit.

Investigation

After identifying the trigger or forming a hypothesis, the threat hunter will begin investigating the target environment using different tools and techniques, including considering additional scenarios about potential threats. The investigation will continue until the supposed hypothesis or possible threat is either proven or disproven.  

Resolution

Based on the information collected during the investigation phase, threat hunters will communicate their findings to other security teams, such as the incident response team, to act accordingly and mitigate the threats. The resolution phase can be executed without human intervention. For example, the gathered threat information can be fed into automated threat detection tools to enhance their detection capability.

The gathered threat information is critical to preventing future cyber threats. For instance, threat hunters will analyze collected information to understand their adversary’s capabilities and their preferred tools and techniques used in an attack. This knowledge will help organizations advance their cyber defenses and prevent similar cyber threats from happening in the future.     

How Can DruvStar Help?

DruvStar’s MDR solution uses advanced tools, professionals, and threat hunting to protect businesses. Learn more about DruvStar’s managed detection and response service.

Our MDR service provides several important features that go beyond the scope of many standard MDR solutions, including:

  • 24/7 monitoring by a team of dedicated security experts 
  • incident response and escalation in line with the NIST cybersecurity standard 
  • vulnerability management to help uncover configuration and credential exposure risks that endanger your digital assets and sensitive data
  • comprehensive visibility through unlimited log access and event data
  • cloud monitoring to identify cloud risks and simply cloud security
  • SIEM technology included, which essentially makes it two solutions in one 
  • compliance reporting capabilities

Contact us today to learn more about how we can help your business improve its information security posture. 

Related Posts

banner_securityProcess

Creating a Secure Product Launch: Essential Steps for Ensuring Product Security Before Release

Implementing a comprehensive security process before releasing a product ensures its safety and reliability. The process consists of a series of steps, including evaluating the product’s security requirements, identifying potential security threats and vulnerabilities, creating a security plan, testing the product to verify that the security plan is effective, and
Medibank blog banner

Medibank Data Breach: Actionable Advice For Protecting Your Organization From Similar Attacks

Organizations have become heavily reliant on digital solutions to run their business in today’s digital age. For organizations to work efficiently it’s imperative that they process and store sensitive customer and employee data. Failing to protect this data can put the affected organization against various legal consequences. The recent attack
dataMapping

Why Data Mapping Is the First Step to Improving Your Data Security Compliance

Organizations’ IT environments have become more hybrid and span cloud and on-premise infrastructure. Having a centralized solution for data mapping to discover all sensitive data assets becomes critical to achieving compliance. Automated solutions that leverage Artificial Intelligence and Machine Learning in technologies can find sensitive data hiding in both structured
Scroll to Top

Get In Touch