Threat Hunting

Threat hunting refers to the proactive and iterative search for advanced cyber threats that evade existing security solutions. It involves deeply analyzing an organization's infrastructure logs, endpoint data, network traffic, etc. to detect malicious activity.

Threat hunting has become a critical practice in security operations as cyberattacks grow more sophisticated and difficult to detect. Organizations rely on threat hunters and their investigative skills to identify hidden threats before they can cause real damage.

Key Concepts

Definition

Threat hunting is the human-led, proactive pursuit of evidence indicating compromise or threat actor activity within an environment. It focuses on detecting and investigating known or unknown threats that exist in the environment but are not detected by automated security solutions.

Purpose

The purpose of threat hunting is to find threats that have evaded existing defenses. It serves as a last line of defense when prevention and automated detection fail. Threat hunting helps defend against advanced persistent threats (APTs), ransomware, zero-day exploits, and other attacks.

Relevance

Threat hunting complements and augments other security measures like firewalls, intrusion detection systems, antivirus software, etc. It provides depth to a defense-in-depth security posture. With the increasing sophistication of cyber threats, threat hunting is becoming indispensable.

Also Known As

• Cyber threat hunting
• Advanced threat hunting
• Proactive threat detection

Components/Types

There are two main types of threat hunting:

Hypothesis-Driven Hunting

This involves creating hypotheses around tactics, techniques, and procedures (TTPs) that an attacker might use to compromise the environment. Hunters then check for evidence to prove or disprove the hypotheses.

Data-Driven Hunting

This uses statistical modeling and machine learning on the environment's data to detect anomalies that could indicate threats. Data-driven hunting does not begin with predefined hypotheses.

Examples

• Analyzing process execution trees to detect malicious processes masquerading as legitimate ones.
• Inspecting DNS traffic for algorithmically generated domains used by malware.
• Identifying unusual outbound network connections to potential command and control servers.
• Detecting privilege escalation attempts and other attack phase behaviors.

Importance in Cybersecurity

Security Risks

Without proactive threat hunting, organizations risk letting stealthy attackers operate undetected within their networks for long periods of time. This dwell time enables adversaries to gain a foothold, move laterally, and complete their objectives before automated defenses detect them.

Mitigation Strategies

• Hire specialized threat hunters to manually hunt for advanced threats.
• Implement threat hunting tools like SIEMs and EDRs to enable data-driven hunts.
• Continually evaluate and enhance the threat hunting program based on findings.

Best Practices

• Define the scope, schedule, and documenting process for hunts.
• Leverage threat intelligence to guide hunting hypotheses.
• Create automated hunting rules and analytics wherever possible.
• Focus hunts on critical assets, key terrain, and past targets.
• Collaborate hunting insights with other security teams like SOC.

Related Terms

• Security Operations Center (SOC): Benefits from threat hunting program insights.
• Incident Response: Activated in response to threats discovered during hunts.
• Digital Forensics: Helps investigate and validate threats after discovery.

Further Reading

• Sqrrl Whitepaper. A Framework for Cyber Threat Hunting.
• SANS Paper. The Who, What, Where, When, Why and How of Effective Threat Hunting.

Threat hunting is the human-driven, iterative searching for advanced threats that bypass existing security solutions. Combining threat intelligence-based hypotheses and data-driven analytics, threat hunters proactively investigate known and unknown threats. Threat hunting augments automated detection and acts as a last line of defense against sophisticated cyberattacks. With cyber threats growing in impact and frequency, threat hunting programs are becoming indispensable to robust security.