Unlike automated systems that passively react to alerts, threat hunting is about actively looking for anomalies and malicious activities to catch cyber threats before they cause damage. Threat hunting assumes that a breach has already occurred and aims to reduce the dwell time of threat actors within a system. It’s like playing a game of hide-and-seek with cybercriminals—the goal is to find them first before they accomplish their objectives.
The effectiveness of threat hunting is not merely determined by the tools or technologies used but, more importantly, by the skills and intuition of the threat hunter. These analysts must have a deep understanding of both normal and abnormal network activity and possess the ability to think like an attacker. This combination allows them to spot subtle signs of infiltration that may otherwise go unnoticed.
This is part of a series of articles about application security.
In this article:
- Why Is Threat Hunting Important?
- Threat Hunting vs. Threat Intelligence
- The Threat Hunting Methodology and Process
- Types of Threat Hunting Investigations
- What’s Required for Cyber Threat Hunting?
- 3 Threat Hunting Frameworks
- Machine Learning and AI in Threat Hunting
Why Is Threat Hunting Important?
The increasing sophistication of cyber threats and their ability to evade traditional security measures requires a more proactive approach. Threat hunting addresses this need by actively seeking out threats, providing a deeper level of security and significantly reducing the risk of a successful attack.
Threat hunting also contributes to a more robust cybersecurity infrastructure by providing insights and feedback that can be used to improve existing systems. Each hunt yields valuable data about the current state of a network’s security and the tactics, techniques, and procedures (TTPs) used by attackers. This information can then be used to update threat intelligence, enhance security systems, and train staff, thereby strengthening the organization’s overall security posture.
Another significant advantage of threat hunting is reducing the dwell time of attackers on a network. The longer a threat actor goes undetected, the more damage they can inflict. By actively seeking out these threats, threat hunters can identify and neutralize them much faster, minimizing potential damage and protecting valuable assets.
Threat Hunting vs. Threat Intelligence
Threat intelligence refers to information about potential or existing threats that could harm an organization. It involves collecting and analyzing data from various sources to provide actionable insights about threat actors, their motivations, methods, and the likely targets. The goal of threat intelligence is to inform decision-making and enhance the effectiveness of security measures.
Threat hunting involves actively looking for threats within an environment. It uses threat intelligence as a foundation but extends beyond it by focusing on identifying threats that have bypassed existing security measures. Thus, while threat intelligence provides the necessary information and insights, threat hunting uses this information to actively seek out threats.
In essence, threat intelligence is like a roadmap, providing information about potential dangers and their locations, while threat hunting is the process of using that map to navigate the terrain and seek out the threats.
The Threat Hunting Methodology and Process
Step 1: Hypothesis
The first step in the threat hunting process involves forming a hypothesis. This is a statement or a theory about the potential threats that might exist within a system. The hypothesis can be based on a variety of factors, including recent threat intelligence reports, anomalies detected in network traffic, or even intuition based on past experiences.
The hypothesis serves as the starting point for the investigation. It provides a direction to the threat hunting process, guiding the subsequent steps. It’s important to note, however, that the hypothesis doesn’t have to be correct. Even if it proves to be wrong, the process of testing the hypothesis can still provide valuable insights and data.
Step 2: Collect and Process Data
Once a hypothesis is formed, the next step involves collecting and processing relevant data. This could include network logs, endpoint data, threat intelligence reports, and more. The data collected should be relevant to the hypothesis and help in either proving or disproving it.
This step is crucial as it provides the raw material for the investigation. The quality and relevance of the data collected significantly impact the effectiveness of the threat hunting process. Therefore, it’s important to have robust data collection and processing mechanisms in place.
Step 3: Trigger
The trigger phase involves identifying the specific indicators of compromise (IoCs) that support the initial hypothesis. These could include unusual network traffic patterns, suspicious log entries, or abnormal system behavior. The trigger serves as a ‘smoking gun’—a clear sign of a potential threat.
Identifying the trigger is often the most challenging part of the threat hunting process. It requires a deep understanding of normal system behavior and the ability to distinguish between benign anomalies and potential threats.
Step 4: Investigation
After identifying the trigger, the next step is to conduct a thorough investigation. This involves analyzing the collected data, correlating different pieces of information, and trying to understand the extent and nature of the potential threat.
The investigation phase is critical to validate the initial hypothesis and to understand the scope of the potential threat. This phase can often be time-consuming and complex, requiring advanced analytical skills and tools.
Step 5: Response and Resolution
The final step in the threat hunting process is response and resolution. If the investigation validates the initial hypothesis and identifies a threat, the focus shifts to containing and eradicating the threat. This could involve isolating affected systems, removing malicious files, or blocking malicious IP addresses.
Once the threat is neutralized, it’s important to conduct a post-mortem analysis to understand how the threat bypassed existing security measures and what can be done to prevent similar incidents in the future. This feedback loop is crucial for continually improving the organization’s security posture.
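The five steps above, carried through as one small hypothesis-driven hunt. This is an added example and not code from the original article: the SSH and sudo log lines are constructed, the hypothesis ("an attacker guessed an SSH password and then escalated privileges") is chosen for illustration, and the thresholds (five failures within ten minutes, a thirty-minute post-login window, the list of sensitive commands) are assumptions to be tuned to a real environment.

```python
"""Hypothesis-driven hunt over constructed SSH/sudo log lines (added example).

Step 1, the hypothesis: an attacker guessed an SSH password on one of our hosts
and then used that account to escalate privileges. The functions below map onto
Steps 2-5 of the methodology: collect/parse, trigger, investigate, respond.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Step 2: constructed sample events standing in for collected auth logs (not real data).
SAMPLE_LOGS = """\
2024-05-01T10:00:01 host-a sshd[211]: Failed password for root from 203.0.113.9 port 4410
2024-05-01T10:00:02 host-a sshd[211]: Failed password for root from 203.0.113.9 port 4411
2024-05-01T10:00:03 host-a sshd[211]: Failed password for admin from 203.0.113.9 port 4412
2024-05-01T10:00:04 host-a sshd[211]: Failed password for admin from 203.0.113.9 port 4413
2024-05-01T10:00:05 host-a sshd[211]: Failed password for deploy from 203.0.113.9 port 4414
2024-05-01T10:00:09 host-a sshd[211]: Accepted password for deploy from 203.0.113.9 port 4415
2024-05-01T10:01:30 host-a sudo: deploy : COMMAND=/usr/sbin/useradd -m svc-backup
2024-05-01T10:02:00 host-a sudo: deploy : COMMAND=/bin/cat /etc/shadow
2024-05-01T10:05:00 host-b sshd[340]: Failed password for alice from 198.51.100.7 port 5001
2024-05-01T10:05:20 host-b sshd[340]: Accepted password for alice from 198.51.100.7 port 5002
2024-05-01T11:00:00 host-c sshd[512]: Failed password for bob from 192.0.2.44 port 6001
2024-05-01T11:00:01 host-c sshd[512]: Failed password for bob from 192.0.2.44 port 6002
2024-05-01T11:00:02 host-c sshd[512]: Failed password for bob from 192.0.2.44 port 6003
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[a-z]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"(?P<user>\S+) : COMMAND=(?P<cmd>.*)$")

# Thresholds are assumptions for this example; tune them to the environment's baseline.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)
POST_LOGIN_WINDOW = timedelta(minutes=30)
SENSITIVE = ("useradd", "usermod", "/etc/shadow", "crontab")


def parse_logs(text):
    """Step 2: normalise raw lines into events, oldest first; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, proc, msg = datetime.fromisoformat(m["ts"]), m["host"], m["proc"], m["msg"]
        if proc == "sshd":
            for kind, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
                hit = rx.search(msg)
                if hit:
                    events.append({"ts": ts, "host": host, "kind": kind, "user": hit["user"], "ip": hit["ip"]})
                    break
        elif proc == "sudo":
            hit = SUDO_RE.search(msg)
            if hit:
                events.append({"ts": ts, "host": host, "kind": "sudo", "user": hit["user"], "cmd": hit["cmd"]})
    return sorted(events, key=lambda e: e["ts"])


def find_triggers(events):
    """Step 3: the 'smoking gun' is a source IP with many recent failures on a host
    followed by an accepted login from that same IP on that host."""
    failures = defaultdict(list)  # (host, ip) -> timestamps of failed logins
    triggers = []
    for ev in events:
        if ev["kind"] == "failed":
            failures[(ev["host"], ev["ip"])].append(ev["ts"])
        elif ev["kind"] == "accepted":
            recent = [t for t in failures[(ev["host"], ev["ip"])] if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                triggers.append({"host": ev["host"], "ip": ev["ip"], "user": ev["user"],
                                 "login_ts": ev["ts"], "failures": len(recent)})
    return triggers


def investigate(trigger, events):
    """Step 4: correlate what the account did on the host after the suspicious login."""
    start, end = trigger["login_ts"], trigger["login_ts"] + POST_LOGIN_WINDOW
    cmds = [ev["cmd"] for ev in events
            if ev["kind"] == "sudo" and ev["host"] == trigger["host"]
            and ev["user"] == trigger["user"] and start <= ev["ts"] <= end]
    sensitive = [c for c in cmds if any(marker in c for marker in SENSITIVE)]
    # The hypothesis is only confirmed if privilege escalation is actually observed.
    return {**trigger, "post_login_commands": cmds, "sensitive_commands": sensitive,
            "confirmed": bool(sensitive)}


def plan_response(finding):
    """Step 5: containment and eradication actions for a confirmed finding."""
    if not finding["confirmed"]:
        return []
    return [f"isolate {finding['host']} from the network",
            f"block {finding['ip']} at the perimeter",
            f"reset credentials for {finding['user']} and review accounts created after {finding['login_ts']:%H:%M}"]


def hunt(log_text):
    """Run the whole loop and return one record per trigger, confirmed or not."""
    events = parse_logs(log_text)
    findings = [investigate(t, events) for t in find_triggers(events)]
    return [{"finding": f, "response": plan_response(f)} for f in findings]


if __name__ == "__main__":
    for item in hunt(SAMPLE_LOGS):
        f = item["finding"]
        print(f["host"], "confirmed" if f["confirmed"] else "unconfirmed", item["response"])
```

On the constructed data only host-a produces a trigger: host-b shows one mistyped password followed by a normal login, and host-c shows failures with no success, so neither meets the trigger definition. The host-a trigger is then confirmed by the post-login `useradd` and `/etc/shadow` read, which is what turns a hypothesis into a finding with a response plan; a trigger with nothing suspicious afterwards would be returned with `confirmed` set to `False` and an empty response list, and still feeds the post-mortem as a disproved hypothesis.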
Types of Threat Hunting Investigations
Structured
Structured threat hunting involves a methodical and systematic approach, where security teams follow a set procedure or playbook. This type of investigation usually begins with a hypothesis about a potential threat or an anomaly, followed by a rigorous investigation to prove or disprove the hypothesis.
The advantage of structured threat hunting is that it’s repeatable and measurable, allowing teams to learn from past investigations and refine their methods over time. However, the downside is that it can sometimes be too rigid, potentially missing out on novel or unexpected threats.
Unstructured
In contrast to the structured approach, unstructured threat hunting is more flexible and creative. Here, security teams don’t necessarily start with a hypothesis. Instead, they explore the network with an open mind, looking for any signs of suspicious activity or anomalies that could indicate a threat.
Unstructured threat hunting capitalizes on the intuition, experience, and expertise of the security analyst. It allows for the discovery of new attack vectors and techniques that may not have been anticipated in a structured investigation. However, this approach can be time-consuming and challenging to measure due to its open-ended nature.
Situational or Threat Intelligence-based
The situational or threat intelligence-based approach to threat hunting combines elements of both structured and unstructured investigations. It’s based on knowledge about current threat trends, attacker tactics, techniques, and procedures (TTPs), or specific intelligence about a potential threat.
In this case, threat hunters use this intelligence to guide their investigation, focusing on areas or behaviors that are most likely to be targeted by the identified threats. This approach allows for targeted and efficient investigations, but its effectiveness largely depends on the quality and relevance of the threat intelligence used.
What’s Required for Cyber Threat Hunting?
Effective threat hunting requires a combination of human expertise, an effective organizational model, advanced tools and technology, and access to relevant data.
Human Hunters
At the heart of successful threat hunting are the human hunters—cybersecurity professionals who possess a deep understanding of networks, systems, and vulnerabilities. These individuals need to be highly skilled, with expertise in areas like network forensics, endpoint analysis, and advanced threat detection.
Human hunters should be curious and persistent, always questioning the status quo and willing to dig deep to identify hidden threats. They should also be comfortable working with a range of technologies, from traditional security tools to advanced analytics and artificial intelligence.
Organizational Model
The organizational model is another critical aspect of effective threat hunting. An organization should have a clear structure and process in place for conducting threat hunting activities. This includes defined roles and responsibilities, standard operating procedures, and a collaborative culture that encourages information sharing and continuous learning.
The model should also provide for regular training and development opportunities for threat hunters, ensuring they stay updated on the latest threat trends and technologies.
Tools and Technology
Threat hunting is not a manual process—it involves the use of advanced tools and technologies to collect, analyze, and visualize data. This typically includes security information and event management (SIEM) systems, endpoint detection and response (EDR) solutions, network traffic analysis tools, and more.
These tools help hunters to sift through large volumes of data, identify patterns and anomalies, and accelerate the investigation process. They also provide capabilities like real-time monitoring, threat intelligence integration, and automated response, enhancing the effectiveness of threat hunting activities.
Data
Data is the lifeblood of threat hunting. Without access to the right data, even the most skilled threat hunter will struggle to identify and isolate threats. This includes data from various sources, like logs, network traffic, endpoint data, threat intelligence feeds, and more.
The key here is not just to collect as much data as possible, but to collect the right data—data that is relevant, reliable, and actionable. Plus, organizations need to have the capabilities to store, process, and analyze this data effectively and make it useful for threat hunters.
3 Threat Hunting Frameworks
Here are three popular, formalized frameworks that can help your organization get started with threat hunting.
The Sqrrl Threat Hunting Reference Model
The Sqrrl Threat Hunting Reference Model is a comprehensive guide that provides a structured approach to uncovering hidden threats in your network. The model proceeds through the following stages:
- Purpose: Defines the reason and objectives for hunting. It involves understanding the context of the threat and what you hope to achieve.
- Hypothesis: Involves formulating educated guesses about potential threats based on the purpose.
- Discovery / detection: Involves looking for evidence to prove or disprove the hypothesis. This could involve searching for specific indicators of compromise or looking for anomalies in user behavior or system logs.
- Investigation: Involves verifying whether the discovered anomalies are indeed threats or false positives.
- Response: Involves taking appropriate actions to mitigate the threat and prevent future occurrences.
TaHiTI: Targeted Hunting Integrating Threat Intelligence
TaHiTI is a model that integrates threat intelligence into the hunting process. The idea is to leverage existing knowledge about threats to guide your hunting activities.
TaHiTI involves three main steps:
- Preparation: Involves gathering and analyzing threat intelligence. This could involve subscribing to threat intelligence feeds, analyzing recent breaches, or researching the latest malware trends.
- Hunting: Involves using the gathered intelligence to guide your hunting. You might, for instance, look for indicators of a recently disclosed zero-day vulnerability in your logs.
- Iteration: Involves refining your hunting activities based on the results. If you didn’t find any threats, for example, you might need to refine your intelligence gathering or hunting techniques. If you did find threats, you would mitigate them and use the knowledge gained to improve your future hunting.
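The hunting and iteration steps of TaHiTI, worked as code. This is an added example, not part of the original article or of the TaHiTI model's own materials: the intelligence feed (a single domain indicator) and the DNS resolution log lines are constructed. The first pass matches the feed directly; each later pass treats the infrastructure discovered by the previous matches (the answer IPs, and the names that resolved to them) as new indicators and searches again until nothing new turns up, which is one concrete form of the refine-and-repeat loop the text describes.

```python
"""Intelligence-driven hunt with iterative pivoting over constructed DNS logs (added example)."""

# Constructed intelligence feed: one known-bad domain, no IP indicators yet.
INTEL = {"domains": {"bad.example"}, "ips": set()}

# Constructed DNS resolver log: timestamp, client host, queried name, answer IP.
DNS_LOGS = """\
2024-05-02T09:00:00 host-1 bad.example 203.0.113.50
2024-05-02T09:05:00 host-2 other.example 203.0.113.50
2024-05-02T09:06:00 host-2 mail.example 198.51.100.20
2024-05-02T09:10:00 host-3 cdn.example 192.0.2.10
2024-05-02T09:11:00 host-4 other.example 203.0.113.50
"""


def parse_dns(text):
    """Turn log lines into records; malformed lines are dropped rather than guessed at."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, qname, answer = parts
        rows.append({"ts": ts, "host": host, "qname": qname, "answer": answer})
    return rows


def hunt_with_intel(rows, intel, max_rounds=5):
    """Hunting step: match the feed. Iteration step: pivot on what the matches reveal.

    Returns the matched rows, a per-round summary, and the expanded indicator sets.
    max_rounds bounds the pivoting so a busy shared IP cannot pull in the whole log.
    """
    domains, ips = set(intel["domains"]), set(intel["ips"])
    hits, rounds, seen = [], [], set()
    for rnd in range(1, max_rounds + 1):
        new_hits = [r for r in rows
                    if (r["qname"] in domains or r["answer"] in ips)
                    and (r["host"], r["qname"]) not in seen]
        if not new_hits:
            break
        seen.update((r["host"], r["qname"]) for r in new_hits)
        hits.extend(new_hits)
        rounds.append({"round": rnd, "hosts": sorted({r["host"] for r in new_hits})})
        # Pivot: everything the matches resolved to, and every name that resolved there,
        # becomes an indicator for the next pass. Shared hosting can make this pivot
        # over-inclusive, so second-round hits are leads to verify, not confirmed findings.
        before = (len(domains), len(ips))
        ips.update(r["answer"] for r in new_hits)
        domains.update(r["qname"] for r in new_hits)
        if (len(domains), len(ips)) == before:
            break
    return {"hits": hits, "rounds": rounds, "domains": domains, "ips": ips}


if __name__ == "__main__":
    result = hunt_with_intel(parse_dns(DNS_LOGS), INTEL)
    for summary in result["rounds"]:
        print(f"round {summary['round']}: {summary['hosts']}")
```

Round one finds only host-1, which queried the domain in the feed. The pivot learns the answer IP and round two surfaces host-2 and host-4, which resolved a different name to the same address; round three finds nothing new and the loop stops. The expanded `domains` and `ips` sets are exactly the knowledge gained that TaHiTI feeds back into the next hunt.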
PEAK: Prepare, Execute & Act with Knowledge
The PEAK (Prepare, Execute & Act with Knowledge) model is another three-stage threat hunting model. It includes the following phases:
- Prepare: Understanding your environment and setting clear objectives for your hunting. This could involve mapping your network, identifying key assets, or defining what constitutes normal behavior.
- Execute: Involves actively searching for threats based on the preparation. This could involve looking for anomalies, correlating events, or searching for known indicators of compromise.
- Act with knowledge: Involves responding to the identified threats and learning from the process. This could involve mitigating the threats, refining your hunting techniques, or improving your defenses based on the knowledge gained.
Machine Learning and AI in Threat Hunting
Machine learning and artificial intelligence (AI) models can be invaluable tools in threat hunting. They can analyze vast amounts of data much faster than humans and can identify patterns and anomalies that would be difficult for humans to spot.
For example, User and Entity Behavior Analytics (UEBA) systems, based on machine learning, can establish a baseline of normal behavior in a network. Any deviations from this baseline can then be flagged as potential threats. Another way machine learning is used in threat hunting is to automate parts of the hunting process. For instance, AI systems can be used to automatically correlate events, analyze logs, and even automatically respond to identified threats.
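The baseline-and-deviation idea behind UEBA, reduced to its core as an added example (not code from the article or from any UEBA product): a per-user profile is learned from constructed history, then new observations are scored against it. The history, the two features (login hour and outbound volume), the seven-day minimum for a usable baseline and the three-sigma threshold are all assumptions made for the illustration.

```python
"""Behavioral baseline with anomaly scoring, the core of the UEBA idea (added example).

Everything here is constructed; real UEBA systems learn far richer features, but the
shape is the same: profile normal per entity, then score deviations for a human to review.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: 20 days of (user, login hour, outbound bytes) per user, standing in
# for weeks of authentication and network telemetry.
HISTORY = (
    [{"user": "alice", "hour": 8 + i % 3, "bytes_out": 50_000_000 + (i % 5) * 1_000_000} for i in range(20)]
    + [{"user": "bob", "hour": 9 + i % 3, "bytes_out": 20_000_000 + (i % 4) * 500_000} for i in range(20)]
)

# Today's constructed observations to score against the baseline.
TODAY = [
    {"user": "alice", "hour": 3, "bytes_out": 900_000_000},   # 03:00 login, many times her usual volume
    {"user": "bob", "hour": 10, "bytes_out": 20_500_000},     # ordinary day
    {"user": "carol", "hour": 9, "bytes_out": 1_000_000},     # no history at all
]

MIN_DAYS = 7        # assumption: fewer days than this is not a usable baseline
Z_THRESHOLD = 3.0   # assumption: flag volumes more than 3 sigma above the user's mean


def build_baseline(history):
    """Learn, per user, the login hours seen and the mean/stdev of outbound volume."""
    per_user = defaultdict(list)
    for rec in history:
        per_user[rec["user"]].append(rec)
    baseline = {}
    for user, recs in per_user.items():
        volumes = [r["bytes_out"] for r in recs]
        baseline[user] = {"n": len(recs), "hours": {r["hour"] for r in recs},
                          "mean": mean(volumes), "stdev": pstdev(volumes)}
    return baseline


def score(record, baseline):
    """Return the reasons a record deviates from its user's profile (empty list = normal)."""
    prof = baseline.get(record["user"])
    if prof is None or prof["n"] < MIN_DAYS:
        # An unseen entity is not proof of anything, but it is not "normal" either.
        return ["no usable baseline for user (review manually)"]
    reasons = []
    if record["hour"] not in prof["hours"]:
        reasons.append(f"login at hour {record['hour']}, baseline hours {sorted(prof['hours'])}")
    # Floor the deviation at 1% of the mean so a near-constant history does not make every
    # small change look extreme (and so a zero stdev cannot cause a division by zero).
    sigma = max(prof["stdev"], 0.01 * prof["mean"])
    z = (record["bytes_out"] - prof["mean"]) / sigma
    if z > Z_THRESHOLD:
        reasons.append(f"outbound volume z-score {z:.1f}")
    return reasons


def evaluate(records, baseline):
    """Score every record and return only those worth a hunter's attention."""
    flagged = []
    for rec in records:
        reasons = score(rec, baseline)
        if reasons:
            flagged.append({"user": rec["user"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for item in evaluate(TODAY, build_baseline(HISTORY)):
        print(item["user"], "->", "; ".join(item["reasons"]))
```

On the constructed data alice is flagged twice (an hour she has never logged in at, and a volume far above her mean), bob is not flagged, and carol is surfaced only because she has no baseline. That last case is the point of the caveat that follows: the model produces leads, and deciding whether a new account or a late login is a problem remains the hunter's job.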
However, while machine learning and AI can greatly enhance threat hunting, they are not a replacement for human intuition and expertise. They should be seen as tools to aid the human hunter. It’s the combination of human expertise and machine efficiency that makes for truly effective threat hunting.