An Introduction to Cyber Threat Hunting

‍What is threat hunting?

Threat hunting is the process of looking for cyber threats that make it past an organisation's perimeter cyber defence systems undetected, and already exist in its environment. It is especially useful for post-compromise detection of Advanced Persistent Threats (APTs) or advanced attacks that are either state-sponsored, or funded by large, organised criminal groups. The main premise of threat hunting is that an intrusion has already occurred and undetected threats exist in an internal network.  

"Threat hunting is the human-driven activity of proactively and iteratively searching through the organization's environment (network, endpoints and applications) for signs of compromise in order to shorten the dwell time and minimize the breach impact for the organization."

Practical Threat Intelligence and Data-Driven Threat Hunting, Valentina Palacin

Why is threat hunting important?

Threat actors are always looking for security loopholes and new vulnerabilities that allow them to successfully penetrate a network undetected. Even the most advanced tools can't detect and block every threat, and the threats that aren't caught at the perimeter can remain in enterprise networks for a long time – from several weeks to several months. This extended lifespan of a threat allows attackers to move laterally through the network, steal sensitive data, disrupt operations and cause irrevocable damage to businesses.  

How threat hunting helps:

• Active and proactive threat hunting reduces the time between intrusion and discovery, and can protect businesses from major financial and reputational losses.  
• Regular threat hunts also help organisations get a better understanding of their environment and security vulnerabilities, shrink their attack surface, and improve their overall security posture.  
• Threat hunters can proactively find and neutralise sophisticated threats that can't be tackled by traditional security systems, before they cause serious damage.  

For instance, in a ransomware attack, an attacker has to go through multiple stages (initial access, command & control, lateral movement, privilege escalation) prior to the point where data can be encrypted and exfiltrated. An organisation with strong threat hunting capabilities and a defence-in-depth approach to security will very likely catch the threat before the final stage, preventing massive potential losses.  

The inclusion of threat hunting in NIST 800-53  

In September 2020, the National Institute of Standards and Technology (NIST) included Threat Hunting as one of the controls under its Security and Privacy Controls for Information Systems and Organizations [Special Publication 800-53, Revision 5, Risk Assessment (RA-10)]. The reason this is important is that:

1. NIST standardised the definition of threat hunting for organisations trying to use it as a detection mechanism, and also defined what constitutes an indicator of compromise. - "Threat hunting is an active means of cyber defense in contrast to traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code."  
2. It clearly defined what a threat hunting capability was required to do, i.e., (a) Search for indicators of compromise in organizational systems; and (b) Detect, track, and disrupt threats that evade existing controls

While threat hunting was being employed by security teams even prior to NIST's inclusion of it in SP 800-53, its standardisation as a security control formalised its use for detection. It also gave organisations looking for security services a way to better assess threat hunting MDR service providers.

Difference between a SOC analyst and a threat hunter

A SOC analyst monitors network activity, and handles, triages and escalates security alerts generated by threat detection tools. These are usually threats with known signatures and IoCs fed into a SIEM platform, and the analyst's role is to respond appropriately when an alert is thrown. The role is reactive in nature, meaning that the analyst takes action only when a threat is detected by a tool.

A threat hunter, on the other hand, proactively looks for threats that make it into the company network undetected. The idea here is to find malicious activity and threats that are missed by the tools. Threat hunting is usually informed by a deep understanding an organisation's IT environment,  the region or industry it is operating in, and current attack trends. It relies heavily on human intelligence and analytical ability, along with technology to ingest and parse vast amounts of data.  

Threat hunting skillset

While there is no ideal combination of skills and traits that threat hunters must have, it helps if they:

• Have a few years of experience in network and endpoint security
• Are creative, and can think from the attacker's point of view to come up with strong hypotheses
• Have some experience in data science, analytics and baselining  
• Are familiar with the business, industry or political context in which the hunt is planned
• Understand multiple different types of threat intelligence
• Are familiar with MITRE's ATT&CK Framework
• Understand the organisation's IT infrastructure and network architecture, operating systems and the tools to be used

A note about threat hunting tools

For a hunt to be effective, it is critical for the threat hunter to have complete, end-to-end visibility into the target network and endpoints. In advanced threat hunting, logs collected from endpoints, Windows events, antivirus tools, and proxies/firewalls are ingested by a security data lake (included in most next-gen SIEM solutions). This data can then be normalised, enriched, searched through, and analysed by hunters using powerful behaviour analytics and machine learning tools.

Types of threat hunting

Threat intelligence-based hunting

Threat intel-based hunting is a reactive hunting model based on Indicators of Compromise (IoCs) from threat intelligence sources input into the company SIEM to generate alerts. The IoCs can be hash values, domain names, IP addresses, networks, and host artifacts, among others.

Hypothesis-based hunting

Hypothesis-based hunting is a proactive threat hunting model that focuses on attacker tactics, techniques and procedures (TTPs), as opposed to IoCs. It starts with the hunt team forming a hypothesis based on possible attack scenarios and adversaries, and then focusing on the techniques that would support the hypothetical attack. Threat hunters use attacker TTPs and global detection playbooks to find anomalous activity.  

Custom hunting  

Custom hunting is based on an organisation's specific requirements and the context in which the hunt is to be conducted. It can be informed by an industry trend, a geopolitical situation, or specific threats that an organisation finds itself most vulnerable to. Custom hunting uses a combination of techniques from the first two hunting models.  

Threat hunting process

While different organisations may plan and carry out their hunts in various different ways, they usually include some or most of the following steps:

• Defining the purpose and desired outcomes of the hunt in relation to business objectives  
• Setting the scope of the hunt and coming up with a hypothesis based on intelligence and industry context  
• Identifying the endpoints, devices and networks that data will be drawn from
• Deciding which tools, techniques and methods will be used for collecting and analysing data
• Carrying out the hunt (by emulating an adversary) and investigating the hypothesis using the appropriate tools  
• Documenting the hunt observations and the patterns or aberrations that are identified
• If the hunt is successful, automating the parts of it that may be useful for future hunts
• Refining the process

Threat hunting as part of MDR

One of the biggest reasons for the emergence and popularity of Managed Detection and Response (MDR) is its focus on finding stealthy, advanced threats that already exist within an enterprise environment, undetected by perimeter tools. Threat hunting fits perfectly into this use case due to its proactive nature and the fact that it relies on human intelligence and the creative use of cyber threat intel to look for post-compromise threats. This makes it an integral part of any reputed MDR service. It is also among the cyber security services that are best handled by professionals because of the expertise and specific skillset and tools required to execute it successfully.  

LinearStack's threat hunting expertise

LINEARSTACK's MDR service includes both active and proactive threat hunting to look for advanced threats in your environment. Our threat hunting team conducts regular table top exercises, and dedicates more than 80 hours a week to malware and threat research.  

We use the MITRE ATT&CK Framework to plan our threat hunts, and continually develop new hunt cases to run in your environment in order to detect malicious activity that is not picked up by automated technologies. Our team's deep knowledge of emerging threats, combined with high-fidelity telemetry and real-time visibility into your environment, makes threat discovery faster and more reliable.

To know more about how our threat hunting capabilities and 24/7 MDR service can augment your cyberdefence, book a free two-hour consult with one of our experts. You can email us at  info@linearstack.co.nz or call us at 0800 008 795.

Read more here: https://www.linearstack.co.nz/managed-services/managed-detection-response