Threat hunting is the process by which specialized security analysts proactively hunt for threat actor behavior and attempt to defend their network before real damage can be done. The word “specialized” is critical to understanding what it takes to stand up a successful threat-hunting strategy, as the skill takes time to learn and is in high demand.
According to a SANS Institute survey, only 31% of organizations had dedicated threat-hunting staff in 2017. Four years later, the same survey saw that number jump to 93% of organizations surveyed. The need for threat-hunting specialists has increased over the past half decade, and for good reason: the barrage of attacks against enterprise organizations is growing at an alarming pace, and waiting for an attack to happen and then responding is no longer sufficient.
Indeed, the increase in threat hunting has also been found to increase many organizations’ overall threat intelligence capabilities and security postures. SANS has seen that, because of the increase in threat hunting, security teams are getting better at continuously monitoring, and are experiencing fewer false positives.
Threat hunting models aren’t easy to put into place, and there are several methodologies. Therefore, it’s important to define the goal of a specific threat hunt. From there, a team can begin to define the techniques needed to action a successful hunt.
So, what exactly are the specific functions in a threat hunt? As discussed above, the goals of individual hunts will vary. Accordingly, so will the detailed aspects of each hunt.
Let’s take a look at some of the more common elements a seasoned security pro can expect when engaging in a new hunt.
Depending on the hypothesis to be tested or the overall goal, data collection will come from different types of network logs (DNS, firewall, proxy), various sources of threat detection telemetry beyond the perimeter, and/or specific endpoint data.
Several tools like Slack and Microsoft Teams can be automated into threat hunting workflows, triggering new service tickets, kicking off new hunts and investigations, and – when necessary – querying individual endpoint or network users.
It's critical to document the outcomes of a hunt, whether considered successful or not. No matter the end result, this reference can serve as a baseline for actions to take on future hunts with similar goals and help identify a potential repeat threat actor.
Even though a fair bit of automation is used in any given threat hunt, it is the people working in a security organization that will calibrate those automations. From endpoint telemetry, to alerts, to network traffic analysis, technology bolsters analysts’ abilities to seize on insights faster and shut down threats more definitively.
In order to conduct a successful threat hunt, it’s critical to know – as discussed above – what the goal of the hunt is. Based on the determined goal(s), the hunt will typically fall into one of the formats discussed below.
This threat-hunting process is typically kicked off when members of a security organization observe an anomalous event recurring over time with increasing frequency. From there, the team can form a hypothesis about what might be taking place and decide whether that hypothesis is actually testable. Testing it will then confirm whether malicious activity is present or not.
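The hypothesis-driven flow described above, as an added example that is not part of the original article: a handful of constructed DNS log lines (not real telemetry) are parsed, an assumed anomaly predicate (first label of the queried name is exactly 12 hex characters, a machine-generated look) marks the event the hunters noticed, and the testable claim "this event is becoming more frequent" is checked by counting matches per day and confirming the count rises every day. The log format, the predicate and the host names are all assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample DNS log lines for this example (not from the article).
# Assumed format: "<ISO timestamp> <client host> <queried name>"
SAMPLE_DNS_LOGS = """\
2024-03-01T09:12:01 ws-01 www.example.com
2024-03-01T09:13:44 ws-01 a3f9c2e8b1d4.updates.example-cdn.test
2024-03-02T10:01:09 ws-07 mail.example.com
2024-03-02T11:45:30 ws-01 9e1d7c4b2a6f.updates.example-cdn.test
2024-03-02T14:02:12 ws-01 0b8e6d5c3a2f.updates.example-cdn.test
2024-03-03T08:30:00 ws-07 www.example.com
2024-03-03T09:10:51 ws-01 7c5a1b3e9f0d.updates.example-cdn.test
2024-03-03T12:47:19 ws-07 4d2e8f6a1c9b.updates.example-cdn.test
2024-03-03T16:05:33 ws-01 2f0a9c7d5e3b.updates.example-cdn.test
2024-03-03T17:22:08 ws-01 6b4d2f0a8c1e.updates.example-cdn.test
"""

# Assumed anomaly predicate for this hunt: the first DNS label is exactly
# 12 lowercase hex characters, which looks machine-generated rather than
# human-chosen. A real hunt would substitute whatever the team observed.
HEX_LABEL = re.compile(r"^[0-9a-f]{12}$")


def parse_dns_logs(text):
    """Parse log lines into (timestamp, host, query) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, query = line.split()
        events.append((datetime.fromisoformat(ts), host, query))
    return events


def is_anomalous(query):
    """True when the queried name matches the hunt's anomaly predicate."""
    first_label = query.split(".")[0]
    return bool(HEX_LABEL.match(first_label))


def daily_counts(events, predicate):
    """Count events whose query matches predicate, per calendar day."""
    counts = Counter()
    for ts, _host, query in events:
        if predicate(query):
            counts[ts.date().isoformat()] += 1
    return dict(sorted(counts.items()))


def evaluate_hypothesis(events, predicate, min_days=3):
    """Test the claim 'the anomalous event is becoming more frequent'.

    Returns the per-day counts, the hosts involved, and whether the count
    rose on every observed day across at least min_days days.
    """
    counts = daily_counts(events, predicate)
    values = list(counts.values())
    increasing = (len(values) >= min_days and
                  all(later > earlier for earlier, later in zip(values, values[1:])))
    hosts = sorted({host for _ts, host, query in events if predicate(query)})
    return {"counts": counts, "hosts": hosts, "increasing": increasing}


if __name__ == "__main__":
    result = evaluate_hypothesis(parse_dns_logs(SAMPLE_DNS_LOGS), is_anomalous)
    print(result)
```

On the constructed data the per-day counts are 1, 2 and 4, so the hypothesis is supported and the hunt would move on to examining ws-01 and ws-07; a flat or falling trend would send the team back to refine the predicate rather than escalate.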
Let's now take a look at some of the specific tools and processes by which a hunter can test a hypothesis and determine if a threat is indeed real.
A SIEM platform can detect security issues by centralizing, correlating, and analyzing data across a network. The core functionality of a SIEM includes log management and centralization, security event detection and reporting, and search capabilities.
Endpoint analytics correlate endpoint data with user analytics and threat intelligence to detect suspicious endpoint activity and to determine whether the user is even aware of the activity on their system.
Network monitoring tools observe network availability and activity to identify anomalies, including security and operational issues. They give hunters both a real-time and a historical record of what is occurring on the network.
By maintaining visibility of real-time threat feeds, hunters will become familiar with potential threats that are most relevant to their environment and therefore know how to better defend against those threats.
Threat hunters would ideally use a cloud security tool to monitor multi- and hybrid-cloud environments that are particularly susceptible to risk. By ingesting data such as user activity, logs, and endpoints, analysts should be able to gain a clear snapshot of the business’ IT footprint and any suspicious activity present.
The process of analyzing user behavior consists of gathering insight into network events that users generate daily. Once collected and analyzed, those events can be used to detect the use of compromised credentials, lateral movement, and other malicious behavior.
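The user-behaviour analysis just described, as an added example that is not part of the original article: constructed authentication log lines (assumed format "timestamp user source-host destination-host result") are split into a baseline period and a hunt period at an assumed cutoff date. The baseline records which hosts each user normally logs in from and reaches; hunt-period logons from a never-seen source host are flagged as consistent with compromised credentials, and a fan-out to several never-seen destination hosts is flagged as lateral-movement-like spread. Host names, user names, the cutoff and the spread threshold are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log lines (not from the article).
# Assumed format: "<ISO timestamp> <user> <source host> <destination host> <result>"
SAMPLE_AUTH_LOGS = """\
2024-03-01T08:02:11 alice ws-01 fs-01 success
2024-03-01T08:05:40 alice ws-01 mail-01 success
2024-03-02T08:01:03 alice ws-01 fs-01 success
2024-03-02T09:14:22 bob ws-02 fs-01 success
2024-03-03T08:00:57 alice ws-01 fs-01 success
2024-03-03T10:30:12 bob ws-02 dev-01 success
2024-03-10T02:14:05 alice ws-09 fs-01 success
2024-03-10T02:15:31 alice ws-09 fs-02 success
2024-03-10T02:16:02 alice ws-09 dc-01 failure
2024-03-10T02:16:40 alice ws-09 dc-01 success
2024-03-10T09:01:12 bob ws-02 fs-01 success
"""

# Assumed split between the learning period and the period being hunted.
BASELINE_CUTOFF = datetime.fromisoformat("2024-03-10T00:00:00")


def parse_auth_logs(text):
    """Parse log lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "result": result})
    return events


def build_baseline(events, cutoff):
    """Per user: the source hosts they normally log in from and the
    destination hosts they normally reach, learned from successful logons
    before the cutoff."""
    baseline = defaultdict(lambda: {"src": set(), "dst": set()})
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            baseline[e["user"]]["src"].add(e["src"])
            baseline[e["user"]]["dst"].add(e["dst"])
    return baseline


def hunt_user_behaviour(events, cutoff, spread_threshold=2):
    """Compare post-cutoff successful logons with the baseline and report,
    per user with any deviation:
      new_sources      - source hosts never seen for that user (a pattern
                         consistent with compromised credentials)
      new_destinations - hosts the user reached for the first time
      lateral_spread   - True when at least spread_threshold new destinations
                         were reached, the fan-out typical of lateral movement
    """
    baseline = build_baseline(events, cutoff)
    deviations = {}
    for e in events:
        if e["ts"] < cutoff or e["result"] != "success":
            continue
        known = baseline[e["user"]]  # empty sets for a user with no baseline
        dev = deviations.setdefault(
            e["user"], {"new_sources": set(), "new_destinations": set()})
        if e["src"] not in known["src"]:
            dev["new_sources"].add(e["src"])
        if e["dst"] not in known["dst"]:
            dev["new_destinations"].add(e["dst"])

    report = {}
    for user, dev in deviations.items():
        if not dev["new_sources"] and not dev["new_destinations"]:
            continue  # activity fully inside the baseline: nothing to report
        report[user] = {
            "new_sources": sorted(dev["new_sources"]),
            "new_destinations": sorted(dev["new_destinations"]),
            "lateral_spread": len(dev["new_destinations"]) >= spread_threshold,
        }
    return report


if __name__ == "__main__":
    print(hunt_user_behaviour(parse_auth_logs(SAMPLE_AUTH_LOGS), BASELINE_CUTOFF))
```

On the constructed data bob's hunt-period activity stays inside his baseline and produces no finding, while alice's 02:00 logons from the never-seen ws-09 and her first-ever reach to fs-02 and dc-01 are reported together, which is the combination a hunter would pull timeline and endpoint data for next. A production baseline would be learned over weeks rather than three days and would also model time-of-day, which this example deliberately leaves out.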
What are some specific threat-hunting steps to take when leveraging the right tools to test a well-formulated and specific hypothesis?
It's critical to identify – and ultimately automate the process of – collecting the data that will enable action. If a security team suspects malicious activity, they’ll want to collect and examine forensic artifacts from across the network. Part of this process is efficiently triaging and analyzing forensic evidence to quickly determine a root cause of the incident.
Several threat-hunting managed services partners or solutions will feature built-in queries and rules – to automatically surface alerts based on defined criteria – to quickly aid threat hunters in a search for widely known exploits and/or threat actors. However, it helps to maintain the ability for a security team to customize those queries so they’re asking the questions that best fit the agreed-upon hypothesis.
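The built-in-rule-plus-customization idea from the two steps above, as an added example that is not part of the original article or of any vendor's product: a small rule evaluator runs over constructed endpoint process events (hosts, users, parent and child process names, and command lines with an obvious placeholder where an encoded payload would be), a generic built-in rule surfaces every encoded PowerShell launch, and two derived rules narrow that question to the team's hypothesis without editing the built-in rule itself. The event fields, the rule syntax and every host or user name are assumptions made for this example.

```python
import re

# Constructed sample endpoint process events (not from the article).
# The "<placeholder>" stands in for whatever argument followed the flag.
EVENTS = [
    {"host": "ws-01", "user": "alice", "parent": "winword.exe",
     "process": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand <placeholder>"},
    {"host": "ws-02", "user": "bob", "parent": "explorer.exe",
     "process": "powershell.exe", "cmdline": "powershell.exe -File backup.ps1"},
    {"host": "srv-01", "user": "svc_deploy", "parent": "deploy-agent.exe",
     "process": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand <placeholder>"},
    {"host": "ws-03", "user": "carol", "parent": "excel.exe",
     "process": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ws-05", "user": "bob", "parent": "explorer.exe",
     "process": "powershell.exe",
     "cmdline": "powershell.exe -enc <placeholder>"},
]

# Assumed rule syntax: a rule is a name plus lists of (field, operator, expected)
# conditions that must all hold and exclusions that must all fail.
OPERATORS = {
    "equals": lambda value, expected: value == expected,
    "in": lambda value, expected: value in expected,
    "contains": lambda value, expected: expected.lower() in value.lower(),
    "regex": lambda value, expected: re.search(expected, value, re.IGNORECASE) is not None,
}


def matches(rule, event):
    """True when every condition holds and no exclusion holds for the event."""
    for field, op, expected in rule["conditions"]:
        if not OPERATORS[op](event.get(field, ""), expected):
            return False
    for field, op, expected in rule.get("exclusions", []):
        if OPERATORS[op](event.get(field, ""), expected):
            return False
    return True


def run_rules(rules, events):
    """Evaluate each rule over all events; returns {rule name: [matching hosts]}."""
    return {rule["name"]: [e["host"] for e in events if matches(rule, e)]
            for rule in rules}


def customize(rule, name, add_conditions=(), add_exclusions=()):
    """Derive a tuned copy of a built-in rule, leaving the original untouched."""
    return {"name": name,
            "conditions": list(rule["conditions"]) + list(add_conditions),
            "exclusions": list(rule.get("exclusions", [])) + list(add_exclusions)}


# Generic built-in rule: PowerShell launched with an encoded command
# (-enc or -EncodedCommand, matched case-insensitively).
BUILTIN_ENCODED_PS = {
    "name": "builtin: encoded powershell",
    "conditions": [("process", "equals", "powershell.exe"),
                   ("cmdline", "regex", r"-enc(odedcommand)?\b")],
}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

# Hypothesis 1: document-borne execution, so only Office parents matter.
HUNT_OFFICE_SPAWNED = customize(
    BUILTIN_ENCODED_PS, "hunt: office-spawned encoded powershell",
    add_conditions=[("parent", "in", OFFICE_PARENTS)])

# Hypothesis 2: workstation activity only; servers are covered by another hunt.
HUNT_WORKSTATIONS = customize(
    BUILTIN_ENCODED_PS, "hunt: encoded powershell on workstations",
    add_exclusions=[("host", "regex", r"^srv-")])


def run_hunt(events=EVENTS):
    return run_rules([BUILTIN_ENCODED_PS, HUNT_OFFICE_SPAWNED, HUNT_WORKSTATIONS], events)


if __name__ == "__main__":
    for name, hosts in run_hunt().items():
        print(f"{name}: {hosts}")
```

The built-in rule fires on three hosts, the Office-parent variant narrows that to the one workstation where a document viewer spawned the shell, and the workstation variant drops the deployment server; the point is that the tuned rules are derived from the shared one, so a vendor update to the built-in rule flows into them on the next `customize` call.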
Threat hunting techniques should constantly evolve according to the TTPs currently being used by threat actors. While not always easy to uncover, continuous research into adversarial behaviors will keep security defenders proactive, sharp, and ready.
Of course, it’s a tall order to constantly stay on top of TTP research and other intelligence sources, which is where a managed threat hunting partner can help accelerate the process and potentially bolster the success of a threat intelligence program.