What is Cyber Threat Hunting?
Cyber threat hunting is a proactive threat detection work method. Generally, it is the process of actively looking for the traces of attackers (past and present) in an IT environment.
The underlying assumption threat hunters make, that attackers are already present in the environment, helps them find the attackers' traces before any alerts are generated by security controls.
This is in contrast to traditional defensive or preventative measures, where the defender investigates data only after a threat indication has been raised. A cyber threat hunter would normally demonstrate both analytical and creative skills, and benefits from a strong understanding of adversary cyber tactics, techniques and procedures (TTPs).
Thinking like an adversary
Thinking like an attacker helps a hunter understand how cyber adversaries would act in the context of a specific organization and its operational objectives. For example, a cyber operation against a cloud-based software development company with 5K employees would not be carried out the same way as a cyber operation against a hardware SMB. To examine possible operation methods, a threat hunter should hypothesize specific Tactics, Techniques, and Procedures (TTPs), understand how these TTPs would appear in specific organizational data sources, and search for them there.
Examining known attack behaviors
Despite discovering hundreds of organizational cyberattacks per day, "traditional" security products do not address or document the TTPs that cyber attackers commonly use; they focus merely on IOCs. Another threat hunting method is therefore to study published attacks and research their attack behaviors in depth. From there, a good threat hunter will build powerful new attack hypotheses, relying on the newly discovered attack behaviors and techniques.
Hunting anomalies in known environments
Cyberattackers' activity is inherently different from that of employees and insiders, because they have different goals. This means that they will always leave traces. Threat hunters can surface these traces as anomalies by using different statistical outlier algorithms. For example, in an environment with thousands of benign endpoints and only a few that are compromised, specific activities will immediately stand out as anomalous in a statistical analysis. From there, the hard work is understanding whether these anomalies represent malicious activity or not. An experienced hunter will enrich the statistical analysis with relevant features, differentiators and labels to raise its efficiency.
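As an added example, not part of the original page or any vendor's product, the following Python script applies this kind of host-prevalence outlier analysis to constructed parent/child process telemetry: pairs seen on only a tiny fraction of hosts are flagged, and analyst-supplied labels weight the ranking. The host names, process names and label weights are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry: (host, parent_process, child_process).
# 1,000 hosts run the usual chains; a handful show an unusual parent/child pair.
def build_sample_events():
    events = []
    for i in range(1000):
        host = f"ws-{i:04d}"
        events.append((host, "explorer.exe", "outlook.exe"))
        events.append((host, "explorer.exe", "chrome.exe"))
        events.append((host, "services.exe", "svchost.exe"))
    # Three hosts where an Office document spawned a scripting interpreter.
    for host in ("ws-0042", "ws-0317", "ws-0808"):
        events.append((host, "winword.exe", "powershell.exe"))
    # One host with a rare but probably benign admin tool (a false-positive candidate).
    events.append(("ws-0001", "explorer.exe", "wireshark.exe"))
    return events

def host_prevalence(events):
    """Map each (parent, child) pair to the set of hosts it was seen on."""
    seen = defaultdict(set)
    for host, parent, child in events:
        seen[(parent, child)].add(host)
    return seen

def find_outliers(events, max_ratio=0.01, labels=None):
    """Flag pairs seen on at most max_ratio of all hosts; weight by analyst labels."""
    labels = labels or {}
    seen = host_prevalence(events)
    total_hosts = len({h for h, _, _ in events})
    findings = []
    for (parent, child), hosts in seen.items():
        ratio = len(hosts) / total_hosts
        if ratio <= max_ratio:
            # Rarer pairs score higher; labels on either process multiply the score.
            score = (1 - ratio) * labels.get(child, 1.0) * labels.get(parent, 1.0)
            findings.append({"parent": parent, "child": child,
                             "hosts": sorted(hosts), "prevalence": ratio,
                             "score": round(score, 3)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

# Hypothetical analyst labels: interpreters spawned by Office apps get more weight.
LABELS = {"powershell.exe": 3.0, "winword.exe": 2.0}

if __name__ == "__main__":
    for finding in find_outliers(build_sample_events(), labels=LABELS):
        print(finding)
```

The labelled Office-to-interpreter chain ranks first; the lone Wireshark launch is still reported, but with a lower score, which is where the analyst's triage work described above begins.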
Threat Hunting in the Evolution of Threat Detection & Response
The cybersecurity 'Threat Detection and Response' domain has gained tremendous traction in recent years. Now, security leaders are looking to extend it across the enterprise and to do so at scale.
Preventing the threat
Blocking hackers from accessing organizational networks
Detecting the threat
Scanning networks for known vulnerabilities identified by previous breaches
Autonomous Threat Hunting
Intercept clever threats that manage to bypass existing controls and detect attacks from the get-go with proactive, autonomous threat hunting
A New Chapter in Threat Detection & Response
New Threat Detection and Response solutions push beyond the single point, and rise above data noise
In order to rapidly detect threats and effectively respond, enterprises today need to acquire the following features in threat detection and response: