Proactive search for complex threats seems to be a useful technology, but one inaccessible to many organizations. Is that really so? What do companies need to do to start Threat Hunting? What tools does it require? What trends can be expected in this area in the coming years? These are some of the questions I would like to answer in this article.
What is Threat Hunting?
Threat Hunting is a proactive search for threats, conducted on the assumption that the network is already compromised. The hunter must understand how the network normally operates in order to identify attacks by examining the anomalies that are present.
Threat Hunting is a search for threats that have already bypassed automated detection systems. Moreover, most often, you do not have signals or alerts that allow you to detect an intrusion.
From the SOC perspective, Threat Hunting is an extension of the service that allows you to counter intruders of any skill level, including those who use previously unknown tools and methods.
Threat Hunting can start from data obtained by a security specialist, or from a hypothesis. If testing the hypothesis confirms it, the result can later be used to improve the processes and mechanisms for detecting new threats. Threat Hunting also allows you to find blind spots in the security system and expand the monitoring area.
What organizations need Threat Hunting?
Proactive threat hunting is relevant to organizations that could become the target of a complex, targeted APT attack. At the same time, given the trend towards supply chain attacks, even a small company may become a target for motivated attackers.
It should be noted that the organization's maturity is very important for implementing Threat Hunting. Since the result of hunting for threats should be an improvement in the quality of the detection process, such a process must at least already exist in the company.
Business leaders must come to understand that they really need Threat Hunting. To do this, you first need to build a system of information security processes and assess risks and assets in order to understand how valuable the organization's data is to possible attackers and how vulnerable it is.
All of the above applies to implementing Threat Hunting in-house. Threat Hunting as a service can be popular among companies of any size that are ready to give third-party security services access to their infrastructure.
What tools do you need for Threat Hunting?
"Raw" data about the system's operation is essential: host event logs and logs from public and private network segments. In most cases, analyzing them helps to detect traces of an attack. Threat Hunting also uses network traffic analysis tools, EDR, and behavioral analysis tools. In addition, configuration and asset monitoring systems, as well as external data sources, are a great help.
A security information and event management (SIEM) system can serve as the storage that accumulates the collected data, and a SOAR approach helps link different sources of information together and prevent duplication of indicators.
In addition to data sources, an infrastructure is also needed that includes tools for automating analysts' work and for visually representing the chain of events as interconnected graphs.
At the same time, no automation can replace the intuition and experience of a threat hunter. An enquiring mind, curiosity, and Threat Intelligence at heart are far more valuable than tools and services. Threat Hunting is impossible without a human.
Where and when does Threat Hunting begin?
Let us try to figure out what triggers hypothesis testing in Threat Hunting. Threat Hunting is based on Cyber Threat Intelligence, so one of the main triggers is information about other attacks or about different intruders' actions and techniques. Here is a good example: many of us raise our information security awareness by reading and studying the latest information about cyber-attacks and apps on specialized security websites and researchers' blogs. Such data can initiate a search for similar threats in the monitored system.
Analysts must draw information from different sources and prioritize among them. The hypotheses worth checking are those that lie outside the detection zone of the security tools and could be used to carry out an attack. At the same time, the experience of the threat hunter and his personal assessment of the danger of particular threats are of great importance.
Several sources from which Threat Hunting begins:
Information about a vulnerability that is likely to be present in the monitored network.
Researching key business assets that attackers could target.
External indicators of compromise - data on attacks on other organizations.
Also, we should not forget about new, previously unknown threats; information about them can also serve as a starting point for a search. It is also important to have a systematic set of data-compromise indicators.
The most effective way to test Threat Hunting is to simulate an attack. Threat hunting detects less than 1% of incidents. However, you should not treat that 1% as a measure of its effectiveness, since these information security events, which are not detected by security tools, can be the most dangerous to your business.
As for the first steps an organization should take to start Threat Hunting, experts point to a basic assessment of risks and assets and of the possible impact of potential attacks on them. It is important to understand what the company's critical assets are, where they are located, and what business processes they are involved in. The next step is collecting as many logs and as much metadata as possible from monitored systems. Analysis of this information will provide the first hypotheses.
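To make the hypothesis-testing loop and the "collect logs, then form hypotheses" steps concrete, here is an added example that is not part of the original article. It runs one hunt over constructed process-creation telemetry from three workstations: a CTI-driven hypothesis ("an Office application launched a command interpreter") is checked directly, and a frequency-stacking pass lists parent/child process pairs seen on only one host as leads for the analyst. The field names (ts, host, user, parent, image) are assumptions modelled loosely on EDR/Sysmon-style records, not any product's real schema, and the events themselves are invented.

```python
"""Hypothesis-driven threat hunt over process-creation telemetry.

Added example, not code from the original article. The events below are
constructed, and the record schema (ts, host, user, parent, image) is an
assumption, not any product's real format.
"""
import json
import ntpath
from collections import defaultdict

# Constructed sample telemetry: one JSON object per line, three workstations.
# The last line is deliberately malformed to show how the parser copes.
SAMPLE_EVENTS = r"""
{"ts": "2023-03-01T08:00:00", "host": "ws01", "user": "SYSTEM", "parent": "services.exe", "image": "svchost.exe"}
{"ts": "2023-03-01T08:00:00", "host": "ws02", "user": "SYSTEM", "parent": "services.exe", "image": "svchost.exe"}
{"ts": "2023-03-01T08:00:00", "host": "ws03", "user": "SYSTEM", "parent": "services.exe", "image": "svchost.exe"}
{"ts": "2023-03-01T09:01:10", "host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "chrome.exe"}
{"ts": "2023-03-01T09:02:30", "host": "ws02", "user": "bob", "parent": "explorer.exe", "image": "chrome.exe"}
{"ts": "2023-03-01T09:03:45", "host": "ws03", "user": "carol", "parent": "explorer.exe", "image": "chrome.exe"}
{"ts": "2023-03-01T09:10:00", "host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "WINWORD.EXE"}
{"ts": "2023-03-01T09:11:00", "host": "ws02", "user": "bob", "parent": "explorer.exe", "image": "WINWORD.EXE"}
{"ts": "2023-03-01T09:12:07", "host": "ws01", "user": "alice", "parent": "WINWORD.EXE", "image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2023-03-01T09:15:00", "host": "ws02", "user": "bob", "parent": "WINWORD.EXE", "image": "C:\\Windows\\splwow64.exe"}
not valid json - a line the collector mangled
"""

# Hypothesis vocabulary: Office applications and command interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def normalize(image):
    """Reduce a full path or mixed-case image name to a lowercase basename."""
    return ntpath.basename(image).lower()


def parse_events(text):
    """Parse JSON-lines telemetry; malformed or incomplete lines are counted and skipped."""
    events, dropped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["parent"] = normalize(rec["parent"])
            rec["image"] = normalize(rec["image"])
        except (ValueError, KeyError):
            dropped += 1
            continue
        events.append(rec)
    return events, dropped


def check_hypothesis_office_spawns_interpreter(events):
    """Hypothesis: an Office application launched a command interpreter."""
    return [e for e in events if e["parent"] in OFFICE_APPS and e["image"] in INTERPRETERS]


def stack_parent_child(events):
    """Frequency-stack (parent, image) pairs by the set of hosts they appear on."""
    hosts_by_pair = defaultdict(set)
    for e in events:
        hosts_by_pair[(e["parent"], e["image"])].add(e["host"])
    return hosts_by_pair


def rare_pairs(hosts_by_pair, max_hosts=1):
    """Pairs present on at most max_hosts hosts: leads to triage, not verdicts."""
    return sorted((pair, sorted(hosts))
                  for pair, hosts in hosts_by_pair.items() if len(hosts) <= max_hosts)


def run_hunt(text, max_hosts=1):
    """Run the hypothesis check and the stacking pass over one telemetry batch."""
    events, dropped = parse_events(text)
    return {
        "events": len(events),
        "dropped": dropped,
        "hosts": len({e["host"] for e in events}),
        "office_to_interpreter": check_hypothesis_office_spawns_interpreter(events),
        "rare_pairs": rare_pairs(stack_parent_child(events), max_hosts),
    }


if __name__ == "__main__":
    result = run_hunt(SAMPLE_EVENTS)
    print(f"{result['events']} events on {result['hosts']} hosts, "
          f"{result['dropped']} malformed line(s) skipped")
    for e in result["office_to_interpreter"]:
        print("HYPOTHESIS CONFIRMED:", e["ts"], e["host"], e["user"], e["parent"], "->", e["image"])
    for pair, hosts in result["rare_pairs"]:
        print("lead (rare pair):", pair, "seen only on", hosts)
```

On the constructed data the hypothesis matches once (Word spawning cmd.exe on ws01), which is the kind of confirmed hypothesis the article says can then be turned into a permanent detection. The stacking pass returns two leads; one of them (Word launching the print helper splwow64.exe on ws02) is ordinary, which is the point: rarity produces candidates for a human to triage, and the analyst's judgement decides what becomes a rule.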
Threat Hunting perspectives
Attacks will become more and more targeted. It will be harder to learn about them from the Internet, so Threat Hunting will have to evolve. Hunting for threats will become one of the SOC processes; specialized platforms and instruments will appear that automate analysts' work and help them process large amounts of data.
In the coming years, Threat Hunting may introduce organization profiles that take into account size, industry, and other factors and help build the threat detection process more efficiently.
Containerization and cloud computing will require new methods and approaches to the threat hunting process. Threat Hunting will increasingly move to the cloud as more and more enterprises adopt cloud technologies.
Some things will not change in the next three to five years. First, there is the shortage of personnel. Not all companies that want to hire a Threat Hunting expert will be able to do so. Therefore, outsourcing will proliferate in this segment, and it will become more automated. Again, Threat Hunting is impossible without a human.