What is cyber threat hunting?
Threat hunting is a proactive information security approach and strategy practised by security analysts. It greatly enhances the conventional incident detection, response, and cleanup process. Threat hunting is the skill of identifying unknowns in the environment, and it goes beyond what conventional detection systems such as endpoint detection and response (EDR) and security information and event management (SIEM) surface on their own.
How does cyber threat hunting work?
Cyber threat hunters can recognize threats from insiders, such as employees, and from outsiders, such as criminal organizations. By adding a human component, they improve the automated systems used for corporate security. They are IT security specialists who search for, track, monitor, and remove threats before those threats have an opportunity to cause serious damage.
What’s required to start threat hunting?
An effective threat-hunting service must include human threat hunters. To look for threats effectively, hunters need access to a wide range of data, both historical and current, that gives them visibility across the whole infrastructure. To compare current cyber-attack trends with internal data, threat hunters must also be armed with the most recent threat intelligence.
What are the types of cyber threat hunting?
Cyber threat hunting commonly uses one of the following three approaches:
- Structured: Structured hunting is the systematic search for particular threats or indicators of compromise using predetermined criteria or intelligence. The threat hunter formulates a hypothesis about a possible attack path and then systematically looks for the indicators of that attack. This process may involve automated tools and queries in addition to manual data analysis and correlation.
- Unstructured: Unstructured threat hunting is free-form and does not rely on predetermined criteria or hypotheses. Alongside innovative methods and tools, this risk-based strategy may draw on a variety of data sources, including endpoint data, network logs, and threat intelligence. Unstructured hunting is especially helpful in locating new or unknown threats.
- Entity-driven: Entity-driven hunting is a targeted approach that focuses on specific events, assets, or situations that may pose a greater risk to an organization's security. It can combine structured and unstructured hunting techniques while collaborating with the IT, legal, and business departments as well as other internal stakeholders.
Steps followed for Cyber Threat Hunting
When investigating and resolving threats and attacks, cyber threat hunters typically carry out the following fundamental steps:
- Hunting for threats is usually a targeted endeavor. The hunter gathers data about the environment and formulates hypotheses about possible threats, then selects a trigger for further investigation.
- Once a trigger has been identified, the hunt focuses on proactively looking for anomalies that support or contradict the hypothesis. Threat hunters examine the company's data, systems, and operations and gather and analyze the pertinent data.
- During the investigative phase, threat hunters gather crucial information and relay it to other teams and tools so they can respond, prioritize, analyze, or store it for later use.
- The resolution step entails informing the operations and security teams of pertinent intelligence on malicious activity so they can address the event and reduce risk.
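The structured approach described above and the hypothesis, trigger, investigation and hand-off steps just listed can be made concrete with a small hunt over authentication logs. The following is an added example written for this page, not code from the original article or from any product it mentions; the log format, the host and user names, and the hypothesis itself are constructed. The hypothesis is that a compromised account authenticates from a source host the user has never used, or well outside that user's usual hours; the hunt builds a per-user baseline from historical events, checks current events against it, and returns findings in a form another team can triage.

```python
"""Hypothesis-driven hunt over constructed authentication logs.

Hypothesis (constructed for this example): a compromised account logs on from a
source host the user has never used before, or well outside that user's usual
working hours.  Historical events form the baseline; current events that
contradict the hypothesis' notion of "normal" become findings for hand-off.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not real data.  Format: timestamp,user,src_host,result
HISTORICAL_LOGS = """\
2024-03-01T08:55:12,alice,WS-ALICE-01,success
2024-03-01T09:10:40,bob,WS-BOB-07,success
2024-03-02T08:47:03,alice,WS-ALICE-01,success
2024-03-02T17:30:55,bob,WS-BOB-07,success
2024-03-03T09:02:19,alice,WS-ALICE-01,success
2024-03-03T10:15:00,bob,WS-BOB-07,success
2024-03-04T08:58:44,alice,WS-ALICE-01,success
2024-03-04T09:20:31,bob,VPN-GW-02,success
"""

CURRENT_LOGS = """\
2024-03-05T09:01:10,alice,WS-ALICE-01,success
2024-03-05T03:14:22,alice,SRV-FILE-09,success
2024-03-05T09:30:00,bob,WS-BOB-07,success
2024-03-05T22:45:09,carol,WS-CAROL-03,success
"""


def parse_events(text):
    """Parse the comma-separated log lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "result": result})
    return events


def build_baseline(events):
    """Per user, record the source hosts and logon hours seen in successful events."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        baseline[e["user"]]["hosts"].add(e["host"])
        baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def hunt(historical, current, hour_tolerance=1):
    """Return findings for current events that deviate from the historical baseline.

    Each finding names the event and lists every reason it was flagged, so the
    receiving team can prioritize without re-running the analysis.
    """
    baseline = build_baseline(parse_events(historical))
    findings = []
    for e in parse_events(current):
        reasons = []
        profile = baseline.get(e["user"])
        if profile is None:
            # A user with no history cannot be baselined; surface for review.
            reasons.append("no historical baseline for user")
        else:
            if e["host"] not in profile["hosts"]:
                reasons.append(f"new source host {e['host']}")
            if all(hour_distance(e["ts"].hour, h) > hour_tolerance for h in profile["hours"]):
                reasons.append(f"logon at hour {e['ts'].hour:02d} outside usual hours")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "host": e["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(HISTORICAL_LOGS, CURRENT_LOGS):
        print(f"{f['ts']} {f['user']}@{f['host']}: {'; '.join(f['reasons'])}")
```

Running the block flags two of the four current events: alice's 03:14 logon from an unseen file server (two reasons, which is a stronger trigger than either alone) and carol's logon, for which no baseline exists. Bob's logon is not flagged even though the hour differs from some of his history, because the baseline keeps every observed hour rather than a single average; a hunt that averaged hours would have produced a false positive here.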
Threat hunting maturity model
The SANS Institute describes a threat-hunting maturity model with the following levels:
- Level 1 (initial): Relying on automated reporting, with no regular data collection.
- Level 2 (minimal): Searching for threat intelligence indicators, with moderate-to-high data collection.
- Level 3 (procedural): Applying analysis procedures developed by others, with high to very high data collection.
- Level 4 (innovative): Developing new data analysis procedures, with high to very high data collection.
- Level 5 (leading): Automating the data analysis procedures that have proven successful, with high to very high data collection.
Automated threat hunting
Because adversaries today automate their tactics, techniques, and procedures to get past preventive defenses, automating manual tasks helps enterprise security teams stay ahead of them. Automation strengthens cyber threat-hunting workflows and optimizes staffing and resource use for SOCs. Cyber threat hunters can use AI, automation, and machine learning to automate parts of the process.