In recent years, the term "Threat Hunting" has become the most important component of cyber security programs. Most enterprises and cyber security professionals have started to adopt the threat hunting terminology in their day-to-day tasks. However, the definition of threat hunting has never been a settled topic among professionals. This blog post covers what threat hunting is, its basics, and how to use it at the enterprise level.
Threat hunting is a proactive approach to looking for suspicious activity on enterprise networks. In a SOC operation the analyst investigates the alerts that are triggered when an alert rule's condition and threshold are met, whereas in threat hunting the hunter looks for suspected activity based on the procedures attackers use, before it has been surfaced as an alert or incident.
The main goal of the threat hunter is to proactively check and investigate the corporate network on the assumption that it has already been compromised.
Misunderstanding of Threat Hunting
As mentioned above, the threat hunting approach is a proactive search for suspicious activity. Threat hunting should not consist of waiting for threats to be detected as alerts, nor of searching for a set of IOCs that security researchers have already reported.
For example, a good threat hunting process for professional threat hunters:
1. Threat actors execute malicious command scripts on compromised network devices.
Here we need to check for the scripts executed and their command-line arguments, and also monitor the events associated with script execution.
2. Threat actors create or modify system processes to bypass traditional detection mechanisms.
Here we need to monitor for new services or processes that are not part of known software and updates. Attackers may create or modify system-level processes to execute malicious payloads as a persistence technique.
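As an added illustration of the two hunting hypotheses above (example code written for this post, not from the original article), here is a small Python hunt over constructed, Sysmon-like process-creation and service-install events. The event shape, the script-host list, the review traits and the known-software directories are all assumptions made for the example.

```python
# Constructed sample telemetry (not real logs): process creations and service installs.
EVENTS = [
    {"type": "process", "host": "ws01", "user": "alice",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "process", "host": "ws01", "user": "alice",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"type": "process", "host": "srv02", "user": "svc_backup",
     "image": "C:\\Program Files\\Backup\\backup.exe", "cmdline": "backup.exe --full"},
    {"type": "process", "host": "ws03", "user": "bob",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\inv.vbs"},
    {"type": "service", "host": "srv02", "name": "BackupAgent",
     "image": "C:\\Program Files\\Backup\\agent.exe"},
    {"type": "service", "host": "srv02", "name": "WinUpdateSvc",
     "image": "C:\\Users\\Public\\svc.exe"},
]

# Hypothesis 1 (script execution): interpreters whose command lines deserve analyst review.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
REVIEW_TRAITS = ("-enc", "-encodedcommand", "-w hidden", "-nop", "\\temp\\", "\\appdata\\")

# Hypothesis 2 (new services/processes): assumed baseline of where known software installs.
KNOWN_SOFTWARE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def image_name(path):
    """Last path component, lower-cased, so mixed-case image paths match the set."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_script_execution(events):
    """Return (host, user, interpreter, matched traits) for script launches worth a look."""
    hits = []
    for e in events:
        if e["type"] != "process" or image_name(e["image"]) not in SCRIPT_HOSTS:
            continue
        cmdline = e["cmdline"].lower()
        traits = [t for t in REVIEW_TRAITS if t in cmdline]
        if traits:  # a plain 'cmd.exe /c dir' matches no trait and is not reported
            hits.append((e["host"], e["user"], image_name(e["image"]), traits))
    return hits


def hunt_unknown_services(events):
    """Return (host, service, binary) for services installed outside the known-software baseline."""
    return [(e["host"], e["name"], e["image"]) for e in events
            if e["type"] == "service"
            and not e["image"].lower().startswith(KNOWN_SOFTWARE_DIRS)]
```

Each hit is a lead for the hunter to investigate, not an alert: the point is to review the command line or service binary in context and either confirm it as benign (and extend the baseline) or escalate it to incident response.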
For example, a bad threat hunting process:
- The analyst searches the entire network logs for hits on IOCs taken from recent threat intelligence as part of the hunting process.
- Investigating alerts that have already been triggered from the various log sources.
Types of Threat hunting
There are several types of threat hunting, including:
- Signature-based hunting: This type of hunting involves searching for known malware or other malicious activity using predefined patterns or signatures.
- Behavioral-based hunting: This type of hunting involves identifying unusual or suspicious activity on a system or network, such as unexpected network traffic or changes in system behavior.
- Threat intelligence-based hunting: This type of hunting involves using external threat intelligence, such as information from security vendors or industry groups, to identify potential threats.
- Indicator of compromise (IOC)-based hunting: This type of hunting involves looking for specific indicators of a compromise, such as a specific file, IP address, or domain name, on a system or network.
- Network-based hunting: This type of hunting involves looking for malicious activity on a network, such as scanning for open ports or identifying unusual network traffic.
- Endpoint-based hunting: This type of hunting involves looking for malicious activity on a specific endpoint, such as a server or client device, by analyzing log files and other data.
- Data-based hunting: This type of hunting involves using data science and machine learning techniques to identify patterns in data that may indicate the presence of a threat.
Threat Hunting Goals
The goals of threat hunting can vary depending on the organization and the specific threat landscape, but some common goals include:
- Identifying and mitigating active threats: Threat hunting is often used to identify and respond to threats that have already infiltrated an organization’s systems or networks.
- Improving incident response: By identifying threats early, threat hunting can help organizations improve their incident response capabilities and reduce the impact of a security incident.
- Enhancing security posture: Threat hunting can help organizations identify vulnerabilities and improve their overall security posture by identifying and mitigating potential threats before they can be exploited.
- Proactive threat detection: Threat hunting allows organizations to be proactive in identifying and responding to potential threats, rather than relying solely on reactive security measures such as firewalls or antivirus software.
- Continuous monitoring: Threat hunting can help organizations continuously monitor their environment for potential threats and take appropriate action in a timely manner.
- Compliance and regulatory requirements: Some organizations may have specific compliance and regulatory requirements for threat hunting, such as those related to data privacy or cybersecurity.
- Cost reduction: By identifying and mitigating potential threats early, threat hunting can help organizations avoid the costs associated with security breaches and data loss.
This post has covered threat hunting basics, objectives and goals.
I have also posted about the threat hunting process for beginners and the Pyramid of Pain in hunting; you can go through them for a better understanding. Before hunting, threat hunters should understand the threat landscape and the various techniques threat actors use in different attack strategies.