In recent years, the term "threat hunting" has become the most important component of cyber security programs. Most enterprises and cyber security professionals have started to adopt threat hunting terminology in their day-to-day tasks. However, the definition of threat hunting has never been a settled topic among professionals. This post covers what threat hunting is, its basics, and how to use it at the enterprise level.
Threat hunting is a proactive approach to looking for suspicious activity on enterprise networks. In a SOC operation, the analyst investigates alerts that are triggered when an alert rule's condition and threshold are met, whereas in threat hunting the hunter looks for suspected activity based on the procedures attackers use, before it has been turned into an alert or incident.
The main goal of the threat hunter is to proactively check and investigate the corporate network on the assumption that it has already been compromised.
Misunderstanding of Threat Hunting
As mentioned above, threat hunting is a proactive search for suspicious activity. Threat hunting should not start from detecting threats as alerts, nor from searching for a set of IOCs that security researchers have already reported.
For example, for professional threat hunters:
- Threat actors execute malicious command scripts on compromised network devices.
Here, we need to check which scripts were executed and their command-line arguments, and also monitor the events associated with the script execution.
- Threat actors try to create or modify system processes to bypass traditional detection mechanisms.
Here, we need to monitor new services or processes that are not part of known software and updates. Attackers may create or modify system-level processes to execute malicious payloads as a persistence technique.
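The two hunting hypotheses above, written out as hunting logic over telemetry; this is an added example, not code from the original post, and the event field names, the script-host and Office-parent lists, and the known-software path baseline are assumptions that would be tuned to a real environment:

```python
# Constructed sample telemetry (not from the original post); the field names are
# assumptions modelled on typical EDR process-creation and service-install events.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent": "services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell.exe -NoProfile Get-Process"},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "WINWORD.EXE", "cmdline": "powershell.exe -w hidden -enc QQBCAEMA"},
    {"type": "service", "name": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"type": "service", "name": "UpdaterSvc", "image": "C:\\Users\\Public\\update.exe"},
]

# Script interpreters whose command lines are worth reviewing (assumption).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Parents that should rarely launch a script host in normal user activity (assumption).
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
# Command-line fragments that warrant a closer look: hidden windows, encoded input, downloads.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "downloadstring")
# Known-software baseline for service binaries (assumption; tune to the environment).
KNOWN_SERVICE_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")

def basename(path):
    return path.rsplit("\\", 1)[-1]

def hunt_script_execution(events):
    """Hypothesis 1: script hosts run with suspicious arguments or from an Office parent.
    Returns (command line, reasons) pairs; plain admin use of PowerShell is not flagged."""
    hits = []
    for ev in events:
        if ev["type"] != "process" or basename(ev["image"]).lower() not in SCRIPT_HOSTS:
            continue
        cmd = ev["cmdline"].lower()
        reasons = [arg for arg in SUSPICIOUS_ARGS if arg in cmd]
        if ev["parent"].upper() in OFFICE_PARENTS:
            reasons.append("office parent")
        if reasons:
            hits.append((ev["cmdline"], reasons))
    return hits

def hunt_unknown_services(events):
    """Hypothesis 2: installed services whose binary lives outside the known-software baseline."""
    return [ev["name"] for ev in events
            if ev["type"] == "service"
            and not ev["image"].lower().startswith(KNOWN_SERVICE_PREFIXES)]

if __name__ == "__main__":
    for cmdline, reasons in hunt_script_execution(SAMPLE_EVENTS):
        print("script hunt:", cmdline, reasons)
    print("unknown services:", hunt_unknown_services(SAMPLE_EVENTS))
```

Each hit is a lead to investigate, not an alert: the hunter still reviews the parent process, the decoded script content and the service binary before deciding whether it is benign.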
For example, bad examples of the threat hunting process:
- An analyst searches the entire network's logs for IOCs taken from recent threat intelligence, looking for any hits, and calls that the hunting process.
- Sometimes, simply investigating the alerts triggered from various log sources.
Threat Hunting Goals
Some of the threat hunting goals include:
- First, proactively search for threats in the network.
- Identify possible suspicious activity in the enterprise network.
- Reduce false positives and reduce the dwell time of a compromise.
- Improve the security posture and fix weaknesses in the network before actual threat actors compromise it.
This post covered threat hunting basics, objectives, and goals.
I have also posted about the threat hunting process for beginners and the Pyramid of Pain in hunting; you can go through them for a better understanding. Before hunting, threat hunters should understand the threat landscape and the various techniques threat actors use in different attack strategies.