Infosec professionals these days believe that cyber risks always have a way of getting inside a network. And more often than not, threats come from within an organization. Rather than passively waiting for threat alerts, today’s new cybersecurity model focuses on catching threats before they can do some real damage.
Here’s where threat hunting comes in. As the term implies, the activity is concerned with proactively searching for threats within a network and defending against them. Read on to learn more about threat hunting and the strategies it entails.
What is Threat Hunting?
Threat hunting involves using advanced security tooling, including exploit kits (i.e., sets of working exploits or malicious code for known vulnerabilities) of the kind cybercriminals employ, to reverse-engineer attacks and detect ongoing intrusions within a network.
It primarily aims to look for signs of APTs rather than garden-variety malware. These signs often take the form of indicators of compromise (IoCs), i.e., malicious emails, URLs, and files, or abnormalities in network traffic.
What is an Advanced Persistent Threat?
APTs refer to sophisticated threats that can slip past firewalls and threat prevention technologies, as well as the actors that instigate them. Advanced Persistent Threats exploit network, application, or communication protocol vulnerabilities. They also employ social engineering tactics, such as spear phishing, to gain unauthorized access to a target network.
APTs can go undetected for months. And by the time they are exposed, their perpetrators have already siphoned off a significant number of login credentials and sensitive records. That explains why looking for APTs is a high priority among threat hunters.
What Do You Need for Threat Hunting?
To begin a threat hunting program, cybersecurity professionals need many tools, including:
- Endpoint monitoring and protection tools for end-user devices such as mobile devices, desktops, and laptops; firewalls; and antitheft and antimalware solutions
- Security information and event management (SIEM) solutions for gathering and analyzing all types of log data, including authentication logs, identity information, access locations, network logs, and device logs
- Knowledge bases, such as threat intelligence databases, data feeds, and lookup tools
- Debugging tools and interactive disassemblers, which deconstruct unknown binaries into human-readable assembly code
- Forensic and memory dump analysis tools, which enable threat hunters to examine a system's memory, restore deleted files, and perform other tasks
- Virtual machines (VMs), which let users run Windows programs on macOS and vice versa
In most cases, threat hunters use virtual labs where they can analyze dormant (temporarily inactive) malware or simulate attacks. Being able to monitor and control all device activity is crucial to the accuracy of threat hunting exercises. Having the right tools is also essential to filter out noise (i.e., low-level threat alerts) in a lab environment.
What Are the Techniques Used in Threat Hunting?
There are various ways to go about threat hunting. Here are two tasks that are usually present in an analyst’s daily workload:
- Static analysis: This refers to examining an application or a piece of malicious code in a nonruntime or inactive environment. Here, the program is stopped and “taken apart” for closer inspection of its inputs and outputs. Debugging or disassembly tools recover the program's assembly-language listing (i.e., a low-level but human-readable representation of the program) for assessment.
- Dynamic analysis: This is the exact opposite of static analysis. In it, analysts observe a piece of malware’s or an application’s behavior in a real-time or runtime environment. It allows threat hunters to assess the behavior’s impact, uncover other vulnerabilities, and effectively come up with a mitigation plan.
What Are the Steps in the Threat Hunting Process?
Like any other scientific or technical process, threat hunting starts with a hypothesis. Here’s a description of the five steps that comprise the threat hunting process:
- Forming a hypothesis: The threat hunting hypothesis is a statement about the hunter’s ideas of what threats may be present in a network and how to seek them out. This step involves hypothesizing a suspected attacker’s tactics, techniques, and procedures (TTPs). To form a hypothesis, threat hunters use threat intelligence from various open-source and paid sources, environmental knowledge, and their own experience and creativity.
- Data gathering and analysis: Finding threats requires quality intelligence. That’s why threat hunters need a plan to collect, centralize, and process data. This step uses security information and event management (SIEM) software to provide insights into, and a record of, all network activity.
- Triggering the hunt: The hypothesis begins the actual investigation where advanced detection tools play a critical part.
- Investigating threats: This step uses endpoint detection and response (EDR) solutions to dig deeper into potentially malicious network anomalies until they are deemed benign or confirmed nefarious.
- Responding to or resolving threats: Data collected on confirmed malicious activities may be used as inputs for automated security technology so these can respond, resolve, and mitigate threats. This step requires removing malware, restoring altered or deleted files to their original state, updating firewall and intrusion detection/prevention system (IDS/IPS) rules, deploying security patches, and changing system configurations while determining what really happened and how to improve the network’s overall security against future attacks.
Who among IT Staff Members Is Responsible for Threat Hunting?
Job titles may vary, but generally speaking, IT security specialists are in charge of threat hunting strategies inside an organization. They may be called “cyber threat hunters” per se, penetration testers, white-hat or ethical hackers, or just security analysts. They may work as part of a security operations center (SOC) or an incident response team.