Threat Hunting Process

Mounika Raghavarapu   

Today in 2021, threats are more advanced than ever, and traditional defense mechanisms and antivirus solutions are not enough to stop them. Security teams handle numerous threats, from malware, ransomware and file-less attacks to cyberespionage. The major challenge for many security teams is not the sheer number of risks but the repetitive daily work of prioritizing incidents and working through an endless backlog of alerts. A proactive threat hunting mechanism is what organizations need to stay ahead of modern-day attackers.

Now let’s understand what “threat hunting” actually means.

Threat Hunting: the process of proactively and intensively searching throughout the network to expose lurking, undetected threats.

Why is Hunting Required?

Alerting from security systems is important, but it cannot be the only focus of a detection program. The primary goal of a hunting program should be to improve detection by prototyping new ways to detect malicious activity and then turning those prototypes into effective new automated detections.

There are no "one size fits all"-type solutions in threat hunting.

When conventional protections fail, threat hunting helps expose the advanced persistent threats (APTs) hidden in the network. General security hygiene practices, automated security tools, firewalls and antivirus are effective in stopping the majority of threats from intruding into the network. But once an intruder has bypassed these measures and is inside the network, it is very difficult to identify their presence with these traditional security mechanisms.

According to research, a cybercriminal spends an average of 191 days in an organization's network before being detected, and this is more than enough time for the intruder to cause huge damage to the organization's data. After an attack is discovered, organizations generally perform a forensic investigation to reconstruct the events that led to it. In contrast to forensic investigation, threat hunting aims to find attackers that are lying in wait and stop them in their tracks before they have the chance to do real damage.

An organization's automated security tools and tier 1 and tier 2 security operations centre (SOC) analysts are generally capable of restricting and handling almost 80 percent of threats. But organizations still need to think about the remaining 20 percent, where there is a high chance that modern-day attackers, including advanced persistent threats (APTs), will cause noteworthy damage.

Unlike general and automated threats, attacks by advanced persistent attackers easily evade the advanced tools in place to restrict intruder activity and directly target the organization's network. Compared with a general hacking attempt, an APT needs much higher attention and significantly more effort from the response teams and the Security Operations Centre (SOC).

Pre-requisites for Starting Threat Hunting

Before starting a threat hunting program, an organization needs a proper security setup that is capable of ingesting various sources of data and storing it in a way that lets staff access it. A proper security setup must have security information and event management (SIEM), endpoint management, firewalls, network packet capture tools, and antivirus. Apart from these automated blocking and monitoring tools, organizations also need access to threat intelligence resources through which they can look up indicators of compromise (IoCs), malware hashes, IP addresses and more.

Threat hunting is normally a tedious process, and it involves a lot of human effort to analyse huge sets of data. This is where automated tooling is needed to help security teams slice and dice the huge data sets into small chunks that reveal what the data contains. Human effort plus automation is the best combination in threat hunting for examining every granule of the data.

There is no established threat hunting process that can be used by every organization, so the security team must have expertise in the organization’s own network. Without being acquainted with the organization's systems and knowing how each dataset is supposed to look, it is very difficult to decide how best to hunt for threats.

Threat Hunting Process 

Hypothesis-driven approach 

What is Hypothesis? 

A hypothesis is generally an assumption made about attacker behavior. It is an actionable use case developed from the observations, intelligence, and experience of the security team.

Three types of hypothesis:

  • An analytics-driven hypothesis is derived using machine learning and UEBA (User and Entity Behaviour Analytics); the aggregated risk scores these produce also serve as hunting hypotheses.
  • A situational-awareness-driven hypothesis is derived by performing "Crown Jewel analysis (identifying core missions, assets, and data in the organization), enterprise risk assessments, and by analyzing company- or employee-level trends".
  • An intelligence-driven hypothesis is derived from threat intelligence reports, vulnerability scans, threat intelligence feeds, and malware analysis.

Operationalized Hunting 

  • Collect all endpoint data: leverage an EDR (Endpoint Detection and Response) sensor for a raw feed of endpoint telemetry.
  • Establish a hypothesis:
    • From a new threat report
    • By mapping current detection capabilities to ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)
    • By asking "What does this look like on the endpoint?"
  • Hunting: hunt retrospectively within existing environments to validate the hypothesis.
  • Detector development:
    • Codify the behavior of the component observations
    • Automatically identify this behavior in the future
  • Threat detection: look for suspicious and malicious behaviors in aggregate.
  • Triage and investigation: analysts review events and either confirm the threat, suppress it, or automate the handling of similar events in the future.
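The hunting loop above expressed in Python, as an added example that is not code from the original article or from Cymune: a hypothesis that a document-handling application should not spawn a command interpreter is codified as a detector, run retrospectively over a constructed sample of EDR process-creation events, viewed in aggregate per host, and filtered by the suppressions analysts recorded at triage. All host names, user names, process names and the suppression entry are constructed.

```python
"""Operationalized hunting loop run over constructed EDR telemetry."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample of raw EDR process-creation events (step 1: collect
# endpoint data). Hosts, users and process names are hypothetical.
TELEMETRY = [
    {"host": "ws-01", "user": "alice", "parent": "winword.exe", "child": "cmd.exe"},
    {"host": "ws-01", "user": "alice", "parent": "winword.exe", "child": "powershell.exe"},
    {"host": "ws-02", "user": "bob", "parent": "explorer.exe", "child": "cmd.exe"},
    {"host": "ws-02", "user": "bob", "parent": "excel.exe", "child": "cmd.exe"},
    {"host": "ws-03", "user": "carol", "parent": "outlook.exe", "child": "cmd.exe"},
]

# Step 2, the hypothesis: a document-handling application should not be the
# parent of a command interpreter on an endpoint.
DOC_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe"}

# Step 6, analyst suppressions from earlier triage: (host, parent, child)
# combinations confirmed benign (constructed: a finance macro on ws-02).
SUPPRESSED = {("ws-02", "excel.exe", "cmd.exe")}

@dataclass(frozen=True)
class Hit:
    host: str
    user: str
    parent: str
    child: str

def detector(event):
    """Step 4: the hypothesis codified so it can run on every future event."""
    return event["parent"] in DOC_APPS and event["child"] in INTERPRETERS

def hunt(events, suppressed=frozenset()):
    """Step 3: run the detector retrospectively over stored telemetry,
    dropping combinations an analyst has already suppressed."""
    return [Hit(e["host"], e["user"], e["parent"], e["child"])
            for e in events
            if detector(e) and (e["host"], e["parent"], e["child"]) not in suppressed]

def aggregate(hits):
    """Step 5: view the behaviour in aggregate, as hit counts per host."""
    return Counter(h.host for h in hits)

if __name__ == "__main__":
    for host, n in aggregate(hunt(TELEMETRY, SUPPRESSED)).most_common():
        print(f"{host}: {n} hit(s) for analyst triage")
```

Once the detector has been validated this way, the same `detector` function is what gets promoted into the automated pipeline so the behavior is flagged on live telemetry without a hunter re-running the query.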

Cymune Threat Hunting Services:

The cyber threat hunter role is becoming increasingly important in the modern enterprise, as companies strive to stay ahead of the latest threats and implement rapid responses to mitigate potential damage resulting from cyber-attacks.

Our information security professionals proactively and iteratively detect, isolate, and neutralize advanced threats that evade automated security solutions. Our extensive experience in the security domain gives us a competitive edge over traditional rule- or signature-based detection methods.