Threat hunting is a popular buzzword in cybersecurity at the moment, but what does it mean? How do you know if you should be doing it, and where do you start?
To threat hunt means to proactively search for malware or attackers that are lurking in your network — and may have been there for some time. They could be quietly siphoning off data, patiently listening in for confidential information, or working their way through the network looking for credentials powerful enough to steal key information.
When Traditional Protections Fail, Threat Hunting Sniffs Out APTs
Basic security hygiene and properly implemented antivirus, firewalls and other automated security tools should stop the majority of threats from getting in. But once an attacker has sneaked into your network undetected, there’s often not much to stop them from staying there.
On average, cybercriminals spend 191 days inside a network before being discovered, and that’s more than enough time to cause some damage. In contrast to a forensic investigation, which is designed to work out what went wrong after an attack, threat hunting aims to track down these waiting attackers and stop them in their tracks before they have the chance to cause real damage.
Although your automated security tools and tier 1 and 2 security operations center (SOC) analysts should be able to deal with roughly 80 percent of threats, you still need to worry about the remaining 20 percent, which is more likely to include advanced persistent threats (APTs) that can cause significant damage.
Threats that are unsophisticated, automated or untargeted should be easy to detect or block, but those that carefully evade the tools designed to stop them typically come from advanced persistent attackers — groups or individuals who directly target your organization and network. Compared to a basic hacking attempt, an APT demands significantly more effort and attention from the SOC and response team.
What Do You Need to Start Threat Hunting?
Before you start, it’s important to ensure that your organization is actually ready to threat hunt. You should have a fairly mature security setup capable of ingesting multiple sources of information and storing them in a way that lets you access them. A basic setup should include automated blocking and monitoring tools such as firewalls, antivirus, endpoint management, network packet capture, and security information and event management (SIEM). You will also need access to threat intelligence resources so you can look up IP addresses, malware hashes, indicators of compromise (IoCs) and more.
Finally, you will need a tool that allows you to bring together your disparate data sets and slice and dice them in a way that reveals insights with the least possible effort. Threat hunting can involve a massive amount of information, so while it is a human-led effort, you’ll certainly need some computer assistance to make the task more manageable.
Once you have all the tools in place and working together, you will also need a team with enough people to manage the technology and data. Threat hunting is never going to be the first priority. To start, it may not even be a full-time role — just a few hours a week of one person’s time.
There is no set threat hunting process that will apply to every company, so your team must have expertise in your organization’s network. Without being familiar with your systems and knowing how everything is supposed to look, it will be impossible to determine how to best hunt for threats.
How Do You Know What to Look For?
Before starting a threat hunt, you need to set some prioritized intelligence requirements (PIRs) — the questions that will drive your threat hunting efforts and the answers that will drive decision-making within the organization. Ask yourself, for example: is data being exfiltrated from my organization?
Your PIRs will depend on what matters the most to your organization and should be agreed upon in advance by C-level executives and stakeholders. They will also change over time. Once you have set your PIRs, you should decide which IoCs to look for based on an informed hypothesis. For example, certain changes in traffic flows could indicate data exfiltration.
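The hypothesis above (a change in traffic flows as a possible sign of exfiltration), carried through as an added Python example that is not from the original article: it sums outbound bytes per host per day from constructed flow records, compares each host's later days against that host's own earlier baseline, and flags statistical outliers together with any destination the host has never contacted before. Host names, IP addresses and byte counts are invented sample data.

```python
"""Hypothesis-driven hunt: a host that suddenly sends far more data
outbound than its own baseline may be exfiltrating data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records, not real traffic:
# (day, source host, destination IP, bytes sent outbound)
FLOWS = [
    ("d1", "ws-17", "203.0.113.5", 12_000), ("d2", "ws-17", "203.0.113.5", 11_200),
    ("d3", "ws-17", "203.0.113.5", 13_100), ("d4", "ws-17", "203.0.113.5", 10_800),
    ("d5", "ws-17", "203.0.113.5", 12_400), ("d6", "ws-17", "203.0.113.5", 9_900),
    ("d7", "ws-17", "192.0.2.77", 840_000),  # large upload to a never-seen host
    ("d1", "ws-22", "203.0.113.5", 50_000), ("d2", "ws-22", "203.0.113.5", 48_000),
    ("d3", "ws-22", "203.0.113.5", 52_000), ("d4", "ws-22", "203.0.113.5", 49_500),
    ("d5", "ws-22", "203.0.113.5", 51_000), ("d6", "ws-22", "203.0.113.5", 47_000),
    ("d7", "ws-22", "203.0.113.5", 53_000),  # normal day for a chatty host
]
DAY_ORDER = ["d1", "d2", "d3", "d4", "d5", "d6", "d7"]


def daily_egress(flows):
    """Sum outbound bytes per host per day and record destinations seen."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for day, host, dst, nbytes in flows:
        totals[host][day] += nbytes
        dests[host][day].add(dst)
    return totals, dests


def hunt_exfil(flows, days=DAY_ORDER, z_threshold=3.0, min_days=5):
    """Flag (host, day) pairs whose egress is an outlier against that host's
    own earlier days (z-score), and list destinations new to the host."""
    totals, dests = daily_egress(flows)
    findings = []
    for host, per_day in totals.items():
        for i, day in enumerate(days):
            if day not in per_day or i < min_days:  # need a baseline first
                continue
            history = [per_day.get(d, 0) for d in days[:i]]
            base, spread = mean(history), pstdev(history)
            if spread == 0:  # flat history: z-score is undefined, skip
                continue
            z = (per_day[day] - base) / spread
            if z >= z_threshold:
                seen_before = set().union(*(dests[host][d] for d in days[:i]))
                new_dsts = sorted(dests[host][day] - seen_before)
                findings.append((host, day, per_day[day], round(z, 1), new_dsts))
    return findings
```

A finding is a lead to investigate against packet capture and endpoint data, not a verdict; the chatty host ws-22 stays within its own baseline and is correctly left alone.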
Threat hunting is an advanced and complex task, but with the right people, technology and questions, it can make a massive difference to your organization’s security and prevent major problems before they occur.
Louise Byrne, IBM Security Solution Specialist, is a contributor for SecurityIntelligence.