Threat Hunting September 12, 2018
By Louise Byrne 3 min read
Series: Cybersecurity 101

Threat hunting is a popular buzzword in cybersecurity at the moment, but what does it mean? How do you know if you should be doing it, and where do you start?

To threat hunt means to proactively search for malware or attackers that are lurking in your network — and may have been there for some time. They could be quietly siphoning off data, patiently listening in for confidential information, or working their way through the network looking for credentials powerful enough to steal key information.

When Traditional Protections Fail, Threat Hunting Sniffs Out APTs

Basic security hygiene and properly implemented antivirus, firewalls and other automated security tools should stop the majority of threats from getting in. But once an attacker has sneaked into your network undetected, there’s often not much to stop them from staying there.

On average, cybercriminals spend 191 days inside a network before being discovered, and that’s more than enough time to cause some damage. In contrast to a forensic investigation, which is designed to work out what went wrong after an attack, threat hunting aims to track down these waiting attackers and stop them in their tracks before they have the chance to cause real damage.

Learn the latest on the lifecycle of a data breach with the 2020 Cost of a Data Breach report

Although your automated security tools and tier 1 and 2 security operations center (SOC) analysts should be able to deal with roughly 80 percent of threats, you still need to worry about the remaining 20 percent, which is more likely to include advanced persistent threats (APTs) that can cause significant damage.

Threats that are unsophisticated, automated or untargeted should be easy to detect or block, but those that carefully evade the tools designed to stop them typically come from advanced persistent attackers — groups or individuals who directly target your organization and network. Compared to a basic hacking attempt, an APT demands significantly more effort and attention from the SOC and response team.

What Do You Need to Start Threat Hunting?

Before you start, it’s important to ensure that your organization is actually ready to threat hunt. You should have a fairly mature security setup capable of ingesting multiple sources of information and storing it in a way that lets you access it. A basic set up should include automated blocking and monitoring tools such as firewalls, antivirus, endpoint management, network packet capture, and security information and event management (SIEM). You will also need access to threat intelligence resources so you can look up IP addresses, malware hashes, indicators of compromise (IoCs) and more.

Finally, you will need a tool that allows you to bring together your disparate data sets and slice and dice them in a way that reveals insights with the least possible effort. Threat hunting can involve a massive amount of information, so while it is a human-led effort, you’ll certainly need some computer assistance to make the task more manageable.

Once you have all the tools in place and working together, you will also need a team with enough people to manage the technology and data. Threat hunting is never going to be the first priority. To start, it may not even be a full-time role — just a few hours a week of one person’s time.

There is no set threat hunting process that will apply to every company, so your team must have expertise in your organization’s network. Without being familiar with your systems and knowing how everything is supposed to look, it will be impossible to determine how to best hunt for threats.

How Do You Know What to Look For?

Before starting a threat hunt, you need to set some prioritized intelligence requirements (PIRs) — the questions that will drive your threat hunting efforts and the answers that will drive decision-making within the organization. Ask yourself, for example, is data being exfiltrated from my organization?

Your PIRs will depend on what matters the most to your organization and should be agreed upon in advance by C-level executives and stakeholders. They will also change over time. Once you have set your PIRs, you should decide which IoCs to look for based on an informed hypothesis. For example, certain changes in traffic flows could indicate data exfiltration.

Threat hunting is an advanced and complex task, but with the right people, technology and questions, it can make a massive difference to your organization’s security and prevent major problems before they occur.

Read the solution brief: IBM i2 Enterprise Insight Analysis for Cyber Threat Hunting

 |  |  |  |  |  | 
Louise Byrne
IBM Security Solution Specialist

More from Threat Hunting
August 16, 2023

SIEM and SOAR in 2023: Key trends and new changes

4 min read - Security information and event management (SIEM) systems remain a key component of security operations centers (SOCs). Security orchestration, automation, and response (SOAR) frameworks, meanwhile, have emerged to fill the gap in these capabilities left by many SIEM systems. But as many companies have begun reaching the limits of SIEM and SOAR systems over the last few years, they have started turning to other solutions such as extended detection and response (XDR). But does this shift spell the end of SIEM…

August 15, 2023

Threat hunting 101: How to outthink attackers

6 min read - Threat hunting involves looking for threats and adversaries in an organization’s digital infrastructure that existing security tools don't detect. It is proactively looking for threats in the environment by assuming that the adversary is in the process of compromising the environment or has compromised the environment. Threat hunters can have different goals and mindsets while developing their hunt. For example, they can look for long-term threats in the environment that advanced threat actors can exploit. Or they can look for…

August 10, 2023

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

August 3, 2023

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature