This is the final installment in a three-part series on threat hunting. Be sure to read Part 1 and Part 2 for more information.

The purveyors of modern threats are not trying to simply deface your website or own your web server. These advanced attackers are attempting to siphon critical and sensitive data from your network over long periods of time, and do so undetected.

Where Is Your Data?

When threat hunting, at a minimum, you should know where your critical data is stored and how an attacker might try to compromise those systems. Taking it a step further, you should identify which systems, users and devices are connected to those critical assets. These are your attack vectors, which could be under threat by external and internal sources.

Insiders are responsible for the vast majority of damage caused by breaches. While the source of most attacks is external, the cause of damage is internal. Insiders who purposefully perform malicious activity should be identified immediately. But there are also those who, through negligence or lack of awareness, compromise the network’s security unintentionally. These individuals must be properly protected by your security controls as well. It is far more common to come across a user who falls victim to phishing or social engineering than a user with the skills and intent to damage your network.

A Baseline for Proactive Security

If you haven’t detected any attacks against your network recently, then your organization either isn’t worth anything or you are doing something wrong. But if you have either prevented or detected a breach, then you have effectively performed proactive security.

Proper security does not mean that your organization is impervious to compromise, however. Security teams must take the necessary actions before, during and after a breach. With both host- and network-based threat hunting, it’s important to work from a baseline. You should have an idea of the typical performance of your network as well as the usual activity of the assets within it.

Host-Based Threat Hunting

From a host-based perspective, threat hunting can be performed with an emphasis on several different metrics. A big indicator of compromise (IoC) for client systems is access attempts, both failed and successful. Most users access 30 to 50 files per day, with maybe a couple of them showing failed access. That failed access would likely be a result of clicking the wrong folder or file several times before the user realizes the error. However, if you see a client on your network accessing 20,000 different files with 100,000 failed attempts, that should raise more than a few red flags.

Another indicator of a breach is unusual ports, protocols or services being run on a user’s machine, specifically if they are not included in the secure baseline. A user transferring data in bulk to a USB drive can also point to an insider threat that should be investigated.

The good news is that many of the pieces of information required to perform host-based threat hunting might be available from existing tools. For example, network monitoring tools can be used to identify anomalies in central processing unit (CPU), memory and disk utilization. Similarly, configuration management tools can identify processes and programs that run when the system starts. Logs correlated with a security information and event management (SIEM) tool can also identify failed and successful access attempts.
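The file-access baseline described above, as an added example that is not part of the original article: a small Python hunt that parses constructed audit lines (the `user=... result=... path=...` format and all users, paths and counts are assumptions), compares each user's distinct files and failed accesses against the 30-50 files and "a couple" of failures per day the article cites, and flags users who exceed those figures by a chosen factor.

```python
import re
from collections import defaultdict

# Constructed audit-line format (assumption, not a real product's log schema).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE) path=(?P<path>\S+)$"
)

# Baseline figures taken from the article: up to 50 files/day, a couple of failures.
BASELINE_FILES = 50
BASELINE_FAILED = 2


def parse(lines):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_user_stats(events):
    """Aggregate distinct files touched and failed attempts per user."""
    stats = defaultdict(lambda: {"files": set(), "failed": 0})
    for e in events:
        stats[e["user"]]["files"].add(e["path"])
        if e["result"] == "FAILURE":
            stats[e["user"]]["failed"] += 1
    return stats


def hunt(stats, file_factor=5, failed_factor=5):
    """Return {user: reasons} for users exceeding the baseline by the given factors."""
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if len(s["files"]) > BASELINE_FILES * file_factor:
            reasons.append(f"{len(s['files'])} distinct files accessed")
        if s["failed"] > BASELINE_FAILED * failed_factor:
            reasons.append(f"{s['failed']} failed access attempts")
        if reasons:
            flagged[user] = reasons
    return flagged


def build_sample_log():
    """Constructed sample: alice behaves normally, bob sweeps a share he cannot read."""
    lines = [
        "2024-05-01T09:14:02Z user=alice result=SUCCESS path=/share/finance/q1.xlsx",
        "2024-05-01T09:15:10Z user=alice result=FAILURE path=/share/finance/q2.xlsx",
        "2024-05-01T09:15:12Z user=alice result=SUCCESS path=/share/finance/q2.xlsx",
    ]
    for i in range(400):  # 400 distinct files, 3 failures each = 1200 failures
        for _ in range(3):
            lines.append(f"2024-05-01T10:{i // 60:02d}:{i % 60:02d}Z user=bob "
                         f"result=FAILURE path=/share/hr/doc{i}.docx")
    return lines


def run():
    return hunt(per_user_stats(parse(build_sample_log())))
```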

Network-Based Threat Hunting

There are many ways to perform threat hunting from a network perspective. One IoC is connection length. A typical client in your network will most likely have short outbound connections.

Another IoC is the amount of data being transferred. A normal connection will not transfer data in bulk over the public internet. The destination IP can also be a breach indicator: outbound connections to anomalous or foreign IP addresses are another clue.

Similar to host-based threat hunting, network-based hunting can also utilize existing tools to proactively identify an adversary. Network intrusion detection systems, for example, can track the number of connections and other details about traffic. SIEM tools can also correlate and identify unusual traffic patterns. In addition, network forensics tools can provide better details into the payload and distinguish between malicious and normal activity.
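The three network IoCs above (connection length, outbound volume and destination) as an added example that is not part of the original article: a Python hunt over constructed flow records (the record layout, the hosts, the sanctioned destination range and the RFC 1918 internal ranges are assumptions) that derives a baseline from the median duration and bytes out of the flows themselves, then flags outbound connections that exceed it by a factor or that go to an unsanctioned destination.

```python
import ipaddress
import statistics
from collections import defaultdict

# Assumed internal address space (RFC 1918); flows to these are not "outbound".
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed sanctioned external destination range (documentation prefix used as a stand-in).
SANCTIONED = [ipaddress.ip_network("192.0.2.0/24")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def baseline(flows):
    """Median duration and median bytes out across all flows: the 'typical client'."""
    return (statistics.median(f[2] for f in flows), statistics.median(f[3] for f in flows))


def hunt(flows, factor=10):
    """Return {src: reasons} for outbound flows that deviate from the baseline."""
    med_dur, med_bytes = baseline(flows)
    findings = defaultdict(list)
    for src, dst, duration_s, bytes_out in flows:
        addr = ipaddress.ip_address(dst)
        if is_internal(addr):
            continue  # internal traffic; the article's IoCs concern outbound connections
        if duration_s > factor * med_dur:
            findings[src].append(f"long connection to {dst} ({duration_s:.0f}s)")
        if bytes_out > factor * med_bytes:
            findings[src].append(f"bulk outbound to {dst} ({bytes_out} bytes)")
        if not any(addr in net for net in SANCTIONED):
            findings[src].append(f"unsanctioned destination {dst}")
    return dict(findings)


def build_sample_flows():
    """Constructed records (src, dst, duration_s, bytes_out): 20 normal, 2 unusual."""
    flows = [(f"10.0.0.{i % 4 + 2}", "192.0.2.10", 1.0 + i % 5, 3_000 + 500 * i)
             for i in range(20)]
    flows.append(("10.0.0.9", "198.51.100.77", 7200.0, 2_500_000_000))  # long, bulk, unknown dst
    flows.append(("10.0.0.9", "10.0.0.1", 9000.0, 5_000_000_000))        # internal: ignored
    return flows


def run():
    return hunt(build_sample_flows())
```

A production version would build the baseline per client and per day rather than from a single batch, since one host's burst shifts a global median.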

Improving Incident Response Speed and Accuracy

A proper threat hunting program can provide a more secure baseline throughout the organization, offering immediate benefits such as reduction in breaches and attempts to compromise your network. Security teams can also reduce the organization’s threat surface and minimize attack vectors by identifying threats and locking down the network environment accordingly.

Threat hunting can increase the incident response team’s speed and accuracy. With more visibility into the network, security professionals can pinpoint areas of potential compromise quickly and efficiently. As a collective effort, threat hunting and threat intelligence can improve the organization’s security posture, which will produce tangible financial benefits.

While security teams cannot eliminate all risks to the IT environment, proper threat hunting allows them to read the news in peace without worrying about the organization becoming a headline.
