Light Dark
September 6, 2017 By Eric Cole 3 min read
Risk Management
Intelligence & Analytics
Data Protection
Incident Response
Threat Hunting

This is the final installment in a three-part series on threat hunting. Be sure to read Part 1 and Part 2 for more information.

The purveyors of modern threats are not trying to simply deface your website or own your web server. These advanced attackers are attempting to siphon critical and sensitive data from your network over long periods of time, and do so undetected.

Where Is Your Data?

When threat hunting, at a minimum, you should know where your critical data is stored and how an attacker might try to compromise those systems. Taking it a step further, you should identify which systems, users and devices are connected to those critical assets. These are your attack vectors, which could be under threat by external and internal sources.

Insiders are responsible for the vast majority of damage caused by breaches. While the source of most attacks is external, the cause of damage is internal. Insiders who purposefully perform malicious activity should be identified immediately. But there are also those who, through negligence or lack of awareness, compromise the network’s security unintentionally. These individuals must be properly secured. It is far more common to come across a user who falls victim to phishing or social engineering than a user with the skills and intent to damage your network.

A Baseline for Proactive Security

If you haven’t detected any attacks against your network recently, then your organization either isn’t worth anything or you are doing something wrong. But if you have either prevented or detected a breach, then you have effectively performed proactive security.

Proper security does not mean that your organization is impervious to compromise, however. Security teams must take the necessary actions before, during and after a breach. With both host- and network-based threat hunting, it’s important to work from a baseline. You should have an idea of the typical performance of your network as well as the usual activity of the assets within it.

Host-Based Threat Hunting

From a host-based perspective, threat hunting can be performed with an emphasis on several different metrics. A big indicator of compromise (IoC) for client systems is access attempts, both failed and successful. Most users access 30 to 50 files per day, with maybe a couple of them showing failed access. That failed access would likely be a result of clicking the wrong folder or file several times before the user realizes the error. However, if you see a client on your network accessing 20,000 different files with 100,000 failed attempts, that should raise more than a few red flags.

Another indicator of a breach is unusual ports, protocols or services being run on a user’s machine, specifically if they are not included in the secure baseline. A user transferring data in bulk to a USB drive can also point to an insider threat that should be investigated.

The good news is that many of the pieces of information required to perform host-based threat hunting might be available from existing tools. For example, network monitoring tools can be used to identify anomalies in central processing unit (CPU), memory and disk utilization. Similarly, configuration management tools can identify processes and programs that run when the system starts. Logs correlated with a security information and event management (SIEM) tool can also identify failed and successful access attempts.

Network-Based Threat Hunting

There are many ways to perform threat hunting from a network perspective. One IoC is connection length. A typical client in your network will most likely have short outbound connections.

Another IoC is the amount of data being transferred. A normal connection will not transfer data in bulk over the public internet. The destination IP can also be a breach indicator. Other clues include outbound connections to anomalous or foreign IP addresses.

Similar to host-based threat hunting, network-based hunting can also utilize existing tools to proactively identify an adversary. Network intrusion detection systems, for example, can track the number of connections and other details about traffic. SIEM tools can also correlate and identify unusual traffic patterns. In addition, network forensics tools can provide better details into the payload and distinguish between malicious and normal activity.

Improving Incident Response Speed and Accuracy

A proper threat hunting program can provide a more secure baseline throughout the organization, offering immediate benefits such as reduction in breaches and attempts to compromise your network. Security teams can also reduce the organization’s threat surface and minimize attack vectors by identifying threats and locking down the network environment accordingly.

Threat hunting can increase the incident response team’s speed and accuracy. With more visibility into the network, security professionals can pinpoint areas of potential compromise quickly and efficiently. As a collective effort, threat hunting and threat intelligence can improve the organization’s security posture, which will produce tangible financial benefits.

While security teams cannot eliminate all risks to the IT environment, proper threat hunting allows them to read the news in peace without worrying about the organization becoming a headline.

Listen to the podcast: The Art of Cyber Threat Hunting

 |  |  |  |  | 
Eric Cole

More from Risk Management
July 25, 2024

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

July 24, 2024

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

July 10, 2024

Digital solidarity vs. digital sovereignty: Which side are you on?

4 min read - The landscape of international cyber policy continues to evolve rapidly, reflecting the dynamic nature of technology and global geopolitics. Central to this evolution are two competing concepts: digital solidarity and digital sovereignty.The U.S. Department of State, through its newly released International Cyberspace and Digital Policy Strategy, has articulated a clear preference for digital solidarity, positioning it as a counterpoint to the protectionist approach of digital sovereignty.What are the main differences between these two concepts, and why does it matter? Let’s…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature