This is the final installment in a three-part series on threat hunting. Be sure to read Part 1 and Part 2 for more information.

The purveyors of modern threats are not trying to simply deface your website or own your web server. These advanced attackers are attempting to siphon critical and sensitive data from your network over long periods of time, and do so undetected.

Where Is Your Data?

When threat hunting, at a minimum, you should know where your critical data is stored and how an attacker might try to compromise those systems. Taking it a step further, you should identify which systems, users and devices are connected to those critical assets. These are your attack vectors, which could be under threat by external and internal sources.

Insiders are responsible for the vast majority of damage caused by breaches. While the source of most attacks is external, the cause of damage is internal. Insiders who purposefully perform malicious activity should be identified immediately. But there are also those who, through negligence or lack of awareness, compromise the network’s security unintentionally. These individuals must be properly secured as well. It is far more common to come across a user who falls victim to phishing or social engineering than a user with the skills and intent to damage your network.

A Baseline for Proactive Security

If you haven’t detected any attacks against your network recently, then your organization either isn’t worth anything or you are doing something wrong. But if you have either prevented or detected a breach, then you have effectively performed proactive security.

Proper security does not mean that your organization is impervious to compromise, however. Security teams must take the necessary actions before, during and after a breach. With both host- and network-based threat hunting, it’s important to work from a baseline. You should have an idea of the typical performance of your network as well as the usual activity of the assets within it.

Host-Based Threat Hunting

From a host-based perspective, threat hunting can be performed with an emphasis on several different metrics. A big indicator of compromise (IoC) for client systems is access attempts, both failed and successful. Most users access 30 to 50 files per day, with maybe a couple of them showing failed access. That failed access would likely be a result of clicking the wrong folder or file several times before the user realizes the error. However, if you see a client on your network accessing 20,000 different files with 100,000 failed attempts, that should raise more than a few red flags.

Another indicator of a breach is unusual ports, protocols or services being run on a user’s machine, specifically if they are not included in the secure baseline. A user transferring data in bulk to a USB drive can also point to an insider threat that should be investigated.

The good news is that many of the pieces of information required to perform host-based threat hunting might be available from existing tools. For example, network monitoring tools can be used to identify anomalies in central processing unit (CPU), memory and disk utilization. Similarly, configuration management tools can identify processes and programs that run when the system starts. Logs correlated with a security information and event management (SIEM) tool can also identify failed and successful access attempts.
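The file-access indicator above is easiest to see when the per-user numbers are compared against a baseline built from the whole population rather than against a fixed number. The following is an added example, not code from the article or from any product it mentions; the audit-event layout, the sample users, the constructed event counts and the five-MAD threshold are all assumptions. It profiles each user's distinct files accessed and failed attempts, then flags anyone far above the population median using a median/MAD score, which a single extreme account cannot skew the way a mean and standard deviation would.

```python
"""Host-based hunt: compare each user's daily file-access profile against a
baseline built from the population and flag the outliers. Added example; the
audit-event layout, the sample users and the threshold are assumptions."""
from collections import defaultdict
from statistics import median


def build_sample_events():
    """Constructed audit events as (user, path, outcome) tuples; 'ok' is a
    successful access and 'denied' a failed attempt. Three ordinary users
    touch a few dozen files with a couple of failures; one account touches
    thousands of files with far more failures."""
    events = []
    for user, n_ok, n_denied in (("alice", 40, 2), ("bob", 35, 1), ("carol", 48, 3)):
        events += [(user, f"/share/docs/{user}/file{i}.docx", "ok") for i in range(n_ok)]
        events += [(user, f"/share/finance/q{i}.xlsx", "denied") for i in range(n_denied)]
    events += [("svc_backup2", f"/share/hr/record{i}.pdf", "ok") for i in range(2000)]
    events += [("svc_backup2", f"/share/finance/ledger{i}.xlsx", "denied") for i in range(9000)]
    return events


def profile_users(events):
    """Per user: number of distinct files successfully accessed and number of
    failed access attempts."""
    ok_files = defaultdict(set)
    denied = defaultdict(int)
    for user, path, outcome in events:
        if outcome == "ok":
            ok_files[user].add(path)
        elif outcome == "denied":
            denied[user] += 1
    users = set(ok_files) | set(denied)
    return {u: {"files": len(ok_files[u]), "denied": denied[u]} for u in users}


def robust_z(values):
    """Median/MAD based scores: robust to the very outliers we want to find,
    unlike mean/standard deviation, which the outlier itself would inflate."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # floor avoids divide-by-zero
    return [(v - med) / mad for v in values]


def hunt(events, threshold=5.0):
    """Return {user: [reasons]} for users whose distinct-file count or failed
    access count lies more than `threshold` MADs above the population median."""
    prof = profile_users(events)
    users = sorted(prof)
    findings = defaultdict(list)
    for metric in ("files", "denied"):
        scores = robust_z([prof[u][metric] for u in users])
        for user, score in zip(users, scores):
            if score > threshold:
                findings[user].append(
                    f"{metric}={prof[user][metric]} ({score:.0f} MADs above median)"
                )
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in hunt(build_sample_events()).items():
        print(user, "->", "; ".join(reasons))
```

On the constructed data only `svc_backup2` is reported, on both metrics; the ordinary users sit within a fraction of a MAD of the median. In practice the baseline would be computed from several days of events per user rather than a single day's population, but the scoring is the same.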

Network-Based Threat Hunting

There are many ways to perform threat hunting from a network perspective. One IoC is connection length. A typical client in your network will most likely have short outbound connections, so a long-lived outbound session from a client stands out.

Another IoC is the amount of data being transferred. A normal connection will not transfer data in bulk over the public internet. The destination IP can also be a breach indicator. Other clues include outbound connections to anomalous or foreign IP addresses.

Similar to host-based threat hunting, network-based hunting can also utilize existing tools to proactively identify an adversary. Network intrusion detection systems, for example, can track the number of connections and other details about traffic. SIEM tools can also correlate and identify unusual traffic patterns. In addition, network forensics tools can provide better details into the payload and distinguish between malicious and normal activity.
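The three network indicators above (connection length, volume transferred and destination) can be checked together over flow records from an IDS or flow collector. The following is an added example, not code from the article or from any product it mentions; the flow-record layout, the constructed sample flows, the baseline numbers, the internal address ranges and the "approved external" range are all assumptions. It aggregates flows per source/destination pair so that many small transfers to one host are caught as bulk exfiltration, not just a single large flow.

```python
"""Network-based hunt over outbound flow records: long-lived connections, bulk
outbound transfers (including many small flows that add up) and destinations
outside the expected set. Added example; the flow layout, the baseline numbers
and the address ranges are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, duration_seconds, bytes_out)
SAMPLE_FLOWS = [
    ("10.0.1.15", "10.0.0.5", 2, 4_000),             # internal file share
    ("10.0.1.15", "203.0.113.10", 1, 12_000),         # approved SaaS, short
    ("10.0.1.15", "203.0.113.10", 3, 9_500),
    ("10.0.1.22", "203.0.113.44", 4, 30_000),
    ("10.0.1.22", "10.0.0.5", 1, 2_200),
    ("10.0.1.40", "198.51.100.7", 14_400, 2_500),     # four-hour session
    ("10.0.1.40", "198.51.100.7", 60, 850_000_000),   # 850 MB pushed out
    ("10.0.1.51", "198.51.100.9", 20, 60_000_000),    # 60 MB, repeated below
    ("10.0.1.51", "198.51.100.9", 25, 70_000_000),    # total 130 MB to one host
]

# Assumed internal address space (RFC 1918) and an assumed approved external
# range; in practice the second list comes from your own asset inventory.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_EXTERNAL = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed baseline taken from the organisation's own normal client traffic.
BASELINE = {"max_duration_s": 3600, "max_bytes_out": 100_000_000}


def in_any(ip, networks):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def hunt_flows(flows, baseline=BASELINE, expected_external=EXPECTED_EXTERNAL):
    """Aggregate flows per (src, dst) pair and return {(src, dst): [reasons]}
    for pairs that exceed the baseline or talk to an unexpected destination."""
    agg = defaultdict(lambda: {"max_duration": 0, "total_bytes": 0})
    for src, dst, duration, nbytes in flows:
        pair = agg[(src, dst)]
        pair["max_duration"] = max(pair["max_duration"], duration)
        pair["total_bytes"] += nbytes

    findings = {}
    for (src, dst), pair in agg.items():
        reasons = []
        if pair["max_duration"] > baseline["max_duration_s"]:
            reasons.append(f"long connection: {pair['max_duration']}s")
        if pair["total_bytes"] > baseline["max_bytes_out"]:
            reasons.append(f"bulk outbound: {pair['total_bytes']} bytes")
        if not in_any(dst, INTERNAL) and not in_any(dst, expected_external):
            reasons.append("destination outside expected ranges")
        if reasons:
            findings[(src, dst)] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst), reasons in hunt_flows(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```

Membership is checked against explicit internal ranges rather than `ip_address(...).is_private`, because the Python `ipaddress` module also counts the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, which would silently hide the constructed external hosts here.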

Improving Incident Response Speed and Accuracy

A proper threat hunting program can provide a more secure baseline throughout the organization, offering immediate benefits such as reduction in breaches and attempts to compromise your network. Security teams can also reduce the organization’s threat surface and minimize attack vectors by identifying threats and locking down the network environment accordingly.

Threat hunting can increase the incident response team’s speed and accuracy. With more visibility into the network, security professionals can pinpoint areas of potential compromise quickly and efficiently. As a collective effort, threat hunting and threat intelligence can improve the organization’s security posture, which will produce tangible financial benefits.

While security teams cannot eliminate all risks to the IT environment, proper threat hunting allows them to read the news in peace without worrying about the organization becoming a headline.
