This is the final installment in a three-part series on threat hunting. Be sure to read Part 1 and Part 2 for more information.

The purveyors of modern threats are not trying to simply deface your website or own your web server. These advanced attackers are attempting to siphon critical and sensitive data from your network over long periods of time, and do so undetected.

Where Is Your Data?

When threat hunting, at a minimum, you should know where your critical data is stored and how an attacker might try to compromise those systems. Taking it a step further, you should identify which systems, users and devices are connected to those critical assets. These are your attack vectors, which could be under threat by external and internal sources.

Insiders are responsible for the vast majority of damage caused by breaches. While the source of most attacks is external, the cause of damage is internal. Insiders who purposefully perform malicious activity should be identified immediately. But there are also those who, through negligence or lack of awareness, compromise the network’s security unintentionally. These individuals must be properly secured. It is far more common to come across a user who falls victim to phishing or social engineering than a user with the skills and intent to damage your network.

A Baseline for Proactive Security

If you haven’t detected any attacks against your network recently, then your organization either isn’t worth anything or you are doing something wrong. But if you have either prevented or detected a breach, then you have effectively performed proactive security.

Proper security does not mean that your organization is impervious to compromise, however. Security teams must take the necessary actions before, during and after a breach. With both host- and network-based threat hunting, it’s important to work from a baseline. You should have an idea of the typical performance of your network as well as the usual activity of the assets within it.

Host-Based Threat Hunting

From a host-based perspective, threat hunting can be performed with an emphasis on several different metrics. A big indicator of compromise (IoC) for client systems is access attempts, both failed and successful. Most users access 30 to 50 files per day, with maybe a couple of them showing failed access. That failed access would likely be a result of clicking the wrong folder or file several times before the user realizes the error. However, if you see a client on your network accessing 20,000 different files with 100,000 failed attempts, that should raise more than a few red flags.

Another indicator of a breach is unusual ports, protocols or services being run on a user’s machine, specifically if they are not included in the secure baseline. A user transferring data in bulk to a USB drive can also point to an insider threat that should be investigated.

The good news is that many of the pieces of information required to perform host-based threat hunting might be available from existing tools. For example, network monitoring tools can be used to identify anomalies in central processing unit (CPU), memory and disk utilization. Similarly, configuration management tools can identify processes and programs that run when the system starts. Logs correlated with a security information and event management (SIEM) tool can also identify failed and successful access attempts.

Network-Based Threat Hunting

There are many ways to perform threat hunting from a network perspective. One IoC is connection length. A typical client in your network will most likely have short outbound connections.

Another IoC is the amount of data being transferred. A normal connection will not transfer data in bulk over the public internet. The destination IP can also be a breach indicator. Other clues include outbound connections to anomalous or foreign IP addresses.

Similar to host-based threat hunting, network-based hunting can also utilize existing tools to proactively identify an adversary. Network intrusion detection systems, for example, can track the number of connections and other details about traffic. SIEM tools can also correlate and identify unusual traffic patterns. In addition, network forensics tools can provide better details into the payload and distinguish between malicious and normal activity.

Improving Incident Response Speed and Accuracy

A proper threat hunting program can provide a more secure baseline throughout the organization, offering immediate benefits such as reduction in breaches and attempts to compromise your network. Security teams can also reduce the organization’s threat surface and minimize attack vectors by identifying threats and locking down the network environment accordingly.

Threat hunting can increase the incident response team’s speed and accuracy. With more visibility into the network, security professionals can pinpoint areas of potential compromise quickly and efficiently. As a collective effort, threat hunting and threat intelligence can improve the organization’s security posture, which will produce tangible financial benefits.

While security teams cannot eliminate all risks to the IT environment, proper threat hunting allows them to read the news in peace without worrying about the organization becoming a headline.

Listen to the podcast: The Art of Cyber Threat Hunting

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…