What Is Cyber Threat Hunting?

How threat hunting works

Traditional cyber threat hunting is based on a manual process in which a security analyst scrutinizes data based on their knowledge of the network and systems to build assumptions about potential threats. 

Cyber threat hunting has advanced in effectiveness and efficiency through the addition of automation, machine learning (ML), and user and entity behavior analytics (UEBA) to alert enterprise security teams of potential risks.

Once the risk or potential risk, as well as frequency of a hunt, has been determined, an investigation is initiated. 

Types of Threat Hunting

• IOC-based Hunting: This reactive approach focuses on detecting known threat artifacts within the environment, such as file hashes, IP addresses, and domains.

• Hypothesis-driven Investigations: When significant information of a new, imminent threat vector is discovered, cyber threat hunting will delve deeper into network or system logs in search of hidden anomalies or trends that could signal the new threat. 

• Analytics-driven Investigations: Searches based on information gathered from ML and artificial intelligence (AI) tools.

• Tactics, Techniques, and Procedures (TTP) Investigations: Hunting for attack mannerisms typically uses the same operational techniques. This is helpful to source or attribute the threat and to leverage existing remediation methods that have worked with these behaviors.

Threat hunting is specific to each environment, but some techniques can be applied to almost any environment. Core threat hunting techniques include:

Baselining

Baselining helps the hunter understand what “normal” looks like within an organization. SANS describes the value of baselining as looking for a needle in a haystack by removing the hay in double-digit percentages to shorten the time needed for the needle to become visible. 

To help minimize the time needed to combine baseline analysis with attacker technique, SANS suggests hunters consider the following questions:

• How prevalent is PowerShell in your environment?

• If prevalent, what does normal system administrator activity look like?

• Where does PowerShell activity typically come from? What user accounts typically run it?

As a result, a hunter may not need to baseline all of PowerShell, but rather look for unexpected outliers or attacker-specific command structures.

Attack-specific Hunts

Baselining aids the hunter in understanding the overall hunt environment, but attack-specific hunts can help track malicious activity faster. Attack-specific hunts typically focus on a specific threat actor or threat. However, the limits of their specific hunt model can throw off false positives. Attack-specific hunts and baselining often yield good results.

Time Sensitivity

All hunts are time sensitive, and therefore require hunters to validate their baseline terms periodically. SANS recommends confirming that new software implementations are not causing unnecessary traffic resulting in false-positive data. 

Keeping up with attackers’ shifting to new techniques—or reverting back to old techniques—requires hunters to validate intelligence-based hunts and even hunt again if legacy techniques are detected.

Third-party Sources

Looking for needles in a data haystack can overwhelm teams of hunters. Third-party providers can help guide hunters to more successful hunts.

SANS lists the following benefits hunters can gather from third-party sources:

• Ruling out false positive leads

• Focusing on interesting leads

• IP lookups

• Geolocation

• Encrypted traffic metadata

• Log detection

• Attacker technique overlays

• Link analysis of internal vs. external or host vs. network data points

Five threat hunting steps

A cyber threat hunt is composed of steps or processes designed for an efficient, successful hunt. These steps include:

Step 1: Form a Hypothesis

Threat hunts begin with a hypothesis or a statement about the hunter’s ideas of what threats might be in the environment and how to go about finding them. A hypothesis can include a suspected attacker's TTPs. Threat hunters use threat intelligence, environmental knowledge, and their own experience and creativity to build a logical path to detection.

Step 2: Collect and Process Intelligence and Data

Hunting for threats requires quality intelligence and data. A plan for collecting, centralizing, and processing data is required. Security information and event management (SIEM) software can provide insight and a track record of activities in an enterprise’s IT environment.

Step 3: Trigger

A hypothesis can act as a trigger when advanced detection tools point threat hunters to initiate an investigation of a particular system or specific area of a network.

Step 4: Investigate

Investigative technologies enable deep searches for potential anomalies within systems and networks. This facilitates the classification of those anomalies as benign or malicious.

Step 5: Response/Resolution

Data gathered from confirmed malicious activity can be entered into automated security tools to respond, resolve, and mitigate threats. Actions can include: 

• Removing malware files

• Restoring altered or deleted files to their original state

• Updating firewall / IPS rules

• Deploying security patches

• Changing system configurations

These actions can help you better understand what occurred and how to improve your security against similar future attacks.

Threat hunting maturity model

An enterprise’s cyber threat hunting maturity model is defined by the quantity and quality of data the organization collects from its IT environment. An enterprise’s cyber threat hunting capabilities for hunting and responding, toolsets, and analytics factor into its threat hunting maturity model. 

The SANS Institute identifies a threat hunting maturity model as follows:

• Initial: At Level 0 maturity an organization relies primarily on automated reporting and does little or no routine data collection.

• Minimal: At Level 1 maturity an organization incorporates threat intelligence indicator searches. It has a moderate or high level of routine data collection.

• Procedural: At Level 2 maturity an organization follows analysis procedures created by others. It has a high or extremely high level of routine data collection.

• Innovative: At Level 3 maturity an organization creates new data analysis procedures. It has a high or extremely high level of routine data collection.

• Leading: At Level 4 maturity, an organization automates the majority of successful data analysis procedures. It has a high or extremely high level of routine data collection.

Benefits of automation in cyber threat hunting

Modern adversaries are automating their techniques, tactics, and procedures to evade preventative defenses, so it makes sense that enterprise security teams can better keep up with attacks by automating their manual workloads. Incorporating automation benefits cyber threat hunting processes and helps SOCs better use their staff and resources. These include:

• Data Collections: Cyber threat hunting investigations involve collecting many categories and data from a variety of sources, requiring many hours to manually sort through and delineate good data from insufficient data. Automation can greatly reduce the amount of time required for collection and boost the valuable resources of security SOCs.
• Investigation Process: A seemingly constant volume of threat alerts and warnings can overwhelm even the most experienced and well-staffed SOC. Automation can reduce the threat noise by quickly categorizing which threats are high, medium, and low risk, thus reducing security staff time demands and allowing them to efficiently address those that need immediate action or further investigation.
• Prevention Process: Once a threat is identified, mitigations need to be created throughout an enterprise’s networks, endpoints, and cloud.
• Response Process: Automated responses can counter the smaller, more routine attacks, such as deleting customized script to isolate a compromised endpoint, deleting malicious files after isolation, and automatically using backup info to restore data compromised in an attack.

What’s required for cyber threat hunting?

What foundational security resources are required for an enterprise to implement in-house threat hunting or subscribe to a threat hunting service?  

We can’t expect machines to be ethical or strategic. And we can’t expect humans to be good at searching large volumes of data at speed and scale or performing complex pattern matching. That’s why human machine teaming is crucial.

Optimize Human Expertise Through Human Machine Teaming

Here’s what it takes to run an effective and efficient cyber threat hunting program based on human machine teaming:

Human Hunters: Budget personnel and time for analysts to focus on hunting. Threat hunting requires human interaction and input to get to a resolution quicker with more accuracy. 

Knowledge of the threat landscape and the solid understanding of the IT environment, along with creative and intuitive thinking, are core fundamentals for a cyber threat hunter. 

Humans help get to a resolution quicker with more accuracy, and remove redundant and mundane manual errors that can be riddled with mistakes.

Organizational Model: Each organization must choose the appropriate model for its hunt team. Models are based on an organization’s size and budget, along with the availability of analysts who can provide diverse skillsets. 

According to SANS: “Threat hunting entails a more mature organization with a defensible network architecture, advanced incident response capabilities, and security monitoring/security operations team.”

Tools and Technology: Many enterprises use comprehensive endpoint security solutions for detection and response, as well as security monitoring services and management tools. These solutions can include:

• SIEM and statistical intelligence analysis tools, such as SAS programs

• Threat intelligence platforms (TIPs), where threat intelligence is gathered and curated

• Industry threat data banks, such as the Financial Services Information Sharing and Analysis Center (FSISAC) and other ISACs, for security data with actionable indicators

• Bad IP address or hash, vulnerability management for published risks, and online reputable publications on threats

Generally, these technologies are siloed, requiring cyber threat hunters to manually integrate their outputs to reach a decisive conclusion.

This complexity presents a significant challenge for organizations lacking the necessary human expertise and resources.

Data: By establishing a baseline of a network’s traffic or system behavior, security personnel can then develop a baseline of expected and authorized events from which to identify anomalies. Use threat intelligence to focus on high-impact malicious activities first.