Threat hunting is a proactive activity executed by security operations teams, risk management personnel, and IT operations. The goal of hunting for the organization is to assess, detect, and document possible cybersecurity threats before they become active.
Security operation teams (SecOps) need to develop a consistent and repeatable process to ensure the organization continues to gain value from this important exercise. By creating a threat hunting checklist, SecOps teams have a proven strategy to gather important telemetry across the network, endpoints, zero-trust authentication logs, and end-user devices. By executing successful threat hunting internal engagements, each organization will improve their overall security posture.
What Are the Key Takeaways Regarding Threat Hunting?
Threat hunting engagements place the organization on a cybersecurity offensive path, not defensive. Resources required to execute a threat hunting detection engagement become money well spent by the organization. Here are some important points all organizations should strive toward when enabling and sustaining their threat hunting strategy.
- Understand the critical role of proactive threat hunting in strengthening network resilience.
- Discover key components and strategies essential for effective threat hunting.
- Learn how to implement data collection and analysis tools for comprehensive threat detection.
- Explore the deployment of advanced detection tools like EDR and IDS.
- Adapt to the changing threat landscape with continuous strategy improvements.
Understanding the Threat Hunting Checklist
SecOps teams determined to discover threats against their organization use hunting as the foundation of an efficient threat detection strategy.
Threat hunting exercises help an organization discover vulnerabilities, indicators of compromise (IoCs), human error in configuration management, and inconsistency in remediation of critical assets. Discovering IoCs is critical for organizations because it exposes gaps in the threat detection strategy.
Importance of Proactive Security Threat Hunting
The threat from cybersecurity adversaries changes continuously. Hackers leveraging adversarial AI tools for email phishing, denial-of-service (DoS) attacks, and browser session hijacking have become more common. These AI tools help hackers automate their various attack vectors by increasing their velocity based on the success and failure of previous attacks.
AI-powered hunting tools have become very common among SecOps teams as a counter to the hacker's use of similar exploitation capabilities. SecOps teams have also turned to AI to assist with more automated threat hunting through comprehensive detection rules, automated risk assessments, and incident response.
SecOps teams continue to move ahead with automated threat hunting and detection engineering capabilities to help reduce human error and alert fatigue and to deliver more accurate intrusion analysis.
Why is Threat Hunting Important for Cybersecurity Professionals?
Without threat hunting, SecOps teams and the organization will remain in a very reactive state regarding cybersecurity response. The volume of AI-powered hacking attacks creates a no-win situation for an organization that remains in reaction mode instead of adopting a proactive mindset.
Threat hunting becomes the critical piece in the journey to transform the organization from a reactionary to a more proactive cybersecurity culture. By looking proactively for IoCs and for the tactics, techniques, and procedures (TTPs) documented within the MITRE ATT&CK Framework, the organization can adjust its current defensive capabilities and processes ahead of its adversaries.
Key Components of Threat Hunting Tools and Resource Allocation
When establishing a cyber threat hunting checklist, SecOps needs to break the plan into four phases to ensure the execution is effective, repeatable, and fluid.
Preparation
Within the preparation phase, SecOps teams, along with the senior leadership team, need to define the objectives for the threat hunting engagement. After the objectives become clearly defined, SecOps needs to list their sources for gathering intelligence. Most SecOps teams have access to global threat intelligence feeds and open-source material they can use to help with the threat hunting engagement. Another critical piece of the preparation phase includes the selection and enablement of various tools to assist with the engagement.
Threat hunting tools include endpoint security agents, next-generation firewalls, network detection and response (NDR) solutions, and intrusion prevention agents.
Data Collection
Threat hunting only works if the SecOps teams collect valuable telemetry from trusted sources. SecOps teams that deploy endpoint security agents gain the benefit of collecting valuable and relevant telemetry. SecOps teams also gain immeasurable value from collecting information from networking devices, firewalls, border routers, and cloud security solutions, including Cloud Access Security Broker (CASB) solutions. Zero-trust authentication logs are another valuable source of telemetry.
Once the SecOps teams have determined which telemetry resources they plan to collect from, they need to determine how much data needs to be captured and where the information needs to be stored. Security Information and Event Management (SIEM) tools remain an ideal repository for SecOps to store the data for analysis.
Collecting too little or too much data will affect the threat hunter's ability to produce threat intelligence with actionable insight. Too little data may also cause a false detection of a threat.
Detection Method
Once the data collection phase becomes defined, the next stage focuses on developing the detection process. SecOps teams need to define how best to use the collected data within a process flow to help deliver valuable insight into threats.
The first step in developing the detection method is creating an initial baseline. The next step is to access IoC sources that can be matched against possible indicators discovered during the threat hunting exercise. These IoC sources include feeds from IBM, BlackBerry Global Intelligence, VirusTotal, and the Cybersecurity and Infrastructure Security Agency (CISA).
Advanced Analysis Powered by AI and ML
Prior to artificial intelligence (AI) and machine learning (ML), SecOps teams used a mix of behavior-based analytics and signature-based threat tools to process the collected data against the various threat intelligence feeds. With access to AI and ML tools, threat hunters now have access to a faster and more accurate analysis of threats learned from previous telemetry.
Defining Key Areas of Concern Based on Risk and Overall Impact
Once the tools, data collection, and detection strategy have been defined, the next phase in the threat hunting checklist is defining where SecOps needs to begin to hunt within the enterprise environment.
Threat hunting ideally is needed across every aspect of the enterprise environment. However, it is not realistic to capture and analyze every element of network traffic, account login information, or TCP connections across the border router, switching core, cloud instances, and every endpoint. SecOps needs to focus on what attack vectors will cause the greatest damage against their organization and what assets are most likely going to be the top target.
For example, hackers leveraging email phishing for ransomware attacks will first look for weaknesses in messaging security. By embedding malicious links loaded with malware inside well-crafted emails, they can count on a large number of users clicking the link and mistakenly downloading and kicking off a ransomware attack.
As a result of this email phishing attack, SecOps needs to hunt for ransomware tactics, including lateral movement between hosts within the same network segment and attempts by the malware to communicate externally with command-and-control (C2) servers.
Another common attack vector used by hackers is the exploitation of weak and default passwords within the Active Directory (AD) administrative groups. By gaining access to AD administrative groups, hackers can increase their privileges while removing others from the same group. This hijacking of administrative permissions is a very common and successful attack vector.
Ultimately, these attack vectors either become a single-thread or full kill chain attack, resulting in a data exfiltration breach. Data exfiltration breaches result in the organization facing countless lawsuits, compliance violations, and loss of trust from their customers, employees, and partners.
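The detection method described above (an initial baseline plus IoC matching) and the two hunts just described (malware calling out to C2 servers and changes to Active Directory administrative groups) can be expressed as a small script. The following is an added example, not code from the original article or from ForeNova; every hostname, IP address, user, group name and log record in it is constructed sample data, the IoC list is a placeholder standing in for a real feed, and the beacon heuristic (connections recurring at a near-constant interval) is one simple approach among many.

```python
"""Added example (not from the original article): a minimal hunt over constructed
telemetry that (1) matches outbound connections against an IoC list and a baseline
of known-good destinations, (2) flags beacon-like periodic outbound traffic, and
(3) flags additions to privileged Active Directory groups. All hostnames, IPs,
users and events below are constructed sample data, not real indicators."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed IoC feed (placeholder values; a real hunt would load these from
# threat intelligence feeds such as the ones the article names).
IOC_DESTINATIONS = {"203.0.113.77", "update-check.example-bad.test"}

# Constructed baseline: destinations observed during a known-clean period.
BASELINE_DESTINATIONS = {"10.0.0.5", "updates.vendor.example", "mail.corp.example"}

# Privileged AD groups whose membership changes are always worth reviewing.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed network connection log: (timestamp, source host, destination).
NET_LOG = [
    ("2024-05-01T09:00:00", "ws-017", "updates.vendor.example"),
    ("2024-05-01T09:00:05", "ws-017", "203.0.113.77"),
    ("2024-05-01T09:01:05", "ws-017", "203.0.113.77"),
    ("2024-05-01T09:02:05", "ws-017", "203.0.113.77"),
    ("2024-05-01T09:03:05", "ws-017", "203.0.113.77"),
    ("2024-05-01T09:10:00", "ws-042", "mail.corp.example"),
    ("2024-05-01T09:12:30", "ws-042", "198.51.100.9"),
]

# Constructed AD audit records modelled on Windows "member added to group"
# events: (timestamp, actor, member added, group).
AD_LOG = [
    ("2024-05-01T08:55:00", "svc_backup", "svc_backup", "Domain Admins"),
    ("2024-05-01T09:30:00", "helpdesk1", "jdoe", "Helpdesk"),
]


def _ts(s):
    """Parse the constructed ISO-8601 timestamps into datetime objects."""
    return datetime.fromisoformat(s)


def match_iocs(net_log, iocs=IOC_DESTINATIONS):
    """Return sorted, de-duplicated (host, destination) pairs that hit the IoC list."""
    return sorted({(host, dest) for _, host, dest in net_log if dest in iocs})


def new_destinations(net_log, baseline=BASELINE_DESTINATIONS, iocs=IOC_DESTINATIONS):
    """Destinations outside the clean-period baseline that are not already known
    IoCs: the 'unknown unknowns' a hunter reviews by hand."""
    return sorted({dest for _, _, dest in net_log
                   if dest not in baseline and dest not in iocs})


def detect_beacons(net_log, min_events=4, max_jitter_s=5.0):
    """Flag (host, destination) pairs whose connections recur at a near-constant
    interval, a simple heuristic for C2 beaconing. Returns (host, dest, mean gap)."""
    by_pair = defaultdict(list)
    for ts, host, dest in net_log:
        by_pair[(host, dest)].append(_ts(ts))
    beacons = []
    for (host, dest), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:
            beacons.append((host, dest, sum(gaps) / len(gaps)))
    return beacons


def privileged_group_changes(ad_log, privileged=PRIVILEGED_GROUPS):
    """Return every membership addition to a privileged AD group; these are the
    administrative-group hijacks the article describes and each needs review."""
    return [rec for rec in ad_log if rec[3] in privileged]


def run_hunt(net_log=NET_LOG, ad_log=AD_LOG):
    """Run all hunts and return the findings as a dict ready for the report."""
    return {
        "ioc_hits": match_iocs(net_log),
        "new_destinations": new_destinations(net_log),
        "beacons": detect_beacons(net_log),
        "privileged_group_changes": privileged_group_changes(ad_log),
    }


if __name__ == "__main__":
    for section, hits in run_hunt().items():
        print(f"{section}:")
        for hit in hits:
            print("   ", hit)
```

On the constructed data the script reports one IoC hit (ws-017 to 203.0.113.77), the same pair as a beacon with a 60-second mean interval, one unbaselined destination (198.51.100.9) for manual review, and one addition to Domain Admins. The baseline set is what makes the "new destination" hunt useful: it has to come from a period the team trusts, otherwise existing compromise is baked into the baseline and never surfaces.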
Documenting and Reporting Findings
Effective threat hunting is about discovering vulnerabilities, existing persistence mechanisms, and what future exploitation could resemble. After a completed threat hunting engagement, SecOps teams need to document their findings along with remediation recommendations to help the organization reduce its risk of future attacks. This documentation will prove valuable if the organization plans to apply for cyber insurance or SOC 2 compliance or must explain a security breach to law enforcement.
Here are critical components all threat hunting reports should include.
- Summary: The SecOps team needs to craft a summary of the engagement, including method, source of data, tools used, and what elements within the enterprise environment were the core focus.
- Remediation Recommendations: SecOps needs to prioritize remediation based on the Common Vulnerability Scoring System (CVSS) score to help the organization work from the highest- to the lowest-risk areas of concern.
- Noted Areas of Concern: SecOps needs to craft a narrative disclosing areas of concern, including issues discovered that were a complete surprise or could become a much bigger issue in the future.
- Conclusion: SecOps needs to provide artifacts and a conclusion on how this threat hunting helped reduce the organization’s risk.
Continuous Improvement in Threat Hunting Strategies
Organizations moving ahead with threat hunting exercises need to consider a continuous monitoring strategy between engagements. Managed detection and response (MDR) services from ForeNova help organizations monitor their most critical assets between threat hunting engagements to look for any possible new threats. MDR services also help organizations recognize potential areas missed during the threat hunting exercise.