When cybersecurity teams are primarily oriented toward responding to attacks – a "right of bang" approach – they have an inherently limited scope. A security team that prioritizes remediation and containment assumes the inevitability of security breaches.This is why the idea of incorporating cyber threat hunting into your cybersecurity program is growing in popularity… it takes a "right of bang" approach and shifts it to something more proactive… something that is more "left of bang".
Cyber threat hunting is a proactive cybersecurity strategy that searches through networks to detect and isolate advanced threats before they present themselves. Threat hunters do not simply search for active threats – they are in search of hacker tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), indicators of attack (IoAs), and threats such as Advanced Persistent Threats (APTs) evading your existing security system. Although cyber threat hunters have a variety of strategies at their disposal, the best strategy is often determined by the type of threat they are hunting.
Related Resource: Understanding Cybersecurity Best Practices
At its core, threat hunting is more than just detection and response. While threat detection focuses on identifying evidence of an attack such as correlated events or signature-based detection, threat hunting takes a more proactive approach to cybersecurity. Proactive threat hunting is intended to counteract an adversary that is in the organization’s environment but has not yet shown any indicators of compromise (IoC).
Threat detection relies on indicators of compromise because:
In comparison, threat hunting uses threat indicators as a starting point or hypothesis for a quest. Virtual fingerprints left by malware or an attacker, a weird IP address, phishing emails, or other unexpected network traffic are all threat signs. In other words, threat hunting does not wait for IoCs to appear before seeking out security breaches.
Threat hunting is more focused on indicators of attack (IoA):
Both threat detection and threat hunting are complementary approaches to identifying and responding to security threats and are most effective when used in tandem. While threat detection provides vital defensive measures, threat hunting is the offensive playbook for outmaneuvering an enemy before they have the chance to act.
Applied to a non-security setting, think about it this way: An effective criminal does research before staging a robbery. A bank that relies solely on threat detection is only alerted once IoCs are flagged when the criminal has already accessed the vault. A bank that also threat hunts would be continuously on alert for IoAs that would allow their security team to respond to suspicious activity before any plan is executed. A plotting bank robber would likely investigate security systems, walk around the premises, and note the layout of the bank and the location of the vault prior to returning to perform a heist. None of these IoAs may individually signal an imminent threat, but they give reason to monitor the individual when viewed together in context.
As cybersecurity technology continues to innovate and evolve, adversarial tactics become more sophisticated as well. Threat hunting is an essential strategy because it offers a solution to this dilemma, taking a more proactive approach to cybersecurity threats and using a human element instead of technology. This is important for fending off threats before they become a problem because:
Effective threat hunters hypothesize the most likely tactics and attack chains by thinking like their enemies. That said, there is no one-size-fits-all tactical approach to threat hunting. Instead, effective threat hunters rely on an arsenal of effective tools, frameworks, and methodologies for hunting threats.
Additional tools that could be used within your threat hunting program:
Related Resource: Using MITRE ATT&CK Framework for Beyond-Checkbox Cybersecurity
Threat hunting frameworks offer structured strategies for combing through data points for IoAs based on tactics often employed by hackers.
Underneath the methodologies, tools, and frameworks, implementing threat hunting in your cybersecurity requires a significant paradigm shift.
Below is a scenario from Avertium’s Sr. Cybersecurity Analysts, Lee Tibbals who has years of real-world experience with threat hunting to keep our clients safe.
“I may take a different approach to threat hunting compared to other cybersecurity professionals (hence the art and science) when using a SIEM/EDR solution. In my experience, it starts with having a knowledge of the client’s environment, such as what logs I can parse through (in addition to other vital information). Having a good knowledge of the client’s environment is the foundation to a successful threat hunt, along with the understanding of the threat indicators that make up a malicious campaign one might find when going through the logs.
One thing to note is that not all of the threat hunts I’ve worked on have been reported, but most do – two, in particular, being the SolarWinds and Log4j activity.
To start a threat hunt from scratch, I begin by finding out what is available in the client’s environment. Then, I proceed with that information and conduct research for exploits/malicious activity that may apply to that client’s infrastructure. As theories are developed involving the malicious activity I am searching for, I come to find that sometimes those theories will not pan out… but, it can lead us to something else.
For instance, I started with a DNS threat hunt once looking for C2 traffic and malicious domains that may lead to other campaigns only to find traffic that was not malicious. It was simply a configuration issue that the clients did not know about. While the hunt did not provide any malicious activity, it helped them fix a configuration issue they did not know about.”
The tactics, techniques, and procedures of bad actors are always evolving. Adaptive enemies call for adaptive security. Avertium’s holistic, risk-based approach to cybersecurity layers services, technology capabilities, and tried-and-true security frameworks like MITRE ATT&CK with strategy and client collaboration to deliver a more resilient security posture.
Avertium puts the context of threat hunting into action. Attacks are highly orchestrated sequences of events. Learning how to “see them” requires the broadest view of data – not just from security tools. By combining our robust threat hunting tools and advanced threat intelligence with a heat map of your existing environment, Avertium gives you the broadest possible coverage across your network, your assets, and your people. After all, you are not fighting technology; you are fighting humans behind the technology. It is essential to understand your own systems’ vulnerabilities (Know Thyself) and how they may be susceptible to exploitation from your continuously adapting adversaries (Know Thy Enemy).
NIST CSF: Using proven frameworks like NIST CSF alongside our in-depth onboarding diagnostic, we get to know your business, your attack surface, your protocols, and your areas of greatest weakness + strength.
Threat Hunting, MITRE ATT&CK: Leveraging our cyber threat intelligence (CTI) alongside the MITRE ATT&CK framework, we then understand current and most likely future attack scenarios.
Related Resource: Cybersecurity Begins in the C-Suite