What is Threat Hunting?
Threat hunting is a proactive and iterative cyber defense activity essential to security operations centers (SOCs). It is done to find the unknown in a virtual environment and to detect, identify, and isolate sophisticated threat actors that traditional detection technology cannot easily see. If these threats are not detected as early as possible, the result can be a severe disruption of the virtual environment or network that causes tremendous damage. Thus, it should be implemented at an early stage of cybersecurity.
Its importance has grown as many commercial security tools have become more aware of these sophisticated threat actors. Even as newer tools, such as AI and machine learning security products, become more advanced, there will still be newer variations of threats that these advanced tools cannot identify.
Several methods exist for hunting, such as using Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) tools. However, for a successful and smooth hunt, the environment or network must have indicators of attack (IoAs) and indicators of compromise (IoCs) that can be used when hunting.
Listed below are tips from hunting experts that can also be leveraged:
Tip 1: Define your threat hunting mission
Having a defined mission is like having a ready grocery list: it gets the job done more efficiently. With a defined mission, instead of wandering aimlessly through an extensive network, you quickly know which threats you are planning to find and subdue. Missions with clear objectives are essential for the strategy to succeed. Without a defined task or goals, you are only monitoring, not proactively hunting.
Tip 2: Look for tunneled communications
Tunneled communications are one particular place in a network where traffic is usually encapsulated to carry other network protocols. Sophisticated threat actors usually embed their private communications in DNS traffic, since corporate firewalls generally allow outbound DNS. Because of this, they can easily carry their own protocol traffic into the environment and disrupt it from the inside. Thus, these tunneled communication channels must be watched constantly.
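One concrete way to act on this tip, as an added example that is not part of the original article: a small Python heuristic that scans constructed DNS query log lines and flags registered domains whose leftmost labels look like encoded data (long, high-entropy, almost never repeated, often TXT queries). The log format, the thresholds and the "last two labels" rule for the registered domain are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: time, client IP, query type, query name.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A mail.example.com
10:00:03 10.0.0.7 TXT 3q4d7f2a9c1e8b5d6a0f4c2e7b9d1a3f.tun.example.net
10:00:04 10.0.0.7 TXT 9f1e2c4b7a8d3e5f0c6a1b2d4e7f9a3c.tun.example.net
10:00:05 10.0.0.7 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.tun.example.net
10:00:06 10.0.0.7 TXT 0fedcba9876543210fedcba987654321.tun.example.net
10:00:07 10.0.0.9 A cdn.example.org
"""

def shannon_entropy(text):
    """Bits per character; random-looking (encoded) labels score high."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def parse_log(text):
    """Return (client, qtype, qname) tuples from whitespace-separated lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append((parts[1], parts[2].upper(), parts[3].lower().rstrip(".")))
    return rows

def find_tunnel_candidates(rows, min_queries=3, max_label_len=25, min_entropy=3.0):
    """Group queries by registered domain (assumed: last two labels, which ignores
    public suffixes like co.uk) and flag domains whose labels look like encoded data."""
    by_domain = defaultdict(list)
    for _client, qtype, qname in rows:
        labels = qname.split(".")
        if len(labels) >= 3:              # only names that carry a subdomain part
            by_domain[".".join(labels[-2:])].append((labels[0], qtype))
    flagged = {}
    for domain, entries in by_domain.items():
        if len(entries) < min_queries:
            continue
        labels = [lbl for lbl, _ in entries]
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        unique_ratio = len(set(labels)) / len(labels)   # tunnels rarely repeat a label
        txt_ratio = sum(qt == "TXT" for _, qt in entries) / len(entries)
        if avg_len > max_label_len and avg_ent > min_entropy and unique_ratio > 0.8:
            flagged[domain] = {"queries": len(entries), "avg_entropy": round(avg_ent, 2), "txt_ratio": round(txt_ratio, 2)}
    return flagged
```

Run against real resolver or firewall DNS logs, the thresholds need tuning to the environment's own baseline, which is exactly the "hunt continues" point made later on this page.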
Tip 3: Scope your data
To scope the data needed for the hunt, put parameters around the volume of data you will sift through. Good data sources include network logs, data logs, or even the SIEM. It is recommended to search through a week's or a month's worth of data – but not more or less than that. Utilizing trending data can help better identify sophisticated attacks and misconfigurations. Large data sets across multiple sources can generate valuable insights. It is also essential to first identify the characteristics of the threat being hunted, such as the URL used, which makes it easier to match suspicious activities in the data sources. SOCs can use machine learning tools to accelerate this process of identifying abnormal behaviors in the network.
Tip 4: Use sorting techniques to narrow the hunt
Since you have to work through many data sets, use sorting techniques to narrow the hunt for possible threats. Many sorting methods are available; one typical example is sorting web traffic by the HTTP method used.
Tip 5: Look for service oddities
Aside from traffic oddities, another thing to look for is service oddities. These are network anomalies in which a port or protocol is being used rarely or unusually. Threat hunting does not focus entirely on finding suspicious activities in the network. It also includes hunting for issues or weaknesses within the web that can pose security problems that sophisticated attackers can use to infiltrate the network.
Tip 6: The hunt continues
Threat hunting is not a one-time activity but a continuous and iterative campaign. SOCs constantly track findings and improve their security and hunting strategies over time. The first set of hunts is used as a baseline to remove the noise that gets in the way of accurately identifying malicious activity. The goal is to constantly learn, understand, and improve your environment so you can identify the “abnormal” with higher fidelity. By fully understanding the expected behavior of your network, you can easily see the abnormalities within it.
The Bottom Line
The process of hunting gives you the chance to examine your network from the perspective of a threat actor. Finding threats in every hunt is not guaranteed. But the opportunity to see misconfigurations, network anomalies, and potential weaknesses is the main virtue of exercising threat hunting over time. Applying these tips will improve your understanding of your environment and strengthen your overall cybersecurity defenses.