Increasingly, organizations of all sizes are starting to augment their cyber defenses through Threat Hunting. In this post we will explore what Cyber Threat Hunting is and how it can help you to improve your cyber defenses.
One reality that organizations of all sizes have to deal with is that the cyber threat landscape is only becoming more complex, and cybercriminals more resourceful. As a result, it is increasingly a question of “when”, rather than “if”, a threat will breach your defenses. To make matters worse, according to the IBM Cost of a Data Breach Report, threat actors remain undetected inside a breached organization for an average of over 200 days.
We now have a situation where you need to assume that threats can bypass your defenses, and you need tools and techniques that allow you to find threats already lurking in your infrastructure. This is where Threat Hunting comes in. While preventive tools like firewalls and antivirus software try to stop attackers from getting in, Threat Hunting is a proactive activity that assumes attackers are already inside your environment. In the same way that a hunter stalks its quarry by looking for the telltale signs of its activity, like hoof or paw marks on the ground or twigs broken off trees, the cyber threat hunter methodically looks for evidence of attacker activity. Only once that evidence has been found can the attackers' tools be removed and systems restored to their normal state.
Threat Hunting Methodologies
The approaches followed by threat hunters generally fall into a few well-defined methodologies. We will explore three of the most widely used:
Investigation based on known Indicators of Compromise
Vast troves of threat intelligence exist, providing details of the Tactics, Techniques and Procedures (TTPs) used by threat actors together with the Indicators of Compromise (IOCs) that provide the telltale signs of an attack: the IP addresses, domains, URLs and file hashes associated with a known campaign. By searching telemetry data (such as logs) for known IOCs, threat hunters can zero in on attackers that are trying to remain undetected. The caveat is that IOCs are the easiest thing for an attacker to change, so a clean IOC sweep only tells you that no known tooling has been seen, not that nobody is there.
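The following is an added example of an IOC sweep, written for this article; it is not code from Samurai XDR or NTT. It assumes a plain-text log source and a feed of defanged indicators, both constructed here (the addresses and domains are reserved documentation values, and the hash is the SHA-256 of the empty string standing in for a malware hash). The two details a practitioner cares about are that indicators must be normalised (refanged, lower-cased, URLs reduced to their host) before matching, and that lookups are exact per indicator type rather than substring searches, so a short IOC does not light up unrelated lines.

```python
"""Sweep raw log lines for known indicators of compromise (IOCs).
Added example, not code from Samurai XDR or NTT. Feed and logs are constructed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed threat-intelligence feed. Published indicators are often
# "defanged" (hxxp://, [.]) so they cannot be clicked by accident, and must
# be normalised before matching. None of these values is a real indicator.
IOC_FEED = [
    "198[.]51[.]100[.]23",
    "hxxp://update-cdn[.]example[.]net/payload",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
]

# Constructed log lines (proxy, DNS, EDR). The last line is benign traffic.
SAMPLE_LOGS = [
    '2024-09-12T03:14:07Z proxy src=10.0.4.17 dst=198.51.100.23 url="http://update-cdn.example.net/payload" status=200',
    '2024-09-12T03:14:09Z dns client=10.0.4.17 query=update-cdn.example.net rcode=NOERROR',
    '2024-09-12T08:01:55Z edr host=ws-017 image=svchost.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
    '2024-09-12T08:02:10Z proxy src=10.0.4.22 dst=203.0.113.5 url="https://intranet.example.org/" status=200',
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(indicator: str) -> str:
    """Undo common defanging and lower-case so hashes and domains compare equal."""
    s = indicator.strip().lower()
    return s.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def classify(indicator: str) -> Tuple[str, str]:
    """Return (type, normalised value). A URL indicator is reduced to its
    host, so the match survives the attacker changing the path."""
    s = refang(indicator)
    if SHA256.fullmatch(s):
        return "sha256", s
    if IPV4.fullmatch(s):
        return "ipv4", s
    if s.startswith(("http://", "https://")):
        host = s.split("/", 3)[2].split(":")[0]
        return "domain", host
    return "domain", s


def build_index(feed: List[str]) -> Dict[str, Set[str]]:
    """One exact-match set per indicator type."""
    index: Dict[str, Set[str]] = {"ipv4": set(), "domain": set(), "sha256": set()}
    for ioc in feed:
        kind, value = classify(ioc)
        index[kind].add(value)
    return index


def extract_observables(line: str) -> List[Tuple[str, str]]:
    """Pull every hash, IP and domain-looking token out of one log line."""
    low = line.lower()
    found: List[Tuple[str, str]] = []
    found += [("sha256", m) for m in SHA256.findall(low)]
    found += [("ipv4", m) for m in IPV4.findall(low)]
    found += [("domain", m) for m in DOMAIN.findall(low)]
    return found


def sweep(logs: List[str], feed: List[str]) -> List[Dict[str, object]]:
    """Return one hit per (line, indicator); an indicator that appears twice
    on the same line is reported once."""
    index = build_index(feed)
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(logs, 1):
        seen: Set[Tuple[str, str]] = set()
        for kind, value in extract_observables(line):
            if value in index[kind] and (kind, value) not in seen:
                seen.add((kind, value))
                hits.append({"line": n, "type": kind, "indicator": value, "raw": line})
    return hits


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOGS, IOC_FEED):
        print(f"line {h['line']}: {h['type']} {h['indicator']}")
```

Run against the constructed lines, the sweep reports the IP and the domain on the proxy line, the domain on the DNS line and the hash on the EDR line, and nothing on the benign line. In a real hunt the same logic is pointed at the whole retention window, not just today's logs, because the IOC may have been seen months before the intelligence was published.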
Advanced Analytics and Machine Learning
When you collect telemetry data, such as system logs, it becomes possible to analyze it for anomalies or unusual behavior. Advanced Analytics and Machine Learning make it possible to find irregularities hidden in vast troves of data: a program that runs on only one host in the fleet, or a host whose activity is far outside what its peers produce. This approach depends on having a baseline of normal activity, and an anomaly is a lead to investigate rather than a confirmed compromise.
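As an added illustration of the analytics side (this is example code written for this article, not Samurai XDR or NTT code), the block below runs two classic hunting analytics over constructed EDR process-start events: stack counting, which ranks programs by how many hosts run them so that an attacker's dropped binary surfaces at the bottom of the stack, and a robust volume score that flags a host producing far more events than its peers. The fleet, paths and counts are all made up. One detail worth noting: the score uses the median and the median absolute deviation (MAD) rather than mean and standard deviation, because a single extreme host inflates the mean and standard deviation so much that it hides itself (with n hosts the plain z-score is bounded by roughly the square root of n, so a small fleet can never reach a 3-sigma threshold).

```python
"""Frequency analysis (stack counting) and robust volume scoring over
constructed EDR process-start events. Added example, not Samurai XDR or NTT code."""
from collections import Counter, defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed fleet telemetry as (host, process_path). Every host runs the
# same three programs; host i starts svchost.exe 25+i times so the baseline
# is not perfectly flat. Two things a hunter would want surfaced are added.
HOSTS = [f"ws-{i:03d}" for i in range(1, 9)]
EVENTS: List[Tuple[str, str]] = []
for i, host in enumerate(HOSTS, 1):
    EVENTS += [(host, r"C:\Windows\System32\svchost.exe")] * (25 + i)
    EVENTS += [(host, r"C:\Windows\explorer.exe")] * 10
    EVENTS += [(host, r"C:\Program Files\Mail\mail.exe")] * 10
# ws-004 runs a binary from a user-writable path that no other host runs.
EVENTS += [("ws-004", r"C:\Users\alice\AppData\Local\Temp\update.exe")] * 2
# ws-007 starts svchost.exe far more often than any peer.
EVENTS += [("ws-007", r"C:\Windows\System32\svchost.exe")] * 200


def stack_count(events: List[Tuple[str, str]], max_hosts: int = 1) -> List[Tuple[str, List[str]]]:
    """Stack counting: how many distinct hosts run each program? Software that
    belongs to the environment appears everywhere; a dropped tool appears on
    one or two hosts. Returns the programs seen on at most max_hosts hosts."""
    hosts_by_proc: Dict[str, Set[str]] = defaultdict(set)
    for host, proc in events:
        hosts_by_proc[proc.lower()].add(host)
    rare = [(proc, sorted(hosts)) for proc, hosts in hosts_by_proc.items()
            if len(hosts) <= max_hosts]
    return sorted(rare)


def modified_z_scores(counts: Dict[str, int]) -> Dict[str, float]:
    """Iglewicz-Hoaglin modified z-score: 0.6745 * (x - median) / MAD.
    Median and MAD are not dragged around by the very outlier being hunted."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Flat baseline (most hosts identical): fall back to the mean
        # absolute deviation, the usual substitute when MAD collapses to 0.
        mean_ad = sum(abs(v - med) for v in values) / len(values)
        if mean_ad == 0:
            return {h: 0.0 for h in counts}
        return {h: (c - med) / (1.253314 * mean_ad) for h, c in counts.items()}
    return {h: 0.6745 * (c - med) / mad for h, c in counts.items()}


def volume_outliers(events: List[Tuple[str, str]], threshold: float = 3.5) -> List[Tuple[str, float]]:
    """Hosts whose total event count is an outlier for the fleet, with score."""
    per_host = Counter(host for host, _ in events)
    scores = modified_z_scores(per_host)
    return sorted((h, round(s, 2)) for h, s in scores.items() if s > threshold)


if __name__ == "__main__":
    print("rare programs:", stack_count(EVENTS))
    print("volume outliers:", volume_outliers(EVENTS))
```

On the constructed data the stack count returns only the binary under the user's Temp folder on ws-004, and the volume score flags ws-007 alone. Both are leads, not verdicts: the next step is to pull that host's full history and look at what the program or the extra activity actually did.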
Hypothesis-driven Threat Hunting
When a new threat that is able to bypass existing security tools is identified in the wild, and the TTPs associated with it have been documented, threat hunters can form the hypothesis that the same behaviors may be present in your environment and use historical data to confirm or refute it. Because the hunt is for behavior rather than for specific indicators, it can catch an attacker even when the tooling and infrastructure differ from those reported.
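To make the hypothesis-driven approach concrete, here is an added example (written for this article, not Samurai XDR or NTT code) that tests one hypothesis against constructed historical telemetry: an Office application spawns a scripting interpreter and, within a few minutes, the same host opens a connection to an address outside the internal ranges, the familiar phishing-to-execution chain (ATT&CK T1566 leading to T1059). The event schema, the list of Office parents and interpreters, and the RFC 1918 internal ranges are assumptions of the example. Each half of the chain is noisy on its own (administrators run PowerShell, and Office talks to the internet); the ordered pair on one host inside a short window is the signal.

```python
"""Hypothesis-driven hunt over historical endpoint and network telemetry.
Added example, not Samurai XDR or NTT code; the events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed history. Addresses are reserved documentation/private ranges.
HISTORY: List[Dict[str, str]] = [
    # ws-011: Word spawns PowerShell, external connection 43 s later -> hit
    {"ts": "2024-03-02T09:12:01+00:00", "host": "ws-011", "kind": "process",
     "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"ts": "2024-03-02T09:12:44+00:00", "host": "ws-011", "kind": "network",
     "dst": "198.51.100.77", "dport": "443"},
    # ws-023: PowerShell from Explorer (an admin at the console) -> parent is not Office
    {"ts": "2024-03-02T10:05:00+00:00", "host": "ws-023", "kind": "process",
     "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": "2024-03-02T10:05:30+00:00", "host": "ws-023", "kind": "network",
     "dst": "198.51.100.77", "dport": "443"},
    # ws-042: Excel spawns wscript; only an internal SMB connection inside the
    # window, the external one comes 40 minutes later -> no hit at 10 minutes
    {"ts": "2024-03-02T11:30:00+00:00", "host": "ws-042", "kind": "process",
     "parent": "EXCEL.EXE", "image": "wscript.exe"},
    {"ts": "2024-03-02T11:31:00+00:00", "host": "ws-042", "kind": "network",
     "dst": "10.0.0.5", "dport": "445"},
    {"ts": "2024-03-02T12:10:00+00:00", "host": "ws-042", "kind": "network",
     "dst": "203.0.113.9", "dport": "80"},
]

# Assumed for the example: which parents and children make up the TTP, and
# which address ranges count as internal.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def hunt_office_spawn_then_beacon(events: List[Dict[str, str]],
                                  window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Return one hit per qualifying spawn: the spawn event plus the first
    external connection from the same host inside the window after it."""
    by_host: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    hits: List[Dict[str, object]] = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        for i, e in enumerate(evs):
            if e["kind"] != "process":
                continue
            if e["parent"].lower() not in OFFICE_PARENTS or e["image"].lower() not in SCRIPT_HOSTS:
                continue
            t0 = datetime.fromisoformat(e["ts"])
            for f in evs[i + 1:]:
                if datetime.fromisoformat(f["ts"]) - t0 > window:
                    break  # events are sorted, so nothing later is inside the window
                if f["kind"] == "network" and is_external(f["dst"]):
                    hits.append({"host": host, "spawn": e, "connection": f})
                    break
    return hits


if __name__ == "__main__":
    for h in hunt_office_spawn_then_beacon(HISTORY):
        print(h["host"], h["spawn"]["parent"], "->", h["spawn"]["image"],
              "then", h["connection"]["dst"], "at", h["connection"]["ts"])
```

With the default 10-minute window only ws-011 is returned; widening the window to an hour also surfaces ws-042, which is the trade-off a hunter tunes by hand: a tighter window gives fewer false positives, a wider one tolerates a slower second stage. The same function, pointed at a year of stored events instead of seven constructed ones, is what "hunting for a newly reported TTP in historical data" means in practice.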
Threat Hunting Process
Regardless of the methodology being used, Threat Hunting activities normally follow a process which has a few standard steps:
Trigger
Threat Hunts usually start with a Trigger that points hunters to a location in the network or a specific system, usually because detection tools have identified unusual behavior that warrants further investigation. Alternatively, a hypothesis about the possible presence of a newly identified type of threat, or a fresh threat intelligence report, might trigger a hunt.
Investigation
Once a Trigger has initiated the threat hunting process, the next step is to conduct an investigation. This is where threat hunters use tools that can detect the activities of threat actors or that allow you to analyze historical data. XDR, with its ability to analyze vast amounts of telemetry data and its capability to store historical data, can play an important role in this step. For example, Samurai XDR’s Advanced Query feature allows you to perform complex queries on a year’s worth of historical logs and alerts, so you can, for instance, find evidence of newly identified threats in historical events that are already in the data lake.
Alongside query tools, you also need to manage the investigation itself: creating it, assigning an owner, attaching the relevant alerts, recording notes and setting a severity, so that findings are tracked rather than lost.
Resolution
Once a Threat Hunt is concluded, the results need to be communicated and, if a threat has been detected, operations and security staff need to respond to the incident, mitigate the threat and, where required, restore data and systems. Whatever the outcome, the queries that found (or would have found) the behavior should be turned into automated detections, so that the next occurrence is caught without a hunt.
What is Required for Threat Hunting?
To perform effective Threat Hunting, some key capabilities are required. We will explore these briefly here:
Human Skills
Traditionally, Threat Hunting has relied very heavily on the skills of experienced security analysts. While human skills remain important, the increasing complexity of the cyber threat landscape, the vast volumes of data that have to be searched and the ingenuity of threat actors mean that we cannot rely on human skills alone. This is especially important for smaller organizations that cannot afford to retain large security teams: for them, modern tools are critical to augment human skills.
Historical Data
In order to perform Threat Hunts, you have to gather historical data, such as logs that give you visibility of events on network and endpoint assets across your entire on-premises and cloud-hosted technology estate. Tools such as XDR can play a crucial role in collecting, analyzing and storing this data.
Threat Intelligence
Threat Hunting involves cross-referencing historical data against threat intelligence, matching data from your infrastructure against the TTPs of threat actors. The curation of threat intelligence is the speciality of groups such as NTT’s Global Threat Intelligence Center, which provides the threat intelligence that drives Samurai XDR’s detection capabilities.
As already noted, modern tooling is critical in bringing together and augmenting these three components. XDR in particular is designed to provide an integrated solution that can efficiently ingest large amounts of data, analyze it against threat intelligence and store telemetry and alerts in a data lake for future use.
The Importance of Data Retention in Threat Hunting
Some threat actors can lurk in your infrastructure undetected for long periods, so we need to be able to “go back in time” far enough to find when a threat actor initially “broke in”. On top of that, we need a comprehensive view across the entire estate, covering all endpoints, network elements and cloud assets, to be able to tell exactly where an attacker has been while inside the organization. These factors underscore why we need to gather data from all of our infrastructure and retain it for a period, typically up to a year, that comfortably exceeds the dwell times reported above: a hunt can only look back as far as the data goes.
How can Smaller Organizations Build a Threat Hunting Capability?
While Threat Hunting has traditionally been the preserve of enterprises that own large and complex security tooling stacks maintained by highly skilled teams of analysts, the modern threat landscape demands that even smaller organizations develop the capability to hunt for cyber threats. This is where XDR democratizes capabilities that were previously reserved for larger enterprises, by providing a turnkey, integrated detection and response solution that combines the ability to ingest telemetry and analyze it against threat intelligence with the tools and interfaces needed to undertake investigations and hunt for threats. Another important focus of XDR applications is simplification: making user interfaces intuitive and embedding years of cybersecurity experience into tools that make it easy for less experienced users to deliver results.
A key area of focus for Samurai XDR is to integrate decades of knowledge into an application that provides smaller organizations with tools that allow them to perform tasks like investigations and Threat Hunts without having to rely on highly specialized security operations teams. To learn more about how you can benefit from the capabilities of Samurai XDR, start your free 30-day trial today.