What is Threat Hunting?
Threat hunting to best put it is the pursuit of abnormal activity on servers and endpoints that may be signs of compromise, intrusion, or exfiltration of data. Though the idea of threat hunting is not new, for many organizations it sure is.
Commonly speaking, the mindset regarding intrusions is to simply wait until it has happened. The issue with this is that if you wait for the intrusion, you will be waiting for an average of 220 days between the intrusion and the first time you hear about it. By then you probably will not find out about it unless you are notified by law enforcement or a credit agency.
To perform threat hunting effectively, you need tools that give you highly granular visibility into the goings‐on in the operating systems of every endpoint and server. These activities can be things like processes that are launched, files that are opened, and network communications that take place.
Threat hunting can be considered systematic. Threat hunting involves identifying anything that is remotely similar to an intrusion and also needs to be instilled as a process that security teams make and schedule a time for.
The types of threat attributes that are hunted include the following:
✓ Processes: Hunters are looking for processes with certain names, file paths, checksums, & network activity. Hunters want to find processes that make changes to registry entries, have specific child processes, access certain software libraries, have specific hashes, make specific registry key modifications, and include known bad files.
✓ Binaries: Here hunters look for binaries with certain checksums, file names, paths, metadata, specific registry modifications, and many other characteristics.
✓ Network activity: This threat attribute includes network activity to specific domain names and IP addresses.
✓ Registry key modifications: Hunters can look for specific registry key additions and modifications.
The thing with threat hunting is, it isn’t about just finding “evil malicious vectors” within your systems. Instead, it’s about anything that could be evidence that evildoers leave behind on your systems. With threat hunting, you’re looking for things that indicators of compromise (IOC)‐based detection otherwise would not catch.
When attackers’ go for an organization’s sensitive data, their initial objectives generally include stealing valid login credentials. These attackers are virtually insiders that will seek out activities of organizations’ networks, systems, and applications. But like the personnel whose login credentials they’ve stolen, attackers use these credentials to carry out search‐and‐steal (or search‐and‐destroy) missions, using tools and techniques that end‐users don’t use. These are the ANOMALIES that threat hunters should be actively looking for.
Threat hunting is needed for the following reasons:
✓ Malware stealth: Passive intrusion detection doesn’t work because of the stealthy techniques used by cybercriminal organizations and the malware they produce. Today’s malware is able to easily evade antivirus software through polymorphic techniques that enable it to change its colors like a chameleon.
✓ Evolving attack vectors: Attackers are innovating at a furious rate, which results in new forms of attack that are
✓ Dwell time: You can’t afford to wait weeks or months to learn about incidents. From the moment of intrusion, the cost, damage, and impact from a breach grow by the hour and by the day. The average time for detection of 220 days is no longer acceptable.
Threat hunting is becoming a part of the infosec set of rules. Threat hunting will soon be a part of the due care for information protection expected by customers, regulators, and the legal system.