Threat detection and incident response technologies are constantly evolving, but so are threat actors and their tactics. These days, instead of deploying malware or carrying out a destructive attack as soon as they get their hands on a vulnerability, criminals take their time – they scout the network, gather confidential data, and look for credentials that would give them access to more resources.
What’s striking is that even organizations equipped with advanced defense systems sometimes fail to detect stealthy intruders, allowing adversaries to spend weeks or even months lurking in the company networks before they are even discovered.
With attacks increasing and zero-day exploits reaching record numbers in 2021, companies must adopt a new, proactive approach to cybersecurity.
Experts believe that threat hunting is the way to go.
What is threat hunting?
To put it simply, threat hunting is a set of processes for proactively searching for threats that have evaded detection and may be running unnoticed in the background. It is not the same as investigating IoCs uncovered during monitoring – threat hunting starts from the assumption that attackers have already bypassed the existing security measures.
Threat hunting is an ongoing, active exercise that seeks to uncover threats before an attack is even carried out. The process is usually either data-driven or hypothesis-based.
Data-driven threat hunting is a process where experts go through log files from various data sources across the enterprise infrastructure looking for suspicious activity or anomalies. Sifting through such massive amounts of data can be time-consuming, but it is a great way for threat hunters to examine recently acquired parts of the infrastructure or to get an idea of the company’s attack surface, especially if this exercise has never been done before.
In hypothesis-based threat hunting, experts start by developing a hypothesis based on security data or a trigger. Instead of scouting all assets for every type of anomaly, threat hunters narrow their search and examine specific environments in search of a specific type of threat.
Why should threat hunting be a regular procedure?
While there are many dangers that organizations can be exposed to if threat hunting is not performed as a standard practice, one of the main ones is the fact that attackers can sneakily get in and lurk in the network for weeks or months without being noticed.
The thing is, automated cybersecurity measures like antivirus software don’t always catch sophisticated threats because of notification thresholds. Security systems don’t report every single suspicious action, because if they did, administrators would be overwhelmed with false alarms while actual threats went undetected. Cybercriminals take advantage of this flaw: once inside, they lie low and move laterally to avoid ringing any alarm bells.
This allows them to eventually get their hands on user accounts with more privileges and access to more critical information, which can lead to a significant data breach – not only costing the company millions of dollars but also its reputation.
Another reason why attackers manage to stay under the radar for so long is that threats can appear as legitimate activity. If an insider participates in an attack or a user’s login credentials are stolen, it’s possible to make data theft look like ordinary behavior. Abnormal patterns in user activity can definitely raise suspicion, but if the intruder avoids being too greedy, their actions in the system may not be enough to trigger an alert.
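As an added example (not from the article), here is a small Python hunt over constructed logon records that ties together the two points above: a conventional per-host alert threshold stays silent because the intruder never hammers one host, while the hypothesis “one account reaching unusually many distinct hosts within a week” surfaces the low-and-slow lateral movement. The log format, user names and host names are made up for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon log (not from the article). alice's account reaches
# five different hosts over three days but never the same host twice, so a
# per-host threshold of five successful logons never fires.
SAMPLE_LOG = """\
2021-03-01T08:02:11 user=alice dst=FS01 result=success
2021-03-01T08:40:52 user=bob dst=FS01 result=success
2021-03-01T09:15:03 user=alice dst=HR-DB result=success
2021-03-01T17:51:20 user=alice dst=WS-FIN07 result=success
2021-03-02T01:02:11 user=alice dst=DC02 result=success
2021-03-03T09:05:17 user=alice dst=SQL-PROD result=success
"""
LINE_RE = re.compile(r"(\S+) user=(\S+) dst=(\S+) result=(\S+)")

def parse(log_text):
    """Return (timestamp, user, host, result) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, dst, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, dst, result))
    return events

def per_host_alerts(events, threshold=5):
    """Conventional alert: same user logging on to the SAME host >= threshold times."""
    counts = defaultdict(int)
    for _, user, dst, result in events:
        if result == "success":
            counts[(user, dst)] += 1
    return {k for k, v in counts.items() if v >= threshold}

def hunt_host_spread(events, window=timedelta(days=7), min_hosts=4):
    """Hunt hypothesis: an account reaching >= min_hosts DISTINCT hosts within window."""
    by_user = defaultdict(list)
    for ts, user, dst, result in sorted(events):
        if result == "success":
            by_user[user].append((ts, dst))
    findings = {}
    for user, logons in by_user.items():
        for i, (start, _) in enumerate(logons):  # slide the window over each start
            hosts = {d for t, d in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings
```

Running both functions over the same events shows the gap between per-event alerting and a hunt that aggregates across time: the alert set is empty while the hunt flags alice.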
It is also important to mention that some areas of the security infrastructure can be neglected and become attractive entry points for attackers. There might be older devices that the employees don’t think are important anymore but are still running and providing easy access to valuable information.
And finally, let’s not forget that criminals are constantly developing new tactics to evade detection. It is highly likely that the next big attack will use techniques that current automated defenses are not familiar with. That said, creating a quality threat hunting program for your organization is a must if you haven’t already.
How to get started with threat hunting?
To start threat hunting, an organization must first have a pool of data collected from its security systems, as it provides valuable information for threat hunters. However, when examining the data, it is important to keep an open mind and avoid threat biases and bad analytical habits, which can lead to certain threats getting overlooked.
Another thing to note is that threat hunting is most successful when the context of the organization is taken into consideration and a hypothesis is developed based on the threats a company of that size and sector is likely to experience.
It is especially helpful if the threat hunters already come from the organization’s IT department as they are familiar with the environment and the company’s operations. Nevertheless, it is also common for organizations to hire an outside specialist or a whole team that completely takes care of threat hunting for them.
As attacks get more sophisticated and more destructive, solely relying on an automated threat detection system is not a wise decision. Since cybercriminals are often able to sneakily infiltrate a network and lurk around in the infrastructure for months, regular threat hunts are instrumental in uncovering intruders before an attack can be executed.
Adopting threat hunting as a standard practice takes time, resources, and expertise but that’s the only way to ensure no threat goes overlooked.