What is Threat Hunting?
A Part of the Security Program
How to Hunt: Threat Hunting Cycle
Developing a Hunt Plan
Threat Hunting Techniques
Threat Hunting Tools
A Mandatory Task for Acceptable Security
Learn More About Cyber Threat Hunting
Threat hunting is an iterative, repeatable, analyst-driven process for identifying the presence of adversaries and their tools before an attack is conducted or detected. It combines security tools, analytics, and threat intelligence with experience, analysis, and instinct.
As a practice, hunting will often identify new or previously undetected threats hidden within an environment. For the most part, however, it has been left to only a small percentage of companies because of the limited number of skilled threat hunters.
With the right tools, data, and time, skilled threat hunters are able to “find the bad” that traditional security controls have missed. This practice provides exceptional depth to organizations’ security programs; however, it is also one of the most expensive and slow-to-develop functions for a security team to build. To realize the return on investment (ROI), it is imperative to recognize that threat hunting isn’t there just to serve as a backstop against so-called advanced persistent threats (APTs). The best security programs integrate hunt teams into the overall security operations cycle.
The cycle consists of hypothesis, requirements, plan, hunt, enrich, and feedback.
There is still a lack of definition and formal model for all hunt operations to follow. Despite this, there are two unique approaches:
While unstructured threat hunts can be perfectly valid, they aren’t consistently successful and rarely find the most advanced threats hiding in environments. Instead, to accomplish this, threat hunters can use a structured approach built on the threat hunting cycle, which is based on the US Department of Defense Joint Targeting Cycle model and aims to capture intent, prioritization of targets, resource allocation, execution of operations, and feedback.
A threat hunt plan is a formal document around the hunt cycle that sets the course for the threat hunting techniques and methodologies teams will use to prove or disprove the hypothesis. The hunt plan should include:
Hypothesis-based threat hunts start with forming a hypothesis, or an educated guess about the types of activity that might be going on within an IT environment. After that, analysts or teams within the security operations center will drive forward a cycle of investigation using hunting techniques to discover malicious patterns within their data and reconstruct attack paths to reveal the attacker’s Tactics, Techniques, and Procedures (TTPs).
To find anomalous activity, threat hunters use a variety of tools and solutions, including:
Hunting has become a mandatory task for establishing an acceptable level of security. But currently the demand for skilled hunters far exceeds the number of available specialists. That’s why Cyborg Security has created the HUNTER Platform. With HUNTER, organizations can augment analysts and upgrade SOC processes.