Threats to cyber security have been around for decades, but the sophistication and motivations of attackers have evolved. In the early days, they carried out relatively simple, insignificant attacks in an attempt to show off their programming abilities; now, sophisticated cybercriminals (sometimes sponsored by governments and companies) launch serious attacks to steal products and ideas, or other data, from digital infrastructure.
This change in the cyber security landscape has revealed a need for cyber threat hunting, a proactive way for companies and governments to protect their intellectual property and products from theft. In this article, we’ll identify what cyber threat hunting is, how it works, and the tools and processes used to carry it out.
What is cyber threat hunting?
Cyber threat hunting, also called cyber threat detection, describes the activities of a specialized or experienced security analyst. A cyber threat hunter aims to proactively search for evidence of suspicious activity that could be indicative of a breach or malicious intent.
According to SecurityIntelligence, while 80% of cyber threats can be mitigated by automated security tools and security operations center (SOC) analysts, the remaining 20% of attackers who sneak into networks undetected require more sophisticated methods of threat-hunting. Of that 20%, half can’t be detected with programmatic solutions; for this most advanced 10%, threat hunting is the best solution.
Threat hunting assumes that attackers are already inside your network. Studies show U.S. companies take an average of 206 days to detect a data breach, and that breaches that take more than 100 days to identify cost businesses 30% more than those that are identified within 100 days. This is where the importance of cyber threat hunting comes into play.
Not all cyber threat hunters follow one specific process; instead, they follow guidelines and best practices based on the data collected and the tools their team has available.
According to InfoSec, a threat hunter’s job generally includes the following:
- Collect & process data. Threat hunters must collect vast amounts of data from endpoint and network devices, as well as data from security solutions already in place. Threat intelligence data is essential to identifying gaps in security and activity patterns.
- Establish a hypothesis. Based on the data and threat intelligence gathered, cyber threat hunters formulate a possible attack scenario.
- Hunt. Using the data they’ve collected and the threat intelligence gathered, threat hunters then begin the hunt and attempt to confirm their hypothesis. Sometimes the hypothesis is proven and sometimes it’s not; in the case of the latter, the process begins again.
- Identify threats. If a hypothesis is validated and a threat is identified, cyber hunters work to see the scope of the threat’s impact and determine an action plan.
- Respond. In addition to stopping the attack, the hunt team will need to remove and/or restore affected files, identify what caused the event, and take steps to prevent similar attacks from happening again in the future.
How Threat Hunting Works
The success cyber threat hunting often depends on the quality of the tools, the breadth and completeness of data at the team’s disposal, as well as established processes for both active and passive threat hunting.
Threat Hunting Tools
In order to be successful, cyber threat hunting requires data, baseline information, and threat intelligence.
- Data—Cyber threat hunters need information gathered from organizations’ network devices, firewalls, data logs, antivirus software, and endpoints (cloud assets and physical workstations). The more data available, the better your cyber hunting team’s chances of success.
- Organization baseline—Identifying what “normal” looks like in the organization is one of a threat hunter’s key tasks. For example, all of the endpoints in an organization might be connecting to IP addresses in the United States, but suddenly one endpoint made connection to an IP address that is in North Korea, which could be considered an anomaly. Thus, baselining an organization’s environment helps make finding anomalies significantly easier.
- Threat intelligence—This data is a cyber threat hunting team’s basic source of information. Threat intelligence tools may include security information and event management (SIEM) tools, open-source threat intelligence platforms, and even intel from companies and government agencies.
Active & Passive Threat Hunting
Once the tools are in place, cyber threat hunters must perform both active and passive threat hunting to get a complete, 360-degree view of the security landscape.
- Active threat hunting means looking for threats on live machines using real time queries. For example: If the security community publishes APT32 indicators of compromise, you can run a query to see if any of your systems are currently infected. However, sophisticated attackers sometimes use multiple stages of attack, and often hide their tracks, so hunting on live machines (or real-time hunting) alone might not be sufficient to uncover malicious activities.
- Passive threat hunting means scanning historical data of system states, and comparing it against the latest threat intelligence. Where real-time threat intelligence can only reveal fragments of an attack, historical data permits you to reconstruct exactly what happened, and when. Moreover, historical data lets you uncover malicious activities which may have been completely overlooked using real-time threat detection tools alone. Using the same example as above: When the security community publishes APT32 indicators of compromise, you can run a query on the historical data to see if any of your systems were infected at any point in
time in the past. The Uptycs platform is unique in that it allows security professionals to query both real-time and historical data against threat intelligence feeds, making it a versatile tool for more comprehensive threat assessment.
Want to learn more about how threat hunting with Uptycs works?
Uptycs combines the open source universal agent, osquery, with a scalable security analytics platform for collection, aggregation, and analysis of your endpoint telemetry at scale. Uptycs combines this telemetry with integrated third-party threat intelligence feeds. Passive and active threat hunting can be done using pre-scheduled and ad hoc SQL queries, providing you threat visibility across macOS, Linux, and containers. To learn more, sign up for our on-demand webinar or ask us to see it live.