In order to keep up with the deluge of new cyber threats and malware attacks, cyber threat hunting is becoming more popular. Cybercriminals continue to get more adept at using techniques and building tools that make it extremely difficult for traditional signature-based technologies to detect them. So difficult in fact, that it’s fairly common for an organisation to not know an intrusion has occurred for days, weeks, or even months.
Passively monitoring for signs of malware and relying on traditional signature-based technology is not effective. That’s why we’re seeing a shift to a more proactive approach, including hunting for potential network threats, by many organisations.
What is Threat Hunting?
SANS defines threat hunting as a focused and iterative approach to searching out, identifying, and understanding adversaries internal to the defender’s networks. It’s a method of searching through networks and datasets to find advanced persistent threats that evade existing security defenses.
A Crowd Research Partners survey of the Information Security Community on LinkedIn revealed that many organisations are quickly discovering that cyber threat hunting is the next step in the evolution of the modern Security Operations Center (SOC) to combat an increasing array of sophisticated threats from attackers.
It’s important to note that Threat Hunting is not a technology. It takes highly-trained security experts for accurate and consistent threat detection.
The Tools of the Hunter
There are three important tools that a threat hunter needs.
- Data. This should include log data from all your network devices, including servers, firewalls, databases, routers, switches, etc., along with all endpoint activity. It’s important to have a central location to assemble the data for analysis. This should include a process to aggregate, correlate, and normalize the millions of data points you’ll be collecting.
- A Baseline of the Environment. One way to get a better understanding of your network's behavior is to baseline it over time. If you develop your network traffic baseline, and confirm the events in that baseline are expected and authorised, then you can spend less time looking at the noise on your network, and more time looking at those events that do not fit your baseline.
- Current Threat Intelligence. With cyber-attacks increasing, the likelihood that many organisations are experiencing the same attack is also increasing. When such an incident occurs, the intelligence gathered – including what happened, how it was dealt with, and lessons learned – can teach you what to do in the same situation. Stay up-to-date on the current threat environment, so you can quickly understand and effectively respond to evolving threats.
10 Things Threat Hunters Watch For
From an article in ITWorld, here are 10 things a threat hunter watches for:
- Low and slow connections.
- Same number of bytes in and out.
- Suspicious sites.
- Failed logon attempts.
- Explicit credentials.
- Privilege changes.
- Signs of password dumping programs.
- Common backdoors.
- Dropper programs.
- Custom detections.
Benefits of Threat Hunting
The SANS 2017 Threat Hunting Survey found that 60% of organisations using threat hunting tactics are seeing measurable improvements in security. Of significance, 91% of those cited measuring improvement in both the speed and accuracy of response and in attack surface exposure. Other benefits mentioned were:
- Reduced time from infection to detection.
- Prevented spread of infection or lateral movement through network.
- Reduced number of actual breaches based on the number of incidents detected.
- Reduced exposure to external threats.
- Reduced time and money spent on response.
- Reduced frequency and number of malware infections.
Challenges of Threat Hunting
That same SANS study also found that while many organisations understand the need to adopt threat hunting practices, it’s not an easy task to undertake. “The inability to detect advanced threats and find expert security staff to assist with threat mitigation are the top two challenges SOCs are facing. As a result, about four in five respondents stated their SOC does not spend enough time searching for emerging and advanced threats.”
Many IT and security teams are already stretched thin, so it can be difficult to effectively focus on hunting. Plus it takes a highly-trained professional to hunt. They need to understand what they are reviewing and be able to read the context clues to piece an attack together.
Because the cybersecurity workforce shortage is projected to hit 1.8 million by 2022 [Source: ISC2], it could become even more difficult to find hunters moving forward. That’s why increasing number of organisations are looking to specialised security service providers, like nDiscovery, to fill this gap.
While threat hunting may be a new buzz word circulating throughout the cybersecurity world, the concept of human analysts hunting threats is not new. In fact, for more than a decade nDiscovery has employed this methodology to detect incidents before they become breaches.