By: Shimon Brathwaite
July 1, 2021
Cyber Threat Hunting Basics
What is Cyber threat hunting?
Cyber threat hunting is a type of proactive cyber defense. Unfortunately, advanced persistent threats (APTs) can be on a company network for weeks, months, or even years before they are noticed. On average, it takes about 228 days for a company to realize that it has been breached, according to IBM. To prevent this, companies do routine threat hunting, which is when security professionals look through the company's network for any signs of compromise. The goal is to find anyone who gained access to the company's network without notice. For very large companies, threat hunting can require most of a person's time, and it has become its own specialty within cybersecurity.
The four steps of Cyber Threat Hunting
Step 1: Hypothesis
A threat hunt usually begins with a hypothesis that outlines the expected threats for the environment. This hypothesis determines which devices are in scope for the team and which tactics, techniques and procedures (TTPs) they will research during the threat hunting exercise.
Step 2: Information Gathering
Based on step 1, the threat hunters gather information about their suspected targets, much as they would in a penetration test. This information takes the form of indicators of compromise (IOCs), which, simply put, are signs that you have been hacked. Some of the IOCs a threat hunter will look for include:
- IP Addresses
- Encrypted Traffic Metadata
- Log Detection
- File names
Step 3: Investigation
Once you know what kind of threat you're researching and have mapped it to a list of IOCs, you can start your investigation. Typically, threat hunters will use endpoint detection and response software to search through hundreds or thousands of machines at once. This allows them to narrow down the devices of interest pretty quickly.
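As an added illustration of steps 2 and 3 (not code from the original article), the sketch below sweeps constructed endpoint events for a constructed list of IP and file-name IOCs and ranks the hosts that matched. The event format, the field names (host, dst_ip, image), the host names and the indicator values are all assumptions made for the example.

```python
import ipaddress
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed IOC list for the hunt (documentation-range IPs, made-up file names).
IOCS = {"ip": {"203.0.113.45", "198.51.100.7"},
        "file_name": {"svch0st.exe", "invoice_2021.js"}}

# Constructed telemetry: one JSON event per line, in a hypothetical export format.
SAMPLE_EVENTS = r"""
{"host": "ws-014", "dst_ip": "203.0.113.45", "image": "C:\\Users\\amy\\AppData\\svch0st.exe"}
{"host": "ws-014", "dst_ip": "192.0.2.10", "image": "C:\\Windows\\System32\\svchost.exe"}
{"host": "ws-022", "dst_ip": "192.0.2.10", "image": "C:\\Users\\bob\\Downloads\\INVOICE_2021.JS"}
{"host": "srv-03", "dst_ip": "192.0.2.99", "image": "C:\\Windows\\explorer.exe"}
{"host": "ws-031", "dst_ip": "not-an-ip", "image": ""}
this line is truncated {"host":
"""

def normalize_ip(value):
    """Return the canonical text form of an IP, or None if it does not parse."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None

def hunt(events_text, iocs):
    """Map each host to the set of (ioc_type, value) indicators seen on it."""
    bad_ips = {normalize_ip(ip) for ip in iocs["ip"]} - {None}
    bad_names = {name.lower() for name in iocs["file_name"]}
    hits = defaultdict(set)
    for line in events_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines rather than abort the sweep
        host = event.get("host", "unknown")
        ip = normalize_ip(event.get("dst_ip", ""))
        if ip in bad_ips:
            hits[host].add(("ip", ip))
        # Windows file names are case-insensitive, so compare in lower case.
        name = PureWindowsPath(event.get("image", "")).name.lower()
        if name in bad_names:
            hits[host].add(("file_name", name))
    return dict(hits)

def hosts_of_interest(hits):
    """Rank hosts by how many distinct indicators matched, most first."""
    return sorted(hits, key=lambda h: (-len(hits[h]), h))
```

Calling `hosts_of_interest(hunt(SAMPLE_EVENTS, IOCS))` puts the host with two distinct indicators first; the legitimate `svchost.exe` event on the same host does not match the lookalike name.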
Step 4: Response/Resolution
Based on what is found, the final step is to remove anything that doesn't belong on the network. Firstly, you remove the item. This can mean quarantining or deleting the malware, or deleting a user account that shouldn't exist. Secondly, you should perform an investigation to figure out the root cause and make changes to prevent that from happening again. For example, suppose you find out someone browsed an adult entertainment website and accidentally downloaded malware. Then you may need to update your web filtering rules to prevent other employees from accessing similar websites.
How to get into Cyber Threat Hunting?
If you're interested in getting into threat hunting, you can start by taking some courses on the topic. Once you have a basic understanding, you can get professional certification through institutions like SANS. Their certification courses are considered some of the best in the industry and are well respected. In terms of work experience, a perfect place to get experience in threat hunting is a security operations center (SOC). SOCs get hundreds to thousands of alerts every day, and you will get many chances to perform investigations if you work in that environment.
Cyber threat hunting is all about finding hackers that may be sitting on your company's network without you even knowing it. It's a 100% proactive activity intended to help companies be more confident that their security operations function as intended. In addition to finding hackers, many companies incorporate a vulnerability assessment aspect into threat hunting programs. The people doing the investigation will also look for potential vulnerabilities that would allow someone to hack into the company. This way, threat hunting serves a dual purpose and still adds value to the company even if it hasn't been compromised.