Finding threat actors before they find you is key to beefing up your cyber defenses. How to do that efficiently and effectively is no small task – but with a small investment of time, you can master threat hunting and save your organization millions of dollars.
Consider this staggering statistic. Cybersecurity Ventures estimates that cybercrime will take a $10.5 trillion toll on the global economy by 2025. Measured as a national economy, cybercrime would be the world's third largest after the U.S. and China. But with effective threat hunting, you can keep bad actors from wreaking havoc on your organization.
This article offers a detailed explanation of threat hunting – what it is, how to do it thoroughly and effectively, and how cyber threat intelligence (CTI) can bolster your threat-hunting efforts.
What is threat hunting?
Cyber threat hunting is gathering evidence that a threat is materializing. It's a continuous process that helps you find the threats that pose the most significant risk to your organization and empowers your team to stop them before an attack launches.
Threat hunting in six parts
Throughout the hunt, careful planning and attention to detail are essential, as well as ensuring all team members follow the same plan. To maintain efficiency, document every step so others on your team can easily repeat the same process.
1 — Organize the hunt.
Ensure your team is prepared and organized by inventorying your critical assets, including endpoints, servers, applications, and services. This step helps you understand what you're trying to protect and which threats those assets are most prone to. Next, determine each asset's location, who has access to it, and how that access is provisioned.
Finally, define your priority intelligence requirements (PIRs) by asking questions about potential threats based on your organization's environment and infrastructure. For example, if you have a remote or hybrid workforce, such questions might include:
- To which threats are remote devices most vulnerable?
- What sort of evidence would those threats leave behind?
- How will we determine if an employee is compromised?
2 — Plan the hunt.
In this phase, you will set the necessary parameters through the following:
- State your purpose – including why the hunt is necessary and which threat(s) you should focus on, as determined by your PIRs. (For example, a remote workforce may be more prone to phishing attacks under a BYOD model.)
- Define the scope – identify your assumptions and state your hypothesis based on what you know. You can narrow your scope by understanding what evidence will surface if the threat you're looking for launches.
- Understand your limitations, such as what data sets you can access, what resources you must analyze, and how much time you have.
- Set the time frame with a realistic deadline.
- Determine which environments to exclude, and look for contractual relationships that may prevent you from carrying out the hunt in specific settings.
- Understand the legal and regulatory constraints you must follow. (You can't break the law, even when hunting for bad guys.)
3 — Use the right tools for the job.
There are plenty of tools for threat hunting; which ones you need depends on your asset inventory and hypothesis. For example, if you're looking for a potential compromise, SIEM and investigative tools can help you review logs and determine if there are any leaks. The following is a sample list of options that can significantly improve threat-hunting efficiency:
- Threat intelligence – specifically, automated feeds and investigative portals that fetch threat intelligence from the deep and dark web
- Search engines and web spiders
- Information from cybersecurity and antivirus vendors
- Government resources
- Public media – cybersecurity blogs, online news sites, and magazines
- SIEM, SOAR, investigative tools, and OSINT tools
4 — Execute the hunt.
When executing the hunt, it's best to keep it simple. Follow your plan point by point to stay on track and avoid diversions and distractions. Execution takes place in four phases:
- Collect: this is the most labor-intensive part of a threat hunt, especially if you use manual methods to gather threat information.
- Process: compile the data and put it into an organized, readable format that other threat analysts can understand.
- Analyze: determine what your findings reveal.
- Conclusion: if you find a threat, do you have data to support its severity?
5 — Conclude and evaluate the hunt.
Evaluating your work before you begin the next hunt is imperative to help you improve as you go. Below are some questions to consider in this phase:
- Was the chosen hypothesis appropriate to the hunt?
- Was the scope narrow enough?
- Did you collect helpful intelligence, or could some processes be done differently?
- Did you have the right tools?
- Did everyone follow the plan and process?
- Did leadership feel empowered to address questions along the way, and did they have access to all the needed information?
6 — Report and act on your findings.
In concluding the hunt, you can see if your data supports your hypothesis – and if it does, you'll alert the cybersecurity and incident response teams. If there is no evidence of the specific issue, you'll need to evaluate resources and ensure there were no gaps in the data analysis. For example, you may realize that you reviewed your logs for a compromise but did not check for leaked data on the dark web.
Take threat hunting to the next level with CTI
CTI can be an effective component of your threat-hunting program, particularly when the threat intelligence data is comprehensive and includes business context and relevance to your organization. Cybersixgill removes the access barrier to the most valuable sources of CTI and provides deep-dive investigative capabilities to help your team seek the highest-priority potential cyberthreats.
Our investigative portal enables you to compile, manage, and monitor your complete asset inventory across the deep, dark, and clear web. This intelligence helps you identify potential risks and exposure and understand potential attack paths and threat actor TTPs, so you can proactively expose and prevent emerging cyber attacks before they are weaponized.
For more information, please download my latest report Threat Hunting for Effective Cybersecurity. To schedule a demo, visit https://cybersixgill.com/book-a-demo.
Note: This article was expertly written and contributed by Michael-Angelo Zummo, Senior Cyber Threat Intelligence Analyst at Cybersixgill.