Threat hunting is an essential component of your cybersecurity strategy. Whether you're getting started or in an advanced state, this article will help you ramp up your threat intelligence program.
What is Threat Hunting?
The cybersecurity industry is shifting from a reactive to a proactive approach. Instead of waiting for cybersecurity alerts and then addressing them, security organizations are now deploying red teams to actively seek out breaches, threats and risks, so they can be isolated. This is also known as "threat hunting."
Why is Threat Hunting Required?
Threat hunting complements existing prevention and detection security controls. These controls are essential for mitigating threats. However, they are optimized for low false positive alerting. Hunt solutions, on the other hand, are optimized for low false negatives. This means that the anomalies and outliers that are considered false positives for detection solutions, are hunting solutions' leads, to be investigated. This enables threat hunting to eliminate existing gaps between detection solutions. A strong security strategy will utilize both types of solutions. Tal Darsan, Security Services Manager at Cato Networks, adds, "Overall, threat hunting is crucial because it enables organizations to proactively identify and address potential security threats before they can cause significant damage. Recent studies show that the dwell time of a threat in an organization's network until the threat actor achieves their final objective, could last for weeks to months. Therefore, having an active threat-hunting program can help detect and respond to cyber threats promptly which other security engines or products miss."
How to Threat Hunt
A threat hunter will start by conducting in-depth research of the network and its vulnerabilities and risks. To do so, they will need a wide variety of technological security skills, including malware analysis, memory analysis, network analysis, host analysis and offensive skills. Once their research yields a "lead," they will use it to challenge existing security hypotheses and try to identify how the resource or system can be breached. To prove/disprove their hypothesis, they will run iterative hunting campaigns.
If "successful" in breaching, they might help the organization develop detection methods and fix the vulnerability. Threat hunters might also automate some or all of this process, so it can scale.
Tal Darsan adds "MDR (Managed Detection and Response) teams play a critical role in achieving effective threat hunting by providing specialized expertise and tools to monitor and analyze potential security threats. Hiring an MDR service provides organizations with expert cybersecurity support, advanced technology, 24/7 monitoring, rapid incident response, and cost-effectiveness. MDR service providers have specialized expertise and use advanced tools to detect and respond to potential threats in real time."
Where to Search for Threats
A good threat hunter needs to become an Open Source INTelligence (OSINT) expert. By searching online, threat hunters can find malware kits, breach lists, customer and user accounts, zero-days, TTPs, and more.
These vulnerabilities can be found in the clear web, i.e, the public Internet that is widely used. In addition, plenty of valuable information is actually found in the deep web and the dark web, which are the internet layers below the clear web. When going into the dark web, it's recommended to carefully mask your persona; otherwise, you and your company might be compromised.
It's recommended to spend at least half an hour a week on the dark web. However, since it's hard to find vulnerabilities there, most of what you identify will probably be from the deep and clear webs.
Considerations for Your Threat Intelligence Program
Setting up a threat intelligence program is an important process, which is not to be taken lightly. Therefore, it is essential to thoroughly research and plan out the program before beginning implementation. Here are some considerations to take into account.
1. "Crown Jewel" Thinking
When building your threat-hunting strategy, the first step is to identify and protect your own crown jewels. What consists as mission-critical assets differs from organization to organization. Therefore, no one can define them for you.
Once you've decided on what they are, utilize a Purple Team to test if and how they can be accessed and breached. By doing so, you will be able to see how an attacker would think so you can put security controls in place. Continuously verify these controls.
2. Choosing a Threat Hunting Strategy
There are many different threat-hunting strategies that you can implement into your organization. It's important to ensure your strategy addresses your organization's requirements. Example strategies include:
- Building a wall and blocking access entirely, to ensure anything related to initial access and execution is blocked
- Building a minefield, when assuming the threat actor is already inside your network
- Prioritizing where to start according to the MITRE framework
3. When to Use Threat Intelligence Automation
Automation drives efficiency, productivity and error reduction. However, automation is not a must for threat hunting. If you decide to automate, it is recommended to ensure you:
- Have the staff to develop, maintain and support the tool/platform
- Have completed the basic housekeeping of identifying and securing the crown jewels. Preferable, automate when you're at an advanced maturity level
- Have processes are easily repeatable
- Can closely monitor and optimize the automation so it continues to yield relevant value
The Threat Hunting Maturity Model
Like any other implemented business strategy, there are various levels of maturity organizations can reach. For threat hunting, the different stages include:
- Stage 0 - Responding to security alerts
- Stage 1 - Incorporating threat intelligence indicators
- Stage 2 - Analyzing data according to procedures created by others
- Stage 3 - Creating new data analysis procedures
- Stage 4 - Automating the majority of data analysis procedures
Threat Intelligence Best Practices
Whether you're building your program from scratch or iterating to improve your existing one, here are come best practices that can help you boost your threat-hunting activities:
1. Define What's Important
Determine the important assets in your threat space. Keep in mind the "crown jewel" thinking that recommends creating an inventory of your mission-critical assets, checking the risk landscape, i.e., how they can be breached, and then protecting them.
Automate any processes that you can, if you can. If you can't, that's OK, too. You will get there as you become more mature.
3. Build Your Network
Protecting from cyber attacks is very hard. You can never be wrong, while attackers only need to be successful once. On top of that, they don't abide by any rules. That's why it's important to build your network and get (and provide) information from other players and stakeholders in the industry. This network should include peers in other companies, influencers, online groups and forums, employees at your company from other departments, leadership and your vendors.
4. Think Like a Criminal & Act like a Threat Actor
Threat hunting means shifting from a reactive to a proactive way of thinking. You can encourage this thinking by looking at threat intel, tracking groups, trying out tools and leveraging Purple Teaming for testing. While this may seem counter-intuitive, bear in mind that this is how to protect your organization. Remember, it's either you or the attacker.
To learn more about different types of cybersecurity practices and how to leverage them to protect your organization, Cato Networks' Cyber Security Masterclass series is available for your viewing.