Threat Hunting 101

Our networks are attacked hundreds, sometimes thousands of times a day by hackers and fraudsters alike.  Occasionally, these attacks succeed in gaining a foothold on the targeted network.  Worse, skilled attackers have repeatedly demonstrated that they can remain hidden for months, sometimes years, before being detected.

The reality of today’s situation is that, within a complex enterprise network, no amount of investment in security controls will stop every breach, nor will it keep out a well-resourced and determined attacker who wants in.  This realization has pushed many organizations to expand beyond reactive intrusion detection and invest in a proactive approach called threat hunting.

What is Threat Hunting?

Threat hunting, as defined by the SANS Institute’s Rob Lee, is “a focused and iterative approach to searching out, identifying and understanding adversaries internal to the defender’s networks.” In other words, it’s how you find the attackers lurking within your network today.

Threat hunting is not about preventing a breach.  It is the proactive search for an adversary or compromise you did not already know was there, so that you can take appropriate action to eradicate the threat. A successful hunt program should aim to:

  • Detect adversaries and malicious software that slipped past prevention measures as early as possible, and establish the severity and scope of the compromise.
  • Reduce attacker dwell time and remove them before they can cause further damage.
  • Increase confidence in the integrity of your network.

What worked yesterday doesn’t work today

Your firewall, intrusion detection system and even antivirus are primarily in place for one reason: to keep attacks and malicious software from getting onto your network.  They work reactively, matching traffic, files or behavior against known-bad rules and signatures and alerting or blocking in the moment.  Unfortunately, when they miss, they are of little use in going back through the network to find the threat that got past them.  They are like a gate guard tethered to their post: they can check IDs at the door, but should someone sneak in with ill intent, they are powerless to stop them.

Becoming a Hunter

When it comes to building a hunting program within an enterprise, there are three requirements.

  1. The first requirement is visibility within the network: visibility into actions and events, centralized collection of logs, and the ability to survey networked devices, workstations, and servers on demand.
  2. Second, you need to know what to look for. Threat intelligence feeds of technical indicators of compromise, and/or knowledge or reports on the latest post-compromise techniques attackers use to hide and maintain persistence in a network, give you the ammunition you need to search for them.
  3. Third, it requires an inquisitive mind and the right tools to guide you.  It is the combination of people, process, and technology that enables you to hunt within your network with both efficacy and efficiency.
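To make the three requirements concrete, here is a small added Python example (not code from the original post, and not Infocyte's product) that runs two hunts over centralized endpoint telemetry: an indicator-driven hunt that matches events against a threat-intel feed, and a hypothesis-driven hunt for common Windows persistence techniques that fires whether or not the attacker's tooling is already known. The IOC values, hostnames, users, paths, timestamps and event lines are all constructed for the example; the hunt is written against newline-delimited JSON because that is what most log stores will hand you, but the field names are an assumption.

```python
import json
import re
from collections import defaultdict

# Constructed threat-intel feed. Every value is a hypothetical placeholder,
# not a real indicator of compromise.
THREAT_INTEL = {
    "sha256": {"deadbeef-sample-hash": "sample dropper family"},
    "ipv4": {"203.0.113.45": "sample C2 node"},
    "domain": {"update-check.example": "sample C2 domain"},
}

# Hypothesis-driven rules for common Windows persistence techniques:
# (label, event field to inspect, pattern over that field).
PERSISTENCE_RULES = [
    ("Registry Run key persistence", "command_line",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
    ("Scheduled task creation", "command_line",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("New Windows service", "command_line",
     re.compile(r"\bsc(\.exe)?\s+create\b", re.I)),
]

# Constructed telemetry, one JSON object per line, as a centralized log
# store might return it. Hosts, users, paths and timestamps are made up.
SAMPLE_EVENTS = r"""
{"ts":"2019-03-01T08:12:03Z","host":"WS-041","type":"process","user":"jdoe","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c whoami","sha256":"1111"}
{"ts":"2019-03-01T08:12:09Z","host":"WS-041","type":"process","user":"jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\svch0st.exe","command_line":"svch0st.exe","sha256":"deadbeef-sample-hash"}
{"ts":"2019-03-01T08:12:15Z","host":"WS-041","type":"network","user":"jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\svch0st.exe","dest_ip":"203.0.113.45","dest_port":443}
{"ts":"2019-03-01T08:13:01Z","host":"WS-041","type":"process","user":"jdoe","image":"C:\\Windows\\System32\\reg.exe","command_line":"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\jdoe\\AppData\\Local\\Temp\\svch0st.exe","sha256":"2222"}
{"ts":"2019-03-01T09:02:44Z","host":"SRV-DB01","type":"process","user":"svc_backup","image":"C:\\Windows\\System32\\schtasks.exe","command_line":"schtasks /create /tn NightlyBackup /tr C:\\Backup\\run.bat /sc daily","sha256":"3333"}
{"ts":"2019-03-01T09:30:00Z","host":"WS-017","type":"network","user":"asmith","image":"C:\\Program Files\\Browser\\browser.exe","dest_ip":"198.51.100.7","dest_port":443}
"""


def parse_events(text):
    """Parse newline-delimited JSON telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_indicators(events):
    """Indicator-driven hunt: events carrying a known-bad hash, IP or domain."""
    lookups = (("sha256", "sha256"), ("dest_ip", "ipv4"), ("dest_domain", "domain"))
    hits = []
    for ev in events:
        for field, kind in lookups:
            value = ev.get(field)
            if value in THREAT_INTEL[kind]:
                hits.append({"host": ev["host"], "ts": ev["ts"], "severity": "high",
                             "finding": f"IOC match ({kind})",
                             "detail": f"{value}: {THREAT_INTEL[kind][value]}"})
    return hits


def hunt_persistence(events):
    """Hypothesis-driven hunt: persistence mechanisms, whether or not any
    indicator is known. These are leads for a hunter to validate, not verdicts."""
    hits = []
    for ev in events:
        for label, field, pattern in PERSISTENCE_RULES:
            if pattern.search(ev.get(field, "")):
                hits.append({"host": ev["host"], "ts": ev["ts"], "severity": "medium",
                             "finding": label, "detail": ev[field]})
    return hits


def triage(hits):
    """Rank hosts. An IOC hit plus a persistence lead on the same host is the
    strongest signal, because it ties a known-bad artifact to a foothold."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["severity"])
    order = {"critical": 0, "high": 1, "medium": 2}
    ranked = {}
    for host, sev in by_host.items():
        if {"high", "medium"} <= sev:
            ranked[host] = "critical"
        elif "high" in sev:
            ranked[host] = "high"
        else:
            ranked[host] = "medium"
    return dict(sorted(ranked.items(), key=lambda kv: order[kv[1]]))


def run_hunt(text=SAMPLE_EVENTS):
    """Run both hunts over the telemetry and return (hits, host ranking)."""
    events = parse_events(text)
    hits = hunt_indicators(events) + hunt_persistence(events)
    return hits, triage(hits)


if __name__ == "__main__":
    all_hits, ranking = run_hunt()
    for host, level in ranking.items():
        print(f"{host}: {level}")
        for h in all_hits:
            if h["host"] == host:
                print(f"  {h['ts']} [{h['severity']}] {h['finding']}: {h['detail']}")
```

On the sample data WS-041 ranks critical: a binary with a known-bad hash, a connection to a listed address, and a Run key pointing back at that binary. SRV-DB01 surfaces only because a scheduled task was created, which is exactly the kind of lead the third requirement exists for; a hunter checks it against the host's baseline (a backup job on a database server is plausible) before escalating. Note the division of labour between the two hunts: the indicator hunt can only find what the feed already knows, while the persistence hunt would still have flagged WS-041 with an empty feed.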

While threat hunting builds on activities defenders have long used, such as log analysis and incident response techniques, newer technologies can improve the speed and efficacy of a hunt program. These tools automate the search for threats and let your internal security teams hunt without specialist knowledge. And the faster you can identify a threat, the less harm it can do.

Key takeaway

Threat hunting today is really about changing our security mindset. Organizations must assume they will be breached. A threat hunter assumes you already are and is charged with finding it. I have personally worked with organizations, large and small, that record thousands of attacks and several incidents each and every year.  I’ve also spoken with organizations that claim to have never been breached.  In every case where we’ve been given a chance to prove that last one wrong, we have found a threat they didn’t know about. I truly believe that anyone who claims they have never been breached has simply never looked hard enough.

Learn how to jump start your threat hunting program with Infocyte HUNT.
