Threat Hunting 101

Our networks are attacked hundreds, sometimes thousands of times a day by hackers and fraudsters alike.  Occasionally, these attacks are successful in gaining a foothold onto the targeted network.  Worse, skilled attackers have repeatedly demonstrated they can remain hidden for months, sometimes years, before being detected.

The reality of today’s situation is that, within a complex enterprise network, no amount of investment in security controls will stop every breach, nor will it stop a well-resourced and determined attacker from getting in if they want to.  This realization has pressed many organizations to expand beyond reactive intrusion detection systems and invest in a proactive approach called threat hunting.

What is Threat Hunting?

Threat hunting, as defined by the SANS Institute’s Rob Lee, is “a focused and iterative approach to searching out, identifying and understanding adversaries internal to the defender’s networks.” In other words, it’s how you find the attackers lurking within your network today.  

Threat hunting is not about preventing a breach.  Threat hunting proactively searches for a breach or adversary you didn’t already know was there so you can take appropriate actions to eradicate the threat. A successful hunt program should aim to:

  • Provide early detection of adversaries and malicious software that sneak past prevention measures, as well as identify the severity of the compromise.
  • Reduce the dwell time of attackers and remove them before they can cause further damage.
  • Increase confidence in the integrity of your network.

What worked yesterday doesn’t work today

Your firewall, intrusion detection system, and even antivirus are primarily in place for one reason - to prevent hacks and malicious software from getting on your network.  They employ reactive techniques that will flag malicious activity and take immediate action via either alerting or blocking actions.  Unfortunately, when they fail, they serve little use in searching the network for the missed threat.  They are like the gate guard who is tethered to their post – they can check ID’s at the door, but should someone sneak in with ill-intent, they’re powerless to stop them.

Becoming a Hunter

When it comes to building a hunt program within an enterprise, there are three requirements.

  1. The first thing that is required is visibility within the network.  Visibility of actions and events, centralized collection of logs, and an ability to survey networked devices, workstations, and servers.  
  2. Second, you need to know what to look for. Threat intelligence feeds of technical indicators of compromise, and/or knowledge or reports on the latest post-compromise techniques used by hackers to hide and maintain persistence in a network will give you the ammo you need to search it out.  
  3. Third, it requires an inquisitive mind and right tools to guide you.  It’s the collection of people, process, and technology that will enable you to hunt within your network and achieve both efficacy and efficiency.

While threat hunting includes some activities that defenders have historically used such as log analysis and incident response techniques, there are new technologies that can assist you with the hunt process to improve the speed and efficacy of your hunt program. These tools automate the search for threats and empower your internal security teams to hunt without esoteric knowledge. And the faster you can identify a threat the less harm it can do.

Key take-away

Threat hunting today is really about changing our security mindset. Organizations must assume they will be breached. A threat hunter assumes you already are and is charged with finding it. I have personally worked with organizations, large and small, that record thousands of attacks and several incidents each and every year.  I’ve also spoken with organizations that claim to have never been breached.  In every case where we’ve been given a chance to prove that last one wrong, we have found a threat they didn’t know about. I truly believe that anyone who claims they have never been breached has simply never looked hard enough.

Learn how to jump start your threat hunting program with Infocyte HUNT.