Information Security Explainers:
What Is Threat Hunting? Complete Guide
What is threat hunting?
Threat hunting is an active information security process and strategy used by security analysts. It consists of searching iteratively through network, cloud, and endpoint system logs to detect indicators of compromise (IoCs); threat actor tactics, techniques, and procedures (TTPs); and threats such as advanced persistent threats (APTs) that are evading your existing security system.
Threat hunting activities include:
- Hunting for insider threats or outside attackers – Cyber threat hunters can detect threats posed by insiders, like an employee, or outsiders, like a criminal organization.
- Proactively hunting for known adversaries – A known attacker is one who is listed in threat intelligence services, or whose code pattern is on the denylist of known malicious programs.
- Searching for hidden threats to prevent the attack from happening – Threat hunters analyze the computing environment by using constant monitoring. Using behavioral analysis, they can detect anomalies which could indicate a threat.
- Executing the incident response plan – When they detect a threat, hunters gather as much information as possible before executing the incident response plan to neutralize it. This is used to update the response plan and prevent similar attacks.
Threat hunting steps
There are three phases in a proactive threat hunting process: an initial trigger phase, followed by an investigation, and ending with a resolution (or, in a few cases, an escalation to other teams as part of a communications or action plan.)
Step 1: Trigger
Threat hunting is typically a focused process. The hunter collects information about the environment and raises hypotheses about potential threats. Next, the hunter chooses a trigger for further investigation. This can be a particular system, a network area, or a hypothesis triggered by an announced vulnerability or patch, information about a zero-day exploit, an anomaly within the security data set, or a request from elsewhere in the organization.
Step 2: Investigation
Once a trigger is identified, the hunting efforts are focused on proactively searching for anomalies that either prove or disprove the hypothesis. A threat hunter often assumes, “We are compromised or vulnerable to this new exploit” and works backward to prove the assumptions true or false. During the investigation, threat hunters use a wide range of technologies to assist them in reviewing system logs and investigating anomalies, which may or may not be malicious.
Step 3: Resolution
Threat hunters collect important information during the investigation phase, answering important questions such as “Who?” (if it involves credentials), “What?” (the events that happened in order), “When?” (exact timestamps for anomalies and incursions), “Where?” (the scope of the affected systems, with lists of all devices and entities that will require remediation), and, if possible from the evidence presented, “Why?” (lack of adherence to security plan/guidelines, disgruntlement, carelessness, outside attack, etc.). During the resolution phase, this information is communicated to other teams and tools that can respond, prioritize, analyze, or store the information for future use.
Whether the information uncovered is about benign or malicious activity, it can be useful in future analyses and investigations. It can be used to predict trends, prioritize and remediate vulnerabilities, and improve security measures.
Types of threat hunting
Here are three common approaches to threat hunting:
Structured hunting involves the systematic search for specific threats or IoCs based on predefined criteria or intelligence. This approach typically starts with a well-defined question or hypothesis about a potential threat, such as, “Do we use X software with an announced vulnerability and exploit?”, “Are there any signs of a specific malware strain within our network?”, or, “Is there any evidence of unauthorized access to sensitive data?”
To answer these questions, threat hunters use threat intelligence, log data, and other relevant sources to search for patterns of activity or entity behavior anomalies that may indicate the presence of a threat. This process may involve the use of automated tools and queries, along with manual analysis and correlation of data.
Unstructured hunting, also known as exploratory hunting, is a more open-ended approach to threat hunting that does not rely on predefined criteria or hypotheses. Instead, threat hunters use their expertise and intuition to search for potential threats or vulnerabilities within an organization’s network or systems, often focusing on areas that are perceived as high-risk or have a history of security incidents. Whether the “crown jewels” of the organization are data such as intellectual property, customer information/financial records/personal healthcare information, or merely availability of assets and ability to perform transactions, the threat hunter should be informed of the risk register and the highest-value entities on the network to focus their efforts.
This risk-based approach may involve the use of various data sources, such as network logs, endpoint data, and threat intelligence, along with creative techniques and tools to identify patterns, anomalies, or other IoCs. Unstructured hunting is particularly useful for identifying unknown or emerging threats, as it allows threat hunters to think outside the box and look for signs of malicious activity that may not fit traditional IoCs or threat profiles.
Situational or entity-driven hunting
Situational or entity-driven hunting is a targeted approach to threat hunting that focuses on specific events, entities, or situations that may pose a heightened risk to an organization’s security. This may include high-profile events like mergers and acquisitions, product launches, or security incidents, as well as specific entities, such as high-value assets, VIP laptops or tablets, or third-party vendors and their credentials or service accounts that can access the network.
Some threat hunting teams partner with their own HR organization to track new and leaving employees, as both are potential targets for adversary behavior or information leakage. Threat hunters may have limited data to begin with here, such as a list of new credentials or departing employee information, and begin their hunt around the time of these events.
In this situational approach, threat hunters use threat intelligence, along with other relevant data and contextual information about the entities on the network, to identify potential threats or vulnerabilities associated with the situation. This may involve the use of both structured and unstructured hunting techniques, as well as collaboration with other stakeholders within the organization, such as IT, legal, or business teams.
Threat hunting methodologies
Intelligence-based hunting is an active threat hunting technique designed to react according to input sources of intelligence. You can input and search on threat intelligence such as IoCs, IP addresses, hash values, and domain names.
This process can be integrated with your security information and event management (SIEM) and threat intelligence tools, which use the intelligence to hunt for threats. Another great source of intelligence is the host or network artifacts provided by computer emergency response teams (CERTs) or information sharing and analysis centers (ISAC), which may allow you to export automated alerts or share key information about new attacks seen in other organizations. You can often input the information into your SIEM system using Trusted Automated eXchange of Intelligence Information (TAXII) and Structured Threat Information eXpression (STIX). Many SIEM systems have embedded threat information services to enhance context and help build search events and dashboards.
This threat hunting technique involves testing three types of hypotheses:
- Analytics-driven: makes use of machine learning (ML) and user and entity behavior analytics (UEBA) to develop aggregated risk scores and formulate hypotheses
- Intelligence-driven: includes malware analysis, vulnerability scans, internet-discovered exploits, and intelligence reports and feeds
- Situational-awareness driven: enterprise risk assessments and crown jewel analysis (the identification of the digital assets that are critical to the company)
The large amounts of data collected means threat hunters need to automate a big part of the process using machine learning techniques and threat intelligence.
Investigation using indicators of attack (IoA)
The most proactive threat hunting technique is investigation using indicators of attack (IoAs). The first step is to identify APT groups and malware attacks by leveraging global detection playbooks. This technique commonly aligns with threat frameworks such as the MITRE ATT&CKTM framework.
Here are the actions that are most often involved in the process:
- Use IoAs and TTPs to identify threat actors.
- The hunter assesses the domain, environment, and attack behaviors to create a hypothesis that aligns with ATT&CK.
- After identifying a behavior, the threat hunter attempts to locate patterns by searching log repositories for matching hashes or events, and monitoring ongoing activities. The goal is locating, identifying, and then isolating the threat to prevent spread or proliferation.
The hybrid threat hunting technique combines all of the above methods, allowing security analysts to customize the hunt. It usually incorporates industry-based hunting with situational awareness, combined with specified hunting requirements. For example, the hunt can be customized using data about geopolitical issues. You can also use a hypothesis as the trigger, and leverage IoAs and IoCs.
What makes a great threat hunter?
A threat hunter is a security analyst who uses manual or machine-assisted techniques to detect, isolate, and neutralize APTs that are not detected by automated security tools or by signature/hash matching alone. To improve their skills, security staff may undergo threat hunting training, obtain a threat hunting certification, such as Certified Cyber Threat Hunting Professional (CCTHP), or Certified Ethical Hacker (CEH).
Threat hunters typically report to a director of information security, who ultimately reports to the chief information security officer (CISO). When working in a security operations center (SOC), threat hunters report to the SOC manager.
Some important skills for a good threat hunter are:
- Communication: It is vital for threat hunters to be able to communicate both verbally and in writing with great clarity about their activities, from investigation all the way through to findings and recommendations for remediation.
- Data analytics and reporting: pattern recognition, technical writing, data science theories, problem solving and troubleshooting, and research
- Operating systems and networks knowledge: need to know the ins and outs of organizational systems and networks, including “traditionally” IT-centric functions such as authentication and authorization
- Information security experience: malware reverse engineering, adversary tracking, and endpoint security; need to have a clear understanding of past and current TTPs used by the attackers
- Programming language familiarity: at least one scripting language and one compiled language is common, though modern tools are increasingly eliminating the need for using scripting language
- Application security (AppSec) principles: Because many attacks start at the web interface level due to insecure coding or compromised third-party libraries or unpatched frameworks, threat hunters should have at least a passing familiarity with how to identify and communicate back into the development team what is needed for full remediation or mitigation.
Threat hunting vs. threat intelligence: What is the difference?
While both threat hunting and threat intelligence are essential components of a comprehensive cybersecurity strategy, they serve different purposes and require different approaches.
Threat intelligence is the collection, analysis, and dissemination of information about potential or existing cyberthreats, vulnerabilities, and risks. This information is typically gathered from a variety of sources, such as open-source intelligence (OSINT), Open Worldwide Application Security Project (OWASP), industry-specific threat feeds, and internal network and monitoring data. The primary goal of threat intelligence is to provide organizations with actionable insights that can help them make informed decisions about their cybersecurity posture and response strategies.
Threat hunting is an active, human-driven process that leverages threat intelligence, along with other data sources and tools, to proactively search for potential threats within an organization’s network or systems. Threat hunters use threat intelligence, as well as other information sources and their own knowledge and expertise, to identify patterns, anomalies, and other IoCs that might indicate the presence of attackers in the environment.
In summary, threat intelligence provides the necessary information and context for threat hunting activities, while threat hunting utilizes this information to actively search for and mitigate hidden threats within an organization’s environment.
3 tips to improve your threat hunting
Data breaches and cyberattacks cost organizations millions of dollars every year. These tips can help your organization better detect these threats:
1. Identify your organization’s “normal”
Threat hunters need to sift through anomalous activities and recognize the actual threats, so it is crucial to understand what the normal operational activities of the organization are. To accomplish this, the threat hunting team collaborates with key personnel both within and outside of IT to gather valuable information and insights. This enables them to decide what is a threat and what is unusual, but normal, activity. This process can be automated using a technology like UEBA, which can show normal operation conditions for an environment, and the users and machines within it.
2. Observe, orient, decide, act (OODA)
Threat hunters use this strategy, borrowed from the military, in cyber warfare. OODA stands for:
- Observe – Routinely collect logs from IT and security systems.
- Orient – Cross-check the data against existing information. Analyze and look for indicators of an attack, such as signs of command & control.
- Decide – Identify the correct course of action according to the incident status.
- Act – In case of an attack, execute the incident response plan. Take measures to prevent similar attacks in the future.
3. Have appropriate and sufficient resources
A threat hunting team should have enough of the following:
- Personnel – a threat hunting team that includes, at minimum, one experienced cyber threat hunter
- Systems – a basic threat hunting infrastructure that collects and organizes security incidents and events
- Tools – software designed to identify anomalies and track down attackers
Threat hunting platforms
Threat hunters use solutions and tools to find suspicious activities. These are the three main categories:
1. Security monitoring tools – Tools such as firewalls, antivirus, and endpoint security solutions collect security data and monitor the network.
2. SIEM solutions – Security information and event management (SIEM) solutions help manage the raw security data and provide real-time analysis of security threats.
3. Analytics tools – Statistical and intelligence analysis software provides a visual report through interactive charts and graphs, making it easier to correlate entities and detect patterns.
Exabeam Threat Hunter
Exabeam Threat Hunter helps analysts outsmart attackers by simplifying threat detection. Exabeam Threat Hunter allows investigators to use point-and-click search of specific criteria including by user, asset, event, risk type, alerts and attacker TTPs. Investigators can also search through timelines for abnormal behavior. With Exabeam Threat Hunter, analysts can respond faster, stopping attacks when they appear.
How can Exabeam Threat Hunter help your threat hunting?
These key features of the platform will help your organization build more effective threat hunting capabilities:
- Easy to use interface — Point-and-click interface makes it simple to query data
- Context-aware data — enables complex searches
- Behavioral threat hunting – Allows analysts to search for IoAs, which are much higher value indicators than IoCs
- Automatic incident timelines — Automation makes gathering evidence faster and easier than maintaining logs
- Provides visual aid — represents relationships, revealing hidden correlations between data
Need a threat hunting solution? Click here for a threat hunting demo.
Learn more about Information Security
- Information Security (InfoSec): The Complete Guide
- PCI Security: 7 Steps to Becoming PCI Compliant
- Cloud Security 101
- Threat Hunting: Tips and Tools
- IT Security: What You Should Know
- Machine Learning for Cybersecurity : Next-gen Protection Against Cyber Threats
- Penetration Testing: Process and Tools
- Cyber Kill Chain: Understanding and Mitigating Advanced Threats