Top 10 Threat-Hunting Terms for the Security Practitioner
In recognition of October being National Cybersecurity Awareness Month (NCSAM), we present the second of a three-part series on incident response, threat hunting, and insider threat.
We’ve put together the top 10 terms as a refresher for enterprise security staff who deal with them on a daily basis. Each term is linked to previous Exabeam blog posts and educational resources that provide greater detail on the topic.
This post is also a good resource to share with CISOs and security leaders who, before finalizing the annual IT budget, might need more information about cybersecurity with respect to their organization’s needs.
Let’s dive into the alphabet soup.
- Anomaly – Unusual behavior by a person or device.
Not all anomalies are malicious, but all malicious activity is anomalous. To be more thorough in its automated detection, Exabeam adds context (what is normal behavior for each person and device) and risk (how dangerous an anomalous behavior might be). This combination allows analysts to understand the impact of an incident very quickly.
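To make the "context plus risk" idea concrete, here is a small added example (not Exabeam's code) that learns a per-user baseline from past events, scores new events by how far they deviate from it, and weights the score by whether a sensitive asset is involved. The risk weights, field layout and sample events are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical risk weights: how dangerous each kind of anomaly is on its own.
RISK = {"unknown_user": 15, "new_host": 10, "off_hours": 5, "first_sensitive_access": 20}

@dataclass
class Baseline:
    """What is 'normal' for one user: hosts used, login hours, sensitive-data access."""
    hosts: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    touches_sensitive: bool = False

def build_baselines(history):
    """Learn per-user baselines from past events shaped (user, host, hour, sensitive)."""
    baselines = defaultdict(Baseline)
    for user, host, hour, sensitive in history:
        b = baselines[user]
        b.hosts.add(host)
        b.hours.add(hour)
        b.touches_sensitive = b.touches_sensitive or sensitive
    return dict(baselines)

def score_event(baselines, event):
    """Return (risk_score, reasons); 0 means the event fits the user's baseline."""
    user, host, hour, sensitive = event
    base = baselines.get(user)
    if base is None:
        return RISK["unknown_user"], ["unknown_user"]
    reasons = []
    if host not in base.hosts:
        reasons.append("new_host")
    if not any(abs(hour - h) <= 1 for h in base.hours):   # within an hour of a usual time
        reasons.append("off_hours")
    if sensitive and not base.touches_sensitive:
        reasons.append("first_sensitive_access")
    score = sum(RISK[r] for r in reasons)
    # Risk context: the same anomaly matters more when a sensitive asset is involved.
    return (score * 2 if sensitive else score), reasons

def score_session(baselines, events, threshold=40):
    """Sum scores per user; return totals and the users whose total reaches threshold."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev[0]] += score_event(baselines, ev)[0]
    return dict(totals), sorted(u for u, s in totals.items() if s >= threshold)

# Constructed sample data (not real telemetry).
HISTORY = [("alice", "ws-alice", 9, False), ("alice", "ws-alice", 14, False),
           ("bob", "ws-bob", 8, False), ("bob", "db-admin", 9, True)]
NEW_EVENTS = [("alice", "ws-alice", 10, False), ("alice", "srv-db01", 2, True),
              ("bob", "db-admin", 9, True), ("carol", "ws-carol", 9, False)]
```

Running `score_session(build_baselines(HISTORY), NEW_EVENTS)` flags only alice: one normal login scores 0, while a 2 a.m. login from an unfamiliar host to a sensitive database accumulates enough weighted risk to surface for an analyst.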
- Data loss prevention (DLP) – Both a technique and technology type undertaken to keep malicious insiders or hackers from leaking or stealing confidential information.
DLP products scan emails, files, and other assets as they move through the network. In this way they’re able to determine if any given asset contains confidential information and, if so, block it. DLP products can be very “noisy” on their own. Exabeam profiles DLP behavior to determine if such an alert is normal noise (i.e., a false positive) or if the matter is of a serious nature that requires analysts’ attention.
- Indicators of compromise (IOCs) – An indicator that provides high confidence of malicious activity.
The challenge is that IOCs are static. For example, advanced persistent threat (APT) groups use specific malware; once it’s discovered, they modify the malware so that it goes undetected again. IOC examples include hashes, IP addresses, domains, URLs, email addresses, and other artifacts.
- Incident response (IR) – An organized approach to receiving, reviewing, and responding to a cybersecurity breach or attack.
Leveraging incident workflows and playbooks, SOAR (security orchestration, automation, and response) combines operations, analytics, and reporting technologies in automating an organization’s incident response procedures.
- UEBA – A data-driven approach to security through user and entity behavioral analysis.
With the addition of entities, user and entity behavior analytics is a more recent extension of the former UBA term. UEBA acknowledges that servers (i.e., entities) often hold embedded account credentials and can access sensitive databases and other resources when compromised. For example, a threat actor can use an endpoint to infiltrate and compromise an entity, then use its credentials to access and steal information.
- Insider threat – A.k.a., malicious insider.
A person who is using their access permissions to steal confidential information. It’s often difficult to detect such behavior until it’s too late. But Exabeam UEBA profiles each person’s and device’s normal behavior to create benchmarks. This information is used to flag users who are anomalously accessing sensitive data.
- Tactics, techniques, and procedures (TTPs) – A threat actor’s behavior.
A tactic is the highest-level description, while techniques provide a more detailed, contextual description of the behavior. A procedure is a lower-level, highly detailed methodology in the context of a given technique. Exabeam’s detection content maps to 51 techniques identified by the MITRE ATT&CK framework.
- Threat hunter – A cybersecurity professional who sufficiently understands the enterprise to be able to identify anomalous network behavior.
For example, a threat hunter might identify a large amount of traffic to AWS, but knows that the organization doesn’t have an authorized presence with that cloud provider. Threat hunters leverage MITRE ATT&CK in their hunt for TTPs.
- Threat intelligence – Information relevant to protecting an organization from internal and external cyber threats.
Threat intelligence also includes the processes, policies, and technology used to gather and analyze that information. The focus of threat intelligence includes sharing IOCs and contextual information about adversaries with partner organizations.
- SIEM (security information and event management) – Technology that supports threat detection, analytics, and incident response (IR) through the collection and correlation of security events from a number of data sources.
SIEMs correlate log sources to identify potentially malicious activity and generate alerts for security analysts to investigate.
Threat detection and remediation have become increasingly complex in the face of threat actors who grow more sophisticated. Relying only on a signature-based approach leaves gaps in your security, and continuing to rely on yesterday’s time-consuming, manual methods is a hit-or-miss proposition—mostly the latter. Applying modern threat detection technologies with a multi-dimensional approach is the most efficient way to effectively reduce business risk, remain in full regulatory compliance, and ease the burden placed on over-taxed security analysts.