Threat Hunting: Tips and Tools

September 24, 2019

Orion Cassetto

Need a threat hunting solution? Click here for a threat hunting demo.

Traditional threat management relies on automated controls, such as antivirus and firewalls, to stop threats before they reach the organization’s network and endpoints.

Today, many cyberattacks cannot be detected by automated controls alone, so more companies are employing threat hunters to track down APTs (advanced persistent threats) and insider threats. The following covers what threat hunting is, what a threat hunter does, and some tips and tools for effective threat hunting.

What is threat hunting?

Threat hunting is an active defense strategy used by security analysts. It consists of iteratively searching networks and endpoints for indicators of compromise (IoCs) and for threats, such as Advanced Persistent Threats (APTs), that have evaded the existing security controls.

Analysts track, intercept and eliminate adversaries lurking in the network. The aim is to find them as early as possible, to limit the damage they can do and to shorten the time a hidden threat goes undetected (its dwell time).

Analysts use threat hunting software and tools to search for and intercept hidden attacks. An example of a threat hunting interface, integrated as part of a next-generation SIEM platform, is Exabeam Threat Hunter.

What makes threat hunting different?

What sets threat hunting apart from other protection methods is that it is proactive: instead of waiting for an alert to fire, hunters go looking for adversaries that have not triggered one. Threat hunters continuously monitor for and respond to advanced threats.

What does a threat hunter do?

A threat hunter is a security analyst who uses manual or machine-assisted techniques to detect, isolate, and neutralize APTs that are not detected by automated security tools. Threat hunters typically report to a director of information security, who ultimately reports to the chief information security officer (CISO). When working in a security operations center (SOC), they report to the SOC manager.

Threat hunting is a continuous loop of hypothesis and testing. A threat hunter assumes an attacker is already in the environment, formulates a hypothesis about what that attacker is doing, and then works through the available data to prove or disprove it.

Some important skills for a good threat hunter include:

  • Data analytics and reporting skills—these include pattern recognition, technical writing, data science, problem solving and research.
  • Operating systems and networks knowledge—needs to know the ins and outs of the organizational systems and network.
  • Information security experience—including malware reverse engineering, adversary tracking and endpoint security. A threat hunter needs to have a clear understanding of past and current tactics, techniques and procedures (TTPs) used by the attackers.
  • Programming language fluency—at least one scripting language and one compiled language is common, though modern tools are increasingly reducing the need to script.

A threat hunter’s responsibilities include:

  • Hunts for insider threats or outside attackers—cyber threat hunters can detect threats posed by insiders, typically a member of the staff, or outsiders, like a criminal organization.
  • Proactively hunts for known adversaries—a known attacker is one listed in threat intelligence services, or whose tooling matches known malicious programs.
  • Searches for hidden threats to prevent an attack from succeeding—through constant monitoring, threat hunters analyze the computing environment and use behavioral analysis to detect anomalies that indicate a threat.
  • Executes the incident response plan—when they detect a threat, hunters gather as much information as possible before executing the incident response plan to neutralize it. What they learn is then used to update the response plan and prevent similar attacks.

Hunting hypotheses come from three sources:

  • Analytics-driven—makes use of machine learning (ML) and user and entity behavior analytics (UEBA) to develop aggregated risk scores and formulate hypotheses.
  • Intelligence-driven—includes malware analysis, vulnerability scans, and intelligence reports and feeds.
  • Situational-awareness driven—enterprise risk assessments and crown jewel analysis (the identification of the digital assets critical for the company).

Because of the large volumes of data involved, threat hunters need to automate a large part of the process using machine learning techniques and threat intelligence, reserving manual effort for the hypotheses that need human judgment.

3 tips to improve your threat hunting

Data breaches and cyber-attacks cost organizations millions of dollars a year. The following tips can help your organization better detect these threats:

1. Know what is normal for your organization

Threat hunters have to sift through anomalous activity and recognize the actual threats in it, so understanding what normal operational activity looks like for the organization is crucial. To accomplish this, the hunting team collaborates with key personnel inside and outside of IT to gather the context needed to decide what is a threat and what is unusual but legitimate activity.
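As an added example (not code from the original article or from Exabeam) of what "knowing normal" looks like in practice: the script below learns a per-user baseline of logon hours and source hosts from a learning window of constructed authentication log lines, then scores new logons against that baseline. The log format, user names, host names and score weights are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log lines (not real data).
# Format assumed for this example: timestamp,user,source_host,result
HISTORY = """\
2019-09-02T08:05:00,alice,WS-ALICE,success
2019-09-02T17:40:00,alice,WS-ALICE,success
2019-09-03T08:12:00,alice,WS-ALICE,success
2019-09-03T18:01:00,alice,WS-ALICE,success
2019-09-04T07:58:00,alice,WS-ALICE,success
2019-09-02T09:30:00,bob,WS-BOB,success
2019-09-02T22:15:00,bob,BUILD-01,success
2019-09-03T09:20:00,bob,WS-BOB,success
2019-09-03T23:05:00,bob,BUILD-01,success
"""

# New events to score against the learned baseline (also constructed).
NEW_EVENTS = """\
2019-09-10T08:10:00,alice,WS-ALICE,success
2019-09-10T03:15:00,alice,FILESRV-02,success
2019-09-10T22:30:00,bob,BUILD-01,success
2019-09-10T10:00:00,carol,WS-CAROL,success
"""


def parse(lines):
    """Yield (timestamp, user, host, result) for each CSV log line."""
    for line in lines.strip().splitlines():
        ts, user, host, result = line.split(",")
        yield datetime.fromisoformat(ts), user, host, result


def build_baseline(history):
    """Per user: the hours of day and source hosts seen during the learning window."""
    baseline = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, user, host, _ in parse(history):
        baseline[user]["hours"].add(ts.hour)
        baseline[user]["hosts"].add(host)
    return baseline


def score_event(baseline, ts, user, host):
    """Return (score, reasons); higher means further from the user's baseline."""
    if user not in baseline:
        return 50, ["no baseline for user"]
    b = baseline[user]
    # Treat one hour either side of an observed hour as normal so the
    # edges of a working day do not produce brittle alerts.
    normal_hours = {(h + d) % 24 for h in b["hours"] for d in (-1, 0, 1)}
    score, reasons = 0, []
    if ts.hour not in normal_hours:
        score += 30
        reasons.append(f"hour {ts.hour:02d} outside usual window")
    if host not in b["hosts"]:
        score += 40
        reasons.append(f"first logon from {host}")
    return score, reasons


def hunt(history, events, threshold=40):
    """Score every new event and return those at or above the threshold."""
    baseline = build_baseline(history)
    findings = []
    for ts, user, host, _ in parse(events):
        score, reasons = score_event(baseline, ts, user, host)
        if score >= threshold:
            findings.append((user, host, score, reasons))
    return findings


if __name__ == "__main__":
    for user, host, score, reasons in hunt(HISTORY, NEW_EVENTS):
        print(f"{user:6} {host:12} score={score:3} {'; '.join(reasons)}")
```

Note that bob's late-night logons from BUILD-01 are part of his baseline and are not flagged, while alice's 03:15 logon from a host she has never used is. Whether bob's pattern is legitimate (a build engineer babysitting nightly jobs) or not is exactly the kind of fact the hunting team learns from the people who run the systems, not from the logs alone. A real baseline would cover weeks rather than days and would also compare users with their peer group, but the structure is the same.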

2. Observe, orient, decide, act

Threat hunters borrow this decision cycle from military strategy to give a hunt structure. OODA stands for:

  • Observe—routinely collect logs from IT and security systems.
  • Orient—cross-check the collected data against existing information and threat intelligence. Analyze it for signs of an attack, such as command-and-control (C2) traffic.
  • Decide—identify the correct course of action according to the incident status.
  • Act—in case of an attack, execute the incident response plan. Take measures to prevent similar attacks in the future.
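The following is an added example, not code from the article or from Exabeam, that runs the hypothesis loop described earlier (assume the attacker is inside, state a hypothesis, test it against the data) through the Observe and Orient steps above. The hypothesis: a compromised host is beaconing to a command-and-control server at a near-constant interval. Regular timing is tested with the coefficient of variation of the inter-connection intervals. The proxy log lines, IP addresses, host names and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Observe: constructed egress-proxy log sample (not real traffic).
# Format assumed for this example: timestamp,src_ip,dst_host,bytes_out
PROXY_LOG = """\
2019-09-20T10:00:00,10.1.1.20,cdn.example.net,52310
2019-09-20T10:00:11,10.1.1.20,cdn.example.net,8870
2019-09-20T10:01:03,10.1.1.20,cdn.example.net,120433
2019-09-20T10:07:40,10.1.1.20,cdn.example.net,2201
2019-09-20T10:08:02,10.1.1.20,cdn.example.net,640
2019-09-20T10:00:00,10.1.1.33,update.example-c2.test,412
2019-09-20T10:05:02,10.1.1.33,update.example-c2.test,415
2019-09-20T10:09:58,10.1.1.33,update.example-c2.test,410
2019-09-20T10:15:01,10.1.1.33,update.example-c2.test,418
2019-09-20T10:19:59,10.1.1.33,update.example-c2.test,411
2019-09-20T10:25:03,10.1.1.33,update.example-c2.test,409
2019-09-20T10:02:00,10.1.1.33,mail.example.net,30122
2019-09-20T10:31:00,10.1.1.33,mail.example.net,28890
"""


def parse(lines):
    """Yield (timestamp, src, dst, bytes) for each CSV log line."""
    for line in lines.strip().splitlines():
        ts, src, dst, size = line.split(",")
        yield datetime.fromisoformat(ts), src, dst, int(size)


def coefficient_of_variation(values):
    """Population std-dev divided by mean; near 0 means the values barely vary."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def find_beacons(log, min_connections=5, max_interval_cv=0.2):
    """Orient: group connections by (src, dst) and test the beaconing hypothesis.

    A pair is a candidate when it has at least min_connections connections and
    the spread of the intervals between them, relative to the mean interval,
    is at most max_interval_cv. Returns a list of
    (src, dst, mean_interval_seconds, interval_cv, bytes_cv) tuples.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in parse(log):
        by_pair[(src, dst)].append((ts, size))

    candidates = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_connections:
            continue  # too few points to say anything about regularity
        conns.sort()
        times = [ts for ts, _ in conns]
        sizes = [size for _, size in conns]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        interval_cv = coefficient_of_variation(intervals)
        if interval_cv <= max_interval_cv:
            candidates.append((
                src, dst,
                round(statistics.mean(intervals), 1),
                round(interval_cv, 3),
                # Uniform payload sizes are a second, weaker beaconing signal.
                round(coefficient_of_variation(sizes), 3),
            ))
    return candidates


if __name__ == "__main__":
    for src, dst, mean_s, icv, bcv in find_beacons(PROXY_LOG):
        print(f"{src} -> {dst}: every ~{mean_s}s, interval CV={icv}, bytes CV={bcv}")
```

In this sample the browsing traffic from 10.1.1.20 has enough connections but irregular timing, so it is rejected, while 10.1.1.33 contacts update.example-c2.test every five minutes with a few seconds of jitter and near-identical payload sizes, which supports the hypothesis. That output feeds the Decide step (pivot to the host: which process owns the connection, when it first appeared, whether the destination is in threat intelligence) and, if confirmed, the Act step. Legitimate software also polls on a schedule, so a regular interval on its own is a lead to investigate, not a verdict.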

3. Have appropriate and sufficient resources

A threat hunting team should have enough:

  • Personnel—a threat hunting team that includes at least one experienced cyber threat hunter.
  • Systems—a basic threat hunting infrastructure that collects and organizes security incidents and events.
  • Tools—software designed to identify anomalies and track down attackers.

Threat hunting tools

Threat hunters use software and tools to find suspicious activities. There are three main categories of solutions and tools:

  1. Security monitoring tools—tools such as firewalls, antivirus, and endpoint security solutions collect security data and monitor the network.
  2. SIEM solutions—security information and event management (SIEM) help manage the raw security data and provide real-time analysis of security threats.
  3. Analytics tools—statistical and intelligence analysis software. These tools provide a visual report through interactive charts and graphs, making it easier to correlate entities and detect patterns.

Getting started with Exabeam Threat Hunter

Exabeam Threat Hunter helps analysts outsmart attackers by simplifying threat detection. Threat Hunter lets investigators run point-and-click searches by user, asset, event, risk type, alert and attacker TTPs, and search through incident timelines for unusual behavior. With Threat Hunter, analysts can respond faster, stopping attacks when they appear.

How can Exabeam Threat Hunter help your threat hunting?

These key features of the platform will help your organization build more effective threat hunting capabilities:

  • Easy to use interface—point-and-click interface makes it simple to query data.
  • Context-aware data—enables complex searches.
  • Automatic incident timelines—automatically assembled timelines make gathering evidence simpler and faster than piecing it together from raw logs by hand.
  • Visual aids—visualizations represent the relationships between users, assets and events, revealing connections that are hard to see in raw data.
