Threat hunting: Methodologies, Tools and Tips for Success

Published: July 16, 2021

Author: Orion Cassetto

What is threat hunting?

Cyber threat hunting is an active information security strategy used by security analysts. It consists of iteratively searching through networks to detect indicators of compromise (IoCs), attacker tactics, techniques, and procedures (TTPs), and threats such as Advanced Persistent Threats (APTs) that evade your existing security controls.

Threat hunting activities include:

  • Hunting for insider threats or outside attackers — cyber threat hunters can detect threats posed by insiders, typically a member of the staff, or outsiders, like a criminal organization.
  • Proactively hunting for known adversaries — a known attacker is one who is listed in threat intelligence services, or whose code pattern matches the blacklist of known malicious programs.
  • Searching for hidden threats to prevent the attack from happening — by constant monitoring, threat hunters analyze the computing environment. They use behavioral analysis to detect anomalies indicating a threat.
  • Executing the incident response plan — when they detect a threat, hunters gather as much information as possible before executing the incident response plan to neutralize it. The gathered information is also used to update the response plan and prevent similar attacks.

A three-step threat hunting framework

A proactive threat hunting process typically moves through three phases: an initial trigger, followed by an investigation, and ending in a resolution.

Step 1: Trigger

Threat hunting is typically a focused process. The hunter collects information about the environment and raises hypotheses about potential threats. Next, the hunter chooses a trigger for further investigation. The trigger can be a certain system, a network area, or a hypothesis. 

Step 2: Investigation

Once a trigger is chosen, hunting efforts focus on proactively looking for anomalies that either prove or disprove the hypothesis. During the investigation, threat hunters leverage a wide range of technologies that help them examine anomalies, which may or may not turn out to be malicious.

Step 3: Resolution

Threat hunters collect important information during the investigation phase. During the resolution phase, this information is communicated to other teams and tools that can respond, prioritize, analyze, or store the information for future use. 

Whether the information concerns benign or malicious activity, it can be of use for future analysis and investigations. You can leverage the gathered information to predict trends, prioritize and remediate vulnerabilities, and improve your security measures.

Threat hunting methodologies

Intel-based hunting

This reactive threat hunting technique is driven by the sources of intelligence fed into it. The inputs are indicators of compromise (IoCs) such as IP addresses, hash values, and domain names.

You can integrate this process with your SIEM and threat intelligence tools, which use the intel to hunt for threats. Another great source of intelligence is the host and network artifacts published by computer emergency response teams (CERTs), which let you generate automated alerts.

You can input the information into your SIEM using Trusted Automated Exchange of Intelligence Information (TAXII) and Structured Threat Information eXpression (STIX).
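The matching step of an intel-based hunt, as an added example (not code from the original article or from Exabeam): a small STIX 2.1 indicator bundle is parsed into (object type, value) pairs and every log record is looked up against it. The bundle, its placeholder ids and hash, and the JSON-lines log records are constructed sample data; in practice the bundle would be pulled from a TAXII collection, and the parser here handles only the single-comparison STIX patterns shown, not the full patterning language.

```python
"""Intel-based hunt: match a STIX 2.1 indicator bundle against log records.

Added example, not code from the original article or from Exabeam. The bundle
and the log lines are constructed sample data; in practice the bundle would be
pulled from a TAXII collection. The pattern parser handles only the simple
single-comparison STIX patterns used here, not the full patterning language.
"""
import json
import re

PLACEHOLDER_HASH = "a" * 64  # constructed placeholder, not a real file hash

# Constructed STIX 2.1 bundle; the ids are placeholders, not real intel objects.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000010",
         "name": "C2 address (constructed)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000011",
         "name": "Malicious domain (constructed)", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.invalid']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000012",
         "name": "Dropper hash (constructed)", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '%s']" % PLACEHOLDER_HASH},
    ],
})

# Constructed log records in a simplified JSON-lines schema (proxy, DNS, EDR).
SAMPLE_LOGS = [
    '{"ts": "2021-07-16T09:01:02Z", "host": "ws-017", "src_ip": "10.0.5.23", '
    '"dst_ip": "93.184.216.34", "domain": "example.com"}',
    '{"ts": "2021-07-16T09:03:11Z", "host": "ws-017", "src_ip": "10.0.5.23", '
    '"dst_ip": "203.0.113.7"}',
    '{"ts": "2021-07-16T09:03:12Z", "host": "ws-017", "domain": "UPDATE.example.invalid"}',
    '{"ts": "2021-07-16T09:05:40Z", "host": "srv-db-02", "sha256": "%s"}' % PLACEHOLDER_HASH,
    '{"ts": "2021-07-16T09:06:00Z", "host": "srv-db-02", "dst_ip": "10.0.0.5"}',
]

# Single comparison of the form [object-type:property = 'value'].
PATTERN_RE = re.compile(
    r"^\[(?P<obj>[a-z0-9-]+):(?P<prop>[^\s=]+)\s*=\s*'(?P<val>[^']*)'\]$")

# Which fields of the log schema above each STIX object type can match.
FIELDS_FOR_TYPE = {
    "ipv4-addr": ("src_ip", "dst_ip"),
    "domain-name": ("domain",),
    "file": ("sha256",),
}


def load_indicators(bundle_json):
    """Return [(indicator_id, name, object_type, value)] for parseable indicators."""
    found = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if m is None:
            continue  # unsupported pattern shape; a real hunt would log and review it
        found.append((obj["id"], obj["name"], m["obj"], m["val"].lower()))
    return found


def hunt(bundle_json, log_lines):
    """Look every log record up against the indicator index; return the hits."""
    index = {(obj_type, value): (iid, name)
             for iid, name, obj_type, value in load_indicators(bundle_json)}
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        for obj_type, fields in FIELDS_FOR_TYPE.items():
            for field in fields:
                value = rec.get(field)
                if value is None:
                    continue
                key = (obj_type, str(value).lower())  # case-insensitive, as domains are
                if key in index:
                    iid, name = index[key]
                    hits.append({"ts": rec["ts"], "host": rec["host"], "field": field,
                                 "value": value, "indicator": iid, "name": name})
    return hits


if __name__ == "__main__":
    for hit in hunt(STIX_BUNDLE, SAMPLE_LOGS):
        print(f'{hit["ts"]} {hit["host"]} {hit["field"]}={hit["value"]} -> {hit["name"]}')
```

Indexing the indicators once and doing a dictionary lookup per field is what makes this scale to large feeds; the hit records keep the indicator id so each match can be traced back to the intel object it came from.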

Hypotheses-based hunting

This threat hunting technique involves testing three types of hypotheses:

  • Analytics-driven — makes use of machine learning (ML) and user and entity behavior analytics (UEBA) to develop aggregated risk scores and formulate hypotheses.
  • Intelligence-driven — includes malware analysis, vulnerability scans, and intelligence reports and feeds.
  • Situational-awareness driven — enterprise risk assessments and crown jewel analysis (the identification of the digital assets critical for the company).

The large amounts of data collected mean threat hunters need to automate a great part of the process using machine learning techniques and threat intelligence.

Investigation using indicators of attack

This is the most proactive threat hunting technique. It starts by identifying advanced persistent threat (APT) groups and malware attacks, leveraging global detection playbooks. It commonly aligns with threat frameworks such as MITRE ATT&CK.

Here are the typical actions involved in the process:

  1. Use Indicators of Attack (IoAs) and tactics, techniques, and procedures (TTPs) to identify threat actors.
  2. To create a hypothesis that aligns with MITRE ATT&CK, the hunter assesses the domain, environment, and attack behaviors.
  3. After identifying a behavior, the threat hunter attempts to locate patterns by monitoring activities. The goal is to locate, identify, and then isolate the threat.

Hybrid hunting

This threat hunting technique combines all of the above, letting security analysts customize the hunt. It typically incorporates industry-based hunting with situational awareness, alongside specified hunting requirements. You can, for example, customize the hunt using data about geopolitical issues. You can also use a hypothesis as the trigger and leverage IoAs and IoCs. 

What makes a great threat hunter?

A threat hunter is a security analyst who uses manual or machine-assisted techniques to detect, isolate, and neutralize APTs that are not detected by automated security tools. To improve their skills, security staff may undergo threat hunting training, obtain a threat hunting certification such as Certified Cyber Threat Hunting Professional (CCTHP), or an ethical hacker certification.

Threat hunters typically report to a director of information security, who ultimately reports to the chief information security officer (CISO). When working in a security operations center (SOC), they report to the SOC manager.

Some important skills for a good threat hunter include:

  • Data analytics and reporting skills — these include pattern recognition, technical writing, data science, problem solving and research.
  • Operating systems and networks knowledge — the hunter needs to know the ins and outs of the organizational systems and network.
  • Information security experience — including malware reverse engineering, adversary tracking and endpoint security. A threat hunter needs to have a clear understanding of past and current tactics, techniques and procedures (TTPs) used by attackers.
  • Programming language fluency — at least one scripting language and one compiled language is common, though modern tools are increasingly eliminating the need for scripting.

3 tips to improve your threat hunting

Data breaches and cyber-attacks cost organizations millions of dollars a year. The following tips can help your organization better detect these threats:

1. Know what is normal for your organization

Threat hunters need to sift through anomalous activity and recognize the actual threats, so understanding what normal operational activity looks like for the organization is crucial. To accomplish this, the threat hunting team collaborates with key personnel inside and outside of IT to gather the information and insight needed to decide what is a threat and what is unusual but normal activity. This process can be automated using a technology like UEBA, which can establish normal operating conditions for an environment and the users and machines within it.
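What "knowing what is normal" looks like in code, as an added example (not code from the original article or from Exabeam): a baseline of each user's usual hosts and logon hours is learned from a training window, new logons are scored by how far they depart from it, and a list of exceptions vouched for by IT suppresses the "unusual but normal" cases. The logon events, the two-feature baseline and the scoring weights are constructed assumptions standing in for the far richer models a UEBA product builds.

```python
"""Baseline hunting: learn what is normal per user, then score new logons.

Added example, not code from the original article or from Exabeam. The logon
events are constructed, and the two-feature baseline (known hosts, known logon
hours) is a deliberately small stand-in for the behavioral models a UEBA
product builds; the scoring weights are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed training window: successful logons as (user, host, timestamp).
BASELINE_EVENTS = [
    ("alice", "ws-017", "2021-07-05T08:55:00Z"),
    ("alice", "ws-017", "2021-07-06T09:02:00Z"),
    ("alice", "ws-017", "2021-07-07T13:10:00Z"),
    ("alice", "ws-017", "2021-07-08T17:45:00Z"),
    ("bob", "ws-042", "2021-07-05T09:30:00Z"),
    ("bob", "srv-db-02", "2021-07-06T10:05:00Z"),
    ("bob", "ws-042", "2021-07-07T14:20:00Z"),
]

# Constructed events from the hunt window.
NEW_EVENTS = [
    ("alice", "ws-017", "2021-07-16T09:10:00Z"),          # usual host, usual hour
    ("alice", "srv-db-02", "2021-07-16T02:14:00Z"),       # new host, 02:00 logon
    ("bob", "srv-db-02", "2021-07-16T10:30:00Z"),         # usual for bob
    ("bob", "ws-017", "2021-07-16T14:00:00Z"),            # alice's workstation
    ("svc-backup", "srv-db-02", "2021-07-16T03:00:00Z"),  # no baseline at all
]

# What IT and the application owners vouched for as "unusual but normal":
# the backup service account is expected on the database server at night.
SANCTIONED = {("svc-backup", "srv-db-02")}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def build_baseline(events):
    """Per user, the hosts and the logon hours seen during the training window."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for user, host, ts in events:
        hosts[user].add(host)
        hours[user].add(parse_ts(ts).hour)
    return {"hosts": dict(hosts), "hours": dict(hours)}


def score_event(baseline, user, host, ts):
    """Return (score, reasons); a higher score is further from the user's normal."""
    known_hosts = baseline["hosts"].get(user)
    if known_hosts is None:
        return 3, ["no baseline exists for this user"]
    score, reasons = 0, []
    if host not in known_hosts:
        score += 2
        reasons.append(f"first observed logon to {host}")
    hour = parse_ts(ts).hour
    if hour not in baseline["hours"][user]:
        score += 1
        reasons.append(f"logon hour {hour:02d} outside observed hours")
    return score, reasons


def hunt(baseline, events, sanctioned=frozenset(), threshold=2):
    """Score each event, drop sanctioned exceptions, return findings above threshold."""
    findings = []
    for user, host, ts in events:
        if (user, host) in sanctioned:
            continue
        score, reasons = score_event(baseline, user, host, ts)
        if score >= threshold:
            findings.append({"score": score, "user": user, "host": host,
                             "ts": ts, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])  # stable: ties keep log order


if __name__ == "__main__":
    for f in hunt(build_baseline(BASELINE_EVENTS), NEW_EVENTS, SANCTIONED):
        print(f'[{f["score"]}] {f["user"]}@{f["host"]} {f["ts"]}: ' + "; ".join(f["reasons"]))
```

Run without the sanctioned list, the nightly backup account surfaces as a top finding; with it, only the two genuinely unexplained logons remain. Keeping that list explicit, rather than tuning the scores until the noise disappears, is the point of the collaboration the section describes.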

2. Observe, orient, decide, act

Threat hunters use this decision loop, borrowed from military strategy, in cyber warfare. OODA stands for:

  • Observe — routinely collect logs from IT and security systems.
  • Orient — cross-check the data against existing information. Analyze and look out for signs of an attack, such as signs of command & control.
  • Decide — identify the correct course of action according to the incident status.
  • Act — in case of an attack, execute the incident response plan. Take measures to prevent similar attacks in the future.
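One hunt carried through the steps above, as an added example (not code from the original article or from Exabeam), serving both the "Investigation using indicators of attack" procedure (a written-down hypothesis mapped to a MITRE ATT&CK tactic, then a search for the behavior) and the Orient step here (cross-checking collected flows for signs of command and control). The indicator of attack is beaconing: outbound connections to one external address on a near-fixed interval. The connection records, the hypothesis record, the ATT&CK tactic reference, the internal-address prefixes and the periodicity thresholds are all constructed assumptions for illustration.

```python
"""Hypothesis-driven hunt for an indicator of attack: periodic outbound
connections (beaconing) as a sign of command and control.

Added example, not code from the original article or from Exabeam. The
connection records are constructed; the hypothesis record, the ATT&CK tactic
reference, the internal-address prefixes and the periodicity thresholds are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# The hunt hypothesis, written down so that the result can prove or disprove it.
HYPOTHESIS = {
    "name": "A host is beaconing to an external address on a fixed interval",
    "attack_tactic": "TA0011 Command and Control",  # assumed ATT&CK mapping
    "min_connections": 5,   # fewer flows than this cannot establish a rhythm
    "max_jitter": 0.15,     # pstdev/mean of the intervals; low means periodic
}

# Constructed simplification: address prefixes treated as internal.
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")

_T0 = datetime(2021, 7, 16, 9, 0, 0)


def _flows(host, dst_ip, offsets_s):
    """Build constructed connection records at the given second offsets from _T0."""
    return [{"ts": _T0 + timedelta(seconds=o), "host": host, "dst_ip": dst_ip}
            for o in offsets_s]


# Constructed outbound connection log; order is reversed below so that the
# analysis cannot rely on records arriving sorted.
CONNECTIONS = (
    _flows("ws-017", "203.0.113.7", [0, 60, 119, 181, 240, 302, 359, 420])  # steady ~60 s
    + _flows("srv-web-01", "198.51.100.20", [0, 5, 305, 317, 1217, 1257])  # irregular
    + _flows("ws-042", "203.0.113.9", [0, 60, 120])                         # too few
    + _flows("ws-017", "10.0.0.5", [0, 64, 128, 192, 256, 320])             # internal
)[::-1]


def find_beacons(records, hyp=HYPOTHESIS):
    """Group flows by (host, dst), measure interval regularity, return candidates."""
    by_pair = defaultdict(list)
    for rec in records:
        if rec["dst_ip"].startswith(INTERNAL_PREFIXES):
            continue  # hypothesis is about external C2; internal chatter is out of scope
        by_pair[(rec["host"], rec["dst_ip"])].append(rec["ts"])

    findings = []
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < hyp["min_connections"]:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= hyp["max_jitter"]:
            findings.append({"host": host, "dst_ip": dst, "count": len(stamps),
                             "mean_interval_s": round(avg, 1), "jitter": round(jitter, 3),
                             "tactic": hyp["attack_tactic"]})
    return findings


def hunt_report(records, hyp=HYPOTHESIS):
    """Tie the evidence back to the hypothesis: supported, or not supported."""
    findings = find_beacons(records, hyp)
    return {"hypothesis": hyp["name"], "supported": bool(findings), "findings": findings}


if __name__ == "__main__":
    report = hunt_report(CONNECTIONS)
    print(f'{report["hypothesis"]}: {"supported" if report["supported"] else "not supported"}')
    for f in report["findings"]:
        print(f'  {f["host"]} -> {f["dst_ip"]}: {f["count"]} flows, '
              f'every ~{f["mean_interval_s"]} s (jitter {f["jitter"]}) [{f["tactic"]}]')
```

The report either supports the hypothesis with concrete evidence (which host, which destination, how regular) or records that the data did not support it; both outcomes feed the resolution phase. The jitter threshold is the knob a hunter would tune against their own environment's baseline of legitimate periodic traffic such as update checks.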

3. Have appropriate and sufficient resources

A threat hunting team should have enough:

  • Personnel — a threat hunting team that includes at least one experienced cyber threat hunter.
  • Systems — a basic threat hunting infrastructure that collects and organizes security incidents and events.
  • Tools — software designed to identify anomalies and track down attackers.

Threat hunting platforms

Threat hunters use software and tools to find suspicious activities. There are three main categories of solutions and tools:

1. Security monitoring tools — tools such as firewalls, antivirus, and endpoint security solutions collect security data and monitor the network.

2. SIEM solutions — security information and event management (SIEM) solutions help manage the raw security data and provide real-time analysis of security threats.

3. Analytics tools — statistical and intelligence analysis software. These tools provide a visual report through interactive charts and graphs, making it easier to correlate entities and detect patterns.

Exabeam Threat Hunter

Exabeam Threat Hunter helps analysts outsmart attackers by simplifying threat detection. Threat Hunter allows investigators to use point-and-click search of specific criteria including by user, asset, event, risk type, alerts and attacker TTPs. Investigators can also search through timelines for unusual behavior. With Threat Hunter, analysts can respond faster, stopping attacks when they appear.

How can Exabeam Threat Hunter help your threat hunting?

These key features of the platform will help your organization build more effective threat hunting capabilities:

  • Easy to use interface — point-and-click interface makes it simple to query data.
  • Context-aware data — enables complex searches.
  • Behavioral threat hunting — allows analysts to search for IoAs, which are much higher value indicators than IoCs.
  • Automatic incident timelines — automation makes gathering evidence simpler and faster than maintaining logs.
  • Visual aids — represent relationships, revealing hidden relations between data.
