Cyber threat hunting is a proactive cyber defence approach which involves actively searching for more advanced types of threat that may be missed by other security approaches.
In this blog post, we outline some of the key tools and approaches involved with effective cyber threat hunting.
What is proactive threat hunting?
Reactive threat hunts focus on known threats, with hunts typically triggered by a security incident or a set of high-risk alerts. In contrast, proactive threat hunting is a cyclical, hypothesis-driven process that assumes an undiscovered breach of an unknown type has already occurred. It is not undertaken in response to a precipitating incident, a roadmap item or a triggered high-fidelity detection rule; the hunter starts from a hypothesis about how an adversary could be present and goes looking for evidence of it.
Key tools for cyber threat hunting
Threat hunters utilise a variety of data sources, tools and techniques to uncover threats, including:
Security data and telemetry – Security Information and Event Management (SIEM) platforms help hunters shortcut data navigation and forensic analysis by collecting and correlating data from endpoint protection platforms (EPP), endpoint detection and response platforms (EDR), cloud security platforms, intrusion detection and prevention systems (IDS/IPS) and network monitoring tools.
Digital risk monitoring (DRM) – DRM tools crawl the dark web, social media and other digital channels to give hunters an external view of the organisation’s current threat exposure.
Security analytics – These platforms utilise artificial intelligence (AI), machine learning (ML) and behavioural analysis of network data to flag anomalous and potentially malicious activity. Hunters can leverage these detections for clues to an ongoing breach.
MITRE ATT&CK Framework – Hunters can draw on MITRE ATT&CK's documented tactics, techniques and procedures (TTPs), and the detection guidance and data sources listed for each technique, to form hypotheses and decide which telemetry will confirm or refute them.
Threat models – Mature organisations document detailed cyber risk scenarios and countermeasures to protect their most critical data and business systems. Hunters can draw on these to target and prioritise investigations.
Security and risk leader perspectives
Kroll’s 2021 State of Incident Response report surveyed 500 security and risk leaders at large organisations about issues related to their cybersecurity programs, specifically threat detection and incident response, and respondents are keenly aware of the risks. Two-thirds (66%) acknowledge they’re vulnerable to a cyberattack that could disrupt business or lead to a data breach. Nearly half (49%) lack adequate tools (including staff and expertise) to detect or respond to cyber threats. Another 46% say they cannot acquire cloud-based services logs and other relevant data needed to investigate incidents.
Whichever investigative method is used, it is critically important to collect and preserve log and telemetry data for root cause analysis and threat hunting. Yet this continues to be a significant problem for many organisations. One cause is the sheer volume of data that must be ingested, correlated and analysed daily. Another is that actors often attempt to cover their tracks with Indicator Blocking (MITRE ATT&CK T1562.006) and other defence-evasion techniques that impair or prevent access to investigative data, such as disabling audit policy or clearing event logs. To reduce risk, organisations must do everything possible to preserve this data, and to make it available to hunters at scale.
SIEM and Security Orchestration, Automation and Response (SOAR) solutions are helpful in partially automating data management, alert triage and incident response playbooks. However, these tools still rely on detection rules, and sophisticated actors routinely circumvent rules because of their intrinsic limitations. If rules are overly specific, they miss trivial variations of a known attack. If overly broad, they fire on routine administration, impair business processes and overwhelm SOC teams with spurious alerts. Most importantly, they cannot detect evidence of attacks that have never been seen before. That goal can only be achieved with proactive threat hunting.
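To make the rule-versus-hunt distinction concrete, the following is an added example written for this article; it is not Kroll's code or part of any ThreatDetect tooling. It runs one hunt hypothesis, that an adversary is tampering with Windows event logging or audit policy (MITRE ATT&CK T1562.006 Indicator Blocking and T1070.001 Clear Windows Event Logs), over a handful of constructed Sysmon-style process-creation events, and compares the result with an overly specific signature and an overly broad one. The event records, host names and user names are invented for illustration.

```python
"""Hypothesis-driven hunt over constructed process-creation telemetry.

Hypothesis: an adversary with a foothold is impairing defences by clearing
event logs, disabling audit policy or stopping the event log service
(ATT&CK T1562.006 / T1070.001), possibly in forms a narrow signature misses.
"""
import re

# Constructed sample events (Sysmon Event ID 1 style). Not real telemetry.
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe",
     "cmdline": "outlook.exe"},
    {"host": "srv02", "user": "svc_backup", "parent": "services.exe", "image": "backup.exe",
     "cmdline": "backup.exe -run nightly"},
    {"host": "ws07", "user": "bob", "parent": "cmd.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "ws12", "user": "carol", "parent": "powershell.exe", "image": "wevtutil.exe",
     "cmdline": 'WEVTUTIL.EXE  "clear-log"  "Microsoft-Windows-Sysmon/Operational"'},
    {"host": "ws12", "user": "carol", "parent": "powershell.exe", "image": "auditpol.exe",
     "cmdline": 'auditpol /set /subcategory:"Process Creation" /success:disable /failure:disable'},
    {"host": "dc01", "user": "SYSTEM", "parent": "services.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil qe Security /c:5 /f:text"},  # benign log query
    {"host": "ws12", "user": "carol", "parent": "powershell.exe", "image": "sc.exe",
     "cmdline": "sc stop eventlog"},
]


def narrow_rule(event):
    """Signature as often written: an exact string. Misses any variation."""
    return event["cmdline"] == "wevtutil cl Security"


def broad_rule(event):
    """Signature at the other extreme: any wevtutil execution. Noisy."""
    return event["image"].lower() == "wevtutil.exe"


def normalise(cmdline):
    """Canonicalise a command line so quoting, case, spacing and path
    variants of the same action collapse to one form."""
    s = cmdline.replace('"', "").replace("'", "")
    s = re.sub(r"\s+", " ", s).strip().lower()
    tokens = s.split(" ")
    # Strip any path and the .exe suffix from the executable itself.
    tokens[0] = tokens[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    return " ".join(tokens)


# Hunt patterns keyed on what the action achieves, not on one exact string.
HUNT_PATTERNS = {
    "clear_event_log (T1070.001)": re.compile(r"^wevtutil (cl|clear-log) "),
    "disable_audit_policy (T1562.006)": re.compile(
        r"^auditpol .*(/clear|/success:disable|/failure:disable)"),
    "stop_eventlog_service (T1562.006)": re.compile(r"^(sc|net) stop eventlog\b"),
}


def hunt(events):
    """Return (technique, event) pairs whose normalised command line matches."""
    hits = []
    for ev in events:
        cl = normalise(ev["cmdline"])
        for label, pat in HUNT_PATTERNS.items():
            if pat.search(cl):
                hits.append((label, ev))
    return hits


def stack_by_host(hits):
    """Stack hits per host. Several distinct techniques on one host is the
    signal a hunter escalates; a single match is a lead to be triaged."""
    per_host = {}
    for label, ev in hits:
        per_host.setdefault(ev["host"], set()).add(label)
    return {host: sorted(labels) for host, labels in per_host.items()}


def compare(events):
    """Summarise what each approach finds on the same telemetry."""
    hits = hunt(events)
    flagged_by_hunt = {id(ev) for _, ev in hits}
    broad = [ev for ev in events if broad_rule(ev)]
    return {
        "narrow_hits": sum(1 for ev in events if narrow_rule(ev)),
        "broad_hits": len(broad),
        "broad_false_positives": sum(1 for ev in broad if id(ev) not in flagged_by_hunt),
        "hunt_hits": len(hits),
        "stacked": stack_by_host(hits),
    }


if __name__ == "__main__":
    for key, value in compare(EVENTS).items():
        print(f"{key}: {value}")
```

On these events the exact-match rule finds one of the four tampering actions, the image-name rule finds three but one of them is the domain controller's routine log query, and the hypothesis-driven hunt finds all four and stacks three distinct techniques on ws12, which is the host a hunter would pivot to next. The point is not the three regular expressions but the workflow: state what the adversary would have to do, normalise the telemetry so variants collapse, and stack results by host or user rather than alerting on single matches.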
How Kroll can help
ThreatDetect™, Kroll's outcome-focused Managed Detection and Response (MDR) service, integrates the latest detection technologies and threat intelligence with a team of offensive security professionals to provide the hunting capability needed to detect threats proactively.
Our experienced team of Red and Blue Team security professionals has deep knowledge of offensive security and applies that knowledge to identify unknown threats more effectively.