Most threats security analysts deal with are relatively unsophisticated and can be easily detected and mitigated with standard tools and good security hygiene. But a small percentage of them are advanced threats that will breach your defenses and gain a foothold in your network or data. After gaining that foothold, an attacker can remain hidden in your network for months as they quietly collect data, look for confidential material, or obtain login credentials that will allow them to move laterally across the environment. In fact, the average time to identify and contain a breach is 280 days, and the average total cost of a breach is $3.86 million (Ponemon, Cost of a Breach, 2020).
This is where the cyber threat hunter comes into play. Their job is to proactively investigate and defuse adversaries who cannot be caught with other methods. The threats they hunt for can be initiated by an insider, such as an employee, partner, or contractor of the organization, but are typically the work of a state actor or organized crime group.
The cyber threat hunter searches for unknown threats, seeking evidence, chasing anomalies, and building a comprehensive picture of the hacker activity to ensure similar attacks do not occur in the future. The cyber threat hunter aims to understand the full extent of the intrusion and collect all the forensic evidence. The role also includes detecting vulnerabilities and mitigating associated risks before they affect the organization.
A threat hunter needs to be a seasoned analyst with a broad skill set, including
A variety of tools can be used for cyber threat hunting, and using several of them provides different perspectives on the same data. Here are some examples of cyber threat hunting tools you will want to consider:
For example, using unsampled network flow data, such as NetFlow or IPFIX, gathered from across the hybrid enterprise, you can assemble a forensically accurate record of traffic. This can be used to identify threats like botnet command-and-control (C2) channels, which are often extremely difficult to expose. These communications, typically small, periodic, or oddly timed, are indicators of compromised hosts and are stepping stones to even more damage. Riverbed NPM’s full-fidelity network visibility and anomaly detection allow the operator to discover details like this and map them out to eliminate the threat completely.
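To make the beaconing profile described above concrete, here is an added example (not Riverbed code and not part of the original article) that scores flow records for long-lived, periodic, low-volume channels between a host and a remote endpoint. The CSV layout, the thresholds, and the IP addresses are constructed assumptions for illustration.

```python
# Added example: beacon-hunting heuristic over flow records (constructed data).
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample flows (start_epoch,src,dst,dport,bytes), not real telemetry:
# 10.0.0.5 contacts 203.0.113.7:443 every ~60 s with tiny payloads (beacon-like);
# 10.0.0.9 browses 198.51.100.20:443 at irregular intervals with large transfers.
SAMPLE_FLOWS = """start_epoch,src,dst,dport,bytes
1000,10.0.0.5,203.0.113.7,443,310
1061,10.0.0.5,203.0.113.7,443,298
1119,10.0.0.5,203.0.113.7,443,305
1180,10.0.0.5,203.0.113.7,443,312
1241,10.0.0.5,203.0.113.7,443,301
1299,10.0.0.5,203.0.113.7,443,307
1005,10.0.0.9,198.51.100.20,443,48213
1012,10.0.0.9,198.51.100.20,443,120044
1190,10.0.0.9,198.51.100.20,443,9920
1195,10.0.0.9,198.51.100.20,443,410022
1400,10.0.0.9,198.51.100.20,443,7311
"""

def find_beacons(flow_csv, min_flows=5, max_jitter=0.2, max_bytes=2000):
    """Return (src, dst, dport, median_interval) for channels that are periodic,
    small and repeated: the profile of C2 check-ins described in the text."""
    by_channel = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (row["src"], row["dst"], int(row["dport"]))
        by_channel[key].append((int(row["start_epoch"]), int(row["bytes"])))
    hits = []
    for key, flows in by_channel.items():
        if len(flows) < min_flows:
            continue  # too few samples to judge periodicity
        flows.sort()
        starts = [t for t, _ in flows]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= 0:
            continue  # duplicate timestamps, no usable interval
        # Jitter: spread of inter-arrival times relative to the typical gap.
        jitter = statistics.pstdev(gaps) / median_gap
        small = all(size <= max_bytes for _, size in flows)
        if jitter <= max_jitter and small:
            hits.append((*key, median_gap))
    return hits

if __name__ == "__main__":
    for src, dst, dport, gap in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst}:{dport} every ~{gap:.0f}s")
```

In practice the thresholds are tuned per environment, and a hit is a lead for the hunter to pivot on (destination reputation, process on the host, payload contents), not a verdict.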