What is cyber threat hunting?
Cyber threat hunting is the art of actively seeking out, tracking, and disabling the most skilled and dangerous network intruders. It is an analyst-centric process that typically starts with a hypothesis or trigger and proactively and iteratively searches through networks, endpoints, and data to detect and isolate advanced persistent threats (APTs) that have evaded traditional preventive controls. Cyber threat hunting is a proactive, investigative mindset fed by curiosity and by the recognition that the adversary is an intelligent human being, not just a simple “bot”, who is constantly adjusting his or her approach to beat your defenses.
Why use cyber threat hunting?
Most threats security analysts deal with are relatively unsophisticated and can be easily detected and mitigated with standard tools and good security hygiene. But a small percentage of them are advanced threats that will breach your defenses and gain a foothold in your network or data. After gaining that foothold, attackers can remain hidden in your network for months while they quietly collect data, look for confidential material, or obtain login credentials that allow them to move laterally across the environment. In fact, the average time to identify and contain a breach is 280 days, and the average total cost of a breach is $3.86 million (Ponemon, Cost of a Breach, 2020).
This is where the cyber threat hunter comes into play. Their job is to proactively investigate and defuse adversaries who cannot be caught with other methods. The threats they hunt for can be initiated by an insider, such as an employee, partner, or contractor of the organization, but are typically created by a state actor or organized crime group.
What does a cyber threat hunter do?
The cyber threat hunter searches for unknown threats, seeking evidence, chasing anomalies, and building a comprehensive picture of the hacker activity to ensure similar attacks do not occur in the future. The cyber threat hunter aims to understand the full extent of the intrusion and collect all the forensic evidence. The role also includes detecting vulnerabilities and mitigating associated risks before they affect the organization.
A threat hunter needs to be a seasoned analyst with a broad skill set, including:
- Data analytics, to gather data and analyze it for signs of compromise.
- Pattern recognition, to match observed techniques, tactics, strategies, and procedures to the attackers and malware that use them.
- Deep knowledge of the environment, to know the best hiding places and check them regularly, and to understand what a change to the environment implies from a risk perspective.
- Security forensics, to capture data in a forensically sound manner so that it holds up in a legal proceeding.
What tools are required for cyber threat hunting?
A variety of tools can be used for threat hunting, and each provides a different perspective on the data. Here are some examples of cyber threat hunting tools you will want to consider:
- Unsampled flow monitoring for network traffic reports with port mapping and dependency mapping
- Packet capture and analysis with deep packet inspection (DPI) to identify protocol details and URLs, with abundant packet storage for historical analysis
- Anomaly detection for changes in volume and velocity of traffic between IPs
- Infrastructure monitoring for change management or to detect unusual activity on network devices, such as saturation of an interface by an attack
- Auditing and regulatory compliance tools
- Log analysis, for extracting data from logs for trend and pattern analysis
For example, using unsampled network flow data, such as NetFlow or IPFIX, gathered from across the hybrid enterprise, you can assemble a forensically accurate record of traffic. This can be used to identify threats like botnet command-and-control (C2) channels, which are often extremely difficult to expose. These communications — typically small, periodic, or oddly timed — are indicators of compromised hosts, and are stepping stones to even more damage. Riverbed NPM’s full-fidelity network visibility and anomaly detection allow the operator to discover details like this and map them out to eliminate the threat completely.
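The beaconing pattern described above (small, uniform flows recurring at near-regular intervals to one external host) can be scored directly from flow records. The following is an added example, not Riverbed's code or any product's logic: it takes NetFlow/IPFIX-style records (here a constructed sample), groups them by source, destination and port, and flags groups whose inter-flow intervals and byte counts are both unusually regular. The `Flow` record, the thresholds and the sample addresses are assumptions made for this illustration.

```python
"""Periodic-beacon detection over unsampled flow records.

Added example (not Riverbed's code). Flow records are aggregated per
(src, dst, dst_port); for each group the coefficient of variation (CV =
stdev / mean) of the inter-flow intervals and of the flow sizes is computed.
Tightly periodic, uniformly small flows to a single host have a low CV on
both axes, which is the classic shape of a C2 beacon. Ordinary interactive
traffic (browsing, file transfer) is bursty and varied and scores high.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow/IPFIX-like record (assumed shape for this example)."""
    ts: float       # flow start time, epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int


def group_flows(flows):
    """Bucket flows by the (source, destination, destination port) tuple."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)
    return groups


def beacon_score(flows, min_flows=6):
    """Return (interval_cv, size_cv, mean_interval) for a flow group, or None
    when there are too few flows to judge regularity. Lower CV = more regular."""
    if len(flows) < min_flows:
        return None
    ts = sorted(f.ts for f in flows)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mean_interval = mean(intervals)
    if mean_interval <= 0:
        return None
    interval_cv = pstdev(intervals) / mean_interval
    sizes = [f.nbytes for f in flows]
    mean_size = mean(sizes)
    size_cv = pstdev(sizes) / mean_size if mean_size > 0 else 0.0
    return interval_cv, size_cv, mean_interval


def find_beacons(flows, max_interval_cv=0.2, max_size_cv=0.2, min_flows=6):
    """Return a list of groups whose timing and size regularity both fall
    under the thresholds (thresholds are assumptions; tune to your network)."""
    hits = []
    for (src, dst, dport), group in group_flows(flows).items():
        score = beacon_score(group, min_flows)
        if score is None:
            continue
        interval_cv, size_cv, mean_interval = score
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({
                "src": src, "dst": dst, "dport": dport, "flows": len(group),
                "mean_interval_s": round(mean_interval, 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return hits


def sample_flows():
    """Constructed sample data (documentation ranges, not real hosts):
    10.0.0.5 contacts 203.0.113.7:443 roughly every 60 s with a ~512-byte
    payload (beacon-like), and also browses 198.51.100.20:443 irregularly."""
    base = 1_700_000_000.0
    flows = []
    jitter = [0, 1.5, -1.0, 0.5, -0.5, 2.0, -1.5, 1.0, 0, -2.0]
    for i, j in enumerate(jitter):
        flows.append(Flow(base + 60 * i + j, "10.0.0.5", "203.0.113.7", 443, 512 + i % 3))
    gaps = [0, 3, 41, 2, 9, 120, 5, 77]
    sizes = [15000, 2200, 98000, 600, 43000, 7700, 120000, 310]
    t = base
    for g, s in zip(gaps, sizes):
        t += g
        flows.append(Flow(t, "10.0.0.5", "198.51.100.20", 443, s))
    return flows


if __name__ == "__main__":
    for hit in find_beacons(sample_flows()):
        print(hit)
```

On the constructed sample only the 203.0.113.7 group is reported: its interval CV is a few percent and its size CV is near zero, while the browsing group's intervals and sizes vary by more than 100%. In practice the thresholds and `min_flows` are tuned per environment, and legitimate periodic traffic (NTP, monitoring agents, update checks) must be allow-listed, since it produces the same low-CV signature.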