A Beginner’s Guide to Cyber Threat Hunting
What is threat hunting?
In cyber security, offense is the best form of defense. Automated security intercepts the majority of uninvited guests that a network might face, but sophisticated attackers can enter undetected and cause great damage. Most cyber security strategies focus on detection. They are reactive, waiting for a warning to appear before dealing with a threat. The problem with this approach is that it presumes that threats can be neutralized before they cause too much damage. Proactive threat hunting aids organizations in detecting and responding to unknown, undetected, and non-remediated threats that have been missed by threat detection.
The cyber threat hunter engages in a search and destroy mission. Cyber hunters take the battle to the bad guys by digging deep into the system to find out where cyber security threats are lurking. Once they locate covert indicators of compromise (IOC) or indicators of attack (IOA), they destroy them before the attackers can complete their objectives.
What are the threats in cyber security?
Cybercriminals are constantly evolving and the types of threat that they use to target businesses and organizations grow concurrently. Cyber threat hunting works on the premise that there are already undetected network security threats within an organization’s system. After slipping into the network undetected by automated security defenses, these threats patiently lurk for extended periods. Over days, weeks, and even months, attackers silently monitor an organization’s network and gather confidential data and credentials to allow further access, enabling them to move laterally across the network. Once an attacker is inside the system, organizations may lack sufficient cyber threat detection capabilities to remove advanced persistent threats from their networks. The sophisticated cybercriminal may have the goal of extracting data from the system after embedding themselves undetected deep in the organization. Common attacks include advanced persistent threats that could lead to a full-blown data breach.
What are the types of threat hunting?
Threat hunting uses a threat hunting framework, following specific hunting steps in order to maximize the efficiency of the hunt. First, the hunters select a target, then they decide between performing a manual or automated threat hunt. Approaches vary between hunters, but three commonly utilized threat hunting methodologies are:
- Hypothesis Hunting. Threat hunting begins with creating a hypothesis and testing it. Such investigations focus on new threats identified in crowdsourced data on attacks, providing information about the tactics, techniques and procedures (TTPs) used by cybercriminals. The hunter then investigates their network to either prove or disprove the hypothesis. If the hypothesis is proved, the hunter tries to trace the activities of the attacker, with the goal of finding, identifying and isolating the threat.
- Intel Hunting. This reactive technique employs IOCs from intelligence sharing platforms. Intel Hunts use information from intelligence sources to identify how different attackers strike and the steps they follow to achieve their nefarious goals. After receiving an automated alert from an intelligence platform, the threat hunter can investigate the effect of the attack on their network.
- Hybrid Hunting. As the name suggests, this method combines Hypothesis and Intel based hunting models in a customized approach to threat hunting. Hybrid hunts are tailored to meet the needs of an individual organization, and remedy situations such as targeted attacks. By combining hunting approaches, the hybrid method maximizes value and efficacy of the hunt.
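The three methodologies above are easier to tell apart when seen as code. The following is an added example, not code from the Acer article or any product it mentions: a small hunt over constructed authentication log lines. The intel hunt matches events against an IOC feed; the hypothesis hunt tests one concrete hypothesis ("a compromised account authenticates successfully outside business hours to more than one host"); the hybrid hunt enriches the hypothesis hits with the intel hits. The log format, host names, user names, IP addresses and IOC list are all made up for the example.

```python
"""Added example (not from the original article): intel, hypothesis and hybrid
hunts run over a handful of constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs in a syslog-like key=value format. Every host, user
# and address is invented; the documentation-range IPs are not real attackers.
SAMPLE_LOGS = """\
2024-03-04T02:14:07Z auth host=fs01 user=jdoe src=203.0.113.45 result=success
2024-03-04T09:02:11Z auth host=fs01 user=jdoe src=10.0.0.21 result=success
2024-03-04T09:05:43Z auth host=ws17 user=asmith src=10.0.0.44 result=success
2024-03-04T02:21:55Z auth host=db02 user=jdoe src=203.0.113.45 result=success
2024-03-04T23:48:30Z auth host=ws17 user=svc_backup src=10.0.0.9 result=success
2024-03-04T11:30:00Z auth host=ws22 user=asmith src=198.51.100.7 result=fail
"""

# Constructed IOC feed, standing in for what an intelligence sharing platform
# would deliver (here: source addresses only).
IOC_FEED = {"203.0.113.45", "198.51.100.7"}


def parse_line(line):
    """Turn one log line into a dict of fields with a parsed timestamp."""
    ts, _event_type, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def intel_hunt(events, iocs):
    """Intel hunting: flag every event whose source address is a known IOC.
    Failed logins count too; the indicator itself is the evidence."""
    return [e for e in events if e["src"] in iocs]


def hypothesis_hunt(events, work_start=8, work_end=19):
    """Hypothesis hunting: a compromised account logs in successfully outside
    business hours (hours are assumed) to more than one host. Returns the
    offending users mapped to the hosts they reached. A single off-hours host,
    such as a backup service account doing its job, does not confirm it."""
    hosts_by_user = defaultdict(set)
    for e in events:
        hour = e["ts"].hour
        off_hours = hour < work_start or hour >= work_end
        if e["result"] == "success" and off_hours:
            hosts_by_user[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) > 1}


def hybrid_hunt(events, iocs):
    """Hybrid hunting: take the hypothesis hits and attach the IOC-matching
    source addresses each suspect user was seen from."""
    suspects = hypothesis_hunt(events)
    ioc_hits = intel_hunt(events, iocs)
    return {u: sorted({e["src"] for e in ioc_hits if e["user"] == u})
            for u in suspects}


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    print("intel hits:", [(e["user"], e["src"]) for e in intel_hunt(evts, IOC_FEED)])
    print("hypothesis hits:", hypothesis_hunt(evts))
    print("hybrid hits:", hybrid_hunt(evts, IOC_FEED))
```

On the constructed data the intel hunt flags three events, the hypothesis hunt flags only `jdoe` (two hosts at 02:14 and 02:21, while the lone `svc_backup` login at 23:48 is not enough to confirm it), and the hybrid hunt shows that the same user was seen from an address on the feed, which is the kind of corroboration that turns a hypothesis into a case worth isolating.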
How do you hunt for threats?
To effectively go out and hunt for threats, you will need the holy trinity of highly skilled security professionals, a wealth of data and threat intelligence.
- Threat analysts. Highly skilled cybersecurity professionals proactively use their unique knowledge to repel sophisticated attacks. The success of a hunt hinges upon the hunter and their effective use of the tools available to them in order to identify and resolve any threats.
- Data. Sourced from cloud, network and endpoint sources, hunters will need access to an organization’s data sets in order to scour them for indicators of cyber threat activities.
- Intelligence. It is easy to focus too much on the view inside the network, but to understand what is going on inside, we must first look outside at threat intelligence, which helps hunters identify IOCs. With intelligence from global, evidence-based sources, hunters are greatly assisted in their quest by threat detection technologies, including security analytics tools and security information and event management (SIEM) systems.
What tools do you need?
In the endless campaign against the cybercriminal menace, the cyber threat hunter needs to be equipped with a quiver of tools that will allow them to search through vast quantities of data to identify various threats and events. The use of hunting platforms makes the process of sifting data more practical, reducing reliance on human data processing. The three commonly encountered types of threat hunting platforms are:
- SIEM. Security information and event management solutions aggregate the data of an organization into a single platform, identifying irregularities for further analysis.
- MDR. Managed detection and response combines intelligence and hunting to pinpoint and fix advanced threats before they are able to wreak havoc on the network.
- Analytics. Tools to analyze the wealth of security data from a hunt render the data valuable to the hunter. Analytics tools using AI turn data into insight by helping hunters identify trends and anomalies in their data.
The future of threat hunting
Cybercriminals will continue to think up smarter and smarter methods of attack, so cyber threat hunters must remain resolute in finding ways to outsmart them. Cyber attacks increased by 125% in 2021, and continue to grow exponentially. With this increase in attacks, the demand for cyber threat hunters will continue to increase. The average salary for a cyber threat hunter in the United States is $143,000 in 2023, and as demand increases, so will salaries. It is a cat and mouse game. Cyber threat hunters need to stay up to date with the latest threat intelligence in order to analyze trending threats with their internal network data and act accordingly.
How do you become a threat hunter?
If becoming a threat hunter sounds appealing to you, there are a few things to consider. Firstly, you will need an eye for detail and an instinct for identifying the subtle clues left by cybercriminals. In addition, you will need a hound-dog-like tenacity to constantly go after the bad guys to find and solve cyber threats. You will also need to be willing to continually update your skills to stay abreast of the latest trends in cyber threats. If you tick these boxes, then you should identify an organization that will invest the time to train you to use the tools mentioned above. With talent, time, and knowledge, you can fine-tune your skills and grow into an effective cyber threat hunter.
*The opinions reflected in this article are the sole opinions of the author and do not reflect any official positions or claims by Acer Inc.
About Edmund McGowan: Edmund is an English copywriter based in New Taipei City, Taiwan. He is a widely published writer and translator with two decades of experience in the field of bridging linguistic and cultural gaps between Chinese and English.