Threat hunters are the bodyguards of your network. They monitor your system, keeping track of any suspicious activity. If something doesn’t seem right, the threat hunter will identify the culprit and take immediate action.
Some companies hire humans for the job; others prefer to automate it. For best results, though, organizations need to combine the two: Human-driven automation is going to give you your most comprehensive protection perimeter. Here’s what you need to know about threat hunting and what it takes to do it right.
What Is Threat Hunting?
The security mindset is shifting from a reactive cyber threat detection focus to an intensely proactive one. Central to that new mindset is a new concept — the assumption of breach.
True, you have to put defenses in place, but you should also assume those defenses will be breached at some point. That’s why you need to have a Plan B What will you do to identify and contain those threats?
Threat hunting is an important part of the answer. It aims to actively seek out attackers who have nefariously penetrated your network. Threat hunters, like security guards performing regular scans of a sensitive building, sweep over corporate IT systems and look for signs of compromise.
According to this IBM report, it takes an average of 191 days for organizations to discover that they have been breached and remediate their systems. During that terrifyingly-long period, attackers move laterally, quietly and gradually obtaining access to more and more sensitive systems. They continue to move through the network until they put their hands on the crown jewels. Threat hunting can dramatically shorten that window of opportunity for attackers.
Threat hunting also helps identify a special kind of cyber attack: Advanced Persistent Threats (APT). APTs are carried out by organized, sophisticated groups of cybercriminals, who launch a carefully planned attack campaign against a specific organization.
APT attackers may be sophisticated enough and have enough time to evade your strongest defenses. But a skilled threat hunter can catch them after they enter — hopefully before they wreak their damage.
What Does it Take to Become a Threat Hunter?
Not just any security pro can become a threat hunter. Threat hunting requires multidisciplinary expertise, including:
- Security knowledge This refers to security data analysis, forensics, threat intelligence, malware investigation and reverse engineering, as well as network and endpoint security tools.
- History of attacks You need knowledge of current and past attack techniques and the threat actors who carry out those techniques. The ability to augment knowledge with threat intelligence and data feeds that provide up-to-date information about cyber attacks.
- Advanced IT expertise We’re talking operations systems and networks, as well as common applications like databases, email servers and web servers. Threat hunters must know their way around a network and what buttons to push to exploit a vulnerability or evade security, just like a sophisticated attacker.
- Programming skills A threat hunter must be able to write scripts, and should also know compiled languages like Java or C++. This enables them to understand automated techniques deployed by attackers and analyze the internals of malware.
- Creativity and independence Also, threat hunters must be problem solvers with a combination of analytical, logical and technical skills. Like detectives, they need to be able to put together the pieces of the puzzle to identify what attackers are up to. They’ve got to be good at working alone, able to identify threat opportunities and deal with them without close oversight.
The SANS Institute’s Threat Hunting Process
How does a threat hunter work? The SANS institute suggests a 5-step process for effective threat hunting.
1. Data collection and processing
A threat hunter starts by identifying what data they need to pinpoint a threat, grabs that data from security tools or from a Security Information and Event Management (SIEM) solution, and then performs an independent analysis.
2. Establishing a hypothesis
Asking one or more questions that can lead to the discovery of a threat. For example, if there is a suspicious network traffic, this could be a sign that malware is communicating with a command and control center.
Looking at the data to find the Indicators of Compromise (IoC) included in the hypothesis, and then analyzing them to see if they really do indicate a threat. This requires expertise, diligence, and a lot of patience.
4. Threat identification
Recognizing that a certain piece of forensic data is probably a threat. Threat hunters don’t stop there, they need to analyze the threat in more detail, obtain and correlate other relevant information, and identify what type of threat it is, which systems are affected, what was the timeline and what is the best course of action.
Threat hunters take immediate steps to stop the attack, for example by quarantining an affected system or resetting it to a last known good state. They should then identify how to eradicate the threat and prevent it from recurring.
Threat hunters are expected to complete the cycle independently, but if the threat is very severe or affects a large part of the organization, the threat hunter may escalate to senior analysts in the Security Operations Center (SOC), to devise a coordinated response.
The bottom line
In today’s chaotic digital atmosphere, threat hunters need as many skills, tools, and information as they can get. Keeping track of a security perimeter is a 24/7/7 job, which is where automation tools come in handy. These systems can monitor the network, assisting and alerting the human threat hunter. Quick response and collaborative work can help organizations protect themselves against data breaches and advanced threats.
For aNewDomain, I’m Gilad David Maayan.
Cover image: Pixabay