Threat Hunting

What is Threat Hunting?

Threat Hunting is the proactive and iterative process of searching for and identifying advanced threats or adversaries that have evaded your security measures. Whereas your monitoring and detection functions, such as the Security Operations Centre (SOC) and SIEM/EDR tools will alert you once a security event is discovered, a Threat Hunting team looks beyond the tools and reads between the logs, seeking to ensure that attackers haven’t slipped through your defences.

By taking an ‘assumed breached’ approach, Threat Hunters aim to prove that an attack hasn’t taken place, rather than wait to be told that one has. In this way, Threat Hunting can be described as a security assurance exercise – evaluating the effectiveness of your current security controls: detective, preventative, and recovery.

What is the Threat Hunting Methodology?

An effective Threat Hunting methodology is to develop several hypotheses of threats that have gone undetected by your existing security controls. Developing good hypotheses is essential in getting value out of your Threat Hunting engagement. Hypotheses will be influenced by several factors relating to your organisation, including:

• Threat Intelligence – Who are the attackers targeting your region and industry? Which tactics, techniques, and procedures (TTPs) do they use?
• Asset Inventory – What are our digital assets that could be impact by a threat? What is the sensitivity and criticality of these assets?
• Risk Appetite – What are our crown jewels? Which assets, if impacted, would prevent us from carrying out our mission critical/business critical functions?

Methodology

1. Analyse available, relevant, and timely threat intelligence.
2. Develop several hypotheses based on threat intelligence, assets, and risk appetite.
3. Investigate each hypothesis, aiming to prove it either true or false to a high level of confidence. This may involve deploying forensic tools and analysing log files.
4. Capture findings in the Threat Hunting report.
5. If a threat is detected, initiate your Incident Response playbooks.
6. Repeat as often as practical.

Would a Threat Hunting Engagement Benefit my Company?

While threat hunting is an advanced cyber security practice that requires specialised skills and tools, it is not something that should be reserved only for large or mature organisations. In fact, any organisation that stores sensitive data or conducts critical operations can benefit from implementing a threat hunting program.

However, to enable Threat Hunting, your organisation should have a basic level of cyber security maturity in place, including:

1. A solid understanding of your network infrastructure and systems.
2. A strong understanding of cyber security risks and threats relevant to their business.
3. Basic cyber security controls in place, such as firewalls, antivirus software, and intrusion detection systems.
4. A security operations centre (SOC) or a designated team responsible for managing and responding to security incidents.

It’s also important to note that threat hunting is an ongoing process that requires continuous improvement and refinement. As a company’s security posture evolves and the threat landscape changes, the threat hunting program should also adapt to ensure that it remains effective in detecting and mitigating potential threats.

---