How to Set Up Threat Hunting and Threat Intelligence Programs
Threat hunting is a critical component of your cybersecurity strategy. Whether you’re starting out or advanced, this article will help you improve your threat intelligence program.
What is Threat Hunting?
The cybersecurity industry is moving from a reactive approach to a proactive one. Instead of waiting for cybersecurity alerts and then dealing with them, security organizations now deploy red teams to actively look for breaches, threats and risks so that they can be isolated. This is also known as “threat hunting.”
Why is Threat Hunting Necessary?
Threat hunting complements existing preventive and detective security controls. These controls are critical to mitigating threats, but they are tuned for a low false positive rate. A hunting solution, on the other hand, is tuned for a low false negative rate. This means that anomalies and outliers that a detection solution would discard as false positives are, for the hunting solution, clues to be investigated. This lets threat hunting close the gaps that remain between detection solutions. A strong security strategy will leverage both types of solutions. Tal Darsan, Security Services Manager at Cato Networks, added, “Overall, threat hunting is critical because it allows organizations to proactively identify and address potential security threats before they can cause significant damage. Recent studies have shown that the threat dwell time in an organization’s network, until threat actors reach their final destination, can be weeks to months. Therefore, having an active threat hunter program can help detect and respond promptly to cyberthreats that other security engines or products miss.”
How to Threat Hunt
Threat hunters start by doing in-depth research about the network and its vulnerabilities and risks. To do so, they need a wide range of technical security skills, including malware analysis, memory analysis, network analysis, host analysis, and offensive skills. Once their research yields a “clue,” they use it to challenge existing security hypotheses and try to identify how a resource or system could have been compromised. To prove or disprove their hypothesis, they run repeated hunting campaigns.
If they “succeed” in demonstrating a breach, they can help the organization develop methods for detecting and fixing the underlying vulnerabilities. Threat hunters may also automate some or all of these processes so that they scale.
Tal Darsan added, “An MDR (Managed Detection and Response) team plays a critical role in achieving effective threat hunting by providing specialist expertise and tools to monitor and analyze potential security threats. Hiring an MDR service provides organizations with expert cybersecurity support, state-of-the-art technology, 24/7 monitoring, fast incident response, and cost-effectiveness. MDR service providers have specialized expertise and use sophisticated tools to detect and respond to potential threats in real time.”
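The distinction drawn above between a detection solution tuned for low false positives and a hunting solution tuned for low false negatives, and the hypothesis-driven hunt that follows a clue, is easy to show on data. The example below is added here and is not code from the original article or from Cato Networks; the authentication events, the 10-minute window, the failure thresholds and the “off-hours” definition are all constructed assumptions. The same function that enumerates “successful logins preceded by failures from the same source” feeds both a strict alerting rule (alert only when the evidence is strong) and a loose hunting query (return every weak signal as a lead for an analyst to triage), so the reader can see which events each one surfaces.

```python
"""Detection rule vs. hunting query over constructed authentication events.

Everything below (events, thresholds, off-hours window) is made up for
illustration; it is not output from, or the logic of, any real product.
"""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, user, outcome).
# Addresses are from the RFC 5737 documentation ranges.
EVENTS = [
    ("2024-01-10 02:14:05", "203.0.113.7", "alice", "FAIL"),
    ("2024-01-10 02:14:09", "203.0.113.7", "alice", "FAIL"),
    ("2024-01-10 02:14:13", "203.0.113.7", "alice", "FAIL"),
    ("2024-01-10 02:14:40", "203.0.113.7", "alice", "SUCCESS"),  # 3 failures, then success, at night
    ("2024-01-10 09:00:01", "198.51.100.4", "bob", "SUCCESS"),    # ordinary daytime login
    ("2024-01-10 09:01:00", "198.51.100.4", "bob", "SUCCESS"),
] + [
    (f"2024-01-10 14:30:{i:02d}", "192.0.2.9", "carol", "FAIL") for i in range(10)
] + [
    ("2024-01-10 14:31:00", "192.0.2.9", "carol", "SUCCESS"),    # 10 failures, then success
]

# Constructed definition of "off-hours": 00:00 through 05:59.
OFF_HOURS = range(0, 6)


def parse(events):
    """Turn the raw tuples into (datetime, ip, user, outcome), sorted by time."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, user, outcome)
        for ts, ip, user, outcome in events
    )


def failures_before_success(events, window):
    """For every SUCCESS, count FAILs from the same source IP within `window` before it.

    Returns a list of (ip, user, success_time, n_failures), in time order.
    This is the shared evidence; detection and hunting differ only in how
    much of it they require before they speak up.
    """
    parsed = parse(events)
    out = []
    for i, (t, ip, user, outcome) in enumerate(parsed):
        if outcome != "SUCCESS":
            continue
        n = sum(
            1
            for t2, ip2, _, o2 in parsed[:i]
            if ip2 == ip and o2 == "FAIL" and t - t2 <= window
        )
        out.append((ip, user, t, n))
    return out


def detection_rule(events, window=timedelta(minutes=10), min_failures=10):
    """Alerting rule tuned for low false positives.

    Fires only when a success follows at least `min_failures` failures from
    the same source inside the window. Weak signals are deliberately ignored
    so that the SOC is not flooded; those become false negatives.
    """
    return [
        (ip, user)
        for ip, user, _, n in failures_before_success(events, window)
        if n >= min_failures
    ]


def hunting_query(events, window=timedelta(minutes=10)):
    """Hunting query tuned for low false negatives.

    Hypothesis under test (constructed): "an external source is guessing
    credentials and eventually getting in". Any success preceded by even one
    failure, or any off-hours success, is returned as a lead with the reasons
    attached, so an analyst can triage it rather than have it discarded.
    """
    leads = []
    for ip, user, t, n in failures_before_success(events, window):
        reasons = []
        if n >= 1:
            reasons.append(f"{n} failure(s) before success")
        if t.hour in OFF_HOURS:
            reasons.append("off-hours login")
        if reasons:
            leads.append((ip, user, "; ".join(reasons)))
    return leads


if __name__ == "__main__":
    print("Detection alerts:", detection_rule(EVENTS))
    for ip, user, why in hunting_query(EVENTS):
        print(f"Hunt lead: {ip} -> {user} ({why})")
```

On this data the detection rule alerts only on the 10-failure burst against carol, while the hunting query also returns alice’s night-time login after three failures, exactly the kind of outlier a low-false-positive rule drops and a hunter picks up. Running the query repeatedly over new data with the same hypothesis is the “hunting campaign” the article describes, and once a lead pattern proves reliable it can be promoted into a detection rule.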
Where to Look for Threats
A good threat hunter needs to be an Open Source Intelligence (OSINT) expert. By searching online, threat hunters can find malware kits, breach lists, customer and user accounts, zero-days, TTPs, and more.
Some of this information can be found on the clear web, i.e. the heavily used public Internet. However, a great deal of valuable information is actually found on the deep web and the dark web, the layers of the internet beneath the clear web. When accessing the dark web, it is advised to mask your identity carefully; otherwise, you and your company may be compromised.
It is recommended to spend at least half an hour a week on the dark web. However, since it is hard to find relevant material there, most of what you identify will probably come from the deep and clear web.
Considerations for Your Threat Intelligence Program
Setting up a threat intelligence program is an important undertaking, one that should not be taken lightly. It is therefore very important to research and plan the program thoroughly before starting implementation. Here are some points to consider.
1. “Crown Jewel” thinking.
When building a threat hunting strategy, the first step is to identify and protect your own crown jewels. What constitutes a mission critical asset varies from organization to organization. Therefore, no one can define it for you.
Once you’ve decided what they are, use a purple team to test whether, and how, they can be accessed and breached. Doing so shows you how attackers think, so that you can implement the right security controls. Continue to verify these controls over time.
2. Choose a Threat Hunting Strategy
There are many different threat hunting strategies you can implement into your organization. It’s important to make sure your strategy meets the needs of your organization. Examples of strategies include:
- Build a wall and block access completely, to ensure everything related to initial access and execution is blocked
- Building a minefield, assuming the threat actor is already in your network
- Prioritize where to start according to the MITRE framework
3. When to Use Threat Intelligence Automation
Automation drives efficiency, productivity and error reduction. However, automation is not a requirement for threat hunting. If you decide to automate, it’s recommended to make sure you:
- Have staff to develop, maintain and support the tool/platform
- Have completed basic housekeeping to identify and secure crown jewels. Preferably, automate it while you are at an advanced level of maturity
- Have a repeatable process
- Be able to monitor and optimize automation closely so that it continues to deliver relevant value
Threat Hunting Maturity Model
Like any other implemented business strategy, there are different levels of maturity that organizations can achieve. For threat hunting, the various stages include:
- Stage 0 – Responding to security alerts
- Stage 1 – Incorporating threat intelligence indicators
- Stage 2 – Analyzing data according to procedures created by others
- Stage 3 – Creating new data analysis procedures
- Stage 4 – Automating most of the data analysis procedures
Threat Intelligence Best Practices
Whether you’re building your program from scratch or iterating to enhance an existing one, here are best practices that can help you improve your threat hunting activity:
1. Determine What’s Important
Determine the critical assets in your threat space. Keep in mind the “crown jewel” thinking that recommends taking an inventory of your mission critical assets, examining the risk landscape, i.e., how they can be breached, and then protecting them.
2. Automate What You Can
Automate all the processes you can, if you can. If you can’t, that’s okay too. You will get there as you become more mature.
3. Build Your Network
Protecting against cyber attacks is very difficult. You can never afford to get it wrong, whereas an attacker only needs to succeed once. In addition, attackers do not adhere to any rules. That’s why it’s important to build your network and get (and provide) information from other players and stakeholders in the industry. This network should include colleagues at other companies, influencers, online groups and forums, employees in other departments of your company, your leadership, and your vendors.
4. Think Like a Criminal & Act Like a Threat
Threat hunting means moving from a reactive to a proactive way of thinking. You can encourage this thinking by looking at threat intel, tracking threat groups, trying out tools, and leveraging a purple team for testing. While this may seem counter-intuitive, remember that this is how your organization is protected. Remember, it is either you or the attacker.
To learn more about the different types of cybersecurity practices and how to leverage them to protect your organization, Cato Networks’ Cyber Security Masterclass series is available for you to watch.