Finding threat actors before they find you is key to strengthening your cyber defenses. Doing this efficiently and effectively is no small task – but with a small investment of time, you can master threat hunting and save your organization millions of dollars.
Consider this staggering statistic. Cybersecurity Ventures estimates that cybercrime will cost the global economy $10.5 trillion by 2025. If that amount were a country's economy, cybercrime losses would rank as the third largest economy in the world after the US and China. But with effective threat hunting, you can prevent bad actors from wreaking havoc on your organization.
This article offers a detailed explanation of threat hunting – what it is, how to do it thoroughly and effectively, and how cyberthreat intelligence (CTI) can support your threat hunting efforts.
What is threat hunting?
Cyber threat hunting gathers evidence of threats as they materialize. It’s an ongoing process that helps you discover the threats that pose the most significant risk to your organization and empowers your team to stop them before an attack is launched.
Threat hunt in six parts
Throughout the hunt, careful planning and attention to detail is essential, as well as ensuring all team members follow the same plan. To maintain efficiency, document each step so others on your team can easily repeat the same process.
1 — Organize a hunt.
Keep your team ready and organized by taking inventory of your critical assets, including endpoints, servers, applications, and services. This step helps you understand what you want to protect against and the threats you are most vulnerable to. Next, determine the location of each asset, who has access, and how access is provisioned.
Finally, determine your priority intelligence requirements (PIR) by asking questions about potential threats based on your organization’s environment and infrastructure. For example, if you have a remote or hybrid workforce, such questions might include:
- What threats are remote devices most vulnerable to?
- What evidence will those threats leave behind?
- How do we determine if an employee is compromised?
2 — Plan the hunt.
In this phase, you will set the required parameters through the following:
- State your goals – including why the hunt is necessary and what threats you should focus on, as determined by your PIR. (For example, a remote workforce may be more vulnerable to phishing attacks under a BYOD model.)
- Define scope – identify your assumptions and state your hypothesis based on what you know. You can narrow your scope by understanding what evidence will emerge if the threat you are looking for is launched.
- Understand your limitations, such as what data sets you can access, what resources you must analyze, and how much time you have.
- Set a time frame with realistic deadlines.
- Decide which environments to exclude, and look for contractual relationships that could prevent you from hunting in certain settings.
- Understand the legal boundaries and regulations you must follow. (You can’t break the law, even when hunting the bad guys.)
3 — Use the right tool for the job.
There are many tools for threat hunting; which ones you need depends on your asset inventory and your hypothesis. For example, if you are looking for a potential intrusion, SIEM and investigation tools can help you review your logs and determine whether there has been a breach or leak. The following is an example list of options that can significantly improve threat hunting efficiency:
- Threat intelligence – specifically, an automated feed and investigation portal that retrieves threat intelligence from the deep and dark web
- Search engines and web spiders
- Information from cybersecurity and antivirus vendors
- Government resources
- Public media – cybersecurity blogs, online news sites and magazines
- SIEM, SOAR, investigation tools and OSINT tools
4 — Run the hunt.
When executing a hunt, it’s best to keep it simple. Follow your plan point by point to stay on track and avoid diversions and distractions. Execution takes place in four phases:
- Gather: this is the most labor-intensive part of threat hunting, especially if you use manual methods to gather threat information.
- Process: compile data and process it in an organized, readable format for other threat analysts to understand.
- Analyze: specify what your findings reveal.
- Conclusion: if you found a threat, do you have data to back up the severity?
5 — Summarize and evaluate the hunt.
Evaluating your work before starting your next hunt is essential to helping you improve over time. Below are some questions to consider in this phase:
- Is the selected hypothesis compatible with the hunt?
- Is the scope narrow enough?
- Are you gathering helpful intelligence, or could some processes be done differently?
- Do you have the right tools?
- Is everyone following the plan and process?
- Does leadership feel empowered to answer questions along the way, and do they have access to all the information they need?
6 — Report and act on your findings.
At the end of your search, you can see if your data supports your hypothesis – and if so, you’ll notify the cybersecurity and incident response team. If there is no evidence of a specific problem, you should evaluate your resources and ensure that there are no gaps in your data analysis. For example, you may notice that you review your logs for intrusions, but don’t check for leaked data on the dark web.
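The six steps above, carried through end to end on a small, constructed data set, as an added example that is not part of the original article or of any Cybersixgill product. It assumes a syslog-like SSH authentication format, a constructed set of known corporate egress addresses, and a constructed threshold of three failed logins; the hypothesis is the remote-workforce credential-compromise scenario the article uses as its PIR example. The gather, process, analyze and conclude phases of step 4 are separate functions, and the final report records the data-source gap that step 6 warns about.

```python
"""Minimal end-to-end threat hunt over constructed authentication logs.

Hypothesis (the PIR example from the text): remote employees' accounts are being
compromised via credential attacks. Expected evidence: a burst of failed logins
for an account, then a successful login from a source that is not one of the
organization's known egress addresses.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not real data); the format is an assumption.
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z vpn-gw sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:03Z vpn-gw sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:05Z vpn-gw sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:09Z vpn-gw sshd: Accepted password for alice from 203.0.113.5
2024-03-01T08:10:00Z vpn-gw sshd: Accepted password for bob from 198.51.100.7
2024-03-01T08:12:00Z vpn-gw sshd: Failed password for carol from 198.51.100.7
2024-03-01T08:12:30Z vpn-gw sshd: Accepted password for carol from 198.51.100.7
2024-03-01T09:00:00Z vpn-gw sshd: Accepted publickey for dave from 192.0.2.44
"""

# Known corporate egress addresses (constructed); anything else is "unexpected".
KNOWN_SOURCES = {"198.51.100.7"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
    r"(?P<method>\w+) for (?P<user>\w+) from (?P<src>[\d.]+)$"
)


@dataclass
class HuntPlan:
    """Steps 1 and 2: goals, scope, data sets and time frame, written down."""
    hypothesis: str
    scope: str
    data_sources: list
    time_frame: str
    failed_threshold: int = 3  # failures before a success that count as evidence


@dataclass
class Finding:
    user: str
    src: str
    failed_before_success: int
    severity: str


PLAN = HuntPlan(
    hypothesis="Remote accounts are being compromised via credential attacks",
    scope="VPN gateway authentication events; the lab network is excluded",
    data_sources=["vpn auth logs", "dark web leak monitoring"],
    time_frame="2024-03-01 (constructed)",
)


def gather(raw: str) -> list:
    """Gather: pull the raw lines from the source, dropping blanks."""
    return [ln for ln in raw.splitlines() if ln.strip()]


def process(lines: list):
    """Process: normalise each line into a dict; unparseable lines are kept aside
    so the evaluation step can report them instead of silently losing them."""
    records, unparsed = [], []
    for ln in lines:
        m = LOG_RE.match(ln)
        (records.append(m.groupdict()) if m else unparsed.append(ln))
    return records, unparsed


def analyze(records: list, plan: HuntPlan) -> list:
    """Analyze: per (user, source), count failures that precede a success.
    Records are assumed to be in time order."""
    failures = defaultdict(int)
    findings = []
    for r in records:
        key = (r["user"], r["src"])
        if r["outcome"] == "Failed":
            failures[key] += 1
            continue
        n = failures.pop(key, 0)  # a success resets the counter
        if n < plan.failed_threshold:
            continue  # below threshold: not evidence for this hypothesis
        severity = "high" if r["src"] not in KNOWN_SOURCES else "medium"
        findings.append(Finding(r["user"], r["src"], n, severity))
    return findings


def conclude(plan: HuntPlan, findings: list, unparsed: list, gathered_sources) -> dict:
    """Conclude: does the evidence support the hypothesis, and what gaps remain?"""
    return {
        "hypothesis": plan.hypothesis,
        "hypothesis_supported": bool(findings),
        "findings": findings,
        "unparsed_lines": len(unparsed),
        # Step 6: planned data sets that were never actually collected.
        "data_gaps": [s for s in plan.data_sources if s not in gathered_sources],
    }


def run_hunt(plan: HuntPlan, raw_logs: str, gathered_sources=("vpn auth logs",)) -> dict:
    """Step 4 end to end: gather -> process -> analyze -> conclude."""
    records, unparsed = process(gather(raw_logs))
    return conclude(plan, analyze(records, plan), unparsed, gathered_sources)


if __name__ == "__main__":
    for k, v in run_hunt(PLAN, SAMPLE_LOGS).items():
        print(f"{k}: {v}")
```

On the constructed data only alice's login produces a finding: three failures and then a success from an address outside the known egress set. carol's single failure stays below the threshold, and dave's key-based login from an unexpected address has no preceding failures, so neither is evidence for this particular hypothesis; if the hunt team decides those patterns matter, that belongs in a new hypothesis for the next hunt rather than a quiet widening of this one. The report also lists "dark web leak monitoring" as a data gap, because the plan named it but the hunt never gathered it.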
Take threat hunting to the next level with CTI
CTI can be an effective component of your threat hunting program, especially when the threat intelligence data is comprehensive and includes business context and relevance to your organization. Cybersixgill removes barriers to accessing CTI’s most valuable resources and provides deep investigative capabilities to help your team pursue the highest-priority potential cyberthreats.
Our investigative portal allows you to compile, manage and monitor your full asset inventory across the deep, dark and clear web. This intelligence helps you identify potential risks and exposures, understand potential attack pathways and threat actor TTPs, and proactively expose and prevent emerging cyberattacks before they are weaponized.
Note: This article was expertly written and contributed by Michael-Angelo Zummo, Senior Cyberthreat Intelligence Analyst at Cybersixgill.