The effectiveness of a cyber security solution depends on a business’ ability to defend against both known and unknown threats. In practice, this means not only implementing defences against existing cyber threats but searching for emerging threats, and testing the network for vulnerabilities.
What is threat hunting?
Threat hunting refers to the process of proactively searching a network for threats that existing security measures have not detected, or that are not yet known to them at all. As a discipline, threat hunting emphasises vigilance and evolution: the cyber threat landscape can change dramatically in a short space of time, so organisations need to build agility into their security solutions in order to adapt to new challenges, such as new malware families or new intrusion techniques.
Why is threat hunting important?
Static, inflexible security controls lose their effectiveness surprisingly quickly, either because attackers learn to evade or circumvent them, or because the threats they were built to stop (malware, phishing campaigns, intrusion tooling) keep evolving.
Having penetrated a network, an intruder can wreak havoc: stealing and selling customer data, encrypting files and demanding a ransom, or lurking undetected for weeks or months in order to maximise damage at an opportune moment. The cyber security stakes are high: beyond reputational damage, a security failure may impose significant financial costs. IBM’s 2024 Cost of a Data Breach report, for example, put the global average cost of a breach at $4.88 million. Depending on the nature of the breach, firms may also contend with regulatory penalties.
Threat hunting aims to help avoid that kind of outcome, providing firms with the means to stand up to threats in their immediate environment and shape their security solution to unique challenges. Threat hunting practices also help businesses create and reinforce a positive security culture, in which employees at all levels of seniority are aware of the potential dangers, and of their own responsibilities.
How does threat hunting work?
Threat hunting programmes vary depending on a business’ needs, industry, and regulatory environment. However, certain core steps are common:
Threat supposition
The threat hunting process begins from the assumption that the business’ network has already been compromised. The trigger may be a newly disclosed vulnerability in software the business runs, a fresh piece of threat intelligence, or an indicator of compromise (IoC) observed on the network. From that trigger, the security team forms a hypothesis about how an attacker would operate (for example, which accounts, hosts or protocols they would abuse), and that hypothesis steers the subsequent hunting activities.
Research and investigation
Following the hypothesis, security teams work to establish the nature of the threat and its potential effects. The process should draw on threat intelligence about attack methodologies, including the tactics, techniques, and procedures (TTPs) that can help attribute the activity to a known threat actor. Security teams also scope the malicious activity (which systems and accounts were touched, what data was accessed, and how far the intruder moved) so that the scale of any damage to the company can be established.
Incident response
The security team must contain the threat, eradicate the intruder’s footholds, and recover the affected systems so that no further damage can be done. While time is usually a factor, the response should draw on the data and insight gained in the previous steps, and the hunt’s findings (new IoCs, confirmed TTPs) should in turn feed back into detection rules and other defensive measures.
Types of Hunting Activity
While specifics vary by organisation, key types of threat hunting include:
Structured hunts
A structured hunt starts from a hypothesis built on the known TTPs of a specific attacker or campaign, typically expressed using the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, and then looks for evidence of those techniques in the environment. Because the hunt is tied to a known actor’s behaviour, a positive finding usually gives the security team a strong indication of who is behind the activity and what they are likely to do next.
Unstructured hunts
In an unstructured hunt, the trigger is an indicator of compromise (IoC) found on the network: an unusual login, a network traffic anomaly, or an unexpected change to a system configuration. An isolated indicator says less about the attacker than a TTP does, so hunters trace it back to its source and pivot outward from it (which accounts, hosts and other indicators are connected to it) in order to turn the indicator into actionable intelligence about the threat.
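The hunting process above (hypothesis, investigation, response) and the structured and unstructured hunt types both come down to asking questions of the data you already hold. The following is an added example, not code from the original article or from Ripjar: a small hunt over constructed authentication log lines. The first pass is structured, testing the hypothesis that an attacker is using stolen credentials (MITRE ATT&CK T1078, Valid Accounts); the second pass is unstructured, pivoting from one suspicious source IP to everything it touched so the intrusion can be scoped. The log format, field names, the ten-minute failure window and the "two signals or more" threshold are all assumptions for illustration.

```python
"""Added example: a small threat hunt over constructed authentication log lines.
The log format, thresholds and field names are illustrative assumptions, not any
product's own format or logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): "timestamp user src_ip host result"
SAMPLE_LOG = """\
2024-03-04T09:02:11 alice 10.0.0.12 fileserver-01 success
2024-03-04T09:15:40 bob 10.0.0.33 fileserver-01 success
2024-03-05T08:58:03 alice 10.0.0.12 fileserver-01 success
2024-03-05T09:04:19 bob 10.0.0.33 mail-01 success
2024-03-06T02:41:57 alice 203.0.113.7 fileserver-01 failure
2024-03-06T02:42:10 alice 203.0.113.7 fileserver-01 success
2024-03-06T02:50:33 alice 203.0.113.7 dc-01 success
2024-03-06T03:05:12 bob 203.0.113.7 mail-01 failure
2024-03-06T03:05:30 bob 203.0.113.7 mail-01 failure
2024-03-07T09:00:45 carol 10.0.0.51 mail-01 success
"""


def parse_log(text):
    """Parse the constructed space-separated format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, host, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src_ip": src_ip, "host": host, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, baseline_end):
    """Per user: source IPs and hours of successful logins seen before baseline_end.
    A real hunt would baseline over weeks; a few days is enough to show the idea."""
    baseline = defaultdict(lambda: {"src_ips": set(), "hours": set()})
    for e in events:
        if e["ts"] < baseline_end and e["result"] == "success":
            baseline[e["user"]]["src_ips"].add(e["src_ip"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def hunt_valid_account_misuse(events, baseline_end_iso, failure_window_min=10):
    """Structured (hypothesis-driven) pass. Hypothesis: an attacker is logging in
    with stolen credentials (ATT&CK T1078). Evidence sought: a successful login from
    a source the user never used in the baseline, at an hour they never logged in
    at, shortly after failed attempts from the same source. A login is reported as
    a lead when at least two of those signals coincide. Users with no baseline are
    skipped, not flagged: no baseline means no evidence either way."""
    baseline_end = datetime.fromisoformat(baseline_end_iso)
    baseline = build_baseline(events, baseline_end)
    window = timedelta(minutes=failure_window_min)
    recent_failures = defaultdict(list)  # (user, src_ip) -> failure timestamps
    hits = []
    for e in events:
        key = (e["user"], e["src_ip"])
        if e["result"] != "success":
            recent_failures[key].append(e["ts"])
            continue
        if e["ts"] < baseline_end or e["user"] not in baseline:
            continue
        b = baseline[e["user"]]
        reasons = []
        if e["src_ip"] not in b["src_ips"]:
            reasons.append("new_source_ip")
        if e["ts"].hour not in b["hours"]:
            reasons.append("unusual_hour")
        if any(e["ts"] - window <= t < e["ts"] for t in recent_failures[key]):
            reasons.append("failures_before_success")
        if len(reasons) >= 2:
            hits.append({"ts": e["ts"].isoformat(), "user": e["user"],
                         "src_ip": e["src_ip"], "host": e["host"], "reasons": reasons})
    return hits


def pivot_on_source(events, src_ip):
    """Unstructured (indicator-driven) pass: starting from one IoC, scope what it
    touched so the response step knows which accounts and hosts to contain."""
    summary = {"accounts_targeted": set(), "accounts_compromised": set(),
               "hosts_reached": set(), "failures": 0,
               "first_seen": None, "last_seen": None}
    for e in events:
        if e["src_ip"] != src_ip:
            continue
        summary["accounts_targeted"].add(e["user"])
        if e["result"] == "success":
            summary["accounts_compromised"].add(e["user"])
            summary["hosts_reached"].add(e["host"])
        else:
            summary["failures"] += 1
        summary["first_seen"] = summary["first_seen"] or e["ts"].isoformat()
        summary["last_seen"] = e["ts"].isoformat()
    return summary


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for hit in hunt_valid_account_misuse(evts, "2024-03-06T00:00:00"):
        print("LEAD", hit)
    # Pivot on the source IP surfaced by the structured pass.
    print("SCOPE", pivot_on_source(evts, "203.0.113.7"))
```

On the constructed data, the structured pass surfaces two leads for alice from 203.0.113.7, and the pivot shows that the same source also tried bob's account and reached dc-01, which is the kind of scoping the response step needs. The new source IP and the failure-then-success pattern are exactly the findings that should be turned into detection rules afterwards.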
Situational hunts
In a situational hunt, a company first assesses where it is most exposed, including high-risk systems, sensitive data stores and employees who are likely targets for social engineering, and then conducts its hunting activities from those start points. By identifying and prioritising those areas of concern in its IT ecosystem, a company can allocate security resources more efficiently and more effectively during the hunt.
Optimise Your Threat Hunting Capabilities with Labyrinth
The outcome of threat hunting often depends on the quality of the data that security teams have to work with. The better the threat intelligence, the faster and more impactful the security response, and the greater the chance of avoiding serious negative consequences.
Ripjar’s Labyrinth for Threat Investigations (LTI) is built to support your threat hunting activities with AI-enabled analytic capabilities. LTI provides multiple out-of-the-box threat intelligence workflows and coordinated threat data feeds that help security teams zero in on, and respond to, network intrusions quickly and decisively.
Unlock your business’ threat hunting potential