What is Threat Hunting?

Threat hunting is a focused and iterative approach to detecting and removing cyber threats that have evaded traditional security tools. These threats include attacks or malware that infiltrate an organization's network and lead to stolen intellectual property or personal information.
As network complexity has increased, the sophistication of “bad actors” and their cyber-crimes has followed suit, and threat hunting has become an important and fast-growing element of the cybersecurity landscape. To qualify as a threat, a bad actor must have malicious intent, the capability, and the opportunity to carry out an attack. Cyber threat hunting exists to counter the most advanced malicious activity, much of which slips under the radar of existing security tools.

Threat Hunting Tools

Effective threat hunting begins with a foundation of planning, baselining, and hypothesis testing performed by experienced cybersecurity professionals. Beyond these basics, there is a growing need for advanced threat hunting tools and practices. Automated analytics add scale to this work: they can mine large data sets, surface suspicious patterns and relationships, and feed hypothesis generation. Many threat detection tools also provide intuitive displays and graphs that aid hunters in their investigations and analysis.

Forensic capability is another essential arrow in the threat hunter's quiver. Hunters need quick access to enriched flow records, including traffic and application types, volumes, IP addresses, and the history of device types on the network. Observer GigaFlow supports threat hunting through forensic recall of flow-based data sets from hybrid environments, which makes unauthorized devices and malicious activity easier to identify.
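As an added illustration of that flow-level triage (example code written for this page, not part of the Observer products or any vendor's tooling), the script below builds a per-host baseline from a handful of constructed flow records and then flags the indicators this section talks about: contact with a known-bad address, odd-hour activity, a peer the host has never talked to, and an outsized transfer. Hosts are then ranked by how many distinct indicators they tripped, which is the short list a hunter would pivot to packet level for. The record layout, the business-hour window, the known-bad list and the 10x volume threshold are all assumptions made for the example.

```python
"""Flow-level IOC triage: baseline each host, flag anomalies, rank hosts for pivoting.

Constructed example. The flow records, the known-bad list and the
(timestamp, src, dst, dst_port, bytes) layout are made up for this page and
do not reflect any product's export format.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Stand-in for a threat-intel feed; these are documentation ranges, not real indicators.
KNOWN_BAD = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59; timestamps are treated as local time (assumption)

# Constructed flow records: (timestamp, src, dst, dst_port, bytes)
FLOWS = [
    ("2024-03-04T09:12:00", "10.0.0.5", "10.0.0.20", 445, 12_000),
    ("2024-03-04T10:30:00", "10.0.0.5", "93.184.216.34", 443, 8_000),
    ("2024-03-04T16:10:00", "10.0.0.5", "93.184.216.34", 443, 9_500),
    ("2024-03-04T14:05:00", "10.0.0.7", "10.0.0.20", 445, 3_000),
    ("2024-03-04T15:40:00", "10.0.0.7", "93.184.216.34", 443, 6_500),
    ("2024-03-05T03:17:00", "10.0.0.5", "203.0.113.44", 443, 2_900_000),  # the interesting one
    ("2024-03-05T03:20:00", "10.0.0.5", "10.0.0.20", 445, 4_000),
    ("2024-03-05T02:50:00", "10.0.0.7", "10.0.0.31", 22, 1_200),           # late-night SSH, new peer
]


def parse(rec):
    """Turn a raw tuple into a dict with a real datetime."""
    ts, src, dst, dport, nbytes = rec
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": dport, "bytes": nbytes}


def in_business_hours(flow):
    return flow["ts"].hour in BUSINESS_HOURS


def build_baseline(flows):
    """Per source host: the (dst, port) peers seen in business hours and the largest
    business-hour flow. A real baseline is learned over weeks, with the hunt window
    excluded; here it is simply the business-hour traffic in FLOWS."""
    peers = defaultdict(set)
    max_bytes = defaultdict(int)
    for f in flows:
        if in_business_hours(f):
            peers[f["src"]].add((f["dst"], f["dport"]))
            max_bytes[f["src"]] = max(max_bytes[f["src"]], f["bytes"])
    return {"peers": peers, "max_bytes": max_bytes}


def hunt(flows, baseline, volume_factor=10):
    """Return one (indicator, flow) finding per indicator a flow matches."""
    findings = []
    for f in flows:
        dst = ip_address(f["dst"])
        if any(dst in net for net in KNOWN_BAD):
            findings.append(("known_bad_peer", f))
        if not in_business_hours(f):
            findings.append(("odd_hours", f))
        if (f["dst"], f["dport"]) not in baseline["peers"].get(f["src"], set()):
            findings.append(("new_peer", f))
        usual = baseline["max_bytes"].get(f["src"], 0)
        if usual and f["bytes"] > volume_factor * usual:
            findings.append(("volume_spike", f))
    return findings


def rank_hosts(findings):
    """Pivot candidates: hosts ordered by distinct indicators tripped, then by total hits."""
    per_host = defaultdict(lambda: {"indicators": set(), "hits": 0})
    for ioc, f in findings:
        per_host[f["src"]]["indicators"].add(ioc)
        per_host[f["src"]]["hits"] += 1
    return sorted(per_host.items(),
                  key=lambda kv: (len(kv[1]["indicators"]), kv[1]["hits"]),
                  reverse=True)


def run(records=FLOWS):
    flows = [parse(r) for r in records]
    baseline = build_baseline(flows)
    findings = hunt(flows, baseline)
    return findings, rank_hosts(findings)


if __name__ == "__main__":
    findings, ranking = run()
    for ioc, f in findings:
        print(f"{ioc:15} {f['ts']:%Y-%m-%d %H:%M} {f['src']} -> {f['dst']}:{f['dport']} {f['bytes']}B")
    for host, info in ranking:
        print(f"{host}: {sorted(info['indicators'])} ({info['hits']} hits)")
```

On the constructed data, 10.0.0.5 trips all four indicators on a single 03:17 flow and tops the ranking; 10.0.0.7's late-night SSH to a new internal peer is a weaker signal that might be an administrator. Because the baseline here is learned from the same records it is hunted against, the new-peer check can only fire on off-hours flows; in practice the learning window and the hunt window are separated so that an unfamiliar peer during business hours is also visible.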
Indicators of compromise (IOCs) such as odd-hour traffic and contact with known bad-actor IP addresses can then be flagged for further analysis at the packet level. Packet capture appliances such as Observer GigaStor provide packet-level storage and recall with over a petabyte of capacity, so hunters can retain and analyze granular packet-level data over the long term. That captured data can be used to reconstruct specific file and URL details from the most critical times or traffic sequences identified at the flow level, and it helps validate the root cause of a compromise.

Network performance monitoring tools such as Observer Apex combine access to packet-level data and enriched flow records in a single interface, which makes them a powerful threat detection, investigation, and analysis tool. Post-event forensics are supported by long-term data retention and advanced analytics. Observer Apex and GigaFlow working together can profile traffic for every host and device, and access to packet-level data via GigaStor allows a seamless transition into deep packet analysis. For example, if a known malicious IP address has touched internal addresses, the details of those transactions can be reviewed in depth at the packet level with a single click.

Why Threat Hunting is Important

Basic threat detection tools such as firewalls and antivirus software can usually weed out most cybersecurity threats, particularly the less sophisticated ones. The rare attacker who manages to go undetected calls for a more advanced approach, one that pairs skilled analysts with automated security tools. This applies to external attackers as well as to malicious insiders who carry out IT sabotage or fraud.
Insider threats can be very difficult to detect: since access to sensitive data is often part of the job description, malicious activity is hard to separate from normal activity. Whether they originate inside or outside the organization, advanced cyber threats can evade detection for weeks or months, and all the while sensitive data is exposed to corruption or theft.

The 80/20 rule is based on the Pareto principle, which holds that 80% of effects result from 20% of causes. Applied to network security, roughly 80% of the problems are caused by 20% of the threats, so a higher level of focus, technology, and manpower should be directed at the most dangerous attackers.

Performing Threat Hunting

Each organization uses its own blend of cybersecurity tools and talent to develop effective threat hunting practices. Once that process is established, it can serve as a blueprint for future hunts.
Cyber Threat Hunters

Cyber threat hunting is now a full-time job for many security professionals, and with a growing number of organizations performing continuous threat hunting, the value of this specialty is increasingly recognized. Along with extensive experience in the cybersecurity field, the best threat hunters share common abilities, including pattern recognition, data analytics, forensics, and communication skills. Effective communication helps them navigate the dynamic, human element of the work. These talents must be backed by solid technical skills: coding experience in multiple languages, operating system expertise, and advanced knowledge of attacker tactics, techniques and procedures (TTPs) are other preferred traits.

Threat Hunting Challenges

The challenges for threat hunters will intensify as the tactics, techniques and procedures of bad actors evolve. The landscape has shifted from random malware attacks towards customized, professional, and focused attacks. Mining data, developing hypotheses, and performing investigations all consume precious time in a field where the adversary moves quickly. Having the right data sets readily available in the right format makes the hunter's task faster and more effective; moving rapidly between metadata, enriched flow records, and packet-level data is often necessary to reach a conclusion, and the right combination of automated security tools can beat attackers to the punch.

Another challenge is the lack of standardization and infrastructure around the process. Because threat hunting practices have developed independently at different organizations, there are few standard guidelines and protocols available to would-be threat hunters.
Unfortunately, more standardization of threat hunting could unintentionally provide intelligence to the bad actors themselves. Despite these challenges, organizations that have adopted effective threat hunting practices have improved their response times and accuracy, reduced dwell time (the period an intrusion goes undetected) and containment time, decreased the frequency of breaches, and optimized resource allocation. The best threat hunters stay one step ahead through their skills and a proactive mode of operation that continually seeks rather than simply monitors and waits. As threat intelligence and forensics tools develop and improve, threat hunting can tip the balance of power in cybersecurity.

Threat Hunting Resources

What is most important when developing a threat hunting program?
Threat hunters need a good understanding of the company's profile, employee behavior, the company's valuable data, and the business activities that could be of interest to attackers, so that they can baseline what is “normal”.
What are the three steps in the threat hunting process?
The process of proactive cyber threat hunting typically involves three steps: a trigger, an investigation, and a resolution.
Step 1: The Trigger. ...
Step 2: Investigation. ...
Step 3: Resolution.

What are the main types of threat hunting?
Structured hunting: a structured hunt is based on an indicator of attack (IOA) and the tactics, techniques and procedures (TTPs) of an attacker. ...
Unstructured hunting: an unstructured hunt is initiated by a trigger, typically one of many indicators of compromise (IOCs). ...
Situational or entity-driven hunting.

What is the primary objective of threat hunting?
The main goal of threat hunting is to identify and detect threats faster and respond more quickly. This reduces the dwell time of adversaries in the environment and makes the reactive portion of the cybersecurity program more effective.