What Is Threat Hunting?
Threat hunting is the proactive search through the full spectrum of environmental data to identify advanced threats while developing additional detection measures.
Threat hunting has two key aspects:
- It’s proactive. Many detection and response solutions only detect known threats when those threats are acting. Threat hunting proactively scans data and environments to solve for an unknown.
- It’s not about finding an attacker. If an active attack is found, that is great, but is not the end goal of threat hunting. The goal is to find new ways to identify threats passively in order to free up threat hunters and better secure the entire environment.
Threat hunting feeds detection and response solutions by working to improve detections (in both accuracy and scope) and providing better concierge service from the security operations center. It also provides critical visibility for cyber defenses. You can’t defend against what you don’t know, and threat hunting solves for that unknown.
Threat hunting is also focused on detecting abnormalities. Those abnormalities fall into three groups:
- Network anomalies include port usage, protocols, IP information, and packet inspection
- Command and control anomalies such as DNS inspection
- Unusual services such as service names, context, lineage, creation time, resource usage, and run time
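As an added example (not Arctic Wolf's code or tooling), the script below runs one simple hunt over each of the three anomaly groups listed above: a DNS check for random-looking labels and periodic queries (command and control), a port check against a baseline (network), and a service check on lineage, binary path and creation time (unusual services). The log lines, the port baseline, the trusted parent process list and the business-hours window are all constructed assumptions for the illustration; a real hunt would derive those baselines from the environment's own data. The hosts that appear in more than one anomaly group become the leads an analyst reviews, which is the "indicator" output the page describes.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data). Each line is one event with key=value fields;
# the ws-17 lines are crafted to show all three anomaly groups, the other hosts look normal.
SAMPLE_LOGS = r"""
ts=2024-03-01T02:14:05 type=dns host=ws-17 qname=a9f3c2e1b7d4.updates.example-cdn.net
ts=2024-03-01T02:15:05 type=dns host=ws-17 qname=bb31ee09a0c7.updates.example-cdn.net
ts=2024-03-01T02:16:05 type=dns host=ws-17 qname=7e2d9c4f1a60.updates.example-cdn.net
ts=2024-03-01T02:17:30 type=net host=ws-17 proto=tcp dport=4444 dst=198.51.100.7
ts=2024-03-01T03:02:00 type=svc host=ws-17 name=WinUpdateSvc path=C:\Users\Public\svc.exe parent=powershell.exe
ts=2024-03-01T09:01:12 type=dns host=ws-04 qname=www.example.com
ts=2024-03-01T09:02:40 type=dns host=ws-04 qname=mail.example.com
ts=2024-03-01T09:03:00 type=net host=ws-04 proto=tcp dport=443 dst=203.0.113.10
ts=2024-03-01T09:05:00 type=net host=ws-22 proto=tcp dport=80 dst=203.0.113.11
ts=2024-03-01T10:00:00 type=svc host=ws-04 name=Spooler path=C:\Windows\System32\spoolsv.exe parent=services.exe
"""

# Hypothetical baselines a hunter would derive from the environment; assumed here for the example.
BASELINE_PORTS = {53, 80, 123, 443}
TRUSTED_SERVICE_PARENTS = {"services.exe"}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local


def parse_logs(text):
    """Turn key=value lines into dicts with a parsed timestamp."""
    records = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        records.append(fields)
    return records


def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def hunt_dns(records, min_label_len=10, entropy_threshold=3.0, beacon_jitter_s=5):
    """Command-and-control style DNS anomalies: random leftmost labels and periodic queries."""
    findings = []
    by_host_domain = defaultdict(list)
    for r in (r for r in records if r["type"] == "dns"):
        label, _, parent = r["qname"].partition(".")
        if len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold:
            findings.append({"host": r["host"], "group": "c2",
                             "detail": f"high-entropy label in {r['qname']}"})
        by_host_domain[(r["host"], parent)].append(r["ts"])
    for (host, parent), stamps in by_host_domain.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Three or more queries at a near-constant interval look like a beacon, not a user.
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= beacon_jitter_s:
            findings.append({"host": host, "group": "c2",
                             "detail": f"periodic queries to {parent} every ~{gaps[0]:.0f}s"})
    return findings


def hunt_network(records, baseline_ports=BASELINE_PORTS):
    """Network anomalies: connections to destination ports outside the observed baseline."""
    return [{"host": r["host"], "group": "network", "detail": f"{r['proto']}/{r['dport']} to {r['dst']}"}
            for r in records if r["type"] == "net" and int(r["dport"]) not in baseline_ports]


def hunt_services(records, trusted_parents=TRUSTED_SERVICE_PARENTS, business_hours=BUSINESS_HOURS):
    """Unusual services: odd lineage, binary outside the system directory, off-hours creation."""
    findings = []
    for r in (r for r in records if r["type"] == "svc"):
        reasons = []
        if r["parent"].lower() not in trusted_parents:
            reasons.append(f"created by {r['parent']}")
        if not r["path"].lower().startswith("c:\\windows\\"):
            reasons.append(f"binary at {r['path']}")
        if r["ts"].hour not in business_hours:
            reasons.append(f"created at {r['ts']:%H:%M}")
        if reasons:
            findings.append({"host": r["host"], "group": "service",
                             "detail": f"{r['name']}: " + "; ".join(reasons)})
    return findings


def run_hunt(text):
    """Run all three hunts and rank hosts by how many anomaly groups they appear in."""
    records = parse_logs(text)
    findings = hunt_dns(records) + hunt_network(records) + hunt_services(records)
    groups_per_host = defaultdict(set)
    for f in findings:
        groups_per_host[f["host"]].add(f["group"])
    leads = sorted(groups_per_host, key=lambda h: (-len(groups_per_host[h]), h))
    return findings, leads


if __name__ == "__main__":
    findings, leads = run_hunt(SAMPLE_LOGS)
    for f in findings:
        print(f"{f['host']:6} {f['group']:8} {f['detail']}")
    print("leads for analyst review:", leads)
```

Each hunt is a hypothesis turned into a query ("services created by a shell outside business hours are rare here"), and the thresholds are the part only a human with knowledge of the environment can set; once a hunt like the beacon check proves itself, it is the kind of logic that gets handed to the monitoring platform as a standing detection.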
Threat Hunting and the Human Element
Threat hunting relies heavily on the human element. It’s about bringing humans and technology together not only to scan and gather data, but also to add context to that data: creating hypotheses, identifying anomalies, and making action plans.
The combination of the human element and technology creates what are called indicators, which then inform threat intelligence and detection and monitoring processes. These indicators, and the context around them, are crucial to preventing false positives and noise, as well as stopping attacks before they enter the attack cycle.
Being able to fully identify new abnormalities, or to tell what’s normal from what’s abnormal, is a piece of threat hunting that only the human element can achieve.
How is Threat Hunting Done?
Every security operations center will implement its own methodologies and processes when it comes to threat hunting. So, we will focus on how Arctic Wolf conducts threat hunting, which comes down to a two-sided approach:
- Preventative. This uses human-derived intel to improve security posture.
- Post-mortem. This uses human-derived intel to detect and remediate cyber incidents.
There are also two kinds of methodologies that this threat hunting falls into:
- Deductive. This starts with multiple events to create a hypothesis.
- Inductive. This starts with a single event and looks for artifacts to support a hypothesis.
When threat hunting is conducted, it focuses on one of three objectives:
- Actual hunting. This is when the team is looking for a specific threat or abnormality.
- Data gathering. This is when the team is seeking data to support a hypothesis or to improve a specific solution.
- Remediation. This is when an attack has occurred, and the team is going in to gather intelligence around the attack and make sure the network or system is now secure.
The main goal, no matter how threat hunting is initiated, is either discovery, where the team is hunting for evolving or difficult-to-detect threats, or creation, where the team is hunting for additional threat intel, new detection capabilities, and enhanced and refined detection.
Threat Hunting v. SIEM (or MDR or EDR)
The main difference between threat hunting and a monitoring and detection solution like SIEM, MDR, and EDR is that threat hunting takes a proactive approach, while other solutions offer a passive approach. Both are needed to reduce risk and improve security posture; however, they serve different purposes.
Monitoring and detection solutions rely on known rules to detect known anomalies, while threat hunting is the work done to set the parameters of those anomalies. It combs through data to draw conclusions, and it creates the telemetry that is used to fine-tune those solutions.
Threat Hunting v. Threat Intelligence
Threat hunting and threat intelligence complement each other but are also different. Threat hunting uses threat intelligence (the data set of attempted or successful intrusions) to inform the act of hunting. The team uses that data, especially in the remediation stage of an attack cycle, to carry out a system-wide search for bad actors. Threat hunting often begins where threat intelligence ends, and vice versa.
Threat Hunting and Artificial Intelligence
While the human element is critical to threat hunting when it comes to drawing conclusions, testing hypotheses, and identifying abnormalities, there is often more data than any human could sift through. That’s where machine learning and artificial intelligence (AI) come in. By utilising AI, the threat hunting team can narrow down irregularities and create leads that can then be further investigated.