Threat Hunting

What Is Threat Hunting?

Threat hunting is the proactive search through the full spectrum of environmental data to identify advanced threats while developing additional detection measures.

Threat hunting has two key aspects:

It’s proactive. Many detection and response solutions only detect known threats when those threats are acting. Threat hunting proactively scans data and environments to solve for an unknown.
It’s not about finding an attacker. If an active attack is found, that is great, but is not the end goal of threat hunting. The goal is to find new ways to identify threats passively in order to free up threat hunters and better secure the entire environment.

Threat hunting feeds detection and response solutions by working to improve detections (in both accuracy and scope) and providing better concierge service from the security operations center. It also provides critical visibility for cyber defenses. You can’t defend against what you don’t know, and threat hunting solves for that unknown.

Threat hunting is also focused on detecting abnormalities. Those abnormalities fall into three groups:

Network anomalies include port usage, protocols, IP information, and packet inspection
Command and control anomalies such as DNS inspection
Unusual services such as service names, context, lineage, creation time, resources usage, and run time

Threat Hunting and the Human Element

Threat Hunting relies heavily on the human element. It’s about bringing humans and technology together to not only scan and gather data, but add context to that data — creating hypotheses, identifying anomalies, and making action plans.

The combination of the human element and technology creates what are called indicators, which then inform threat intelligence and detection and monitoring processes. These indicators, and the context around them, are crucial to preventing false positives and noise, as well as stopping attacks before they enter the attack cycle.

Being able to fully identify new abnormalities, or what’s normal versus abnormal is a piece of threat hunting that only the human element can achieve.

How is Threat Hunting Done?

Every security operations center will implement their own methodologies and processes when it comes to threat hunting. So, we will focus on how Arctic Wolf conducts threat hunting, which comes down to duality-style approach:

Preventative. This uses human-derived intel to improve security posture.
Post-mortem. This uses human-derived intel to detect and remediate cyber incidents.

There are also two kinds of methodologies that this threat hunting falls into:

Deductive. This starts with multiple events to create a hypothesis.
Inductive. This starts with a single event and looks for artifacts to support hypothesis.

When threat hunting is conducted, it focuses on one of three objectives:

Actual hunting. This is when the team is looking for a specific threat of abnormality.
Data gathering. This is when the team is seeking data to support a hypothesis or to improve a specific solution.
Remediation. This is when an attack has occurred, and the team is going in to gather intelligence around the attack and make sure the network or system is now secure.

The main goals, no matter how threat hunting is initiated, is either discovery, where the team is hunting for evolving threats or difficult to detect threats, or creation, where the team is hunting for additional threat intel, new detection capabilities, and enhanced and refined detection.

Threat Hunting vs. SIEM (or MDR or EDR)

The main difference between threat hunting and a monitoring and detection solution like SIEM, MDR, and EDR is that threat hunting takes a proactive approach, while other solutions offer a passive approach. Both are needed to reduce risk and improve security posture; however, they serve different purposes.

Monitoring and detection solutions rely on known rules to detect known anomalies, while threat hunting is the work done to set the perimeters of those anomalies. It comes through data to make conclusions, and it creates the telemetry that is used to fine tune those solutions

Threat Hunting vs. Threat Intelligence

Threat hunting and threat intelligence complement each other but are also different. Threat hunting uses threat intelligence (the data set of attempted or successful intrusions) to inform the act of hunting. The team uses that data, especially in the remediation stage of an attack cycle, to carry out a system-wide search for bad actors. Threat hunting often begins where threat intelligence ends, and vice versa.

Threat Hunting and Artificial Intelligence

While the human element is critical to threat hunting when it comes to drawing conclusions, testing hypotheses, and identifying abnormalities, there is often more data than any human could sift through. That’s where machine learning and artificial intelligence (AI) come in. By utilizing AI, the threat hunting team can narrow down irregularities and create leads that can then be further investigated.

Sule Tatar

Sule Tatar is a Senior Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.

© 2024 Arctic Wolf Networks Inc. All Rights Reserved.
Privacy Notice	Terms of Use	Cookie Policy	Accessibility Statement	Information Security	Sustainability Statement	Cookies Settings

SOLUTIONS

INDUSTRIES

Quickly detect, respond, and recover from advanced threats.

Detect and respond to advanced threats targeting your cloud infrastructure and applications.

Discover, assess, and harden your environment against digital risks.

Explore, harden, and simplify your cloud environment against misconfiguration vulnerabilities.

Engage and prepare employees to recognize and neutralize social engineering attacks.

Recover quickly from cyber attacks and breaches, from threat containment to business restoration.

HOW IT WORKS

Delivering security operations outcomes.

Collect, enrich, analyze.

Ecosystem integrations and technology partnerships.

Tailored security expertise and guided risk mitigation.

Security experts proactively protecting you 24×7.

Meet some of the security experts working alongside you and your team.

TRENDING RESOURCES

Understanding ransomware — from its origins to its impacts to the TTPs that allow ransomware gangs to exploit victim organizations and make off with millions in ransom payments and extortion fees.

The elite security researchers, data scientists, and security developers of Arctic Wolf Labs share forward-thinking insights along with practical guidance you can apply to protect your organization.

Learn how our Concierge Security® and Triage Security Teams help end cyber risk.

SECURITY BULLETINS

CVE-2024-3400: Follow Up: Patches Released for Actively Exploited Critical Vulnerability in GlobalProtect Feature of PAN-OS

CVE-2024-26234 for Windows and CVE-2024-29053 for Defender for IOT highlighted in Microsoft’s April 2024 Patch Tuesday

CVE-2024-3400: Critical Vulnerability in GlobalProtect Feature of PAN-OS being Actively Exploited

COMPANY

Threat Hunting

What Is Threat Hunting?

Threat Hunting and the Human Element

How is Threat Hunting Done?

Threat Hunting vs. SIEM (or MDR or EDR)

Threat Hunting vs. Threat Intelligence

Threat Hunting and Artificial Intelligence

Sule Tatar

Cybersecurity Beginners

Arctic Wolf Networks 8939 Columbine Rd, Suite 150 Eden Prairie, MN 55347

1.888.272.8429

© 2024 Arctic Wolf Networks Inc. All Rights Reserved.

Arctic Wolf Networks
8939 Columbine Rd, Suite 150
Eden Prairie, MN 55347