What is Threat Hunting and Why is it Necessary?
Advanced persistent threats (APTs) are increasingly prevalent and frequently circumvent conventional security measures through tactics such as phishing, smishing, credential compromise, or supply chain infiltration. There is a need to go beyond automated security alerts because these systems primarily flag known attack patterns and may miss novel or sophisticated threats that have bypassed initial defenses.
That is why threat hunting is an essential component of any defense strategy. Threat hunting is defined as the proactive and iterative process of searching for latent cyberthreats that remain undetected within a network environment. This strategic approach allows organizations to identify unknown or ongoing cyberthreats before they can cause harm.
How Does Threat Hunting Differ from Traditional Security Measures?
Unlike traditional security measures that primarily rely on automated alerts and predefined threat signatures, threat hunting involves a proactive, manual investigation by skilled analysts. The analysts leverage technology to scan and gather data, formulate hypotheses, identify anomalies, and develop action plans. They delve deep into systems and data, seeking out hidden threats that have successfully evaded automated detection.
Many organizations mistakenly believe that having an incident response (IR) plan alone is sufficient. However, this reactive approach isn't going to cut it as organizations face relentless and evolving cyberthreats. While IR focuses on the actions an organization takes after it believes its systems or data have been compromised or breached, threat hunting, in contrast, centers on discovering the unknown, not just responding to known threats.
However, threat hunting is crucial to incident response because it enables teams to proactively identify and mitigate risks and reduce response time. For example, if a hunter uncovers an incident during a hunt, the incident response team will be significantly better equipped to handle the situation since a significant amount of scoping and triaging was completed during the hunt and the hunters have already analyzed the data they collected. The incident response team is able to act quickly and mitigate risks before any severe damage is done.
In an RSAC™ 2024 presentation, Sierra Stanczyk, Senior Manager, Global Threat Intelligence at PwC, stated that threat intelligence involves documenting facts, identifying gaps for further review, and then analyzing a series of related occurrences to assemble a cohesive view. As Stanczyk noted, this contextualizes incidents based on findings and aids in conducting impact and damage assessments. While her focus was on threat intelligence, threat hunting uses threat intelligence to conduct its investigations. Ultimately, both threat hunting and threat intelligence significantly enhance incident response security measures.
What are the Key Methodologies and Tools Used in Threat Hunting?
During his RSAC™ 2024 presentation, David Bianco, Staff Security Strategist at SURGe by Splunk, detailed the PEAK Threat Hunting Framework, which is available for free download here.
Bianco discussed three distinct threat hunting methodologies that organizations can employ based on their security posture and specific needs:
1. Hypothesis-Based Hunting
This threat hunting method begins with a threat hunter creating a hypothesis about potential risks within the network. They then decide what information and analysis are needed to confirm this theory and proceed with their investigation. While this targeted approach is important, it's usually not enough by itself to uncover all threats.
2. Baseline Hunting
When encountering a new dataset, environment, or technology, a threat hunter needs to establish a thorough understanding of what constitutes normal behavior. This involves becoming familiar not only with the data format but also with the typical activities within that environment. Understanding regular activity is crucial for identifying anomalies. Baseline threat hunting helps determine the parameters of normal behavior by examining various data fields and the relationships between them. This allows organizations to establish a baseline of typical activity, which can then be used to identify deviations that may indicate suspicious behavior. This method is particularly useful when onboarding new technologies or environments, or during mergers and acquisitions. Given that environments and activities evolve over time, it is beneficial to periodically re-baseline and utilize this hunting method.
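An added example of baseline hunting over authentication logs (not from Bianco's presentation or the PEAK framework): it learns each user's usual source hosts and login hours from a constructed history, then flags new events that fall outside that baseline. The log field layout and the one-hour slack are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample history: "timestamp,user,src_host,result" (not real logs)
HISTORY = [
    "2024-03-04T08:55:00,alice,wks-alice,success",
    "2024-03-05T09:02:00,alice,wks-alice,success",
    "2024-03-06T08:47:00,alice,wks-alice,success",
    "2024-03-04T22:10:00,svc-backup,srv-backup01,success",
    "2024-03-05T22:11:00,svc-backup,srv-backup01,success",
]
NEW_EVENTS = [
    "2024-03-07T09:01:00,alice,wks-alice,success",          # within baseline
    "2024-03-07T02:40:00,alice,srv-fileshare,success",      # new host, odd hour
    "2024-03-07T22:09:00,svc-backup,srv-backup01,success",  # within baseline
    "2024-03-07T13:00:00,svc-backup,wks-bob,success",       # service account on a workstation
]

def parse(line):
    ts, user, host, result = line.split(",")
    return datetime.fromisoformat(ts), user, host, result

def build_baseline(lines):
    """Per user: the source hosts and the login hours seen during the baseline window."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for line in lines:
        ts, user, host, _ = parse(line)
        hosts[user].add(host)
        hours[user].add(ts.hour)
    return hosts, hours

def hour_distance(a, b):
    # Circular distance so that 23:00 and 00:00 count as one hour apart
    d = abs(a - b) % 24
    return min(d, 24 - d)

def hunt(baseline, lines, hour_slack=1):
    """Return [(event, reasons)] for events that fall outside the learned baseline."""
    hosts, hours = baseline
    findings = []
    for line in lines:
        ts, user, host, _ = parse(line)
        reasons = []
        if user not in hosts:
            reasons.append("user never seen in baseline")
        else:
            if host not in hosts[user]:
                reasons.append(f"new source host {host}")
            if all(hour_distance(ts.hour, h) > hour_slack for h in hours[user]):
                reasons.append(f"unusual hour {ts.hour:02d}")
        if reasons:
            findings.append((line, reasons))
    return findings
```

Each finding is a lead to triage, not a verdict; in practice the baseline window would be weeks of data and would be rebuilt periodically, as the text recommends.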
3. Model-Assisted Threat Hunting
This approach is a hybrid of hypothesis-based and baseline hunting. The key difference is that the analysis is not performed manually but rather by training a computer to do it.
Figure 1 illustrates a decision-making process to help organizations determine the most suitable hunting method based on specific questions or criteria.
Figure 1. Source: RSAC 2024 presentation
Once a hunting type is selected, Bianco outlined a three-step process (Figure 2): prepare the topic and generate hypotheses, execute by gathering and analyzing data, and act on the findings by documenting and communicating them for further action.
Figure 2. Source: RSAC 2024 presentation
Tools like security information and event management (SIEM), endpoint detection and response (EDR), and user and entity behavior analytics (UEBA) platforms are crucial for the threat hunting process. These tools monitor and log data, enabling the real-time detection of anomalies.
The MITRE ATT&CK framework also significantly aids threat hunting. As Simon Dyson, Cybersecurity Operations Centre Lead at NHS Digital, explained in an RSAC™ 2022 presentation, "It helps describe the attack cycle and map it to identify gaps. We can also look at threat actor Tactics, Techniques, and Procedures (TTPs) to map them to alerts and security controls." Fundamentally, MITRE ATT&CK is a common language and matrix of adversary actions, helping hunters track attacks and identify bypassed TTPs.
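An added example (not NHS Digital's tooling or material from the presentation) of the mapping Dyson describes: an actor's TTPs are checked against the alerts and security controls an organization already has, and the techniques left uncovered become the first candidates for a hunt hypothesis. The actor profile and the SOC inventory are constructed; the technique IDs are real ATT&CK identifiers.

```python
from collections import defaultdict

# Constructed actor profile: ATT&CK technique ID -> (tactic, name). The IDs are
# real ATT&CK identifiers; the actor and the inventory below are made up.
ACTOR_TTPS = {
    "T1566": ("Initial Access", "Phishing"),
    "T1078": ("Persistence", "Valid Accounts"),
    "T1059": ("Execution", "Command and Scripting Interpreter"),
    "T1003": ("Credential Access", "OS Credential Dumping"),
    "T1021": ("Lateral Movement", "Remote Services"),
}
# Constructed SOC inventory: name -> technique IDs each alert rule / control addresses
DETECTION_RULES = {"phish-macro-spawns-shell": ["T1566", "T1059"],
                   "lsass-handle-access": ["T1003"]}
SECURITY_CONTROLS = {"mfa-on-all-logins": ["T1078"],
                     "attachment-sandboxing": ["T1566"]}

def map_coverage(actor_ttps, rules, controls):
    """For each actor technique, list the alerts and controls that address it."""
    alerts_for, controls_for = defaultdict(list), defaultdict(list)
    for name, techs in rules.items():
        for t in techs:
            alerts_for[t].append(name)
    for name, techs in controls.items():
        for t in techs:
            controls_for[t].append(name)
    return {tid: {"tactic": tactic, "name": tname,
                  "alerts": sorted(alerts_for[tid]),
                  "controls": sorted(controls_for[tid])}
            for tid, (tactic, tname) in actor_ttps.items()}

def detection_gaps(report):
    """Techniques the actor uses that no alert would fire on (a control may still help)."""
    return sorted(t for t, r in report.items() if not r["alerts"])

def uncovered(report):
    """Techniques with neither an alert nor a control: first candidates for a hunt hypothesis."""
    return sorted(t for t, r in report.items() if not r["alerts"] and not r["controls"])
```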
These represent just a few of the hunt types, tools, and frameworks that can be used in threat hunting.
The Power of Proactive Hunting
While implementing threat hunting presents challenges such as skills gaps, data volume, and the need for continuous improvement, it offers significant benefits, including reduced dwell time, an improved security posture, and early threat detection. Organizations must establish dedicated threat hunting teams focused on uncovering hidden threats, alongside separate incident response teams prepared to manage confirmed breaches. Embracing a proactive threat hunting strategy is crucial for navigating the ever-evolving threat landscape and building a more resilient security posture.