Threat Hunting In Cyber Security

When we visit websites, our systems can be exposed to malicious content like malware and viruses through malicious ads, phishing scams, etc.

This threat is not limited to individuals, but it also extends to organizations, which are often targeted by bad actors (hackers) for financial exploitation, political statements, or other malicious motives.

There is a range of cybersecurity practices aimed at protecting systems, networks, and devices from unauthorized access, cyber threats, and attacks. One of the security measures used in identifying threats within a system or network is called threat hunting.

In this article, we explore what threat hunting is and why it is important in cyber security but first;

A Cybersecurity Overview

Cybersecurity is the practice of protecting networks, systems and programs from digital attacks. These attacks may include hacking, data breaches, malware, ransomware, etc.

This security practice ensures that data or information remains protected, confidential, and secure from any unauthorised access.

There are several components of cyber security, which include:

• Confidentiality: It ensures that sensitive information is accessed only by authorised systems or individuals.

• Integrity: It protects data from being tampered with by unauthorised entities. It does this by applying techniques like hashing and digital signatures to protect the integrity of data.

• Availability: It ensures that systems and resources are accessible when required by authorised users.

There are different types of cybersecurity, such as cloud security, network security, application security, identity and access management, information security, etc. However, as technology continues to evolve to become more sophisticated, so will attackers. With more advanced tools and techniques to evade traditional security measures, cybersecurity as a broad defence is not enough.

There is a need to stay ahead of these new threats. It is important to be able to identify and mitigate hidden risks, and this is where proactive methods like threat hunting come in:

What is Threat Hunting?

Threat hunting is a technique of searching for cyber security threats that are hiding undetected within a network. It is considered a proactive security measure because threat hunters search for signs of malicious activities and investigate to find bad actors that may have broken past a network's defences.

Cyberattacks often catch an organisation off guard. If an organisation is not prepared for a breach, the consequences are dire, resulting in financial, operational, and reputational loss. This is why it's important to have advanced detection capabilities to detect and counter attacks before they occur.

What happens before a cyber-attack occurs?

Before any attack occurs, hackers perform investigations or reconnaissance on their target. This phase helps the attacker gather information about the infrastructure, and systems vulnerabilities before attacking.

It could be getting information about the company's website, employees, or the organisation's IP addresses or servers, fully understanding the system or network and how it can be exploited.

When the hacker gets access to a system, this access might not give full control to the entire system. As a result, the hacker may lurk around the system to gather more information such as financial records and intellectual property, or to understand the system’s complexity and security architecture. This helps the hacker identify vulnerabilities to exploit.

Hackers may remain in the system for an extended period of time, setting up backdoors to ensure continuous access even if the initial entry point is discovered.

What happens after the hacker or bad actor has access to a system or network?

After hackers gather all the necessary information and have strategized, they launch their attack. For instance, the hacker may start extracting data from the vulnerable system or deploy ransomware that encrypts sensitive data and asks for a ransom in exchange for the decryption key or destroy the systems if the case is to disrupt the organisation's operations.

After the attack, what happens next?

The next phase after a cyber-attack is recovery, this involves restoring operations, mitigating further attacks or damage, and strengthening security defences against future attacks.

Recovery time is crucial because the faster an organisation recovers from an attack, the more it can minimise losses. There have been cases where businesses lost millions of dollars due to cyberattack.

Having a quick recovery plan in place can also prevent an attacker from further exploiting other parts of a system or network.

This is why threat hunting is important to help companies stay one step ahead of cyber threats and also respond to potential cyber-attacks effectively.

Steps in Threat Hunting

The basic steps of threat hunting include:

• Trigger: The trigger directs threat hunters to the area where suspicious activity is detected. A threat detection tool can be used to identify exactly where the threat is located so the threat hunter or expert knows where to investigate.

• Investigation: In this stage, the threat hunter uses technology to perform a detailed analysis of the potential vulnerabilities within a system or network. This investigation continues until the hunter is certain that no threat exists or the threat has been fully understood.

• Resolution: During this stage, information gathered after the investigation is communicated to the operations and security so they can respond and mitigate the attack.

This stage addresses threats immediately and also helps security experts enhance the security of the organisation making them resilient and more prepared for future threats.

How do threat hunters gather information?

Different sources of information provide insights into potential or ongoing attacks, and they include;

Indicators of Compromise (IOC)

IOC refers to data or evidence during forensic analysis that shows a system/network has been invaded by a cyber threat.

IOC provides security teams with crucial information about potential breaches by allowing them to trace an attacker's footprint and check for anomalies in the network traffic and system activities.

IOC signals that attacks, such as malware and data exfiltration, have already occurred. Threat hunters search for IOCs on event logs, extended detection and response (XDR) solutions, and security information and event management (SIEM) solutions.

Examples of IOCs include unusual sign-in attempts, irregularities in privileged accounts, multiple requests for the same file, unexpected software installations and other irregular activities.

Indicators of Attack (IOA)

IOAs are forensic signs that show the intent of what an attacker is trying to accomplish. IOAs provide insights into the techniques and procedures used by the attacker, helping security teams understand the attacker's behaviour and develop effective strategies for responding to the attack.

Examples of IOAs include; unusual login attempts, public servers communicating with internal hosts, multiple honeytoken alerts from a host, excessive SMTP (simple mail transfer protocol) traffic, etc.

Intel

Intel or threat intelligence refers to information gathered from different sources that inform the threat hunter about attack trends or potential threats.

Vulnerability scans

These scans assess an organisation's systems and applications for vulnerabilities such as misconfigurations or outdated software so they would not be exploited by attackers.

Types of Threat Hunting

There are different types of threat hunting, such as;

• Structured Hunting: Structured hunting is based on indicators of attack (IOA) and the tactics, techniques and procedures (TTPs) used by an attacker. All hunts are organised based on the TTPs of the attacker, enabling the hunter to identify and understand the threat actors before any damage is caused to the environment.

• Unstructured Hunting: This type of hunt is initiated based on a trigger, which may be one of many indicators of compromise (IOC).

The trigger prompts the hunter to search for patterns in activities before and after a trigger. This approach allows the hunter to investigate historical data within the data retention period and compare the findings with previous incidents.

• Situational/entity-driven hunt: A situational hypothesis is derived from an organisation's internal risk assessment or trends and vulnerabilities analysis tailored to its IT environment. Entity-oriented leads come from crowd-sourced attack data, revealing the latest Tactics Techniques and Procedures (TTPs) of current cyber threats.

The threat hunter can then search for specific behaviours based on this data within the organisation's environment.

Threat Hunting Tools

Tools used in threat hunting to gather information include:

Extended Detection and Response (XDR): XDR involves gathering information and running it through an analytics engine which produces a detection of malicious activities and a response. This involves proactively looking for problems and reactively responding to them.

XDR correlates data from various sources and automates incident response, enabling it to detect and respond to threats quickly. It provides effective detection and response capabilities to mitigate potential threats from various security technologies, including;

• EDR (Endpoint Detection and Response): This focuses on gathering reports from endpoints such as desktops and laptops.

• NDR (Network Detection and Response): This focuses on security from the network perspective.

• SIEM: This gathers information from applications, databases, and other security components.

• Threat intelligence feeds: These feeds come from sources that tell of current threats in the security world.

All this information is integrated into a higher-level system in this case, XDR. XDR correlates information from all the mentioned systems and provides a single view of security incidents.

It may analyse information using AI to increase the ability to understand the underlying cause of threats. Additionally, XDR can incorporate User Behaviour Analytics, which monitors abnormal user behaviour, etc.

XDR includes security orchestration and response (SOAR) capabilities that allow security personnel to manage cases and figure out what the underlying cause is and how to recover from security events.

Security Information and Event Management (SIEM): It is a tool that aggregates and consolidates data that pulls in sources and sorts the data to identify threats. It is a threat protection technology used by organisations against hackers.

What you can integrate into your SIEM includes logs, threat intel, vulnerability feeds, network detection and response (NDR) data, including endpoint and response (EDR) information.

SIEM is often infused with AI, Machine Learning (ML) and Analytics to correlate data in real-time generating high-quality alerts prioritised by severity.

User Behaviour Analytics (UBA): UBA looks for anomalous user activity. This involves looking for anomalies within a log record. For instance, this log is fed into a funnel (user analytics) that uses machine learning to identify patterns and anomalies. It examines;

• Volumes: For instance, the user starts downloading more data than normal.

• Frequency: The number of times a user logs into a system

• Location: The activities coming from a location that's not normal behaviour of the user.

• Anomalous Sequence: For instance, a system administrator logs into a system, and creates and deletes accounts repeatedly.

These rules are used with Machine Learning (ML) techniques to look for patterns across a user base and determine normal or suspicious user behaviour

Threat hunters can also apply these rules to entities within the environment like network routers, servers, switches, etc. through User and Entity Behaviour Analytics (UEBA). When used in conjunction with SIEM, it helps prioritise and directs focus on areas to be investigated, identifying users creating threats in an environment.

Network Detection and Response (NDR): NDR technology detects abnormal system behaviours by applying behavioural analytics to network traffic data. The purpose is to capture network data and find anomalies in the network traffic in real-time.

Also, this technology provides network-specific content when incidents occur, like traffic analysis, unusual communication patterns within a network, unauthorised access attempts, and so on.

Endpoint Detection and Response (EDR): Endpoint detection and response solutions are designed to detect, prevent and respond to threats in real-time. They are designed to work at the endpoint level where cyber-attacks typically originate, and these endpoints can be any device that's a potential target for cyber-attacks, such as mobile devices, servers, laptops, and desktops.

EDR collects and analyses data, including process execution, network connections registry modification and file access. Machine Learning (ML) algorithms are used to detect abnormal behaviour and identify potential threats, including malware and zero-day attacks.

The response to security incidents may include quarantining infected files, blocking network connections, or alerting the Security Operations Center (SOC) for forensic and threat hunting.

Threat hunters analyse the endpoint to identify indicators of compromise and respond to the threat effectively.

All of this technology can be infused with AI to quickly find sources and get an investigation done faster to discover issues before an attack or immediately after.

Summary

Threat hunting identifies and mitigates threats that may have breached traditional security measures in an organisation.

It is a proactive and continuous search for malicious activities in a system or network, focusing on looking out for signs to uncover any anomalies or suspicious behaviours before they escalate.

Hackers use sophisticated tools to find a weakness in applications, systems or networks to carry out their attacks which is why companies need to become proactive in discovering cyber threats, and threat-hunting tools aid in the fight against these cyberattacks.

Frequently Asked Questions