What is threat hunting?
Threat hunting - A preemptive measure to assess environments for threats that are not detected by the organization's current security tools and practices.
Why is threat hunting important?
The SANS Institute's 2020 Threat Hunting Survey found that 65% of organizations have threat hunting programs and that a further 29% plan to implement threat hunting practices over the next year [1].
Many companies pair their malware analysis programs with threat hunting programs, ensuring that they consistently identify both active and benign threats across their environment.
For example, in 2020 SolarWinds used ReversingLabs threat hunting tools to locate the active threats behind its supply chain attack, which impacted 18,000 organizations and generated $40 million in damages [2].
With malware analysis tools alone, this attack would have remained undetected for the foreseeable future, reaching more users and causing more damage to victims' systems.
Best practices for effective threat hunting
To effectively identify benign threats that could contribute to severe incidents, teams must follow several best practices around methodology, technology, specialized teams, and threat intelligence.
There are three popular threat hunting methodologies: 1) hypothesis driven, 2) reviewing attack indicators, and 3) ML and AI based assessments.
Hypothesis driven methodologies - Review abnormalities, formulate an educated guess, and then review the data to validate whether the potential threat warrants investigation.
Reviewing attack indicators - Use threat intelligence platforms to find indicators of compromise or attack, then research them further.
ML and AI based assessments - With machine learning, data is reviewed automatically and abnormal behaviors can be identified.
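The three methodologies above, applied to one small set of endpoint events, as an added example: this script was written for this page and is not code from the original article or from any ReversingLabs product. The hosts, users, IP addresses (RFC 5737 documentation ranges), the indicator feed, the "Office applications never spawn a shell" hypothesis, and the 3.5 anomaly threshold are all constructed assumptions; real hunts would read the same fields from EDR or proxy telemetry.

```python
"""Added example: three threat hunting methodologies over constructed events.
Not real telemetry and not ReversingLabs code."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    proc: str       # process that started
    parent: str     # process that launched it
    dst: str        # destination IP it sent data to
    bytes_out: int  # bytes sent to that destination


# Constructed sample: hypothetical workstations, users and documentation IPs.
EVENTS = [
    Event("ws01", "alice", "outlook.exe", "explorer.exe", "10.0.0.5", 1_200),
    Event("ws01", "alice", "winword.exe", "explorer.exe", "10.0.0.5", 800),
    Event("ws02", "bob", "chrome.exe", "explorer.exe", "198.51.100.20", 5_000),
    Event("ws02", "bob", "teams.exe", "explorer.exe", "198.51.100.21", 4_000),
    Event("ws03", "carol", "winword.exe", "explorer.exe", "10.0.0.5", 900),
    Event("ws03", "carol", "powershell.exe", "winword.exe", "203.0.113.7", 1_500),
    Event("ws04", "dave", "excel.exe", "explorer.exe", "10.0.0.5", 700),
    Event("ws04", "dave", "svchost.exe", "services.exe", "192.0.2.44", 250_000),
    Event("ws05", "erin", "chrome.exe", "explorer.exe", "198.51.100.22", 6_000),
]

# Constructed indicator feed, in the shape a threat intelligence platform exports.
IOC_IPS = {"203.0.113.7", "203.0.113.99"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


# 1) Hypothesis driven: "Office applications never need to spawn a shell on our
#    workstations." Any event that contradicts the hypothesis gets investigated.
def hunt_office_spawning_shell(events):
    return [e for e in events if e.parent in OFFICE_APPS and e.proc in SHELLS]


# 2) Reviewing attack indicators: match destinations against the IOC feed.
def match_iocs(events, ioc_ips):
    return [e for e in events if e.dst in ioc_ips]


# 3) Data driven: baseline per-host outbound volume and flag hosts far from the
#    norm. A median/MAD "modified z-score" is used instead of mean/stdev because
#    one loud host would otherwise inflate the baseline and hide itself.
def outbound_anomalies(events, threshold=3.5):
    totals = {}
    for e in events:
        totals[e.host] = totals.get(e.host, 0) + e.bytes_out
    values = list(totals.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # every host looks the same: nothing stands out
        return {}
    scores = {h: 0.6745 * (v - med) / mad for h, v in totals.items()}
    return {h: round(s, 2) for h, s in scores.items() if s > threshold}


def run_hunt(events, ioc_ips):
    """Hosts surfaced by each methodology, so the overlap (and gaps) are visible."""
    return {
        "hypothesis": sorted({e.host for e in hunt_office_spawning_shell(events)}),
        "ioc": sorted({e.host for e in match_iocs(events, ioc_ips)}),
        "anomaly": sorted(outbound_anomalies(events)),
    }


if __name__ == "__main__":
    for method, hosts in run_hunt(EVENTS, IOC_IPS).items():
        print(f"{method:>10}: {hosts}")
```

In the constructed data, ws03 is found by both the hypothesis and the indicator feed, while ws04 carries no known indicator and no suspicious parent process and is surfaced only by the volume baseline. That is the point of running several methodologies rather than relying on one: each has blind spots the others cover.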
Threat hunting tools complement existing endpoint detection and response (EDR) tools by offering more complex and detailed analysis to discover suspicious behaviors and patterns that EDR tools cannot detect.
It is also important to create specialized teams that focus exclusively on threat hunting, because it requires a unique set of skills: threat hunters must understand how to operate specific tools, follow the methodologies listed above, and be creative when deciding which potential threats and attack vectors should be addressed.
Finally, threat intelligence guides threat hunters on the severity of threats and indicators of compromise, how they could impact their systems, and how to respond to them, allowing them to address security weaknesses effectively.
Business benefits of threat hunting
There are several key benefits of threat hunting, including faster response times, more efficient investigations, greater visibility, fewer false positives, and reduced risk.
Faster response times - By reviewing anomalies and assessing threats proactively, teams understand the behaviors and location of malware, are able to formulate remediation strategies, and respond faster.
Efficient investigations - When threats emerge, the high levels of urgency and stress may cause companies to address and resolve issues inefficiently. By reviewing issues preemptively, organizations can take a calm, measured, and methodical approach to remediating problems.
Greater visibility - When hunting for threats, analysts must review their environments’ composition and understand what typical behaviors are, providing greater visibility into how their systems function on a day-to-day basis.
Fewer false positives - False positives lead to inefficient security practices as teams spend too much time responding to alerts and issues that do not impact their security integrity. By implementing threat hunting, teams review data and how it is reported to create rules which suppress certain alerts and limit false positives.
Reduced risk - Proactively addressing security issues before they emerge in production prevents enterprises' environments from being damaged by latent threats and reduces the cost of running their systems [4].
Keys to effective threat hunting
To implement threat hunting effectively in your organization, it is important to create a detailed protocol for investigating threats, prioritize threats and weaknesses based on severity, and create and hide malware.
Create protocols to investigate threats - Develop a checklist for assessing hidden threats, so that security measures are applied consistently and the proper steps are taken when assessing a threat's behavior.
Prioritize threats and weaknesses based on severity - Create comprehensive reports that enable SOC teams to understand which problems should be solved, and in what order.
Create and hide malware - Locate areas where malware is unlikely to be discovered and learn how your organization's systems could be exploited by malicious actors, in order to uncover potential attack vectors.