Threat hunting is important because sophisticated threats can get past automated cybersecurity. Although automated security tools and tier 1 and 2 security operations center (SOC) analysts should be able to deal with roughly 80% of threats, you still need to worry about the remaining 20%. The remaining 20% of threats are more likely to include sophisticated threats that can cause significant damage. Given enough time and resources, they will break into any network and avoid detection for up to 280 days on average. Effective threat hunting helps reduce the time from intrusion to discovery, reducing the amount of damage done by attackers.
Attackers often lurk for weeks, or even months, before discovery. They wait patiently to siphon off data and uncover enough confidential information or credentials to unlock further access, setting the stage for a significant data breach. How much damage can potential threats cause? According to the Cost of a Data Breach report, a data breach costs a company almost USD 4 million on average. And the harmful effects of a breach can linger for years. The longer the time between system failure and response deployed, the more it can cost an organization.
A successful threat hunting program is based on an environment's data fertility. In other words, an organization must first have an enterprise security system in place, collecting data. The information gathered from it provides valuable clues for threat hunters.
Cyber threat hunters bring a human element to enterprise security, complementing automated systems. They are skilled IT security professionals who search, log, monitor and neutralize threats before they can cause serious problems. Ideally, they're security analysts from within a company's IT department who knows its operations well, but sometimes they're an outside analyst.
The art of threat hunting finds the environment's unknowns. It goes beyond traditional detection technologies, such as security information and event management (SIEM), endpoint detection and response (EDR) and others. Threat hunters comb through security data. They search for hidden malware or attackers and look for patterns of suspicious activity that a computer might have missed or judged to be resolved but isn't. They also help patch an enterprise's security system to prevent that type of cyberattack from recurring.
Hunters begin with a hypothesis based on security data or a trigger. The hypothesis or trigger serve as springboards for a more in-depth investigation into potential risks. And these deeper investigations are structured, unstructured and situational hunting.
A structured hunt is based on an indicator of attack (IoA) and tactics, techniques and procedures (TTPs) of an attacker. All hunts are aligned and based on the TTPs of the threat actors. Therefore, the hunter can usually identify a threat actor even before the attacker can cause damage to the environment. This hunting type uses the MITRE Adversary Tactics Techniques and Common Knowledge (ATT&CK) framework (link resides outside of ibm.com), using both PRE-ATT&CK and enterprise frameworks.
An unstructured hunt is initiated based on a trigger, one of many indicators of compromise (IoC). This trigger often cues a hunter to look for pre- and post-detection patterns. Guiding their approach, the hunter can research as far back as the data retention, and previously associated offenses allow.
A situational hypothesis comes from an enterprise's internal risk assessment or a trends and vulnerabilities analysis unique to its IT environment. Entity-oriented leads come from crowd-sourced attack data that, when reviewed, reveal the latest TTPs of current cyberthreats. A threat hunter can then search for these specific behaviors within the environment.
Intel-based hunting is a reactive hunting model (link resides outside of ibm.com) that uses IoCs from threat intelligence sources. From there, the hunt follows predefined rules established by the SIEM and threat intelligence.
Intel-based hunts can use IoCs, hash values, IP addresses, domain names, networks, or host artifacts provided by intelligence sharing platforms such as computer emergency response teams (CERT). An automated alert can be exported from these platforms and input into the SIEM as structured threat information expression (STIX) (link resides outside of ibm.com) and trusted automated exchange of intelligence information (TAXII) (link resides outside of ibm.com). Once the SIEM has the alert based on an IoC, the threat hunter can investigate the malicious activity before and after the alert to identify any compromise in the environment.
Hypothesis hunting is a proactive hunting model that uses a threat hunting library. It's aligned with the MITRE ATT&CK framework and uses global detection playbooks to identify advanced persistent threat groups and malware attacks.
Hypothesis-based hunts use the IoAs and TTPs of attackers. The hunter identifies the threat actors based on the environment, domain and attack behaviors employed to create a hypothesis aligned with the MITRE framework. Once a behavior is identified, the threat hunter monitors activity patterns to detect, identify and isolate the threat. This way, the hunter can proactively detect threat actors before they can do damage to an environment.
Custom hunting is based on situational awareness and industry-based hunting methodologies. It identifies anomalies in the SIEM and EDR tools and is customizable based on customer requirements.
Custom or situational hunts are based on customers' requirements, or they're proactively executed based on situations, such as geopolitical issues and targeted attacks. These hunting activities can draw on both intel- and hypothesis-based hunting models using IoA and IoC information
Hunters use data from MDR, SIEM and security analytics tools as a foundation for a hunt. They can also use other tools, like packer analyzers, to execute network-based hunts. However, using SIEM and MDR tools require that all essential sources and tools in an environment are integrated. This integration ensures IoA and IoC clues can provide adequate hunting direction.
Threat intelligence is a data set about attempted or successful intrusions, usually collected and analyzed by automated security systems with machine learning and AI.
Threat hunting uses this intelligence to carry out a thorough, system-wide search for bad actors. In other words, threat hunting begins where threat intelligence ends. Even more, a successful threat hunt can identify threats that have not yet been spotted in the wild.
Also, threat hunting uses threat indicators as a lead or hypothesis for a hunt. Threat indicators are virtual fingerprints left by malware or an attacker, a strange IP address, phishing emails or other unusual network traffic.
Significantly improve detection rates and accelerate time to detect, investigate and remediate threats. Learn how to start your own cyber threat hunting program.
IBM Security Managed Detection and Response (MDR) delivers a turnkey, 24x7 threat prevention, detection, and response capability. IBM's proactive threat hunters work with organizations to help identify their crown jewel assets and critical concerns.
Identify serious threats and vulnerabilities and prevent disruptions to business operations.
How can you better identify and disrupt cyber threats against your organization? Rapidly uncover time-sensitive insights about cyber threat actors and their motivations so you can disrupt current threats and enhance security measures against future ones.