Top Business Tech discusses hunting cyber threats and the importance of early detection and response.
McAfee has stated that cyber threat hunting is a proactive security search through networks, endpoints, and datasets to hunt malicious, suspicious, or risky activities that have evaded detection by existing tools. Thus, there is a distinction between cyber threat detection versus cyber threat hunting. Threat detection is a somewhat passive approach to monitoring data and systems for potential security issues, but it’s still a necessity and can aid a threat hunter. Proactive cyber threat hunting tactics have evolved to use new threat intelligence on previously collected data to identify and categorize potential threats in advance of an attack.
Cybercriminals don’t always attack as soon as they access your system; they can sometimes remain in your system for months, searching through your information and obtaining all valuable data. Once the cybercriminals are in, they will be able to move across your systems, freely accessing the information they need while also remaining poised to implement an attack. The current defence strategy a company has in place can often lack the capabilities to track and stop these threats that remain in the network.
Every company needs to bring in information security professionals to become threat hunters. These threat hunters will monitor everyday activities and traffic across the company’s systems and investigate possible threats. The Threat Hunters will need to access various threats and categorize them into two groups:
Group one will consist of straightforward threats, and can an organization can remove them through regular updates and system cleaning sessions.
Group two will be for more advanced threats. Often, organizations can tackle these threats through the use of various prevention techniques. However, the remaining threats that the company’s systems cannot detect must be found and resolved by threat hunters. The threat hunter’s job is to search through systems for threats that are hiding amongst the data and users and eliminate them before they can implement their attack. Once a threat has been detected, Threat Hunters will gather as much information as possible on that threat and analyze what can be done to protect the companies’ systems in the future.
The phases of threat detection
Scott Taschler recently published an article on CrowdStrike, where he went through the three phases a Threat Hunter usually goes through when detecting threats.
The first step that Scott goes through is The Trigger. A trigger points threat hunters to a specific system or area of the network for further investigation when advanced detection tools identify unusual actions that may indicate malicious activity. Often, a hypothesis about a new threat can be the trigger for proactive hunting. For example, a security team may search for advanced threats that use tools like file-less malware to evade existing defences.
The second step that Scott goes through is the investigation. During the investigation phase, the threat hunter uses EDR (Endpoint Detection and Response) to take a deep dive into the potential malicious compromise of a system. The investigation continues until the activity is deemed benign or a complete picture of the malicious behaviour has been established.
The final step that a threat hunter will need to go through is the Resolution. The resolution phase involves communicating relevant malicious activity intelligence to operations and security teams to respond to the incident and mitigate threats. The data hunters gather malicious and benign activity and feed it into automated technology to improve its effectiveness without further human intervention.
Cyber threat hunters gather as much information as possible about an attacker’s actions, methods, and goals throughout this process. They also analyze collected data to determine trends in an organization’s security environment, eliminate current vulnerabilities and make predictions to enhance security in the future.
When a threat hunter is searching for various threats, they have access to various software and tools that help them identify irregular activities and potential threats. Chris Brook wrote an article on Digital Guardian, which included some of the most common tools and techniques that Threat Hunters would use.
Brook first mentions the use of Security Monitoring Tools. Cyber threat hunters work with all kinds of security monitoring solutions such as firewalls, antivirus software, network security monitoring, data loss prevention, network intrusion detection, insider threat detection, and other security tools. Besides monitoring the network at the organizational level, they also examine endpoint data. Additionally, they gather event logs from as many places as possible, as their work requires sufficient security data.
Next, Brook mentioned the use of Security Information and Event Management Solutions. These tools gather internal structured data within the environment and provide real-time analysis of security alerts from within the network. Essentially, they turn raw security data into meaningful analysis. As a result, SIEM tools help manage the huge amount of data logs hunter work with and make it possible to find correlations that can reveal hidden security threats.
Lastly, Brook mentions the use of Analytics Tools. Cyber threat hunters work with two kinds of analytics tools: statistical and intelligence analysis software. Statistical analysis tools, such as SAS programs, use mathematical patterns instead of pre-defined rules to find odd behaviour and anomalies in the data. Intelligence analytics software visualizes relational data and provides security professionals with interactive graphs, charts, and other data illustrations. They make it possible to discover hidden connections and correlations between different entities and properties in the environment.
Implementing an effective response plan
When a threat hunter has all of the steps mentioned earlier, tools and techniques in place, they will detect threats early on successfully. Then, they can implement an effective response plan to eliminate the threat and any other threats that may occur in the same way.
Not every company has access to threat hunters due to a talent gap within the cybersecurity industry. Unfortunately, there aren’t enough security specialists with the qualifications and experience to become threat hunters. When there is no specialist available, companies should bring an external company on board to assist with threat hunting.
- Can we really ask long-term home workers to stay vigilant to cyber threats?
- Proofpoint: why email is the top cybersecurity threat in 2021
- Netacea: Cybersecurity Threat Predictions for 2020
- Tackling the threat of cybercrime in the healthcare sector
If you or someone you know is in the cybersecurity business, I recommend becoming a threat hunter as there is a growing need in the market. To become a Threat Hunter, you need the following skills: Experience in cybersecurity, an understanding of the cybersecurity landscape, knowledge of operating systems and network protocols, coding skills, technical writing and reporting skills and soft skills.