Security Testing Know How 3: Threat Hunting
In the previous two articles in this series, we wrote about the importance of vulnerability assessment and penetration testing, both of which can be considered semi-automated, proactive searches for weaknesses in IT systems. Today’s article focuses on threat hunting, which is traditionally a manual process that requires a great deal of knowledge and experience.
Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected inside an organisation’s network. Cyber threat hunting digs deep to discover malicious actors or insiders in the corporate environment who have slipped past the initial endpoint security defences. These cybercriminals may linger undetected inside the network for months before executing their attack. Often we find that organisations discovered malicious threat actors too late, after the attackers had already gained unauthorised access to company data, simply because threat hunting was not part of their security programme to start with.
The process of threat hunting consists of a cyber security professional (or team) analysing the various data provided by automated tools and forming a hypothesis about potential threats that might have slipped through the cracks of vulnerability assessment and penetration testing. The hypothesis can draw on many sources, from the experience of the professional team to current world trends such as active threat actors, known exploits, insiders or other advanced persistent threats.
Though the process of crafting a hypothesis is manual, the threat hunting team is equipped with a number of automated tools that analyse big data, network behaviour and user activity. Upon collecting the data, the team investigates how likely it is that a threat actor is present inside the corporate network and moves on to analyse any suspicious behaviour.
There are three types of hypothesis methodologies:
Analytics-Driven. A combination of machine learning and analytics processes a large amount of information to detect possible irregularities and patterns. The anomalies found in the data serve as the starting point of an investigation to find malicious actors.
Intelligence or Hypothesis-Driven. The intelligence can be internal, gathered from vulnerability scans, malware analysis or audits that uncover previously hidden attack vectors. It can also be external, coming from cyber reports, feeds or news in which an attack has already been diagnosed; the threat hunters then check that hypothesis against their own network.
Situation-Awareness-Driven. Focuses on insider threats and risk posture, where the bulk of the data comes from risk assessments, employee trends or user data.
Having chosen the right methodology, hunters look for trigger points: a specific system or area of the network that is flagged for further investigation when advanced detection tools identify unusual actions. The subsequent investigation either proves the hypothesis right or determines that the activity or pattern in question is benign. Either way, the resolution feeds information back to security teams and management so they can fix gaps or tune the configuration of detection systems.
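As an added example (not code from the original article), the following Python script runs a small hypothesis-driven hunt over a constructed authentication log: a baseline window defines the hosts each account normally reaches, and the hypothesis "a compromised account reaches hosts it has never used, outside working hours" yields trigger points for an analyst to investigate. The log format, user names and host names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log: hypothetical users and hosts, not real data.
SAMPLE_LOG = """\
2024-03-04 09:12:01 user=alice src=10.0.1.20 dst=fileserver01 result=success
2024-03-04 09:30:44 user=bob src=10.0.1.33 dst=fileserver01 result=success
2024-03-05 14:22:51 user=bob src=10.0.1.33 dst=hr-db01 result=success
2024-03-06 02:41:09 user=alice src=10.0.1.20 dst=hr-db01 result=success
2024-03-06 02:43:17 user=alice src=10.0.1.20 dst=dc01 result=success
2024-03-06 02:44:05 user=alice src=10.0.1.20 dst=dc01 result=failure
2024-03-06 11:00:00 user=bob src=10.0.1.33 dst=fileserver01 result=success
"""
LINE_RE = re.compile(r"(\S+ \S+) user=(\S+) src=(\S+) dst=(\S+) result=(\S+)")

def parse_log(text):
    # Turn raw lines into event dicts; lines that do not match the format are skipped.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                "user": m.group(2), "src": m.group(3), "dst": m.group(4),
                "ok": m.group(5) == "success",
            })
    return events

def build_baseline(events, baseline_end):
    # "Normal" behaviour: the hosts each user successfully reached before baseline_end.
    baseline = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < baseline_end:
            baseline[e["user"]].add(e["dst"])
    return baseline

def hunt(events, baseline, baseline_end, work_hours=(7, 19)):
    # Hypothesis: a compromised account reaches hosts it never used before, outside
    # working hours. Returns trigger points {user: [hosts]} for the analyst to investigate.
    triggers = defaultdict(list)
    for e in events:
        if not e["ok"] or e["ts"] < baseline_end:
            continue  # failed logins and the baseline window itself are not hunted here
        new_host = e["dst"] not in baseline.get(e["user"], set())
        off_hours = not (work_hours[0] <= e["ts"].hour < work_hours[1])
        if new_host and off_hours:
            triggers[e["user"]].append(e["dst"])
    return dict(triggers)
```

A trigger point here is only a lead: the analyst still has to confirm whether the off-hours access is malicious or benign, as the article describes.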
Threat hunting is an advanced cyber security function that requires a company-wide analytical approach and intelligence tools to work effectively. Adding threat hunting to the security programme empowers any company to proactively discover lurking threats. Working from the assumption of breach, hunters create scenarios and investigate hypotheses to make sure that vulnerability assessment and penetration testing haven’t missed a thing. According to industry data, in 2018 alone the number of companies utilising some form of threat hunting increased by 40%.
However, threat hunting must be a continuous process conducted by a professional cyber security team with a great deal of experience in the field. For this reason, most small and medium-sized businesses outsource threat hunting to professional providers.
Finally, it is very important for any organisation that has been breached to perform threat hunting after handling the attack in question, as we often find that malware or other malicious code may still be lurking in the network.
In our next segment of this series we will group together what we have spoken about so far and talk about posture assessment and how to build a successful security programme with vulnerability assessment, penetration testing and threat hunting combined.
Have you ever conducted threat hunting within your systems? Any anecdotes you would like to share with us?
At D4n6 we are teamed up with professional partners around Europe to carry out threat hunting on any aspect of an organization. Feel free to reach out to any member of our team so we can guide you on this process.
