A beginner's guide to Threat Hunting

Threat hunting is the deliberate process of defining cyber threats and proactively seeking them out within a contextualised data environment.

What is threat hunting?

The term threat hunting has become a bit of a buzzword in the industry, but it simply means proactively searching for cyber threats that are prowling unnoticed in a network, rather than waiting for an alert to fire.

Understanding your adversaries

Even though cyber security is becoming more sophisticated, breaches continue to climb. Simply waiting for breaches to happen is not enough; you need to be actively searching to maintain a secure network. Doing so will help you gain a more secure position against your adversaries, but to hunt effectively it is crucial to understand them better.

Adversaries are skilled at obtaining access and going unnoticed for months. Adversaries' techniques are similar, but their motivations might be different. That is why you need to:

  • Determine who would want to harm your business. Do you have anything valuable?
  • Decide what looks normal so you can determine when something looks amiss. For example, look at the physical connectivity, network utilisation, protocol usage, peak network utilisation and average throughput of the network.
  • Find out the tricks and techniques of human hackers. Although there is no single method, it is still helpful to understand how a typical attack is undertaken.

Below is a summary of a typical way a hacker might infiltrate your network and attack your system.

The steps in a cyber attack

Research

First, they gather public information about your organisation and network, for example network ranges, IP addresses, domain hostnames and the email addresses of key players, which can later be used to launch phishing attacks.

Penetrate

Next, they will penetrate the network, usually getting through perimeter defences via phishing attacks or malware, domain shadowing, malvertising, denial-of-service and drive-by downloads. Adversaries can also use other tools to gain entry, for example vulnerability exploitation, traffic monitoring, port scanners, encryption tools and password crackers.

Expand

Adversaries expand through your network using a technique called pivoting: using a compromised device to access other company devices. This lateral movement gives them visibility into the available network assets and lets them obtain high-value, sensitive information, for example administrative credentials or a route to escalate privileges.

Exploit

The exploit stage is when the attacker gains administrative access, opens command and control communications, achieves persistence, exfiltrates or destroys data, denies access to systems and covers their tracks.

How does threat hunting help?

Threat hunting focuses on the expand and exploit phases; where the adversary pivots from tells you where they are. You have to imitate what they might do in order to find weaknesses, for example the point at which they entered. The deeper you investigate, the more areas you will find in which your security can be improved.
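As an added illustration (not part of the original post) of two ideas above, baselining what normal looks like and then looking for the pivoting pattern of the expand phase, here is a small Python hunt over constructed flow records; the hosts, ports and thresholds are all invented.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dst_port), not real data: a "baseline" window
# capturing what normal looks like, then a "hunt" window to check against it.
# All addresses are assumed to be internal hosts.
BASELINE = [
    ("10.0.1.5", "10.0.9.20", 443), ("10.0.1.5", "10.0.9.21", 443),
    ("10.0.1.6", "10.0.9.20", 443), ("10.0.1.7", "10.0.9.22", 53),
    ("10.0.1.5", "10.0.9.20", 443), ("10.0.1.6", "10.0.9.22", 53),
]
HUNT = [  # in time order
    ("10.0.1.5", "10.0.9.20", 443),   # normal traffic
    ("10.0.1.6", "10.0.1.5", 445),    # 1.6 reaches into 1.5 on a port never seen
    ("10.0.1.5", "10.0.1.8", 445),    # 1.5 then fans out to peers it never talked to
    ("10.0.1.5", "10.0.1.9", 445),
    ("10.0.1.5", "10.0.1.10", 3389),
    ("10.0.1.7", "10.0.9.22", 53),    # normal traffic
]

def port_profile(flows):
    """Baseline of protocol usage: the destination ports each source normally uses."""
    profile = defaultdict(set)
    for src, _dst, port in flows:
        profile[src].add(port)
    return profile

def new_port_usage(baseline, hunt):
    """(source, port) pairs in the hunt window absent from that source's baseline."""
    base = port_profile(baseline)
    return sorted({(src, port) for src, _dst, port in hunt if port not in base[src]})

def find_pivots(baseline, hunt, min_fanout=3):
    """Hosts that were reached by another host and then opened flows to at least
    min_fanout hosts they never contacted in the baseline: the pivoting pattern."""
    known = defaultdict(set)
    for src, dst, _port in baseline:
        known[src].add(dst)
    reached, fanout = set(), defaultdict(set)
    for src, dst, _port in hunt:
        if src in reached and dst not in known[src]:
            fanout[src].add(dst)
        reached.add(dst)
    return sorted(host for host, peers in fanout.items() if len(peers) >= min_fanout)

if __name__ == "__main__":
    print("unusual port usage:", new_port_usage(BASELINE, HUNT))
    print("possible pivots:", find_pivots(BASELINE, HUNT))
```

Either signal alone is weak; a host that both shows new protocol usage and fans out to fresh internal peers shortly after being reached is what makes the hunt worth escalating.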

Of course, you never want a hacker to exploit your system. However, if they do, you can use this information to make your network more secure.

What do you need to start threat hunting?

To be ready to threat hunt, you need a mature security setup: you must be able to collect multiple sources of information and store them so they can be investigated later. Use automated blocking and monitoring tools such as firewalls, antivirus, endpoint management, network packet capture, and security information and event management (SIEM).

Furthermore, you will need a tool that enables you to bring together your disparate data sets and slice and dice them in a way that exposes insights with the least possible effort. Threat hunting can involve an enormous amount of information, so while it is a human-led effort, you’ll need some computer assistance to make the task more manageable.

What is managed threat detection?

Because 100% detection is impossible to achieve, and existing security measures and solutions like IDS and SIEM are not enough, there is a growing need to establish security teams who will proactively “hunt” for threats targeting organisations. However, having a separate threat hunting team is not viable for small to medium-sized businesses. In these cases, investing in a managed threat detection service is a time-efficient and cost-efficient option.

Here at Northstar, you have access to a team that can already manage, detect and respond. We benefit from looking after many industry verticals, which are exposed to every type of attack, and this gives us a more comprehensive threat hunting operation. Northstar monitors and threat hunts 24/7/365, and we can provide managed responses to help you keep your data secure.

The threat landscape is not static; it evolves every day, and security teams must keep up. It is a complex and resource-heavy endeavour, but we are validating our operations every day.

For more information about threat hunting and how your business can benefit, contact Northstar today.
