How to Tackle the Challenges of Threat Hunting
In the SANS 2018 Cyber Threat Intelligence Survey, 81% of cybersecurity professionals affirm that threat intelligence is providing value and helping them do their jobs better. But are they capturing all the value to truly strengthen defenses and accelerate detection and response?
At ThreatQuotient we believe you cannot defend against and respond to what you do not understand. To be effective, security operations must start with the threat. Perhaps no use case illustrates this better than threat hunting – the practice of proactively and iteratively searching networks and systems for abnormal indications that may be signs of compromise. But threat hunting is not as simple as the definition makes it sound.
When considering the prospect of engaging in threat hunting, many security operations teams scratch their heads wondering:
- Where do we begin?
- Do we have the specific knowledge and expertise?
- How do we get visibility to conduct a thorough search across the environment?
- Do we have the resources and time to proactively look for threats when we can’t keep up with all the alerts we’re already receiving?
When analysts do forge ahead, they can waste huge amounts of time chasing ghosts if they don’t have the right tools.
Get off to a good start
In general, there are two approaches to threat hunting: 1) An outside-in approach where you learn of a threat from an external report and you hunt for it within your environment, and 2) An inside-out approach where you observe suspicious behavior in your environment, pivot to the adversary and external sources to learn more about associated indicators, and then hunt for and find additional indicators in your environment.
Whichever threat hunting approach you’re using, you need to start with the threat. And that means you need the ability to aggregate external and internal threat and event data in a central repository to gain context. Next, you need to be able to prioritize this data for relevance based on parameters you set so you can ensure your hunting efforts are focused on high-risk threats.
Time is critical because you believe something malicious may be happening. To work efficiently and effectively, analysts must be able to conduct investigations collaboratively, exploring every corner of the organization to pinpoint adversary tactics, techniques and procedures (TTPs). Once the malicious activity has been located everywhere it exists in the environment, IR teams can remediate it completely rather than piecemeal. When a threat is confirmed you need to be able to export indicators to proactively block similar attacks in the future and adjust policies to strengthen defenses.
It’s also important to remember that threat hunting must be a continuous process. As new data and learnings are added to the central repository, intelligence is reprioritized to support ongoing hunts.
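The workflow described above (central repository, relevance parameters you set, outside-in and inside-out hunting, export of confirmed indicators) in a minimal, runnable form. This is an added example, not ThreatQuotient's or ThreatQ's code: the indicator values, the "ACTOR-X"/"ACTOR-Y" adversary labels, the scoring formula, the `PARAMS` thresholds and the telemetry records are all constructed placeholders chosen to illustrate the steps.

```python
"""Threat-hunting workflow, added example (not ThreatQ code). Every indicator,
adversary label and log record below is a constructed placeholder."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Indicator:
    value: str          # IP, domain or SHA-256 (placeholders only)
    kind: str           # "ip", "domain" or "sha256"; matches a telemetry field
    source: str         # "external" report or "internal" observation
    adversary: str      # context used for the inside-out pivot; "unknown" if none
    first_seen: date
    confidence: int     # 0-100 as stated by the source
    status: str = "unconfirmed"


class Repository:
    """Central repository: external and internal indicators aggregated in one place."""

    def __init__(self):
        self.by_value = {}

    def add(self, ind):
        # Merge duplicates: keep the higher-confidence copy, but carry an
        # adversary label over to a copy that has none, so context is not lost.
        cur = self.by_value.get(ind.value)
        if cur and cur.adversary != "unknown" and ind.adversary == "unknown":
            ind.adversary = cur.adversary
        if cur is None or ind.confidence >= cur.confidence:
            self.by_value[ind.value] = ind

    def related(self, adversary):
        """Everything attributed to one adversary (the inside-out pivot)."""
        return [i for i in self.by_value.values() if i.adversary == adversary]


def relevance(ind, today, params):
    """Score = confidence * source weight * linear age decay; 0 past max_age_days."""
    age = (today - ind.first_seen).days
    if age > params["max_age_days"]:
        return 0.0
    decay = 1.0 - age / params["max_age_days"]
    return round(ind.confidence * params["source_weight"][ind.source] * decay, 1)


def prioritize(repo, today, params):
    """Rank the repository by the parameters you set; drop anything below min_score."""
    scored = [(relevance(i, today, params), i) for i in repo.by_value.values()]
    return [i for s, i in sorted(scored, key=lambda x: -x[0]) if s >= params["min_score"]]


def hunt(repo, indicators, telemetry):
    """Outside-in: search internal records for each indicator. Returns
    {indicator value: sorted hosts} and marks each hit as confirmed."""
    hits = {}
    for ind in indicators:
        hosts = {r["host"] for r in telemetry if r.get(ind.kind) == ind.value}
        if hosts:
            ind.status = "confirmed"
            hits[ind.value] = sorted(hosts)
    return hits


def inside_out(repo, observed_value, telemetry):
    """Inside-out: start from something seen locally, pivot to its adversary,
    then hunt for the other indicators attributed to that adversary."""
    seed = repo.by_value.get(observed_value)
    if seed is None or seed.adversary == "unknown":
        return {}
    related = [i for i in repo.related(seed.adversary) if i.value != observed_value]
    return hunt(repo, related, telemetry)


def export_blocklist(repo):
    """Confirmed indicators grouped by kind, ready to push to enforcement points."""
    out = {}
    for ind in repo.by_value.values():
        if ind.status == "confirmed":
            out.setdefault(ind.kind, []).append(ind.value)
    return {k: sorted(v) for k, v in out.items()}


HASH_A = "deadbeef" * 8          # constructed 64-hex placeholder, not a real hash
TODAY = date(2018, 4, 1)
PARAMS = {"source_weight": {"external": 1.0, "internal": 1.2},
          "max_age_days": 365, "min_score": 20.0}


def build_repo():
    repo = Repository()
    for ind in [
        # constructed external report attributing three indicators to "ACTOR-X"
        Indicator("198.51.100.23", "ip", "external", "ACTOR-X", date(2018, 3, 1), 80),
        Indicator("update-check.example", "domain", "external", "ACTOR-X", date(2018, 3, 5), 90),
        Indicator(HASH_A, "sha256", "external", "ACTOR-X", date(2018, 3, 5), 85),
        # stale report: high confidence but older than max_age_days, so it scores 0
        Indicator("192.0.2.77", "ip", "external", "ACTOR-Y", date(2016, 1, 1), 95),
        # the same hash observed internally by EDR, adversary not yet known locally
        Indicator(HASH_A, "sha256", "internal", "unknown", date(2018, 3, 28), 60),
    ]:
        repo.add(ind)
    return repo


TELEMETRY = [  # constructed proxy/DNS/EDR records, one dict per event
    {"host": "ws-17", "domain": "update-check.example", "ip": "198.51.100.23"},
    {"host": "ws-22", "domain": "intranet.corp.example", "ip": "10.0.0.5"},
    {"host": "ws-17", "sha256": HASH_A},
    {"host": "srv-03", "sha256": HASH_A},
]

if __name__ == "__main__":
    repo = build_repo()
    ranked = prioritize(repo, TODAY, PARAMS)
    print("hunt hits:", hunt(repo, ranked, TELEMETRY))
    print("blocklist:", export_blocklist(repo))
```

Re-running `prioritize` after new data is added to the repository is what makes the process continuous: the stale "ACTOR-Y" address drops out on age, while a fresh internal sighting of an already-known indicator keeps its adversary context and stays near the top of the hunt list.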
ThreatQ and ThreatQ Investigations help you meet the threat hunting challenge. I encourage you to learn more here, where you can also watch a brief demo showing how to conduct a threat hunting investigation using the ThreatQ platform.