The Evolution of Threat Hunting

Suzanne Dickson
December 9, 2019 | 5 min read | Security Posture

What Is Cyber Threat Hunting?

Wikipedia defines cyber threat hunting as “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” In practice, cyber threat hunting is a manual process where trained hunters combine expertise in attacker behavior and techniques with deep knowledge of the networks and assets they are protecting. Today, new tools using automation and AI are emerging to truly transform cyber threat hunting into a highly efficient and effective practice – quickly detecting cyber security gaps and stopping attacks BEFORE they occur.

How does Cyber Threat Hunting work?

Cyber threat hunting teams search networks, endpoints, and datasets (e.g., log files, antivirus events) to identify malicious, suspicious, or risky activities that monitoring and detection tools did not catch or properly categorize. Three key elements of threat hunting are methodology, technology, and threat intelligence.

  • Methodology can vary depending on the approach taken within the threat hunting program, but it must be consistent and continuous. Investigation-based methodologies are reactive by nature, while a more proactive threat hunting approach combines advanced analytics and machine-learning to automate the investigative process and achieve much quicker results.
  • Technology plays a crucial role in cyber threat hunting. As with threat hunting methodology, some reactive tools such as Security Incident and Event Management (SIEM) are utilized and combined with proactive tools such as Unified Asset Inventory, Risk-based Vulnerability Management and Cyber Risk Quantification that enable quicker and more prescriptive mitigation of potential threats.
  • Threat intelligence enhances and expedites threat hunting for known threats.

From Reactive to Proactive Threat Hunting

IOC Detection

Initially, hunters sought to identify Indicators of Compromise (IOCs). At its simplest, an IOC is evidence that an attack of some sort has occurred. Examples of IOCs include malware infection, unexpected outbound traffic from an internal asset, and large outbound data transfers. The goal behind IOC identification is to shrink the 21 day average dwell time before a company detects a threat. However, an IOC approach is completely reactive as damage has already been done.

IOC Detection Timeline

IOA Detection

The reactive nature of IOC detection made infosec teams realize they needed to narrow the finding between infiltration to detection focusing on “What’s happening” and not “What has happened”. Indication of Attack (IOA) detection focuses on adversaries activities and behaviors leading up to an attack, often corresponding to the reconnaissance step of the Cyber Kill Chain. While IOA detection helps to identify threats sooner in the process, its Achilles’ Heel is that detection is still only possible after an initial infiltration event has occurred.

IOA Detection Timeline

IOR Detection

Threat hunting teams require more proactive measures and are increasingly turning their attention to indicators that are observable before the adversary has infiltrated the organization – Indicators of Risk (IORs). As with the IOC and IOA models, the threat hunter starts with a hypothesis on how attacks might be conducted, and iterates through testing. The difference with IOR is that the focus is on conducting this analysis before any attack begins.

Risk-based vulnerability management with integrated asset inventory and cyber risk quantification are great solutions to provide early indicators of risk with quicker and more effective mitigation outcomes. For example, these solutions could uncover and prioritize unpatched, high-value assets currently exposed to active exploits. Risk owners can then receive detailed remediation instructions identifying the best patches to apply and in what order to prevent the vulnerabilities being exploited.

IOR Detection Timeline

Reacting to threats after they’ve happened, or even as they happen, will always be a losing proposition. As the enterprise attack surface continues to grow, proactive threat hunting is the only viable path forward.

Frequently Asked Questions

Why use cyber threat hunting?

Cybercriminals are elusive and have a good track record of evading detection systems. According to the Ponemon Institute, cybercriminals spend 191 days inside a network before being discovered, on average.

How does threat hunting work?

The success of threat hunting programs is rooted in data. Organizations need to have tools in place to collect data from systems, because this information provides valuable clues. Human threat hunters are used to complement automated systems, because they bring a different perspective and are able to see things that machines cannot.

Threat hunters go beyond automated detection systems, such as security information and event management (SIEM) and endpoint detection and response (EDR). They identify patterns of suspicious activity that a computer might have missed or judged to be resolved was not. In addition, when a threat hunter finds issues, they can handle remediation.

Four key steps in threat hunting are:

  1. Data collection—using automated systems to cull vast amounts of information and surface anomalies that could be the sign of nefarious activity
  2. Investigation—leveraging automation to reduce the threat noise by quickly categorizing which threats are high, medium, and low risk
  3. Prevention—mitigating risk by implementing systems to deter known threats
  4. Response—containing and neutralizing threats using automation where possible
What are the types of threat hunting?

There are a number of types of threat hunting that vary according to the type of organization and available resources.

  • Structured threat hunting is based on indicators of attack (IoA) and the attacker’s tactics, techniques, and procedures (TTP) which are garnered from threat intelligence sources, such as the MITRE ATT&CK Framework. It is considered proactive threat hunting, because potential threats are often identified before damage can be done.
  • Unstructured threat hunting begins with an indicator of compromise (IoC). The threat hunting team searches the network for malicious patterns before and after the trigger or IoC. Unstructured threat hunting can uncover advanced threats, new types of threats, and cyber threats that are in the environment, but have remained dormant.
  • Situational threat hunting focuses on high-risk or high-value targets, such as sensitive data, privileged users, or critical resources. It is primarily used to prioritize threat hunting activity and improve its efficacy.