Threat hunting can be defined in a few different ways. Most would define threat hunting as the proactive approach of utilizing threat intelligence, alerts and log data—or even technical experience—to create and define hypotheses that can be tested to find unknown threats, security gaps and potential zero-days.
I like to think of threat hunting as a science experiment with theories and data that require testing. It joins both human and data analytics in an effort to read between the lines. More often than not, threat hunting is a proactive approach to cybersecurity and is a strong addition to any security strategy.
The Evolution of Threat Hunting
As we’ve seen threat actors work around the clock to cause trouble, we’ve also seen threat hunting become a more popular practice in recent years. If you think about it, attackers have the first-move advantage in most scenarios—their victims aren’t even aware of their presence until it’s too late. Threat hunting aims to solve that problem. Threat hunting is all about being proactive—it combines technical and behavioral analysis to help businesses stay ahead of the latest threats and catch them before they can do greater damage.
Dwell times have always been a point of issue. Threat actors have the ability to sneak into an environment unnoticed and maintain their persistence for over 200 days. Over the years, we've brought that number down to ~70 days thanks to the wider adoption of detection and response technology. But 70 days is still too much—it’s in this gap between detection technology and adversary dwell time that we conduct our threat hunting operations.
Who Are Threat Hunters?
At a general level, a threat hunter's job is to proactively seek out threats before they’re able to do exponential damage to an organization. They analyze data for discrepancies and outliers, read and interpret threat intel feeds, build and test hypotheses, look for patterns of suspicious activity and seek to improve an organization’s security posture by identifying what’s benign vs. what’s malicious. And because threat hunters are trying to find the needle in the haystack, they’re often intrinsically curious, persistent and they like to solve problems and think outside the box.
Just as threat hunting hasn't changed much since its inception, the "mindset" of a threat hunter hasn't really changed. We still look for things out of the norm and chase down leads which almost always end up being red herrings... but still, we love the hunt and we love our job.
If anything has changed, it's been the growing community of hunters and researchers helping each other and the concept of "purple teaming." But that's a topic for another blog. 😉
Threat hunting today consists of tons of research, finding intel and testing theories and ideas. And the community is always tossing out intel and ideas that other researchers are able to use, test and refine themselves and end up sharing the refinement or new leads with the community.
Types of Threat Hunting
Everyone has their own approach or way of thinking about things, and that goes for researchers too. For myself, I like to think there are four types of hunts: intelligence-driven, data-driven, knowledge-driven and of course, hybrid hunts.
Intelligence-driven hunts consist of collecting and analyzing intel from various sources in order to execute the hunt mission. Intel can consist of file names, hashes, IPs, campaigns, IOCs, email addresses, domains, etc. Using the collected intelligence, we can create hypotheses that we can test against our data sources.
Data-driven hunts rely on internal data that could potentially indicate malicious behavior. The types of data we could use for data-driven hunts are low-priority alerts and detections and aggregated analytical data. This data does not give us our “smoking gun,” nor does it mean anything bad is happening at all, but it gives us a good starting point to create hypotheses on what we are seeing.
Knowledge-driven hunts rely on our knowledge of available data sets, client networks, and adversary tactics, techniques and procedures (TTPs). Knowing adversary TTPs lets us know how to look for malicious behavior. Using frameworks like MITRE ATT&CK, we can create hypotheses based on threat actor TTPs that have been seen in the wild.
Hybrid hunts combine two or more types of hunts that could help us create hypotheses with a more narrow scope. For example, if data shows certain events happening on endpoints and intel suggests that these events could be part of a campaign that adversaries are conducting, we can create a hypothesis that combines data-driven and intelligence-driven hunt methods.
The phases of any type of hunt are typically the same:
- First, we plan by determining the type of hunt we’re going to conduct. During this phase, we develop the hypothesis and determine which data sources we’ll need to be successful.
- We then move on to the execution phase where we analyze the data from the appropriate sources and refine it. It’s important to constantly evaluate and refine the data during this process.
- Lastly, we have the reporting phase, which is possibly the most important phase of the three. This phase looks different depending on the results returned. If there is something that we have determined is malicious, it’s here where we report it to the proper channels and initiate an incident response. Regardless if our hunt returned anything, it is important to determine the lessons learned and potentially share valuable information or create detections that could better protect our network.
Why We Need Threat Hunting
At the end of the day, software can’t match human intelligence. Machine learning and automation have their place, but they still require humans to make the last-minute decision to contain and respond accurately. Plus, modern threat actors are intelligent and know how to exploit those blind spots. They’ve got entire teams that spend their days identifying ways to abuse, exploit or slip past IT security tools. How can you expect to beat that with automation alone?
We need hunters at the forefront. A threat hunter with a well-trained eye is more likely to pick up on TTPs and suspicious activity and can actually help software-based tools be more accurate. Overall, threat hunting enables security teams to identify unknown threats and catch them before they cause major damage and disruption. It’s this proactive protection against the unknown that makes threat hunting unique and incredibly important to cybersecurity today.
Want to dive deeper into what threat hunting looks like? Check out our video series, Behind the Hunt, to explore the world of threat hunting and security research from the defender's point of view.