Threat Hunting = Use humans to find stuff


Organizations realize that cyber security investment is unavoidable in the digital economy, and most have deployed leading security technologies to identify, protect, detect, respond and recover from a wide range of attack vectors.

But can they sit back and wait for tools and technologies to alert them? If so, why do companies wait an average of 220 days between the intrusion and the first time they hear about it? This is where ‘Threat Hunters’ come in.

Threat Hunting is not any of the following:

  • Acquiring or analyzing threat intelligence
  • Installing tools and waiting for alerts
  • Reporting on incidents or intrusions
  • Incident Forensics

The overall practice of Threat Hunting is indeed continuous, but it is broken up into individual missions called hunts. A hunt can last from a few hours to several days, depending on the objectives of the particular hunt. A hunt should have one or more objectives: narrow enough to stay focused, but not so broad that the hunt never really gets completed. Some example hunt objectives include the following:

  • Hunting for specific exploits: A threat hunter may have read about a specific new exploit or malware family, such as Locky, and will look broadly across the environment for signs of it.
  • Hunting for attacks against specific vulnerabilities: A threat hunter dives into high‐value systems with one or more known unpatched vulnerabilities to see whether attackers are attempting to exploit them.
  • Hunting for attacks against specific high‐value targets (HVTs): Here, the threat hunter dives deeply into the operation of a specific asset (or a small number of them), learning how it normally operates and looking for signs of reconnaissance or intrusion.

The necessary skills for any Threat Hunting team are:

  • Endpoint operating systems
  • Application behavior
  • How to use the threat hunting tools
  • Incident Response procedures
  • Baseline – knowing what is normal so that ‘abnormal’ stands out
  • Knowing the ‘High value targets’
  • Developing a ‘sixth sense’ – how would an attacker operate in this environment?
  • Developing ‘own tools’ and ‘integrations’
  • Deploying ‘Landmines’ (decoys that an attacker is likely to trip over)
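As an added example (not code from the original post), the following script turns the ‘baseline’ skill above into a small, concrete hunt: it learns which parent‐to‐child process pairs are common across hosts during a quiet period, then flags events in the hunt window that are either unseen or rare. The `host,parent_process,child_process` log format and all sample records are constructed assumptions for illustration.

```python
# Added example: baseline-vs-abnormal hunt over constructed process-creation
# records. The log format, hostnames and field names are assumptions.

# Constructed sample: "host,parent_process,child_process" from a quiet week
BASELINE_LOG = """\
ws01,explorer.exe,chrome.exe
ws01,explorer.exe,outlook.exe
ws02,explorer.exe,chrome.exe
ws02,explorer.exe,winword.exe
ws03,explorer.exe,outlook.exe
ws03,services.exe,svchost.exe
ws01,services.exe,svchost.exe
ws02,services.exe,svchost.exe
"""

# Constructed sample: records collected during the hunt window
HUNT_LOG = """\
ws01,explorer.exe,chrome.exe
ws02,winword.exe,powershell.exe
ws03,services.exe,svchost.exe
ws03,outlook.exe,cmd.exe
"""

def parse(log):
    """Turn the constructed CSV lines into (host, parent, child) tuples."""
    return [tuple(line.split(",")) for line in log.strip().splitlines()]

def build_baseline(rows):
    """Map each parent->child pair to the number of distinct hosts showing it."""
    hosts_per_pair = {}
    for host, parent, child in rows:
        hosts_per_pair.setdefault((parent, child), set()).add(host)
    return {pair: len(hosts) for pair, hosts in hosts_per_pair.items()}

def hunt(baseline, rows, min_hosts=2):
    """Flag events whose pair was never seen, or seen on fewer than min_hosts."""
    findings = []
    for host, parent, child in rows:
        prevalence = baseline.get((parent, child), 0)
        if prevalence < min_hosts:
            findings.append((host, parent, child, prevalence))
    return findings

if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for finding in hunt(base, parse(HUNT_LOG)):
        print("review:", finding)
```

The two flagged events (an Office application and a mail client spawning shells) are exactly the kind of lead a hunter would then investigate on the affected host; the `min_hosts` threshold is what tunes the balance between noise and coverage.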

Organizations should start to up-skill or train their existing security team and adopt the Threat Hunting Maturity Model.

(Figure: Threat Hunting Maturity Model)