Cyber threat hunting explained

Cyber threat hunting is a proactive cyber defence activity. It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions."[1] This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandboxes and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat.[2][3]

Methodologies

Overview

In recent years, the world has seen an alarming rise in the number and severity of cyber attacks, data breaches, malware infections, and online fraud incidents. According to cybersecurity and AI company SonicWall, the number of ransomware attacks grew by 105% globally. Major corporations around the world have fallen victim to high-profile data breaches, with the average cost of a data breach now estimated at $4.24 million, according to IBM.[4]

Cyber threat hunting methodologies

Threat hunting has traditionally been a manual process, in which a security analyst sifts through various data sources, using their own knowledge of and familiarity with the network to create hypotheses about potential threats, such as, but not limited to, lateral movement by threat actors.[5] To be more effective and efficient, however, threat hunting can also be partially automated, or machine-assisted. In this case, the analyst uses software that leverages machine learning and user and entity behavior analytics (UEBA) to inform the analyst of potential risks. The analyst then investigates these potential risks, tracking suspicious behavior in the network. Hunting is thus an iterative process: it must be carried out continuously in a loop that begins with a hypothesis.

The analysts research their hypothesis by going through vast amounts of data about the network. The results are then stored so that they can be used to improve the automated portion of the detection system and to serve as a foundation for future hypotheses.

The Detection Maturity Level (DML) model[6] expresses that threat indicators can be detected at different semantic levels. High-semantic indicators such as goals and strategy or tactics, techniques and procedures (TTPs) are more valuable to identify than low-semantic indicators such as network artifacts and atomic indicators such as IP addresses.[7][8] SIEM tools typically only provide indicators at relatively low semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels.[9]

Indicators

There are two types of indicators:

  1. Indicator of compromise - An indicator of compromise (IOC) tells you that an action has happened and that you are in a reactive mode. This type of indicator is found by looking inward at your own data, from transaction logs and/or SIEM data. Examples of IOCs include unusual network traffic, unusual privileged user account activity, login anomalies, increases in database read volumes, suspicious registry or system file changes, unusual DNS requests and web traffic showing non-human behavior. These types of unusual activities allow security administration teams to spot malicious actors earlier in the cyberattack process.
  2. Indicator of concern - Using open-source intelligence (OSINT), data can be collected from publicly available sources to be used for cyberattack detection and threat hunting.
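As an added illustration of hunting for the IOC types listed above (this is example code, not from the original article), the following Python hunt runs two hypotheses over constructed auth and DNS log lines, privileged logons outside business hours and unusual DNS requests, and then pivots on hosts that appear in both. The log format, the set of privileged accounts and the thresholds are assumptions.

```python
import math
import re
from collections import Counter
from datetime import datetime
# Constructed sample log lines (not from any real environment): auth events and DNS queries.
SAMPLE_LOGS = """\
2024-03-04T09:12:01Z auth user=jdoe host=ws-17 result=success
2024-03-04T03:41:27Z auth user=svc_backup host=ws-44 result=success
2024-03-04T10:05:13Z dns client=ws-17 query=mail.example.com
2024-03-04T10:05:14Z dns client=ws-44 query=a9f3e1c7b2d8.k4q8z1x7w3v5.tunnel-example.net
2024-03-04T11:00:00Z auth user=admin host=ws-02 result=success
2024-03-04T12:30:45Z dns client=ws-02 query=updates.example.com
2024-03-04T03:42:00Z auth user=admin host=ws-44 result=success
"""
PRIVILEGED = {"admin", "svc_backup"}  # assumed set of privileged accounts
LINE_RE = re.compile(r"^(\S+) (auth|dns) (.*)$")

def shannon_entropy(s):
    # Bits per character; random-looking labels score near log2(number of distinct chars).
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def hunt(log_text, business_hours=(8, 18), entropy_threshold=3.5):
    # Hypothesis 1: a privileged account logged on successfully outside business hours.
    # Hypothesis 2: a DNS query's leftmost label is long and high-entropy (tunnelling/DGA-like).
    findings = []  # (hypothesis, host, detail)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        kind, f = m.group(2), dict(kv.split("=", 1) for kv in m.group(3).split())
        if kind == "auth" and f.get("user") in PRIVILEGED and f.get("result") == "success":
            if not business_hours[0] <= ts.hour < business_hours[1]:
                findings.append(("priv_logon_off_hours", f["host"], f"{f['user']} at {ts.isoformat()}"))
        elif kind == "dns":
            label = f["query"].split(".")[0]
            if len(label) >= 12 and shannon_entropy(label) >= entropy_threshold:
                findings.append(("suspicious_dns", f["client"], f["query"]))
    return findings

def pivot_hosts(findings):
    # Hosts flagged by more than one hypothesis become the lead for the next hunt iteration.
    by_host = {}
    for hypothesis, host, _ in findings:
        by_host.setdefault(host, set()).add(hypothesis)
    return sorted(h for h, hyps in by_host.items() if len(hyps) > 1)

if __name__ == "__main__":
    print(hunt(SAMPLE_LOGS), pivot_hosts(hunt(SAMPLE_LOGS)))
```

The single host flagged by both hypotheses is the result an analyst would store and feed into the next hypothesis, as the iterative loop above describes.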

Tactics, Techniques and Procedures (TTPs)

The SANS Institute identifies a threat hunting maturity model as follows:[10]

Dwell Time

The dwell time either indicates the entire span of a security incident (from initial compromise until detection and full cleanup) or the 'mean time to detect' (from initial compromise until detection). According to the 2022 Mandiant M-Trends Report, cyberattackers operate undetected for an average of 21 days (a 79% reduction compared to 2016), but this varies greatly by region.[11] Per Mandiant, the dwell time[12] can be as low as 17 days (in the Americas) or as high as 48 days (in EMEA). The study also showed that 47% of attacks are discovered only after notification from an external party.

Notes and References

  1. TechRepublic, "Cyber threat hunting: How this vulnerability detection strategy gives analysts an edge", 2016-06-07.
  2. "MITRE Kill Chain", 2020-08-27.
  3. "Threat Intelligence Platform on War Against Cybercriminals", 2019-02-17.
  4. Blue Big Data, "The Future of Cyber Security and AI: Protecting Your Digital World", October 13, 2023.
  5. "Cyber Threat Intelligence (CTI) in a Nutshell", Medium.com, 2020-07-27.
  6. Ryan Stillions, "The DML Model", Ryan Stillions security blog, 2014.
  7. David Bianco, "The Pyramid of Pain", detect-respond.blogspot.com, 2014-01-17 (accessed 2023-07-01).
  8. David Bianco, "The Pyramid of Pain", SANS Institute (accessed 2023-07-01).
  9. Siri Bromander, "Semantic Cyberthreat Modelling", Semantic Technology for Intelligence, Defense and Security (STIDS 2016), 2016.
  10. Robert Lee, "The Who, What, Where, When and How of Effective Threat Hunting", SANS Institute, 29 May 2018.
  11. Mandiant, "M-Trends 2022" (PDF), 2022-04-19, pp. 7, 9, 12, 16. Archived at https://web.archive.org/web/20220513065702/https://www.mandiant.com/media/15671 on 2022-05-13; accessed 2022-05-16.
  12. In the Mandiant M-Trends report, dwell time "is calculated as the number of days an attacker is present in a victim environment before they are detected", which corresponds to the 'mean time to detect'.