What is threat hunting?
Cyber threat hunting is an active cybersecurity strategy to find patterns of unusual behaviors and vulnerabilities in your systems, software and processes. A cyber threat hunter or security analyst might look for bugs in the code base, advanced persistent threats (APTs) or malicious or unusual behaviors in operating procedures. Once threats are identified, the incident response plan is executed to remediate any active threats or patch any vulnerabilities.
A method for the madness
Now that we know what threat hunting is, let’s dive into the threat hunting process. There are a few steps threat hunters take to respond to a trigger they spotted, whether that’s an anomaly detected in their security information and event management (SIEM) technology, a message from Jamf Threat Labs relating to newly discovered malware or simply instinct that something is off. The hunter then sheds their camo and puts on their lab coat to investigate these potential threats by following this process, not unlike the scientific method:
Hypothesis: Using their experience and cybersecurity knowledge, the hunter forms a belief about how the data they’ve collected could result in a threat. This hypothesis could be:
- Analytical: Data found with machine learning and user and entity behavior analytics (UEBA) provide aggregated risk scores and hypotheses
- Situational: Crown Jewels Analysis (CJA) and enterprise risk assessments provide metrics to determine risks and mitigation strategies
- Intelligence: Reports, scans and analyses offer organizational data to assess and categorize threats
Investigation: The hunter focuses their efforts to either prove or disprove that their findings result in actual threats or vulnerabilities. They may use global detection repositories like the MITRE ATT&CK framework to compare the behaviors in their system or monitor a threat to identify malicious behavior.
Resolution: If their hypothesis isn’t proven, the hunter formulates a new one; if it is, they expand the scope of their search to ensure they understand the full coverage of the threat. From here, they initiate the incident response process to remediate and create documentation to communicate the details of the threat.
This hypothesis-based approach is an effective threat hunting methodology for responding to threats found in your system. This approach requires harvesting large amounts of data. Automation via machine learning, combined with intimate knowledge of threat intelligence, greatly assists in this endeavor.
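The hypothesis, investigation and resolution steps above, carried through in code. This is an added example and not code from the original post or from Jamf: the authentication log lines, the host inventory, the account names and the `Hypothesis`/`HuntResult` types are all constructed for illustration. The hypothesis is that a service account is being used from a host it was never provisioned on; the investigation is a per-event test over the log; if evidence is found, the resolution step pivots to every host the implicated account touched so the hand-off to incident response covers the full footprint, and the ATT&CK technique ID is recorded for the write-up.

```python
"""Hypothesis-driven hunt over a constructed authentication log (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Set

# Constructed events: (timestamp, account, source host, destination host, logon type, result)
EVENTS = [
    ("2024-05-01T02:14:00Z", "svc-backup", "ws-017",   "fileserver-1", "interactive", "success"),
    ("2024-05-01T02:15:30Z", "svc-backup", "ws-017",   "db-1",         "network",     "success"),
    ("2024-05-01T02:16:10Z", "svc-backup", "ws-017",   "hr-share",     "network",     "success"),
    ("2024-05-01T09:00:00Z", "alice",      "ws-003",   "fileserver-1", "interactive", "success"),
    ("2024-05-01T09:05:00Z", "svc-backup", "backup-1", "fileserver-1", "service",     "success"),
    ("2024-05-01T09:07:00Z", "bob",        "ws-010",   "db-1",         "network",     "failure"),
]

# Constructed inventory: the hosts each service account was provisioned to run from.
SERVICE_ACCOUNT_HOMES = {"svc-backup": {"backup-1"}}


@dataclass
class Hypothesis:
    name: str
    technique: str                      # ATT&CK technique ID recorded for the documentation step
    matches: Callable[[tuple], bool]    # per-event test that would support the hypothesis


@dataclass
class HuntResult:
    hypothesis: Hypothesis
    proven: bool
    evidence: List[tuple] = field(default_factory=list)
    scope: Set[str] = field(default_factory=set)   # hosts to hand to incident response


def service_account_misuse(event):
    """Evidence for the hypothesis: a service account authenticating successfully
    from a host it was not provisioned on, or with an interactive logon type."""
    _, account, src, _, logon_type, result = event
    homes = SERVICE_ACCOUNT_HOMES.get(account)
    if homes is None or result != "success":
        return False
    return src not in homes or logon_type == "interactive"


def investigate(hypothesis, events):
    """Investigation step: collect every event that supports the hypothesis."""
    return [e for e in events if hypothesis.matches(e)]


def expand_scope(evidence, events):
    """Resolution step: pivot from the matching events to every host the
    implicated accounts touched, so the hand-off covers the full footprint."""
    accounts = {e[1] for e in evidence}
    hosts = set()
    for _, account, src, dst, _, _ in events:
        if account in accounts:
            hosts.update((src, dst))
    return hosts


def hunt(hypothesis, events):
    evidence = investigate(hypothesis, events)
    if not evidence:
        # Hypothesis not proven: the hunter goes back and forms a new one.
        return HuntResult(hypothesis, proven=False)
    return HuntResult(hypothesis, proven=True, evidence=evidence,
                      scope=expand_scope(evidence, events))


# The hypothesis under test; T1078 is ATT&CK's "Valid Accounts".
VALID_ACCOUNTS = Hypothesis(
    name="service account used from an unprovisioned host",
    technique="T1078",
    matches=service_account_misuse,
)

if __name__ == "__main__":
    result = hunt(VALID_ACCOUNTS, EVENTS)
    print(f"{result.hypothesis.name} ({result.hypothesis.technique}): proven={result.proven}")
    for e in result.evidence:
        print("  evidence:", e)
    print("  scope for incident response:", sorted(result.scope))
```

In this constructed log the three `svc-backup` logons from `ws-017` support the hypothesis, while the `backup-1` service logon is the account's normal behavior and is left alone; the scope handed to incident response is wider than the evidence because it follows the account to every host it touched, which is the "expand the scope of their search" step in the process above.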
Threat hunting, sounds good, so where do I start?
A skillful threat hunter
Becoming or hiring a threat hunter for your IT department requires a blend of the right tools, experience and skills. Some hard skills beneficial to the role are:
- Intimate knowledge of information and systems being protected
- Knowledge of internal networks and how they communicate
- Endpoint management experience
- Ability to analyze and work with data
- Experience with data forensics
- Ability to manage, collect and analyze network traffic
- Programming ability
Some soft skills common to successful security analysts are:
- Pattern recognition
- Deductive reasoning
- Effective communication
- Out-of-the-box thinking
- Overcoming cognitive bias
- Ability to think like an attacker
Threat hunting tools
A threat hunter has a few tools in their pack to prepare for their hunt, mainly:
- SIEM technology: SIEM solutions offer real-time monitoring and analysis of your operating behaviors and log security data that can be used for analysis. They can also provide UEBA via AI and machine learning.
- Security monitoring tools: Firewalls, antivirus and endpoint security automatically and consistently search for malware, adware and ransomware.
- Analytics tools: Data and intelligence analysis software provides reports containing interactive charts and graphs, making it easier to view and analyze data trends.
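The "aggregated risk scores" that a SIEM's UEBA feature produces, and that feed the analytical hypotheses mentioned earlier, come from comparing each user's current activity against a baseline of their own past behavior. The following is an added example of that baseline-and-deviation scoring and is not code from the original post, from Jamf Protect or from any SIEM vendor; the ten-day per-user history, the features (`upload_mb`, `distinct_hosts`, `first_logon_hour`), the weights and the fixed score for users with no baseline are all constructed assumptions.

```python
"""UEBA-style baseline deviation scoring over constructed activity data (added example)."""
import statistics

# Constructed per-user daily history, ten days each:
# (upload_mb, distinct_hosts, first_logon_hour)
HISTORY = {
    "alice": [(120, 2, 9), (95, 2, 9), (130, 3, 8), (110, 2, 9), (100, 2, 10),
              (125, 2, 9), (115, 3, 9), (90, 2, 8), (105, 2, 9), (120, 2, 9)],
    "bob":   [(400, 5, 7), (380, 5, 7), (420, 6, 7), (410, 5, 8), (390, 5, 7),
              (405, 5, 7), (395, 6, 7), (415, 5, 7), (385, 5, 7), (400, 5, 7)],
}

# Constructed observations for the day being hunted. "carol" has no history at all.
TODAY = {"alice": (2400, 9, 2), "bob": (410, 5, 7), "carol": (300, 4, 9)}

FEATURES = ("upload_mb", "distinct_hosts", "first_logon_hour")
WEIGHTS = {"upload_mb": 1.0, "distinct_hosts": 1.5, "first_logon_hour": 1.0}  # assumed
Z_CAP = 10.0            # one wild feature should not swamp the rest of the score
NO_BASELINE_SCORE = 5.0  # assumed: unknown entities are worth a look, not an alarm


def zscore(value, history):
    """How many standard deviations `value` sits from the user's own history."""
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history) or 1.0   # flat history: treat one unit as one sigma
    return (value - mean) / sd


def score_user(history_rows, today_row):
    """Return (aggregated risk score, per-feature capped |z|) for one user."""
    per_feature = {}
    for i, name in enumerate(FEATURES):
        z = zscore(today_row[i], [row[i] for row in history_rows])
        per_feature[name] = min(abs(z), Z_CAP)
    total = sum(WEIGHTS[name] * per_feature[name] for name in FEATURES)
    return total, per_feature


def rank_users(history, today):
    """Score every user seen today and rank them, highest risk first."""
    ranked = []
    for user, row in today.items():
        if user not in history:
            ranked.append((user, NO_BASELINE_SCORE))
            continue
        total, _ = score_user(history[user], row)
        ranked.append((user, total))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for user, score in rank_users(HISTORY, TODAY):
        print(f"{user:<8} risk={score:5.2f}")
        if user in HISTORY:
            _, detail = score_user(HISTORY[user], TODAY[user])
            for name, z in detail.items():
                print(f"         {name:<17} |z|={z:.2f}")
```

The point of scoring against each user's own history is that `alice` uploading 2400 MB and touching nine hosts at 02:00 is extreme for her even though `bob` moves more data every day; a single global threshold would miss one or flag the other. Scores like these are a starting hypothesis for the hunter, not a verdict: the ranked list says where to look first, and the investigation step decides whether the deviation is malicious.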
Building a threat hunting workflow
As complex as threat hunting is, developing a formal workflow simplifies the process and lessens the odds of missing a threat. This workflow should provide:
- A centralized repository of known adversarial behaviors and detection analytics
- A list of best practices for threat hunting
- Clear and consistent nomenclature between departments and/or organizations
- Methods for community-driven efforts to detect threats and provide better defense against existing, new and unknown attack types
- Processes and auditing mechanisms that increase the maturity level of the security and IT organizations
Your workflow can simplify the actions taken and responsibilities allocated throughout your security teams and other relevant departments. Integrating already established frameworks into your workflow can reinforce your processes. A few notable frameworks developed by industry leaders are:
- Cyber Kill Chain, developed by Lockheed Martin
- The Diamond Model, developed by senior security analysts
- MITRE ATT&CK, developed by the MITRE Corporation
Considering the complexity and resources threat hunting requires, what are the benefits that make it worth the pursuit? Threat hunting fills your arsenal with data and foresight to defend your systems from malicious attacks. A successful threat hunter can squash APTs and malicious behavior and stop future threats in their tracks, keeping your intellectual property, business information and employee information out of the hands of bad actors.
On the prowl for threat hunting solutions? Jamf Protect looks out for you.