Malicious threats lurk around company networks around the globe, waiting to attack and potentially corrupt, delete, or hold critical data at ransom. Cyberthreat hunting aims to monitor a company network to detect and identify malicious behavior and stop it before it becomes a full-blown data breach. Threat hunting utilizes threat intelligence, security data, automated security tools, and human specialists to combat advanced persistent threats (ATPs) and strengthen company defenses.
With the evolving rate of cyberattacks, cyberthreat hunting is crucial to fight off pesky malware and protect your business processes and user data.
This article will discuss how threat hunting works and how to implement it into your cybersecurity strategy.
What is cyberthreat hunting?
Cyberthreat hunting (or "threat hunting") is a proactive threat detection and remediation approach focused on countering hidden threats on a target network. A proactive threat-hunting solution will monitor endpoint activity, collect telemetry data, search for indicators of attack (IoAs) and other malicious behavior, and analyze the gathered threat intelligence to identify and remediate malicious threats before they become a full-blown data breach.
If threat actors manage to access your systems, they can remain dormant for months, gradually collect security data and sensitive materials, or harvest login credentials to infiltrate the entire network. If advanced persistent threats manage to break company defenses, companies must employ a robust cyberthreat-hunting program to help security teams find and remediate them all.
Today's cyberthreat landscape demands proactive threat hunting to detect malicious activity, provide long-term risk assessment, and identify anomalies or security vulnerabilities within the protected network.
How does threat hunting work?
Threat hunting combines cyberthreat intelligence, security data, advanced threat detection technologies, and human threat hunters. Automated security tools gather extensive endpoint activity data to detect and identify potential threats and alert security teams of the most optimal remediation and incident response actions.
A successful threat-hunting program relies on enterprise risk assessments, historical data, machine learning, automated systems and entity behavior analytics to investigate security incidents and study the tactics, techniques, and procedures (TTPs) cyberattackers use to provide security analysts with in-depth data regarding unusual network traffic, potential risks, or ongoing attacks in a particular system or IT environment.
Automated threat hunters use machine-learning techniques to scour all attack surface components on the target networks to avoid the human-error factor when detecting threats. Nevertheless, a successful threat hunt relies on a security analyst. Responsible teams must use reliable findings and neutralize threats quickly and efficiently.
The importance of cyberthreat hunting
As mentioned, threat actors can remain and act unnoticed within a company network for months. To counter that, companies must focus on various cyber security tools and practices in addition to their threat-hunting techniques.
Basic cyber hygiene, correct firewall implementation, efficient security patches application, properly configured DNS filtering, etc., can all stop potential threats before they affect the protected network. Blocking an attack before it becomes a data breach can prevent money, time and other resource loss and ensure business continuity.
Even if an advanced persistent threat bypasses company defenses, a robust threat-hunting program can react promptly and remediate the ATP before it takes control of your network.
Advanced threats targeting an organization's network usually aim to access critical, sensitive company assets — intellectual property (IP), payment details, customer data, etc. However, cyberattackers can use different approaches to try and penetrate company defenses.
Below are the most common attack types.
Malware (or "malicious software") is a code or program created to harm devices, systems, or networks. The most common cyberattack type encompasses ransomware, spyware, trojans, viruses, keyloggers, worms, cryptojacking, bots and more to leverage software vulnerabilities and enable malicious activity.
Phishing relies on social engineering techniques to target email, phone, SMS, and social media platforms to entice victims into sharing sensitive information — account credentials, passwords, payment info — or to download malicious files that will, in turn, install additional malware on the victim's device.
Common phishing attack types include spear phishing, SMiShing, whaling, and vishing.
Denial of service (DoS) attacks
DoS attacks are malicious, targeted threats that flood a designated network with false requests to disrupt business processes and day-to-day operations.
Unlike "traditional" malware, denial of service attacks are usually resolved without lost data or ransom payments. However, they cost companies time, effort, workforce resources, and money to restore business operations.
For cyberthreat hunters, DoS attacks are outmatched by distributed denial of service (DDoS) attacks. This type of attack originates from multiple systems (while DoS only utilizes one system), making it faster and more challenging to block. A threat hunter must rely on a proactive approach to identify and neutralize multiple systems to counter the attack.
Code injection attacks
Threat actors use code injection attacks to inject malicious code into a compromised device or network to alter its anticipated course of action.
Code injection attacks can utilize different approaches to inject advanced threats into a system — SQL injection, malvertising, or cross-site scripting (XSS).
Compromised identity attacks are a primary concern for threat hunters. Identity-based attacks are incredibly challenging to detect, even via advanced threat detection technologies. When an attacker compromises a valid user's credentials, it is difficult to identify the typical behavior of threat actors and the valid user.
The most common identity-based attacks include kerberoasting, pass-the-hash attacks, man-in-the-middle (MITM) attacks, brute force attacks, credential stuffing and more.
A threat-hunting service focused only on external threats can easily fall victim to an internal vulnerability.
Internal threats can emerge due to current or former employees that pose a direct risk to the company because they have authorized access to sensitive data, IP, and the company network. They also know of business process specifics and company policies, which can help them avoid threat detection and carry out an attack.
Some internal actors are malicious, while others can cause security technology vulnerabilities via negligence. To combat both threat types, computer emergency response teams should implement a comprehensive cybersecurity program to educate stakeholders on attacks performed by an internal actor.
The cyberthreat hunting process
Cyberthreat hunting is a complex process that requires multiple stages to occur cyclically. Since threat hunting is a proactive approach, the threat hunter isn't aware of the exact threat type potentially lurking on a target network.
To start threat hunting, companies should outline a comprehensive threat-hunting plan. The plan should define the purpose, goals, analysis techniques, and remediation and response steps to eradicate cyberthreats from the protected system.
Defining the threat-hunting goal
Threat hunters should first define the primary reasons for a hunt and set clear goals. Here, it is easier to answer comprehensive questions to determine the threat-hunting plan more efficiently.
- What are the company's most valuable assets that require protection?
- Which assets can lead to further damage if attacked successfully?
- What security vulnerabilities can attackers find and exploit?
Every company must outline a unique set of questions to answer in the first planning stage. Afterward, security personnel can develop aggregated risk scores and threat-hunting steps and proceed to the second step — threat intelligence collection.
Threat intelligence collection
The best threat hunters know that threat intelligence is critical to successful threat hunting. However, gathering immense amounts of data is not enough to satisfy proactive hunting. This is due to two primary reasons:
- Collecting more data means your security teams will spend more time processing and analyzing it. Depending on the hunt guidelines, larger data amounts may only increase the required time for the hunt without improving results.
- Some threat-hunting techniques work more efficiently when combined with smaller data sets (grouping, stack counting).
To get the best out of threat intelligence and answer core hunt questions, a threat hunter must focus on the required security information in the current hunt process. Moreover, cyberthreat hunting should be a continuous task where past hunts will form the base and motivation for future ones.
Good threat hunters use global detection playbooks to put threat indicators under further investigation. Structured threat information expression allows security tools and analysts to identify lurking threats, calculate their potential impact on the network, and mitigate threats most optimally.
Sometimes, threat hunters will identify known tactics, techniques, and procedures and apply the proper security measures before a threat can become a data breach. However, some pesky threats may not be reflected in the malware analysis and can bypass endpoint security. In such cases, security teams must be prepared to apply the most efficient remediation policies following incident detection.
Reports and lessons learned
Throughout the resolution stage, threat hunters will gather extensive amounts of data regarding the attackers' behavior, operational techniques, and attack patterns to identify trends in your company's cybersecurity environment, eliminate existing vulnerabilities, and propose improvements to your detection and response strategy in the future.
Tools and techniques for cyberthreat hunting
There are three primary types of threat hunting — structured, unstructured, and situational.
Structured hunts are performed based on IoAs and tactics, techniques, and procedures (TTPs) attackers use. Unstructured hunts are conducted based on an indicator/trigger of compromise (IoC), and situational hunts follow vulnerabilities discovered during risk assessment or the latest TTPs shared in crowdsourced attack data.
As for methodologies, we again have three primary baseline approaches.
- Hypothesis-driven investigations
In the most common hunting model, threat hunters use updated IoA and TTP data from a large crowdsourced information pool to look for new threats in the target system proactively. The global attack data libraries are usually aligned with global detection playbooks, such as the MITRE ATT&CK® framework.
- IoC and IoA-driven investigations
This approach utilizes tactical threat intelligence to keep an inventory of all known indicators of compromise (IoCs) and IoAs associated with an updated threat pool.
All IoCs and IoAs in inventory can act as triggers to alert a threat hunter of potential attacks in progress or unusual network activity on the target system. However, relying on threat indicators can be deemed as a "reactive" security measure. (such an approach will also inspect IP addresses, hash values, and domain names)
- Advanced machine-learning analysis
This method utilizes hypotheses derived from situational circumstances. (e.g., targeted attacks, geopolitical issues) It can combine the hypothesis- and intel-driven models to utilize both IoAs and IoCs during detection and analysis.
Challenges for cyberthreat hunters
Often, senior leaders misdefine how threat hunting works, which can lead to several challenges for threat hunters.
For example, compliance and best practices frameworks often place threat hunting at the bottom of the event management and budgeting pile. A poorly funded threat-hunting service will often suffer from the lack of skilled specialists working full time, leading to a global threat-hunting gap in most security teams.
As a result, most teams are low in headcount. They can't complete as many hunts as they'd like, even if they have adequate threat intelligence and security data available for analysis.
Going deeper into the challenges pool, most organizations globally use staff who fulfill other roles as well, typically security operations center (SOC) and incident response (IR). This makes it challenging to define consistent processes and complete successful hunts. When SOC and IR professionals are forced to split their time between their primary function and threat hunting, they often fall behind on skill development and obtaining the necessary certifications to be deemed threat-hunting FTE.
Moreover, most companies employ a cyberthreat intelligence (CTI) team to enable efficient hunts. Nonetheless, if the CTI team members aren't seasoned specialists, the team will lack a broader skillset to procure behavioral and TTP-based threat intelligence to inform threat hunters.
Lastly, evolving IT environments house more complex behaviors. Due to the evolving architecture, even skilled threat hunters could confuse legitimate behavior with malicious activity
Best practices for an effective cyberthreat hunting program
Cyberthreat hunting relies on a comprehensive plan and the specialists to carry it out efficiently. You can follow several best practices to ease your company's cyberthreat-hunting planning.
- Defining your network's expected behavior
As mentioned, the evolving IT landscape can play tricks on threat hunters regarding what is considered "normal" behavior. Your company must define the expected behavior of business networks and only then start to identify anomalies.
- Observe, orient, decide, act (OODA)
This practice is straightforward — first, observe for anomalies, then structure identified risks to decide the proper remediation actions and execute them to eradicate malicious anomalies.
- Ensuring sufficient, appropriate resources
Companies need appropriate resources, such as trained security personnel and analytical security tools, to carry out an efficient cyberthreat-hunting program.
The role of artificial intelligence in cyberthreat hunting
Gathering extensive amounts of threat intelligence is a cumbersome task. Moreover, analyzing it manually can take ages. ML and deep learning algorithms enable security analysts to calculate cyber risk scores via context-defined predictive analysis. Such an approach provides quantitative, data-driven metrics that allow companies to prioritize remediation activities and focus on network areas posing the greatest risk.
In the near future, quantum computing is expected to bring cybersecurity to a completely new level. However, developers and security specialists must overcome fundamental challenges to enable global usage and a streamlined process.
Future trends in cyberthreat hunting
As mentioned, machine and deep learning are critical to defining accurate risk scores of all company assets and network areas. The internet of things is another growing industry, allowing physical and virtual objects to be interconnected and accessed via the internet. If quantum computing enters the threat-hunting scene, threat hunters will need another layer of specialization to pilot the approach adequately.
A robust cyberthreat-hunting service will still demand highly skilled, experienced resources. Solution vendors and MSPs will need a deeper understanding of network traffic behavior to offer threat hunting as a reliable product.
Acronis Advanced Security + EDR
Every company needs advanced security means to combat modern cyberattacks. While most EDR solutions today are too complex and costly, Acronis offers an all-in-one solution that's easy to pilot, explicitly designed for service providers.
With Acronis EDR, companies can rapidly detect, remediate, and further investigate threats while ensuring business continuity. Businesses can eliminate multiple products' complexity and added costs and unleash their security specialists with a single solution.
Acronis Advanced Security + EDR offers integrated backup and recovery features, complete cyber protection across all company networks, and optimized attack prioritization and analysis for instant response. Via MITRE ATT&CK®, organizations can grasp an attack's impact, its means of infiltration, and the harm it caused to ensure maximum visibility.
With Acronis Advanced Security + EDR, your business can detect, remediate, investigate, and ultimately prevent future attacks from a single dashboard without the need for an extended security team.
Hunting threats proactively is a must for modern organizations with complex environments. As today's cyberattackers are highly evasive and create more sophisticated threats, any company can be vulnerable to an attack.
Understanding your company's environment and natural network behavior is critical for a successful hunt. You must continuously monitor and update a comprehensive threat-hunting program to enhance your knowledge of the current threat landscape and your company's security posture.
When managed and maintained adequately, a proactive methodology to threat hunting can scale across hybrid, expansive environments and grow more impactful over time.
Acronis is a Swiss company, founded in Singapore. Celebrating two decades of innovation, Acronis has more than 1,800 employees in 45 locations. The Acronis Cyber Protect Cloud solution is available in 26 languages in over 150 countries and is used by 20,000 service providers to protect over 750,000 businesses.