“Threat hunting” is a buzzword in cybersecurity today. It conjures images of clandestine agents waiting in the shadows, ready to spring into action and neutralize a threat, but that’s not exactly what cyber threat hunting is. Nor is it necessarily what many of today’s cybersecurity product vendors make it out to be: a fully automated process that uses artificial intelligence to root out cyber criminals before they can act on their objectives.
Understanding threat hunting means understanding incident response and digital forensics, because threat hunting is essentially incident response for an incident you don’t yet know about.
Cyber threat hunting vs incident response
When you respond to an incident, you already know something is going on, and you use forensic techniques to investigate, contain, and eradicate it. With threat hunting, you are trying to uncover the incident you don’t yet know about, using the same forensic techniques (packet capture, memory dumps, server and workstation images) and reviewing the data for activity that your endpoint protection or network protection may not have alerted on. It is a needle-in-a-haystack exercise, and it takes many hours of searching to find a potential threat.
Cyber Threat Hunting - Basic Tools Needed
To be successful in your hunt you need the right tools in place before you start. A common flaw in incident response plans is failing to put those tools in place. You need logs and event alerts from a SIEM, the ability to capture packets on demand, and the ability to dump memory and pull copies of executables and DLLs from endpoints. Then you need the ability to analyze all of that data. Have you prepared your organization with these tools? Have you trained people to use them and given them time to practice? These are the things that lead to a successful hunt, and a successful response.
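The kind of review the two sections above describe, combing SIEM data for activity that nothing alerted on, is usually done as a hypothesis-driven hunt. The script below is an added example written for this page; it is not Foresite’s tooling and not part of the ProVision SIEM. It reads constructed image-load events in a simplified Sysmon Event ID 7 shape (the field names, host names, and the short list of Windows system DLL names are this example’s own assumptions) and applies three hunting checks: least-frequency-of-occurrence stacking to surface DLLs that only one host loads, a check for a system DLL name loading from outside the system directories, and a check for unsigned loads. It ranks the candidates for an analyst; it does not decide for them.

```python
"""Hypothesis-driven hunt over endpoint image-load events.

Added example, not Foresite's tooling. Hypothesis: a DLL that only one host
loads, that is unsigned, or that carries a Windows system DLL name but loads
from outside the system directories deserves an analyst's eyes even though
no endpoint alert fired. Stacking (least-frequency-of-occurrence) narrows the
haystack; a human still reviews what it surfaces.
"""
import json
import ntpath
from collections import defaultdict

# Constructed sample log: one JSON object per line, in a simplified Sysmon
# Event ID 7 (Image loaded) shape. Field names and hosts are this example's
# own, not a real schema or a real environment.
SAMPLE_LOG = r"""
{"host": "WS01", "image": "C:\\Windows\\explorer.exe", "loaded": "C:\\Windows\\System32\\ntdll.dll", "signed": true}
{"host": "WS02", "image": "C:\\Windows\\explorer.exe", "loaded": "C:\\Windows\\System32\\ntdll.dll", "signed": true}
{"host": "WS03", "image": "C:\\Windows\\explorer.exe", "loaded": "C:\\Windows\\System32\\ntdll.dll", "signed": true}
{"host": "WS04", "image": "C:\\Windows\\explorer.exe", "loaded": "C:\\Windows\\System32\\ntdll.dll", "signed": true}
{"host": "WS05", "image": "C:\\Windows\\explorer.exe", "loaded": "C:\\Windows\\System32\\ntdll.dll", "signed": true}
{"host": "WS01", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "loaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\mso.dll", "signed": true}
{"host": "WS02", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "loaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\mso.dll", "signed": true}
{"host": "WS03", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "loaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\mso.dll", "signed": true}
{"host": "WS03", "image": "C:\\Program Files\\Acme\\acme.exe", "loaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\version.dll", "signed": false}
{"host": "WS04", "image": "C:\\ProgramData\\Vendor\\agent.exe", "loaded": "C:\\ProgramData\\Vendor\\agent.dll", "signed": false}
{"host": "WS05", "image": "C:\\Program Files\\Acme\\acme.exe", "loaded": "C:\\Program Files\\Acme\\acme.dll", "signed": true}
"""

# Assumption: in a real hunt these names come from a gold-image inventory of
# %SystemRoot%\System32; a handful is enough to show the check.
SYSTEM_DLL_NAMES = {"ntdll.dll", "kernel32.dll", "version.dll", "wininet.dll", "dbghelp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_events(log_text):
    """Parse one JSON event per line. The loaded path is lower-cased because
    Windows paths are case-insensitive and stacking must not split on case."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            ev["loaded"] = ev["loaded"].lower()
            events.append(ev)
    return events


def stack_by_dll(events):
    """Least-frequency-of-occurrence: map each loaded path to the hosts that loaded it."""
    hosts = defaultdict(set)
    for ev in events:
        hosts[ev["loaded"]].add(ev["host"])
    return hosts


def rare_loads(events, max_hosts=1):
    """Paths loaded on at most max_hosts hosts; the long tail is where hunters start."""
    return {path: sorted(h) for path, h in stack_by_dll(events).items() if len(h) <= max_hosts}


def system_name_outside_system_dir(events):
    """A system DLL name loading from outside the system directories is the
    shape of DLL search-order hijacking, so flag it regardless of prevalence."""
    return [ev for ev in events
            if ntpath.basename(ev["loaded"]) in SYSTEM_DLL_NAMES
            and not ev["loaded"].startswith(SYSTEM_DIRS)]


def hunt(log_text, max_hosts=1):
    """Return [(path, [reasons...])], most reasons first, for an analyst to triage."""
    events = parse_events(log_text)
    reasons = defaultdict(list)
    for path, hosts in rare_loads(events, max_hosts).items():
        reasons[path].append(f"loaded on only {len(hosts)} host(s): {', '.join(hosts)}")
    for ev in system_name_outside_system_dir(events):
        reasons[ev["loaded"]].append(f"system DLL name outside system dirs, loaded by {ev['image']}")
    for path in sorted({ev["loaded"] for ev in events if not ev.get("signed", False)}):
        reasons[path].append("unsigned")
    return sorted(reasons.items(), key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for path, why in hunt(SAMPLE_LOG):
        print(path)
        for r in why:
            print("   -", r)
```

On the constructed data the Temp-directory version.dll rises to the top with three reasons, the unsigned vendor agent.dll comes second, and the signed acme.dll still appears because only one host loaded it. That last case is the point: stacking tells you where to look, not what you found, and each candidate still needs a human to pull the file, check its hash and signer, and decide.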
Where are threats hiding?
Not all areas of your organization are equally susceptible to threats. Do you know the critical areas to look in? This goes back to understanding your company or organization’s valuables, who would have an interest in those valuables, and the adversary’s usual modus operandi.
Where should we look? Usually you will want to understand your network and where the “crown jewels” reside, so that you can narrow your focus. If you wanted to hunt ducks you wouldn’t go to the desert. If you hold credit card numbers, health records, or DoD information, the places where that data lives are where you should focus. If you hold DoD data you are more likely to be targeted by nation states, so learn their tactics; if you hold credit card data, organized crime is more likely to be your adversary, so study what has been documented about their approach.
Will AI replace human cyber threat hunters?
While machine learning has made threat hunting much better, the idea of using AI alone to do it is overblown, because analyzing the collected information is still a very human task. Rob Lee of the SANS Institute used the analogy of spell check in a 2018 report: no one lets spell check apply corrections without review, because the document would be a mess. Deciding whether a DLL is benign or malicious is far more complex than that. Machine learning will let us get by with fewer hunters, leaving us with only the best ones, but it is hard to imagine a time when we would have a fully AI-driven threat hunting capability.
If we prepare well, put the right tools and processes in place, and train our people and give them practice, we can have very effective threat hunting and incident response. Remember that threat hunting, incident response, and digital forensics are all teeth of the same gear: all must work together for each part to be effective.
Foresite cyber threat hunting
At Foresite Cybersecurity, our Security Operations Center is staffed by trained and certified threat hunting specialists. Using our proprietary ProVision SIEM and other tools of the trade, we help customers find, identify, and eradicate threats in their environments. Contact us today to learn more about our threat hunting capabilities and to request a quote.