Threat hunting for today's enterprises

On average, cybercriminals spend 191 days inside a network before being discovered


In today’s rapidly evolving cybersecurity landscape, it seems that barely a day goes by without news of a new threat notification, from minor to major incidents, affecting organisations across the board. Cybersecurity is an important concern for many enterprises today. In fact, according to the latest survey by PwC in the Middle East, 74 per cent of surveyed CEOs regard cyberattacks and leaks as an obstacle to growth in 2021.

Cybersecurity often feels like a game of cat and mouse. As our solutions get better at stopping an attack, adversaries have often already developed and started using new tactics and techniques. According to the Verizon Data Breach Investigations Report, advanced threats lurk in our environments undetected, often for months, while they stealthily gather information and steal our data. If we wait until these threats become visible or an alert is generated by traditional SOC monitoring tools, it can be too late. Threat hunting can help combat these challenges. Rather than waiting for an alert, threat hunters proactively assume that an advanced adversary is already operating inside the network and set out to find evidence of its presence.

Defining threat hunting
Threat hunting is the process of searching across networks and endpoints to identify threats that have evaded security controls, before they can execute an attack or fulfil their goals. Rather than simply relying on security solutions to detect threats, threat hunting is a proactive approach to finding threats hidden in your network.

Unlike the security operations centre (SOC) and incident response (IR) teams, threat hunters not only respond to threats; they actively search for them. This process involves making hypotheses on the existence of potential threats, which are then either confirmed or disproven based on collected data and analysis.

Threat hunting also reduces your reliance on external vendors that may not know your network or normal employee behaviour as well as your threat hunting team might. Finally, threat hunting will force you to learn your networks, systems, applications, and users. Understanding all these components is a critical element of a robust security framework.

Creating an effective threat hunting program
A successful threat hunting program is an iterative combination of processes, tools, and techniques that continually evolves and adapts to suit your organisation. Firstly, you must ensure that you have the right data. You need telemetry that captures a wide range of activity and behaviours across multiple operating systems and that can serve as the base for all your threat hunting efforts. Device telemetry should include data such as network traffic patterns, file hashes, processes, user activity, network activity, file operations, persistence activity, system and event logs, denied connections, and peripheral device activity.

Secondly, a critical component of threat hunting is having the data to baseline ‘normal’ and find outliers (outlier analysis). Attackers who acquire user credentials through phishing campaigns will often try to blend in with ordinary users, so understanding a user’s typical behaviour is a useful baseline for investigating anomalous file access or login events.


Next, threat hunters develop a hypothesis. Hypotheses are typically formulated by hunters based on tools and frameworks, social intelligence, threat intelligence, and past experiences.
Generalised questions could include, “If I were to attack this environment, how would I do it? What would I attempt to gain access to? What would be my targets?”. Other examples could include questions like “Why do I see encrypted HTTPS, FTP traffic to countries in the East, in my environment?” or “Why do I see an abnormal volume of DNS queries from a single machine?”
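The baseline-and-outlier idea from the previous section and the “abnormal volume of DNS queries from a single machine” hypothesis above can be worked through in code. The following is an added example, not code from the article or from SentinelOne: it constructs a small sample DNS query log (the `timestamp client qname` line format, the `ws-*` hostnames and domains are all assumptions made for illustration), baselines per-client query volume with a robust median/MAD threshold so the outlier itself does not inflate the baseline, and flags the hosts that exceed it together with a second supporting signal, the ratio of distinct query names to total queries.

```python
"""Baseline-and-outlier hunt over a constructed DNS query log.

Added example (not from the original article). Log format, hostnames,
domains and thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from statistics import median

# Assumed record format: "<timestamp> <client> <qname>", one query per line.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def build_sample_log():
    """Construct sample data: 12 ordinary workstations plus one noisy host."""
    lines = []
    normal_domains = ["intranet.corp.example", "mail.corp.example",
                      "updates.vendor.example", "cdn.news.example"]
    for i in range(12):
        host = f"ws-{101 + i}"
        for n in range(20 + i):  # 20..31 queries per ordinary host
            lines.append(f"2021-03-01T09:{n:02d}:00 {host} {normal_domains[n % 4]}")
    # One host issuing hundreds of queries, each to a unique subdomain (constructed).
    for n in range(300):
        lines.append(f"2021-03-01T09:{n % 60:02d}:{n % 60:02d} ws-113 "
                     f"{n:x}.stage.unknown-example.net")
    lines.append("not a well-formed record")  # malformed line to exercise parsing
    return lines


def parse_line(line):
    """Parse one record; return None for malformed lines instead of aborting."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def per_client_stats(lines):
    """Baseline step: total queries and distinct query names per client."""
    totals = defaultdict(int)
    names = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        totals[rec["client"]] += 1
        names[rec["client"]].add(rec["qname"])
    return {c: {"queries": totals[c], "distinct": len(names[c])} for c in totals}


def robust_threshold(values, k=3.0):
    """Median + k * scaled MAD: unlike mean/stddev, one huge outlier barely moves it."""
    if not values:
        return None
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = max(1.4826 * mad, 1.0)  # floor so identical hosts do not yield a zero band
    return med + k * scale


def hunt_dns_volume(lines, k=3.0, distinct_ratio=0.5):
    """Hypothesis: 'why does one machine issue far more DNS queries than its peers?'

    Returns the clients above the volume threshold with the metrics an analyst
    needs to validate the finding (volume, distinct names, distinct/total ratio).
    """
    stats = per_client_stats(lines)
    threshold = robust_threshold([s["queries"] for s in stats.values()], k)
    flagged = {}
    for client, s in stats.items():
        if s["queries"] <= threshold:
            continue
        ratio = s["distinct"] / s["queries"]
        flagged[client] = {**s,
                           "distinct_ratio": round(ratio, 2),
                           "threshold": round(threshold, 1),
                           "high_distinct_ratio": ratio > distinct_ratio}
    return flagged


if __name__ == "__main__":
    for host, info in hunt_dns_volume(build_sample_log()).items():
        print(host, info)
```

On the constructed data the median is 26 queries per host and the scaled MAD is about 4.4, so the threshold lands near 39: the twelve ordinary workstations (20 to 31 queries) stay below it and only `ws-113` is flagged, with a distinct-name ratio of 1.0 that tells the hunter what to validate next. In a real hunt the same two functions would run over exported resolver or EDR telemetry, and a confirmed finding would be carried forward as a permanent detection rule.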

After generating the hypothesis, the next step is to follow up on it by investigating various tools and techniques to discover new malicious patterns in the data and uncover the attacker’s tactics. If the hypothesis is correct and evidence of malicious activity is found, then the threat hunter should immediately validate the nature, extent, impact, and scope of the finding.

Once you uncover a new threat, you need to make sure you can effectively respond to and remediate it. The response should clearly define both the short-term and the long-term measures that will be used to neutralise the attack. The main goals of the response are to put an immediate end to the ongoing attack so that systems are protected from further damage, and to understand the root cause so that security can be improved and similar attacks prevented in the future.

Finally, successful hunts form the basis for informing and enriching automated analytics. The final step in the threat hunting practice is to use the knowledge generated during the threat hunting process to enrich and improve endpoint detection and response (EDR) systems. This way, the organisation’s global security is enhanced thanks to the discoveries made during the investigation.

The importance of incorporating threat hunting
On average, cybercriminals spend 191 days inside a network before being discovered, and that’s more than enough time to cause some damage. Simply stated, if you aren’t looking for threat actors inside your network, you may never know they are there.

Threat hunting is human-driven, iterative, adaptive, and systematic. Hence, it effectively reduces damage and overall risk to an organisation, as its proactive nature enables security professionals to respond to incidents more rapidly than would otherwise be possible, significantly reducing the probability of an attacker being able to cause damage to an organisation, its systems, and its data.

Meriam ElOuazzani is the regional channel manager META at SentinelOne

