{"id":796,"date":"2024-11-07T06:03:31","date_gmt":"2024-11-07T06:03:31","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=796"},"modified":"2024-11-07T06:03:31","modified_gmt":"2024-11-07T06:03:31","slug":"threat-hunting-strategic-approaches-and-capabilities-to-uncover-hidden-threats","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=796","title":{"rendered":"Threat Hunting: Strategic Approaches and Capabilities to Uncover Hidden Threats"},"content":{"rendered":"
\n
\n
\n
\n
\n

What is Threat Hunting?<\/h2>\n<\/div>\n<\/div>\n
\n
\n

Threat hunting is the discovery of malicious artifacts, activity or detection methods not accounted for in passive monitoring capabilities. Essentially, threat hunting is the process of identifying unknown threats that otherwise would be hiding in your network and on your endpoints, lying in wait to further expand access and\/or steal sensitive data.<\/span>\u00a0<\/span><\/p>\n

Successful threat hunting usually involves creating hypotheses based on attacker TTPs and using these to find unusual patterns or indicators that traditional security measures might miss. This proactive method also helps create special markers and behavioral signs, improving the ability to detect threats in real-time.<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n

Quick Stats<\/h2>\n<\/div>\n<\/div>\n
\n
\n

Here are some industry stats to illustrate the urgency and effectiveness of cyber threat hunting<\/span>:<\/span><\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t<\/span>\n\t\t\t<\/div>\n
\n

\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t21 days\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t<\/h3>\n

\n\t\t\t\t\t\tis the average dwell time of cyber threats\t\t\t\t\t<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t<\/span>\n\t\t\t<\/div>\n
\n

\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t57%\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t<\/h3>\n

\n\t\t\t\t\t\tof breaches involving undetected TTPs\t\t\t\t\t<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t<\/span>\n\t\t\t<\/div>\n
\n

\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t3.5 million\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t<\/h3>\n

\n\t\t\t\t\t\tis the Projected global cybersecurity talent gap\t\t\t\t\t<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t<\/span>\n\t\t\t<\/div>\n
\n

\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t45%\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t<\/h3>\n

\n\t\t\t\t\t\tincrease in ROI for organizations investing in dedicated threat hunting capabilities\t\t\t\t\t<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n
\n

Recommended Reading<\/h3>\n

For a deeper guide about Threat Hunting and best practices, explore our comprehensive whitepaper:<\/p>\n

\n
\n
\n
\n
\n
\n
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n

Mastering Threat Hunting: Your Edge Against Hidden Cyber Threats<\/a><\/h3>\n<\/div>\n<\/div>\n
\n
\n
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\tRead More<\/span>
\n\t\t\t\t\t<\/span>
\n\t\t\t\t\t<\/a>\n\t\t<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n
\n

Three Strategic Approaches for Threat Hunt<\/h2>\n<\/div>\n<\/div>\n
\n
\n

Retrospective Discovery<\/h3>\n<\/div>\n<\/div>\n
\n
\n

This approach <\/span>leverages<\/span> new internal or external intelligence (<\/span>i.e.<\/span> new IOC) to look back across the environment to see if a threat exists that was not previously detected.<\/span><\/span>\u00a0<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

Artifact Discovery<\/h3>\n<\/div>\n<\/div>\n
\n
\n

Statistical analysis approach, using machine learning to collate, aggregate and crunch the data to find abnormalities (<\/span>i.e.<\/span> identify<\/span> the least used user agent string over the last <\/span>30 days<\/span> and analyze why that is)<\/span><\/span>\u00a0<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

Activity Discovery<\/h3>\n<\/div>\n<\/div>\n
\n
\n

This type of threat hunting is where analysts <\/span>identify<\/span> patterns of behaviors (TTPs) that could be malicious.<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

Why is Threat Hunting Important?<\/h2>\n<\/div>\n<\/div>\n
\n
\n

Threat hunting is derived from a shift in the approach by security professionals on how to address risks within the organization. Previously, the focus was on building defense-in-depth and quickly reacting to suspicious activity \u2013 a \u201cVulnerability-Centric\u201d approach.<\/span><\/p>\n

More organizations are beginning to shift their approach to ensure greater visibility within the environment and proactively look for anomalous activity<\/a> based on various profiles and behaviors of attacks, attackers, and their tools. This detection-based paradigm shift is considered a \u201cThreat-Centric\u201d approach of which threat hunting is a core component.<\/span><\/p>\n

Threat hunting provides organizations with a method for taking a proactive approach to the identification of sophisticated, unknown threats\u2026 threats that have evaded preventative and signature-based detection methods. As research has shown, the average dwell time (where an attacker is hunkered down inside a network before being discovered) is measured in months.<\/span><\/p>\n

Threat hunting is a way to find attackers inside the network before they have had the opportunity to cause real damage \u2013 either by disrupting operations or stealing sensitive data. Additionally, threat hunting can be used to create new behavioral tactics, techniques, and procedures (TTPs) that can be added to existing detection methods\/rules\/tools\/and intelligence. A threat hunting endeavor will help identify activity that may have gone unnoticed over time or across the infrastructure.<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

Threat Hunting vs. Threat Intelligence<\/h2>\n<\/div>\n<\/div>\n
\n
\n

Threat hunting and threat intelligence<\/a> are usually seen as related but separate activities in cybersecurity. Both help improve security by being proactive, but they have different goals:<\/span><\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n
\n
\n
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t<\/span>\n\t\t\t<\/div>\n
\n

\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\tThreat hunting\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t<\/h3>\n

\n\t\t\t\t\t\tinvolves actively looking for unknown threats in your system, using hypotheses to find specific behaviors or artifacts indicative of malicious activity. Cyber threat hunting is a proactive, hands-on activity usually done by specialized teams.\t\t\t\t\t<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t<\/span>\n\t\t\t<\/div>\n
\n

\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\tThreat intelligence\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t<\/h3>\n

\n\t\t\t\t\t\tinvolves gathering, processing, and analyzing data about existing threats, like IOCs, TTPs, and attack trends. This information helps the threat-hunting process by giving details on the latest methods used by attackers.\t\t\t\t\t<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n

While t<\/span>hreat intelligence provides information about known threats, threat hunting uses t<\/span>hat <\/span>information<\/span>\/data<\/span> to find unknown or undetected <\/span>elements <\/span>within a company\u2019s systems.<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

Where to Start Threat Hunting?<\/h2>\n<\/div>\n<\/div>\n
\n
\n

Before threat hunting can begin, a prioritized set of questions must be <\/span>determined<\/span> as these will drive the hunt. You also must understand your infrastructure and your data as that will <\/span>impact<\/span> what types of threat hunting activities you can conduct. Also important is understanding the <\/span>expertise<\/span> on hand as that will <\/span>impact<\/span> threat hunting as well. Threat hunting is an advanced, but highly beneficial capability that requires the right people, <\/span>technology<\/span> and data to help answer the critical hypotheses that are created.<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
Catch the Threats that Other Tools Miss<\/div>\n<\/div>\n<\/div>\n
\n
\n

Explore Fidelis Security\u2019s Active Threat Detection Using proprietary algorithms developed by Fidelis Security\u2019s expert threat hunters! <\/span><\/span>What This Datasheet Covers:<\/span><\/span>\u00a0<\/span><\/em><\/strong><\/p>\n<\/div>\n<\/div>\n

\n
\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tIntroduction to Active Threat Detection<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tCapabilities<\/span><\/p>\n

\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>
\n\t\t\t\t\t\t\t\t\t\tAdvantages<\/span><\/p><\/div>\n<\/div>\n

\n
\n
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\tDownload Datasheet<\/span>
\n\t\t\t\t\t<\/span>
\n\t\t\t\t\t<\/a>\n\t\t<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\n
\n
\n
\n

Effective Threat-Hunting Tools<\/h2>\n<\/div>\n<\/div>\n
\n
\n

In 2024, using the right tools for <\/span>threat-hunting<\/span> is <\/span>very important<\/span> for <\/span>proactive<\/span> and <\/span>efficient defense<\/span>. Here are four key tools to <\/span>consider<\/span>:<\/span><\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

1. Extended Detection and Response (XDR)<\/h3>\n<\/div>\n<\/div>\n
\n
\n

XDR is not a singular threat-hunting tool; it\u2019s an integrated security platform that gathers information from various places like endpoints, networks, and cloud environments, and puts it all together in one place.\u00a0<\/span>\u00a0<\/span><\/p>\n

Fidelis Elevate<\/span><\/a>\u00ae is an example of an XDR solution that helps find threats by correlating data from these different areas, making it easier to understand and quicker to investigate. XDR supports threat hunters by making detection centralized, speeding up responses, and giving a comprehensive context that allows for more accurate and efficient threat-hunting.<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

2. Managed Detection and Response (MDR)<\/h3>\n<\/div>\n<\/div>\n
\n
\n

MDR services <\/span>offers expert-led threat monitoring, detection, and incident response, providing continuous protection and support. It<\/span> is especially useful for companies <\/span>facing cybersecurity talent <\/span>gaps or<\/span> those needing robust threat-hunting capabilities<\/a> around the clock<\/span>.<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

3. Security Information and Event Management (SIEM)<\/h3>\n<\/div>\n<\/div>\n
\n
\n\t\t\t\t\t\t\tSIEM solutions collect log data from across the network, allowing for better detection and understanding of advanced threats and complex attack patterns. By <\/span>integrating <\/span>with SIEM platforms, <\/span><\/span>Fidelis Network<\/span><\/span><\/a>\u00ae improves threat detection and response by providing more comprehensive visibility and useful information about <\/span>what\u2019s<\/span> happening on the network.<\/span><\/span>\t\t\t\t\t\t<\/div>\n<\/div>\n
\n
\n

4. Security Analytics<\/h3>\n<\/div>\n<\/div>\n
\n
\n

Security analytics tools use machine learning and behavioral analysis<\/a> to find unusual activities and give useful information about potential threats. These tools are important for discovering sophisticated, <\/span>low-and-slow attacks<\/span> that traditional security might overlook.<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

5. Endpoint Detection and Response (EDR)<\/h3>\n<\/div>\n<\/div>\n
\n
\n

EDR tools <\/span>focus <\/span>on <\/span>endpoint visibility<\/span>, helping teams<\/span> to<\/span> detect<\/span>, <\/span>investigate<\/span>, and <\/span>respond to <\/span>threats fast. <\/span><\/span>Fidelis Endpoint<\/span><\/span><\/a>\u00ae provides real-time <\/span>monitoring<\/span>, automatic <\/span>response<\/span>, and <\/span>forensic <\/span>analysis, letting security teams <\/span>identify<\/span> lateral movement<\/span> and protect devices from complex attacks.<\/span><\/span><\/p>\n

These tools provide <\/span>a strong base<\/span> for successful threat hunting, improving visibility and strengthening an organization\u2019s capability to find and respond to complex threats.<\/span><\/span>\u00a0<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

What are Key Capabilities to Look for in a Threat Hunting Capability?<\/h2>\n<\/div>\n<\/div>\n
\n
\n

Threat hunting requires the right expertise, along with the tools and data, so the first thing to determine is if that expertise is on staff, to be hired, or to be outsourced. Often times organizations will look to outsource their threat hunting capability through a Managed Detection and Response provider.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

Important capabilities and data to effectively conduct threat hunting activities include the following:\u00a0<\/strong><\/em><\/p>\n<\/div>\n<\/div>\n

\n
\n

People Skills<\/h3>\n<\/div>\n<\/div>\n
\n
\n

Threat hunting requires a unique skillset that combines multiple disciplines of security infrastructure, threat intelligence, malware analysis, data analytics and forensics, and creativity.<\/span>\u00a0<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

Threat hunters should have:<\/strong><\/p>\n

An understanding of both networks and how operating systems (OS) work in an infrastructure.<\/span>\u00a0<\/span>A background or understanding of analytic tradecraft, including the ability to create hypotheses and test those against assumptions (including biases).<\/span>\u00a0<\/span>An understanding of how attacker TTPs from both a process and\/or tool perspective.<\/span>\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n

\n
\n

Threat Hunting Process<\/h3>\n<\/div>\n<\/div>\n
\n
\n

A threat hunting process should begin by defining the level of importance that cyber risk has upon the business, what potential threats could occur and how those threats would create risk. Existing tools and teams should be used to profile the infrastructure and ensure that the profile stays up-to-date. Part of the threat hunting process also includes determining what information you need to collect and for how long, as well as what must be analyzed to ensure proactive threat analysis. By focusing on the areas within the Pyramid of Pain, you can gain the greatest impact, while minimizing alert fatigue.<\/span><\/p>\n

Once your threat hunting process is defined, create a set of rules to identify the risk or threat and metrics to address efficiency (i.e. how many alerts are generated by a new rule versus how many tickets are closed by analysts).<\/span><\/p>\n

Use the profile of the environment and the information collected to address the following questions:<\/span>\u00a0<\/span><\/p>\n

What can be automated versus what should be analyzed?<\/span>\u00a0<\/span>What should be the focus in terms of intel sources?<\/span>\u00a0<\/span>How are you incorporating the analysis process and cross-verifying with the information, such as the MITRE ATTACK framework?<\/span>\u00a0<\/span>\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n

\n
\n

By having a strong documentation and feedback process for the threat hunting activity, you can <\/span>leverage<\/span> the postmortem of the activity and results to further refine the process and the Cyber Threat Intelligence (CTI) IOCs.<\/span><\/p>\n<\/div>\n<\/div>\n

\n
\n

Technology<\/h3>\n<\/div>\n<\/div>\n
\n
\n

The third pillar of being ready to conduct threat hunting exercises is having the right technology in place. If possible, ensure security solutions can collect metadata from multiple layers in real-time. Oftentimes a SIEM will provide a repository of raw logs but may lack the capabilities or will be over-subscribed to allow for hunting activities to occur within a specific timeframe.<\/span><\/p>\n

Key capabilities to look for in a solution that will enable threat hunting include the ability to:<\/span><\/p>\n

Ingest and store metadata from network and cloud traffic, as well as endpoint activity for real-time threat detection<\/a> and retrospective analysis.<\/span>\u00a0<\/span><\/p>\n

Overlay that rich metadata with threat intelligence and run scripts to capture specific data for visibility and context.<\/span>\u00a0<\/span><\/p>\n

Import live data from various sources (i.e. network traffic and endpoint activity) into a solution where correlation of real-time and historical activity can occur to enhance visibility and validate the activity.<\/span>\u00a0<\/span><\/p>\n

Provide visibility across the cyber terrain to validate against the current environment.<\/span>\u00a0<\/span><\/p>\n

Leverage a deception layer that can be used to provide context or validation of activity.<\/span>\u00a0<\/span><\/p>\n

Foster the analyst\u2019s creativity to help identify anomalous activity with an extensible query solution for hosts.<\/span>\u00a0<\/span><\/p>\n

Quickly pull forensic images of memory or the hard drive for further analysis.<\/span>\u00a0<\/span>\n\t\t\t\t\t\t<\/p><\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n
\n
\n
\n

Frequently Ask Questions<\/h2>\n<\/div>\n<\/div>\n
\n
\n
\n
\n
\n

What frameworks support threat hunting?<\/h3>\n<\/div>\n
\n

The MITRE ATT&CK and Pyramid of Pain frameworks are commonly used to help recognize tactics, techniques, and procedures (TTPs) and <\/span>prioritize threat-hunting efforts<\/span>. Both frameworks offer a systematic way to understand and tackle the actions of adversaries and the most <\/span>important areas<\/span> of risk.<\/span><\/p>\n<\/div><\/div>\n

\n
\n

What are common challenges in threat hunting?<\/h3>\n<\/div>\n
\n

Threat hunting has <\/span>challenges <\/span>like limited resources, alert <\/span>fatigue<\/span>, and a need for highly skilled professionals. As more threats use AI, it becomes harder to tell <\/span>legitimate<\/span> activities from <\/span>malicious <\/span>ones, <\/span>underscoring <\/span>the importance of advanced tools and well-trained analysts.<\/span><\/p>\n<\/div><\/div>\n

\n
\n

How often should threat hunting be conducted?<\/h3>\n<\/div>\n
\n

The frequency of threat hunting depends on an organization\u2019s risk tolerance, available resources, and the threat landscape. Many organizations conduct continuous threat hunting, while others do so on a periodic basis, such as monthly or quarterly, based on their specific needs.<\/span><\/p>\n<\/div><\/div>\n<\/div><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

The post Threat Hunting: Strategic Approaches and Capabilities to Uncover Hidden Threats<\/a> appeared first on Fidelis Security<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"

What is Threat Hunting? Threat hunting is the discovery of malicious artifacts, activity or detection methods not accounted for in passive monitoring capabilities. Essentially, threat hunting is the process of identifying unknown threats that otherwise would be hiding in your network and on your endpoints, lying in wait to further expand access and\/or steal sensitive […]<\/p>\n","protected":false},"author":0,"featured_media":797,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-796","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/796"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=796"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/796\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/797"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=796"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=796"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}