Threat hunting is an essential component of your cybersecurity strategy. Whether you’re just starting out or at an advanced stage, this article will help you grow your threat intelligence program.
What is threat hunting?
The cybersecurity industry is moving from a reactive to a proactive approach. Instead of waiting for security alerts and then addressing them, security organizations now deploy red teams to actively look for breaches, threats and risks so that they can be isolated. This is also known as “threat hunting”.
Why is threat hunting necessary?
Threat hunting complements existing prevention and detection security controls. These controls are essential to mitigating threats. However, they are optimized for a low false positive rate. Hunting solutions, on the other hand, are optimized for a low false negative rate. This means that the anomalies and outliers a detection solution would dismiss as false positives are exactly what a hunting solution tracks and queues for investigation. This lets threat hunting close the gaps that exist between detection solutions. A strong security strategy will use both types of solutions. Tal Darsan, manager of security services at Cato Networks, adds, “Overall, threat hunting is crucial because it enables organizations to proactively identify and address potential security threats before they can cause significant damage. Recent studies show that the dwell time of a threat in an organization’s network until the threat actor reaches its final objective could last for weeks or months. Therefore, having an active threat hunting program can help quickly detect and respond to cyber threats that other security engines or products miss.”
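The trade-off described above, as an added illustration that is not part of the original article: a detection rule with a fixed, high threshold (few false positives) and a hunting query that flags any source whose failure count stands out from the baseline (few false negatives) are run over the same constructed sshd log lines. The hunting query surfaces the source the alert rule stays silent on, which is the lead a hunter would investigate. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample log lines (not real telemetry): sshd failed-password events.
SAMPLE_LOG = """\
Jan 10 09:00:01 bastion sshd[2101]: Failed password for root from 10.0.0.5 port 51022 ssh2
Jan 10 09:00:03 bastion sshd[2101]: Failed password for root from 10.0.0.5 port 51023 ssh2
Jan 10 09:00:04 bastion sshd[2101]: Failed password for admin from 10.0.0.5 port 51024 ssh2
Jan 10 09:00:06 bastion sshd[2101]: Failed password for root from 10.0.0.5 port 51025 ssh2
Jan 10 09:00:07 bastion sshd[2101]: Failed password for root from 10.0.0.5 port 51026 ssh2
Jan 10 09:00:09 bastion sshd[2101]: Failed password for root from 10.0.0.5 port 51027 ssh2
Jan 10 09:12:41 bastion sshd[2150]: Failed password for alice from 10.0.0.7 port 51100 ssh2
Jan 10 09:30:12 bastion sshd[2190]: Failed password for bob from 10.0.0.8 port 51200 ssh2
Jan 10 09:45:55 bastion sshd[2230]: Failed password for carol from 10.0.0.9 port 51300 ssh2
Jan 10 10:02:10 bastion sshd[2300]: Failed password for svc-backup from 10.0.0.12 port 51400 ssh2
Jan 10 10:02:13 bastion sshd[2300]: Failed password for svc-backup from 10.0.0.12 port 51401 ssh2
Jan 10 10:02:15 bastion sshd[2300]: Failed password for svc-backup from 10.0.0.12 port 51402 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")


def failures_per_source(log_text):
    """Count failed logins per source IP (the shared telemetry both rules consume)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def detection_alerts(counts, threshold=5):
    """Detection rule: fixed high threshold, tuned so it rarely fires on noise."""
    return {ip for ip, n in counts.items() if n >= threshold}


def hunting_leads(counts, k=1.5):
    """Hunting query: flag sources above the baseline (median + k * MAD).

    Tuned for low false negatives, so it accepts more noise. Sources that
    already tripped the detection rule are removed; what remains is the set
    of 'too quiet to alert on' outliers a hunter would triage by hand.
    """
    values = list(counts.values())
    base = median(values)
    # A MAD of 0 means most sources look identical; use one failure as the scale.
    mad = median(abs(v - base) for v in values) or 1.0
    outliers = {ip for ip, n in counts.items() if n > base + k * mad}
    return outliers - detection_alerts(counts)
```

With the sample above, the detection rule alerts only on 10.0.0.5, while the hunting query additionally surfaces 10.0.0.12 (three failures against a baseline of one) as a lead.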
How to threat hunt
A threat hunter will start with an in-depth investigation of the network and its vulnerabilities and risks. To do this, they need a wide variety of technical security skills, including malware analysis, memory analysis, network analysis, host analysis and offensive skills. Once their research yields a hypothesis, they use it to challenge existing security assumptions and try to identify how the resource or system could be breached. To prove or disprove the hypothesis, they conduct iterative hunting campaigns.
If they “succeed” in breaching the target, they can help the organization develop methods to detect and fix the vulnerability. Threat hunters can also automate some or all of this process so that it scales.
Tal Darsan adds, “MDR (Managed Detection and Response) teams play a critical role in achieving effective threat research by providing expertise and specialized tools to monitor and analyze potential security threats. Hiring an MDR service provides organizations with expert cybersecurity support, advanced technology, 24/7 monitoring, rapid incident response, and cost effectiveness. MDR service providers have specialized expertise and use advanced tools to detect and respond to potential threats in real time.”
Where to look for threats
A good threat hunter must become an Open Source Intelligence (OSINT) expert. By searching online, threat hunters can find malware kits, breach lists, customer and user accounts, zero-days, TTPs and more.
Some of this information can be found on the clear web, meaning the widely used public Internet. However, a lot of valuable information is actually found on the deep web and dark web, the layers of the Internet below the clear web. When entering the dark web, it is recommended to carefully mask your identity; otherwise, you and your company could be at risk.
It is recommended to spend at least half an hour a week on the dark web. However, because vulnerabilities are hard to find there, most of what you identify will likely come from the deep web and the clear web.
Considerations for your threat intelligence program
Setting up a threat intelligence program is an important process, not to be taken lightly. Therefore, it is essential to thoroughly research and plan the program before starting implementation. Here are some considerations to keep in mind.
1. “Crown jewel” thinking
When creating your threat hunting strategy, the first step is to identify and protect your own crown jewels. What constitutes a mission-critical asset differs from organization to organization. Therefore, no one else can define them for you.
Once you’ve decided what they are, use a purple team to test whether and how they can be accessed and breached. By doing this, you can see how an attacker would think, which lets you put the right security controls in place. Continually verify these controls.
2. Choose a threat hunting strategy
There are many different threat hunting strategies you can implement in your organization. It is important to ensure that your strategy meets the requirements of your organization. Examples of strategies include:
- Build a wall and block access completely, to ensure everything related to initial access and execution is blocked
- Build a minefield, if you assume the threat actor is already inside your network
- Prioritize where to start according to the MITRE framework
3. When to use Threat Intelligence Automation
Automation drives efficiency, productivity and error reduction. However, automation is not required for threat hunting. If you decide to automate, we recommend that you ensure:
- You have staff to develop, maintain and support the tool/platform
- You have completed basic crown jewel identification and security cleanup; preferably, automate only once you reach an advanced maturity level
- The processes are easily repeatable
- You can closely monitor and optimize the automation so that it continues to deliver relevant value
The threat hunting maturity model
Like any other implemented business strategy, there are various levels of maturity that organizations can reach. For threat hunting, the different stages include:
- Stage 0 – Response to security alerts
- Stage 1 – Incorporation of threat intelligence indicators
- Stage 2 – Data analysis according to procedures created by others
- Stage 3 – Creation of new data analysis procedures
- Stage 4 – Automation of most data analysis procedures
Threat Intelligence Best Practices
Whether you’re building your program from scratch or iterating to improve your existing one, here are best practices that can help you scale up your threat hunting activities:
1. Define what is important
Determine the important assets in your threat space. Apply the “crown jewel” thinking described above: create an inventory of your mission-critical assets, check the risk landscape (how they can be breached) and then protect them.
2. Automate where you can
Automate as many processes as you can, if you can. If you can’t, that’s okay too. You will get there as you become more mature.
3. Build your network
Protecting yourself from cyber attacks is very difficult. You have to be right every time, while attackers only have to succeed once. Also, they don’t follow any rules. That’s why it’s important to build your network and get (and provide) information from other actors and stakeholders in the sector. This network should include colleagues from other companies, influencers, online groups and forums, your company’s employees from other departments, leadership and suppliers.
4. Think like a criminal and act like a threat actor
Threat hunting means moving from a reactive to a proactive mindset. You can encourage this thinking by looking at threat intelligence, tracking groups, testing tools and leveraging purple teaming for testing. While this may seem counterintuitive, keep in mind that this is how you protect your organization. Remember: it’s either you or the attacker.
To learn more about the different types of cybersecurity practices and how to leverage them to protect your organization, the Cato Networks Cyber Security Masterclass Series is available for your viewing.
A comprehensive threat hunting and threat intelligence program is essential for any business looking to enhance their security and protect their data. Fortunately, businesses of all sizes can benefit from a well-crafted program.
At its core, threat hunting and threat intelligence are two sides of the same coin: keeping your business safe. Threat hunting is the practice of proactively seeking out new signs of malicious activity, while threat intelligence is the practice of gaining information about threats and the attackers behind them.
In developing a threat hunting and threat intelligence program, businesses should consider the type of network they have, the types of assets they hold, and the kinds of threats they are likely to encounter. An assessment of assets and threats can be performed to identify what tactics, approaches and technologies may be necessary to combat them.
For example, businesses may want to implement a firewall or intrusion detection system to block malicious actors and monitor for suspicious activity. Additionally, businesses should consider using a tool like Ikaroa to provide passive visibility at the network layer. This could be used to log, monitor, alert on and respond to potential threats.
Organizations should also consider using a system that can monitor external network traffic, collect relevant threat intelligence, and disseminate it to the security team or appropriate stakeholders. This intelligence will help teams understand the current threat landscape and can help organizations better defend against new threats before they are activated.
Additional steps to incorporate into a threat hunting and threat intelligence program might include the following:
• Establishing an incident response team to handle suspected threats when they arise.
• Enhancing authentication controls to prevent malicious actors from gaining access.
• Utilizing automation capabilities to harmonize and streamline threat hunting processes.
• Developing an incident response playbook that outlines the steps to take in response to a potential threat.
Finally, teams should ensure their basic security hygiene is in place, including patch management and access control measures. Without a secure environment and procedures in place, threat hunting and threat intelligence will be of limited value.
By establishing a comprehensive threat hunting and threat intelligence program, businesses of all sizes can better protect their networks and assets. Utilizing the right security tools and processes, such as Ikaroa, can drastically reduce the chances of a successful attack. Keeping up with the threats of today’s interconnected digital world is key to staying safe and secure.