Threat Hunters uncover security risks before they are detected by the system.
Source: Own illustration
After sneaking into a network, attackers can remain undetected for months, collecting data, searching for sensitive material, or acquiring credentials. They can then use this information to roam around the IT infrastructure, to observe it and to snatch even more data. The more data is tapped, the more severe the consequences of the attack may be. To identify such attacks as early as possible, a good defence strategy is essential. An important part of such a strategy is so-called Threat Hunting.
What is Threat Hunting?
Threat Hunting is a proactive method of strengthening IT security. It involves scanning the network and IT infrastructure for potential threats. This method is designed to find deeply hidden threats in an IT environment.
How does Threat Hunting Work?
Threat Hunting differs from traditional approaches in that it is on the one hand designed to be preventive, and on the other hand is characterized by manual activities. These can be complemented by automated techniques and security tools as well. Threat Hunting initially assumes that the system has already been infected by intruders. Based on this assumption, the Threat Hunter then looks for suspicious behaviour. Threat Hunters use three different approaches.
First, the hypothesis-based investigation evaluates information about recent cyberattacks and techniques from the Internet. Using this information, the Threat Hunter then checks whether the behaviours described there can also be found in their IT environment.
Another method is to investigate based on known indicators of compromise (IOC) and indicators of attack (IOA). IOC and IOA are characteristics and data that indicate that a system has been compromised or that an attack is in progress. Threat Hunters can also use these characteristics and data to find potentially stealthy attacks or malicious activity already underway.
In a third approach, threat hunting is supported by Big Data technologies and machine learning. During Threat Hunting, large volumes of data are systematically examined for anomalies and deviant behaviours. These anomalies can then be examined in more detail by the Threat Hunter.
What are the Benefits of Threat Hunting?
Most security incidents and attacks are discovered far too late. It is not uncommon for cyber criminals to penetrate systems completely unnoticed. They initially behave discreetly, observe, and make only small changes in order to avoid triggering an alarm and to remain undetected for as long as possible. They can then prepare their attack in complete tranquillity, for example by making changes to user profiles and their access authorizations. The attacker then becomes an insider threat. Since she/he uses legitimate credentials and access rights, the security mechanisms usually still do not trigger an alarm.
Threat Hunters bring a human element to IT security to complement the automated systems. Ideally, the Threat Hunter is a security analyst who is intimately familiar with internal operations. Thanks to their knowledge of internal processes, users and your behaviour, this Threat Hunter may be able to spot certain inconsistencies faster than an automated security system. They do so by looking for hidden malware and unusual changes, and by looking for suspicious patterns of activity that might be missed by an automated security system. This can significantly reduce the time required for threat detection, investigation, and remediation in certain cases.
In some cases, attacks can be identified through Threat Hunting before they could actually take place and cause any damage. Some threats can be detected without specific security events being present. As a result, problems can be resolved more quickly, and the consequences of security events can be significantly minimized. Afterwards, the knowledge gained from Threat Hunting can be used to optimize automated detection systems to detect similar events even earlier in the future.
Want to learn more about IT security, cyberattacks and security strategies? You can find all our blog posts about cybersecurity under the tag IT Security.
Responsible for the content of this article is Stéphanie Bauens.
