{"id":13433,"date":"2022-12-19T12:00:43","date_gmt":"2022-12-19T11:00:43","guid":{"rendered":"https:\/\/blog.rwth-aachen.de\/itc\/?p=13433"},"modified":"2022-12-15T09:35:34","modified_gmt":"2022-12-15T08:35:34","slug":"threat-hunting","status":"publish","type":"post","link":"https:\/\/blog.rwth-aachen.de\/itc\/en\/2022\/12\/19\/threat-hunting\/","title":{"rendered":"Threat Hunting &#8211; Tracking Down Threats"},"content":{"rendered":"<p><div id=\"attachment_13435\" style=\"width: 310px\" class=\"wp-caption alignright\"><a href=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/12\/IT-Center-Blog-Threat-Hunting.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-13435\" class=\"wp-image-13435 size-medium\" src=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/12\/IT-Center-Blog-Threat-Hunting-300x169.png\" alt=\"Illustration of a laptop with a magnifying glass. The magnifying glass makes security incidents visible.\" width=\"300\" height=\"169\" srcset=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/12\/IT-Center-Blog-Threat-Hunting-300x169.png 300w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/12\/IT-Center-Blog-Threat-Hunting-1024x576.png 1024w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/12\/IT-Center-Blog-Threat-Hunting-768x432.png 768w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/12\/IT-Center-Blog-Threat-Hunting-1536x864.png 1536w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2022\/12\/IT-Center-Blog-Threat-Hunting.png 1920w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-13435\" class=\"wp-caption-text\">Threat Hunters uncover security risks before automated systems would detect them.<\/p>\n<p>Source: Own illustration<\/p><\/div><\/p>\n<p>After sneaking into a network, attackers can remain undetected for months, collecting data, searching for sensitive material, or acquiring credentials. 
They can then use this information to move through the IT infrastructure, observe it and collect even more data. The more data is accessed, the more severe the consequences of the attack may be. To identify such attacks as early as possible, a good defence strategy is essential. An important part of such a strategy is so-called Threat Hunting.<\/p>\n<h3><span style=\"color: #00549f;\">What is Threat Hunting?<\/span><\/h3>\n<p>Threat Hunting is a proactive method of strengthening IT security. It involves systematically searching the network and IT infrastructure for threats that have not triggered any alarm, i.e. for intruders that are already hiding deep inside the IT environment.<\/p>\n<h3><span style=\"color: #00549f;\">How does Threat Hunting Work?<\/span><\/h3>\n<p>Threat Hunting differs from traditional, alert-driven approaches in two ways. First, it does not wait for a security tool to raise an alarm: it starts from the assumption that intruders are already in the environment and then looks for evidence of their activity. Second, it is largely manual, analyst-driven work, which can be complemented by automated techniques and security tools. Threat Hunters use three different approaches.<\/p>\n<p>First, the hypothesis-based investigation evaluates published information about recent cyberattacks and attacker techniques, for example threat intelligence reports. From this the Threat Hunter forms a hypothesis (an attacker who got in this way would leave these traces) and then checks whether the behaviours described can also be found in their own IT environment.<\/p>\n<p>Another method is to investigate based on known indicators of compromise (IOC) and indicators of attack (IOA). IOCs are artefacts that indicate a system has already been compromised, such as a known malicious file hash, IP address or domain; IOAs are patterns of behaviour that indicate an attack is in progress. 
Threat Hunters search logs and systems for these indicators in order to find stealthy attacks or malicious activity that is already underway.<\/p>\n<p>In a third approach, threat hunting is supported by Big Data technologies and <a href=\"https:\/\/blog.rwth-aachen.de\/itc\/en\/2022\/08\/29\/kuenstliche-intelligenz\/\">machine learning<\/a>. Large volumes of log and telemetry data are systematically examined for anomalies, i.e. for deviations from the normal behaviour of users and systems. An anomaly is not automatically an attack, however: the anomalies found in this way are candidates that the Threat Hunter then examines in more detail.<\/p>\n<h3><span style=\"color: #00549f;\">What are the Benefits of Threat Hunting?<\/span><\/h3>\n<p>Most security incidents and attacks are discovered far too late. It is not uncommon for cyber criminals to penetrate systems completely unnoticed. They initially behave discreetly, observe, and make only small changes in order to avoid triggering an alarm and to remain undetected for as long as possible. They can then prepare their attack at leisure, for example by making changes to user accounts and their access rights. The attacker then effectively becomes an <a href=\"https:\/\/blog.rwth-aachen.de\/itc\/en\/2022\/08\/29\/kuenstliche-intelligenz\/\">insider threat<\/a>: since they use legitimate credentials and access rights, the usual security mechanisms still do not trigger an alarm.<\/p>\n<p>Threat Hunters bring a human element to IT security to complement the automated systems. Ideally, the Threat Hunter is a security analyst who is intimately familiar with internal operations. Thanks to their knowledge of internal processes, users and their typical behaviour, such a Threat Hunter may be able to spot certain inconsistencies faster than an automated security system. They look for hidden malware, unusual changes and suspicious patterns of activity that an automated security system might miss. 
This can significantly reduce the time required for threat detection, investigation, and remediation.<\/p>\n<p>In some cases, Threat Hunting identifies an intrusion before the attacker reaches their actual objective and causes any damage, and some threats are found without any security alert having been raised at all. As a result, problems can be resolved more quickly, and the consequences of security incidents can be kept small. Afterwards, the knowledge gained from a hunt, i.e. which indicators and behaviours gave the attacker away, should be fed back into the automated detection systems so that similar activity is detected even earlier in the future.<\/p>\n<p>Want to learn more about IT security, cyberattacks and security strategies? You can find all our blog posts about cybersecurity under the tag <a href=\"https:\/\/blog.rwth-aachen.de\/itc\/en\/tag\/it-sicherheit\/\">IT Security<\/a>.<\/p>\n<p>Responsible for the content of this article is <a href=\"https:\/\/www.itc.rwth-aachen.de\/cms\/it-center\/IT-Center\/Profil\/Team\/~epvp\/Mitarbeiter-CAMPUS-\/?gguid=0x2C5E1B0A3DA32A45AB293A42E93EEC07&amp;allou=1&amp;lidx=1\">St\u00e9phanie Bauens<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Sorry, this entry is only available in 
German.<\/p>\n","protected":false},"author":1859,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"c2c_always_allow_admin_comments":false,"footnotes":""},"categories":[305],"tags":[609,61,149,727],"class_list":["post-13433","post","type-post","status-publish","format-standard","hentry","category-themen","tag-cyber-security","tag-it-sicherheit","tag-safetyfirst","tag-threat-hunting"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/posts\/13433","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/users\/1859"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/comments?post=13433"}],"version-history":[{"count":2,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/posts\/13433\/revisions"}],"predecessor-version":[{"id":13437,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/posts\/13433\/revisions\/13437"}],"wp:attachment":[{"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/media?parent=13433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/categories?post=13433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/tags?post=13433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
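The three hunting approaches the post describes (hypothesis-driven, IOC-based and anomaly-based) can be tried out on a handful of logon events. The script below is an added example and not code from the IT Center post or its author; the event format, the IP addresses, the indicator value and the lateral-movement hypothesis are assumptions constructed for illustration, not real telemetry or a real threat report.

```python
"""Added example, not from the RWTH IT Center post: a small hunt over constructed
logon events showing the three approaches the post describes. Event format, IP
addresses, the indicator value and the hypothesis are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): successful logons as
# (timestamp, account, source IP, target host). 5-7 Dec is the quiet baseline,
# 12-13 Dec the hunt period, which contains a suspicious late-night burst.
SAMPLE_EVENTS = [
    ("2022-12-05T08:52:00", "alice", "10.1.1.20", "WS-ALICE"),
    ("2022-12-06T08:58:00", "alice", "10.1.1.20", "WS-ALICE"),
    ("2022-12-07T09:01:00", "alice", "10.1.1.20", "WS-ALICE"),
    ("2022-12-05T09:10:00", "bob", "10.1.1.31", "WS-BOB"),
    ("2022-12-06T14:20:00", "bob", "10.1.1.31", "FILESRV-01"),
    ("2022-12-07T09:12:00", "bob", "10.1.1.31", "WS-BOB"),
    ("2022-12-05T02:00:00", "svc_backup", "10.2.0.5", "FILESRV-01"),
    ("2022-12-06T02:00:00", "svc_backup", "10.2.0.5", "FILESRV-01"),
    ("2022-12-12T08:50:00", "alice", "10.1.1.20", "WS-ALICE"),
    ("2022-12-12T09:07:00", "bob", "10.1.1.31", "WS-BOB"),
    ("2022-12-12T23:12:00", "alice", "10.9.9.9", "WS-ALICE"),
    ("2022-12-12T23:15:00", "alice", "10.9.9.9", "FILESRV-01"),
    ("2022-12-12T23:20:00", "alice", "10.9.9.9", "DC-01"),
    ("2022-12-12T23:28:00", "alice", "10.9.9.9", "HR-DB-01"),
    ("2022-12-12T23:35:00", "alice", "10.9.9.9", "WS-BOB"),
    ("2022-12-13T10:00:00", "contractor9", "10.1.1.77", "WS-BOB"),
]
# Constructed IOC (assumed, not from a real report); in practice this comes
# from a threat-intelligence feed.
IOC_SOURCE_IPS = {"10.9.9.9"}


def _as_dt(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse(events):
    """Turn raw tuples into dicts with a real datetime, sorted by time."""
    return sorted(
        ({"ts": _as_dt(ts), "user": u, "src_ip": ip, "host": h} for ts, u, ip, h in events),
        key=lambda e: e["ts"],
    )


def hunt_lateral_movement(events, window_minutes=30, min_hosts=4):
    """Approach 1, hypothesis-driven. Assumed hypothesis: a compromised account
    fans out to many distinct hosts within a short window, which normal users
    rarely do. Returns one finding per account that trips the threshold."""
    by_user = defaultdict(list)
    for e in parse(events):
        by_user[e["user"]].append(e)
    window = timedelta(minutes=window_minutes)
    findings = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):  # evs is time-sorted, so evs[i:] is "later"
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "start": start["ts"].isoformat(),
                                 "hosts": sorted(hosts)})
                break  # one finding is enough to open an investigation
    return findings


def hunt_iocs(events, ioc_ips=IOC_SOURCE_IPS):
    """Approach 2, IOC-based: every logon whose source address is a known indicator."""
    return [e for e in parse(events) if e["src_ip"] in ioc_ips]


def hunt_anomalies(events, baseline_until):
    """Approach 3, anomaly-based: learn per-account hosts and logon hours from the
    period before the cutoff, then flag deviations in the hunt period. An account
    with no history at all is reported, not skipped: a silent skip is exactly
    where a freshly created attacker account would hide."""
    until = _as_dt(baseline_until)
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in parse(events):
        if e["ts"] < until:
            base[e["user"]]["hosts"].add(e["host"])
            base[e["user"]]["hours"].add(e["ts"].hour)
    anomalies = []
    for e in parse(events):
        if e["ts"] < until:
            continue
        reasons = []
        if e["user"] not in base:
            reasons.append("no baseline for account")
        else:
            if e["host"] not in base[e["user"]]["hosts"]:
                reasons.append("first logon to host")
            if e["ts"].hour not in base[e["user"]]["hours"]:
                reasons.append("unusual hour")
        if reasons:
            anomalies.append({**e, "ts": e["ts"].isoformat(), "reasons": reasons})
    return anomalies


if __name__ == "__main__":
    for name, hits in (("lateral movement", hunt_lateral_movement(SAMPLE_EVENTS)),
                       ("IOC hits", hunt_iocs(SAMPLE_EVENTS)),
                       ("anomalies", hunt_anomalies(SAMPLE_EVENTS, "2022-12-12"))):
        print(f"{name}: {len(hits)}")
        for hit in hits:
            print("  ", hit)
```

Run directly, the script reports one lateral-movement finding, five IOC hits and six anomalies, all on the same late-night burst plus one account without any history. The anomaly hunt only says that something is unusual (a first logon to a host, an odd hour, an account with no baseline); whether it is malicious is the hunter's decision, which is why the same events are also checked against the indicator list and the hypothesis.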