What is Cyber Threat Hunting?
Cyber Threat Hunting is the practice of proactively searching through computer networks for advanced threats and malicious factors that may have slipped past an SMEs traditional security endpoint. Fortunately, IT support companies like EC-MSP can provide new security paradigm solutions to detect possible threats that have gone undetected.
This article will discuss the Cyber Threat Hunting Process, the Hunting Maturity Model and briefly conclude on why SMEs should outsource their threat hunting program if they don’t have cyber security experts.
The Cyber Hunting Process
1. Hypothesis Creation and Testing Stage
Hypothesis creation or generation is the first step when it comes to establishing the basis for an investigation. This first step is necessary because Cyber Threat Hunting isn’t alert based, but rather a proactive process. For example, if you’re conducting a hunt against fileless malware in a computer network, the aim of the hunt will be to find attack vectors such as .NET, Malicious Macros, Windows Management Instrumentation (WMI) and other PowerShell tools.
However, without an executable file there’s no signature for an anti-virus to detect. This is what makes fileless malware very difficult to find. A fileless malware is a type of software that uses legitimate programs to infect a computer. In essence, it makes a Windows operating system turn against itself. Fileless malware can remain undetected because it’s memory-based, not file-based. Testing every fileless attack vector for malware is a time-consuming, frustrating and daunting task.
2. Data Gathering Stage
This is a key process that involves the collection, normalisation and analysis of sensitive data. Even though collecting all logs is a time-consuming approach, the following categories of data are recommended. A cyber analyst requires adequate data in order to perform a successful cyber hunt. Generally, data can be classified into two sections:
A. EndPoint data
Endpoint data comes from endpoint devices. These devices include laptops, desktops, tablets and mobile phones. The types of data that can be sourced from endpoint devices include registry access data and file data.
B. Network data
Network data comes from network devices such as session control borders for VoIP, firewalls, switches and routers. The type of data that can be sourced from network devices are proxy logs, DNS logs, monitoring logs and router logs.
This is where solutions like privileged session management become relevant as they deal specifically with the issue of controlling sessions.
3. Data Organization Stage
Once hypotheses have been created, tested, and data has been gathered, hunters need to identify which hunting tools are appropriate for organising and analysing the information gained. For effective data organisation and analysis, automated detection systems such as Security Information and Event Management (SIEM) and Intrusion Detection System (IDS) are employed.
4. Stage of Responding to Threat or Containing It
At this final stage, cyber security analysts will have enough data from stage 3 to answer the hypotheses created in stage 1 of the Cyber Threat Hunting process. The response to a threat may be in two folds: either the vulnerability is found, or the actual threat is detected. In either case, an immediate action is required. The cyber analyst works with the incident response team and other existing security teams to create the best response. The goal here is to immediately stop the attack and put in measures to ensure the same threat isn’t successfully carried out again.
The Hunting Maturity Model (HMM)
There are some factors to consider when assessing an organisation’s ability to hunt for cyber threats.
- The quality and quantity of data being collected by the organisation for hunting.
- The tools provided by the organisation to access and analyse the data.
- The skills of the analysts who use the data and techniques to find the breaches that have slipped through.
The maturity level of a cyber threat can be determined by the quantity and quality of the data that the organisation regularly collects from its computer network. The higher the volume of collected threats and the greater the variety of data provided to cyber threat analysts, the more results they will find, and the more effective they will be as threat analysts. The Threat Hunting Maturity Model (HMM) consists of the following five levels.
Initial – HMM Level 0
Organizations at this level rely primarily on automated alerts from anti-virus, SIEM or IDS which detect malicious activities within the corporate network. At this level, the only human involvement is directed towards the resolution of alerts.
Minimal – HMM Level 1
At this level, organisations still rely on automated alerting to drive the incident response process. However, they extract key indicators from threats and look for historical data to find out if they have been identified in the short run.
Procedural – HMM Level 2
Organizations at this level can learn and apply different data analysis procedures developed by others on a regular basis. The procedures developed by others help HMM Level 2 organisations in identifying a particular type of malware activity. A general example can be gathering data about malware that shuts down a computer 10 minutes after booting. At this level, though, HMM Level 2 organisations aren’t yet capable of creating new procedures for themselves.
Innovate – HMM Level 3
Organisations at this level are capable of creating and publishing their own data analysis procedures instead of using only those developed by others. HMM3 organisations have at least a few cyber threat hunters who completely understand data analysis techniques and can apply them to detect malicious activities.
Leading – HMM Level 4
Level 4 organisations can fully automate. At this level, any threat detection process that proves to be successful is turned into automated detection, freeing analysts from repeating the same process over and over.
Outsourcing Security Analysts
While this article has explained the process of Cyber Threat Hunting, the true challenge lies in sourcing security analysts who can conduct the detection of malware processes efficiently. If you’re going to use in-house talent pool for threat hunting, you must ensure they have the prerequisite skills to manage Advanced Persistent Threats (APTs) carried out by hackers. Otherwise, you should outsource the threat hunting program if you don’t have enough security analysts to conduct a cyber threat hunt effectively and efficiently.