Beyond Detection: The art and science of proactive threat hunting

Rob_Lowe
Staff

What is threat hunting?

Threat hunting is a fairly nebulous topic in many ways; it spurs a lot of deep conversation and sometimes debate about which strategies actually work and what the best way to perform it is. The truth is that there is no right or wrong way to perform threat hunting. It is a creative process for finding attackers, bound by the data, skills, institutional knowledge, and threat intelligence available to the teams performing the hunting missions.

Now you might be thinking, “If it’s a creative exercise, why does it belong in security operations?” 

A threat hunt mission looks for post-compromise behavior in an environment before the impact can occur. Threat actors that gain initial access still have a lot of work to do: they need to identify where they are in the environment, what credentials are available, and the level of access they have. The time between initial compromise and the completion of the threat actor's mission offers detection and threat hunting opportunities.


Benefits and business justification

The primary goal of threat hunting is the prevention or minimization of impact through the reduction of dwell time but there are other benefits.

The creative process of hunting often has defenders identifying new data or segments of the infrastructure that are not covered by standard monitoring. This exploration often leads to the identification of visibility gaps that can be addressed by adding log sources to a SIEM platform or by extending existing tools.

Over time, hunting detection strategies evolve in their efficacy. At the onset, most hunt missions will yield vastly more false positives than true findings. Once a hunting technique has been honed to be accurate and reliable, it can be passed on to the SOC as an input to their triage processes. This automates the process, moves the detections closer to real-time, and allows the hunt team to continue innovating.

As incidents are discovered and additional avenues of exploration and analysis occur, threat hunters will identify opportunities for the remediation of vulnerabilities in architecture, configuration, and process. These should be raised by the team, along with recommendations for the mitigation of the risks discovered.

The earlier a breach is discovered, the faster your team can respond and contain it. Threat hunting enables rapid detection, helping you minimize dwell time. Shorter dwell time means reduced damage, potential loss of intellectual property, and reputational issues. All of those things have tangible or intangible costs associated with them.

  • Loss of Productivity or Revenue: Cyber events often result in costly, prolonged outages both during the attack and during the remediation process.

  • Avoiding Remediation Costs: The cost of cleaning up after a significant breach can be astronomical. Early detection through threat hunting reduces these costly scenarios.

  • Lowering Cyber Insurance Premiums: A robust threat hunting program can demonstrate strong security posture to insurers, potentially lowering premiums.

  • Protecting from Regulatory Penalties: Proactive threat hunting demonstrates compliance with regulations like GDPR and HIPAA, potentially helping avoid fines related to a cyber incident.

Mature organizations have robust risk management and analysis programs.  These functions perform actuarial analysis of risks to understand the probability and potential impact of a given risk.  Many organizations perform extensive analysis on their business and track the dollar cost for any interruption of organizational execution by function, location, and system down to the dollar per minute. Based on the results, they make investments in mitigation strategies to avoid the negative outcomes.

Threat hunting is a mitigation strategy for the risk of operational impact posed by cyber threats.  If you evaluate the potential cost of a serious incident that involves loss of revenue, remediation costs, regulatory penalties, and the intangibles of reputation and intellectual property loss, a threat hunting function within your organization may make sense.

 

People, data, process, and methodologies

At the core of a threat hunting program is the team or individual tasked with the role.  The ethos of the program should be nurtured as analytical, methodical, and creative, with permission to be entrepreneurial in their experimentation with different hunting tactics.

There are a few essential components of a successful threat hunting program.

  • Program: First, it should be a formally established team or function that is resourced and empowered. Processes and procedures should be documented and repeatable.  The program should have tight interlock with the intel team, SOC, and IR functions, among others.

  • Expertise: Hunting requires constant research and learning but members of the team should have solid knowledge across a broad spectrum of enterprise technologies, security tooling, and attacker methodologies.  It also helps to have deep institutional knowledge that allows team members to see the organization as an attacker might, from both a technology and business standpoint. 

  • Data: Data is the field in which threat hunters play.  Sources utilized often include logs from security tools and other technologies in your environment.  Custom application logs, uploaded files, memory images, or code repositories could also be targeted.  Access to the various data sources must be provided in a safe and traceable way.

  • Intelligence: Threat intelligence is an essential element for hunting. It defines what you should hunt for: actors who are likely to specifically target you, along with those that are opportunistic threats. Intelligence about the TTPs used by a threat actor, often in the form of MITRE ATT&CK, helps direct hunting efforts and provides an organizational framework for missions. Incident details provide examples of specific attacker behaviors and their manifestations in data. IOCs, YARA rules, and other detective content can also be leveraged.

  • Tools & automation: Threat hunting requires the ability to query and analyze data of many types and in different ways.  Collection and analysis should be automated as much as possible. SIEMs, EDRs, and other data analysis/ML platforms are often used but some methodologies may require custom tools or coding. The advent of AI now opens up new avenues for both the production of missions and data analysis.

There are four broad categories for the types of hunting that are often performed.  

  • Hypothesis-driven threat hunting is grounded in a combination of threat intelligence, attacker empathy, and organizational knowledge. “Knowing my organization, if I were an attacker, what would I target and how?”. It can involve the use of various tools and data, depending on the hypothesis.
    • Example: At one organization, several previous attacks involved the implantation of keyloggers on the systems of executive assistants to monitor the writing of memos, emails, and other activities.  So, we routinely performed hypothesis-driven threat hunts that focused on scouring services, autoruns, running processes, memory, and other artifacts on secretary-owned machines to identify potential keyloggers.  We used IOCs, yara rules, other signatures, and also looked for anomalies.
  • TTP-based threat hunting is one of the most effective methodologies but also the hardest to implement, as it requires a detailed understanding of a given attack technique, how it would manifest in data, and the possible permutations that could occur in variations of the attack. It is most often implemented in SIEM or analytics platforms that provide broad access to data and the ability to write complex analysis and logic rules.
    • Example: Attackers are using various third-party remote access software for command and control while evading detection (MITRE ATT&CK T1219). After researching all of the process hallmarks and permutations of such activity, a SIEM query was written to look for artifacts generated by many types of remote access software, even those that had not yet been seen used in attacks.
  • Anomaly-based threat hunting involves the identification of potentially malicious activity through the statistical analysis of data to identify outlying behavior. It is most often implemented in a SIEM or analytics platform. This works best in an environment that is largely homogeneous and reasonably predictable. User and Entity Behavior Analytics (UEBA) findings are a type of anomaly-based hunting.
    • Example:  In a mission to try and find backdoors and other malicious software resident on systems within the organization, we set up a process to acquire a list of all defined services, service DLLs and the hashes of associated binaries from each system.  Then we performed frequency analysis and investigated services that existed on less than 1% of systems.
  • IOC-driven threat hunting is most often the application of tactical intelligence against data stores that contain process execution and network activity logs. I would potentially include the use of YARA rules against binaries in this category, as well. This is most often done in a SIEM but can be done in other tools.
    • Example: Taking the latest IOCs from a recent CISA report and hunting over historic data in the SIEM for the identification of potential compromise.
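Worked version of the anomaly-based service-prevalence hunt described above, as an added example that is not code from the original post. It assumes each host has already been inventoried into (service name, binary path, binary hash) records; the fleet, host names, paths and hashes below are constructed sample data so the script runs offline.

```python
"""Prevalence analysis of service inventories across a fleet (added example)."""
import random
from collections import Counter, defaultdict

# Key a service on name + binary + hash: the same name backed by a different
# binary or hash is a separate (and more suspicious) entry, not a collision.
COMMON_SERVICES = [  # constructed baseline present on every host
    ("wuauserv", r"C:\Windows\System32\wuaueng.dll", "sha256:aaaa"),
    ("Dnscache", r"C:\Windows\System32\dnsrslvr.dll", "sha256:bbbb"),
    ("EventLog", r"C:\Windows\System32\wevtsvc.dll", "sha256:cccc"),
]


def build_sample_inventory(num_hosts=500, seed=7):
    """Constructed fleet: baseline services everywhere, a line-of-business
    agent on roughly 30% of hosts, and two rare entries on a few machines."""
    rng = random.Random(seed)
    inventory = {}
    for i in range(num_hosts):
        services = list(COMMON_SERVICES)
        if rng.random() < 0.3:
            services.append(("LobAgent", r"C:\Program Files\LOB\agent.exe", "sha256:dddd"))
        inventory[f"host{i:03d}"] = services
    # A name that mimics a real service but points at a user-writable path.
    for host in ("host017", "host233"):
        inventory[host].append(("wuauserv", r"C:\Users\Public\wuaueng.dll", "sha256:eeee"))
    # A one-off service seen on a single machine.
    inventory["host404"].append(("UpdateSvc", r"C:\ProgramData\upd\svc.exe", "sha256:ffff"))
    return inventory


def rare_services(inventory, threshold=0.01):
    """Return [(service, host_count, hosts)] for services installed on fewer
    than `threshold` of all hosts, rarest first: the investigation queue."""
    total = len(inventory)
    counts, hosts_by_service = Counter(), defaultdict(list)
    for host, services in inventory.items():
        for svc in set(services):  # count each service once per host
            counts[svc] += 1
            hosts_by_service[svc].append(host)
    rare = [(svc, n, sorted(hosts_by_service[svc]))
            for svc, n in counts.items() if n / total < threshold]
    return sorted(rare, key=lambda row: row[1])
```

On a real fleet the rare set is dominated by benign one-offs (pilot groups, new deployments), so pivot on binary path, hash and signer before treating an entry as a finding, and feed confirmed-benign keys back as an allow list.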

If you want to hear the in-depth discussion, catch the on-demand session, Beyond Detection: The art and science of proactive threat hunting.

 

How Google Cloud Security can help

Google Cloud Security can help customers in many ways depending on your organization's threat hunting goals, from educating your skilled staff to managing the program for you. The options below are listed by goal, with the program, objective, and service description for each.

  • Train (Program: Mandiant Academy; Objective: Practical Threat Hunting): Understand how to plan and execute a threat hunt.

  • Design/Build (Program: Mandiant Consulting; Objective: Threat Hunt Program Development): Develop a threat hunt program with the help of Mandiant experts.

  • Assess Program (Program: Mandiant Consulting; Objective: Threat Hunt Program Assessment): Assess your existing threat hunt program and provide recommendations for improvement.

  • Execute (Program: Mandiant Consulting; Objective: Mandiant Custom Threat Hunt): Uncover ongoing or past threat actor activity in your environment while improving your ability to effectively detect future threats.

  • Monitor and Execute (Program: Mandiant Managed Services; Objective: Managed Defense or Mandiant Hunt): 24/7 managed detection and response service including IOC and TTP-based hunting on your EDR and NDR telemetry.



2 Comments
jmorgan20220829
New Member

The hardest one is the TTP-based one.

Vik_S
Staff

Nicely written, Rob! Keep up the great work.