For those just getting started with threat hunting, there are four points one must understand from the outset:
- Threat hunting is proactive, not reactive. Hunters construct hypotheses to test possible conditions under which an adversary might infiltrate the network. These hypotheses can either be lead-driven (i.e. prompted by abnormal network activity) or leadless (i.e. prompted by hypothetical intrusion scenarios).
- Threat hunting assumes the worst has happened. Threat hunters carry out their hunts under the assumption that adversaries have already evaded existing defenses. Therefore, a hunt begins with the hypothesis that an attack was successful, then searches for the evidence that would confirm that hypothesis.
- Threat hunting is a human-led activity but can benefit from appropriate technologies. Organizations require trained human specialists to lead threat hunts. Hunters apply critical thinking, scripting knowledge, and manual search methods to identify threats that evade standard detection technologies. Emerging technologies like AI and machine learning can help hunters sift through massive volumes of data and make more informed search queries based on existing threat data.
- Threat hunting improves an organization’s security posture, regardless of hunt outcomes. Hunts may reveal proof of a vulnerability, or they may reveal network activity that is completely unrelated to the target of the investigation. Regardless of what is found, hunting exercises expand the organization’s security awareness and its visibility into the network.
For more on the subject, see the SCMedia eBook “Threat Hunting Essentials: How to Craft an Effective Process.”