When it comes to threat hunting in cyber security, conversations often slide into a wave of technical terms such as IoA (Indicators of Attack), IoC (Indicators of Compromise) or TTP (Tactics, Techniques and Procedures). The terms are of course important, but they say little about the concept behind threat hunting and what this technique is actually about.
Who are the Threat Hunters?
Not all threat hunters have the same tasks when searching for new waves of attacks or evaluating code, scripts and classic data and database analyses. Roughly speaking, there are four groups, with the first three mainly providing the data that threat hunters in companies then use as threat intelligence:
- Evangelists: Although these experts are not threat hunters in the narrow sense, some of them have had an excellent overview of the IT threat landscape for decades and know how to interpret data that has already been analyzed. They provide important data material that becomes threat intelligence. One example is the computer security expert and threat hunter Mikko Hyppönen. He was already hunting down attackers online and analyzing their data before any of these terms had been defined. It is worth following his talks and presentations. His predictions, even those made many years in advance, unfortunately come true all too often, such as his early quote on IoT: “if it’s smart, it’s vulnerable”.
- Researchers: At many universities, teams of experts are conducting research and threat hunting by investigating what is possible with new technologies and which methods attackers are currently using and will use in the future. The American MIT CSAIL and the Fraunhofer Institute SIT are at the forefront here.
- Heads: Some specialists do not want to be officially known and are only in contact with each other to exchange information. The Check Point Research team is somewhat better known; its blog describes how it first conducts threat hunting and then analyzes the exact sequence of a malware attack in all its steps, for example how an attack on a mobile device management (MDM) system took place. The team first presented the tactics and then tracked the attack step by step. The documentation shows the scripts, code, ports and tools used. Institutes such as the AV-TEST Institute also engage in active threat hunting. AV-TEST uses its own analysis engines for this and, through its data stream and preliminary analyses, produces a large amount of information as “Threat Intelligence” (TI), the basis for threat hunting.
- SecOps experts: This, the largest group, is the real pillar of daily threat hunting. They benefit from the analyses of the evangelists, researchers and heads. These experts work in the many SecOps departments of security vendors and of service providers that offer a managed SOC as a service. Many detection systems produce data streams of anomalies that are first analyzed using machine learning (ML) or AI. The important remainder, the actual threat intelligence, is then used for investigation and threat hunting. Through continuous evaluation, the specialist teams identify vulnerabilities and pass them on as detection data. This ensures the appropriate defense against exploits, classifies vulnerabilities or initiates countermeasures against attack campaigns.
Threat Intelligence – TI – the source for threat hunters
Simply put, threat intelligence is the collection of all information that threat hunters use to investigate anomalies. Ask Maik Morgenstern, CTO and threat hunter at AV-TEST, and it is clear that “threat hunting cannot work without good threat intelligence from various sources and IT security tools”.
Such a data stream can be assembled from many parts. If threat hunters work in a company’s SecOps, for example, they use all the data provided by the local security tools. In addition to network logs and structural data on the IT infrastructure, this includes data from an EDR, XDR (with NDR) or SIEM solution. These tools know the IT structure, record all data transfers in the network, and recognize software dependencies and their communication in the network, from the client PC to the cloud application.
Threat hunters usually check conspicuous processes and anomalies, or research vulnerabilities on the basis of indications or previously published vulnerabilities. At best, these are already described as CVEs (Common Vulnerabilities and Exposures) in a public database. Maik Morgenstern from AV-TEST has a practical example to illustrate this: “If, for example, it is known that a current malware campaign uses port 777 for communication after an infection, a threat hunter can also carry out checks to see whether his company may be affected and thus track the attack. However, they can also prevent damage by monitoring the port more intensively or even blocking it preventively.”
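The port-based hunt from the quote above, as an added example that is not AV-TEST’s code: it parses a constructed firewall export (the key=value format and the sample lines are assumptions) and reports which internal hosts tried to reach the campaign’s TCP/777, including attempts the firewall already denied.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Indicator from threat intelligence (the article's example): C2 traffic on TCP/777.
INDICATOR_DST_PORT = 777
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample firewall export. Line 3 has 777 only as an ephemeral source
# port and line 4 has "777" inside an address: neither is a hit, which a naive
# substring search for "777" would get wrong.
SAMPLE_LOG = """\
2024-05-02T08:01:10Z action=allow proto=tcp src=10.1.4.22 sport=51022 dst=203.0.113.77 dport=777
2024-05-02T08:01:11Z action=allow proto=tcp src=10.1.4.22 sport=51023 dst=203.0.113.77 dport=777
2024-05-02T08:02:30Z action=allow proto=tcp src=10.1.9.5 sport=777 dst=198.51.100.8 dport=443
2024-05-02T08:03:02Z action=allow proto=tcp src=10.7.7.7 sport=40001 dst=198.51.100.200 dport=80
2024-05-02T08:04:45Z action=deny proto=tcp src=192.168.3.14 sport=60211 dst=203.0.113.77 dport=777
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse_line(line):
    """Return the fields of one export line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def hunt_port(log_text, dst_port=INDICATOR_DST_PORT):
    """Internal hosts that tried to reach dst_port, with peers and allow/deny counts.
    Denied attempts count too: a blocked connection to a C2 port still points at an
    infected source host."""
    hits = defaultdict(lambda: {"peers": set(), "attempts": 0, "allowed": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != dst_port:
            continue  # only the destination port is the indicator
        if not any(ip_address(rec["src"]) in net for net in INTERNAL_NETS):
            continue  # the hunt is about our own hosts being affected
        h = hits[rec["src"]]
        h["peers"].add(rec["dst"])
        h["attempts"] += 1
        h["allowed"] += rec["action"] == "allow"
    return {s: {"peers": sorted(v["peers"]), "attempts": v["attempts"],
                "allowed": v["allowed"]} for s, v in hits.items()}
```

Running `hunt_port(SAMPLE_LOG)` flags 10.1.4.22 (two allowed connections) and 192.168.3.14 (one denied attempt); both are candidates for the incident response hand-over described in the next section, and the same function with a different `dst_port` serves later indicators.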
First threat hunter, then forensic expert
Threat hunters constantly check their own network for anomalies or other suspicious activities. To do this, they use threat intelligence, the knowledge gained from current incidents that have occurred elsewhere. If they find the processes, executed files and accesses they are looking for, they usually pass this important information on to the incident response team, which stops the attack. EDR, XDR (with NDR) or SIEM solutions help here again, as they can be used to quickly roll out comprehensive network rules and other actions and to ensure further monitoring. Only once the attack and all access have been contained do forensic experts come into play, as they are the better analysts for the dangerous scripts, code or malware used in the attack.
Why threat hunting is important for CISOs and CTOs
- Threat hunting gives you a better overview of the current threat landscape in the company’s own network. If a threat or attack is identified, the incident response team and, finally, forensics take over.
- Threat hunters not only use existing IT security analysis systems, such as EDR, XDR (with NDR) or SIEM solutions that work together with endpoint security. They can also train systems, implement rules and thus reduce attack vectors.
- Threat hunters are usually well networked and therefore have deep insights into forums that potential attackers use to exchange information. Threat hunters search the darknet, where criminals often trade stolen credentials or other company data. Such research can also uncover a data loss or cyber intrusion that no one has yet noticed.
- Every CISO and CTO should spend ten minutes threat hunting themselves, for example by taking a look at Shodan.io, a search engine for Internet-connected devices with public IP addresses. If you search there for unpatched, vulnerable “VMware vCenter” servers reachable via port 443, Shodan presents over 1,700 vulnerable servers in the test. Is your company on the list?