Threat hunting: the secret weapon of cyber security

Hunting rather than being hunted: Threat hunting as a secret weapon of cyber security

Some CISOs and CEOs do not yet have threat hunting on their radar. They should, because the findings of hunting and research are what make defensive tooling such as EDR, XDR or SIEM worth relying on: those systems detect only what someone has taught them to look for. Only a permanent hunt for anomalies in the network, vulnerabilities in software and gaps in the defense uncovers current and emerging attack vectors. Threat hunting therefore strengthens a company's defense in a fundamental way.
March 27, 2024

When it comes to threat hunting in cyber security, conversations quickly drift into a wave of technical terms such as IoA (Indicator of Attack), IoC (Indicator of Compromise) or TTP (Tactics, Techniques and Procedures). The terms matter, but they say little about the concept behind threat hunting and what the technique is actually about.

Who are the Threat Hunters?

Not all threat hunters have the same tasks, whether they are tracking new waves of attacks, evaluating code and scripts, or doing classic data and database analysis. Roughly speaking, there are four groups; the first three mainly produce the data that threat hunters inside companies then consume as threat intelligence:

  • Evangelists: These experts are not threat hunters in the narrow sense, but some of them have had an excellent overview of the IT threat landscape for decades and know how to interpret data that has already been analyzed. They supply important material that becomes threat intelligence. One example is the computer security expert and threat hunter Mikko Hyppönen, who was tracking attackers online and analyzing their data before any of these terms had been defined. His talks and presentations are worth following; his predictions, even those made many years in advance, come true all too often, such as his early rule on IoT: “if it’s smart, it’s vulnerable”.
  • Researchers: At many universities, teams of experts conduct research and threat hunting by investigating what new technologies make possible and which methods attackers use today and will use in the future. MIT CSAIL in the USA and the Fraunhofer Institute SIT are at the forefront here.
  • Heads: Some specialists prefer not to be publicly known and exchange information only among themselves. The Check Point Research team is somewhat better known; its blog describes how the team first hunts and then reconstructs the exact sequence of a malware attack in all its steps, for example an attack on a mobile device management (MDM) system. The team first presented the tactics, then traced the attack step by step, and the write-up shows the scripts, code, ports and tools used. Institutes such as AV-TEST also hunt actively: AV-TEST runs its own analysis engines and, from its data stream and preliminary analyses, produces a large volume of threat intelligence (TI), the raw material for threat hunting.
  • SecOps experts: This largest group is the real pillar of daily threat hunting and benefits from the analyses of the evangelists, researchers and heads. These experts work in the SecOps departments of security vendors and of service providers offering managed SOC as a service. Many detection systems produce streams of anomalies that are first triaged with machine learning (ML) or AI; the remainder that matters, the actual threat intelligence, is then used for investigation and hunting. Through continuous evaluation the teams identify vulnerabilities and feed them back as detection data, which ensures a suitable defense against exploits, classifies vulnerabilities or triggers countermeasures against attack campaigns.

Threat Intelligence (TI): the source for threat hunters

Simply put, threat intelligence is the collection of all information that threat hunters use to investigate anomalies. Maik Morgenstern, CTO and threat hunter at AV-TEST, states it plainly: “threat hunting cannot work without good threat intelligence from various sources and IT security tools”.

Such a data stream is assembled from many parts. Threat hunters working in a company’s SecOps use all the data the local security tools provide: network logs and structural data about the IT infrastructure, plus the telemetry of an EDR, XDR (with NDR) or SIEM solution. These tools know the IT estate, record data transfers in the network, and recognize software dependencies and their communication, from the client PC to the cloud application.

Threat hunters typically check conspicuous processes and anomalies, or research vulnerabilities on the basis of indicators or previously published weaknesses, ideally ones already recorded as a CVE (Common Vulnerabilities and Exposures) entry in a public database. Maik Morgenstern of AV-TEST gives a practical example: “If, for example, it is known that a current malware campaign uses port 777 for communication after an infection, a threat hunter can also carry out checks to see whether their company may be affected and thus track the attack. However, they can also prevent damage by monitoring the port more intensively or even blocking it preventively.”
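The port-777 case from the quote above, worked through as an added example that is not part of the article and not AV-TEST’s own tooling. The connection-log lines are constructed here in a Zeek-style whitespace layout; the IoC port, the IP addresses (documentation ranges) and the rarity threshold are assumptions for the illustration. The example goes one step beyond the quote: besides matching the known IoC port, it baselines which destination ports only a single internal host uses, which is how a hunter surfaces a suspicious port before any intelligence feed names it.

```python
"""Hunt a known C2 port across connection logs and baseline rare destination ports.

Added example, not from the original article. The log, IoC port and
threshold are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Constructed sample connection log (Zeek-like layout):
# ts  src_ip  src_port  dst_ip  dst_port  proto
SAMPLE_CONN_LOG = """\
1711497600.1 10.0.1.15 50212 192.0.2.10 443 tcp
1711497601.4 10.0.1.15 50213 192.0.2.10 443 tcp
1711497602.9 10.0.1.22 50991 203.0.113.8 777 tcp
1711497603.2 10.0.1.31 50120 10.0.0.5 53 udp
1711497604.7 10.0.1.22 50992 203.0.113.8 777 tcp
1711497605.0 10.0.1.40 50300 198.51.100.23 8443 tcp
1711497606.3 10.0.1.15 50214 10.0.0.5 53 udp
1711497607.8 10.0.1.31 50121 203.0.113.8 777 tcp
1711497608.1 10.0.1.31 50122 192.0.2.10 443 tcp
1711497609.5 10.0.1.40 50301 192.0.2.10 443 tcp
"""

# IoC taken from threat intelligence: the campaign's post-infection port
# (assumed value, as in the quote above).
IOC_PORTS = {777}


@dataclass(frozen=True)
class Conn:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_conn_log(text: str) -> list[Conn]:
    """Parse whitespace-separated connection records, skipping blanks and '#' comments."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split()
        conns.append(Conn(float(ts), src, int(sport), dst, int(dport), proto))
    return conns


def hunt_ioc_ports(conns: list[Conn], ioc_ports: set = IOC_PORTS) -> dict:
    """Map each internal host that talked to an IoC port to the (peer, port) pairs it used.

    The result is the hand-off to incident response: which hosts to isolate
    and which peers to block or watch.
    """
    hits: dict = {}
    for c in conns:
        if c.dst_port in ioc_ports:
            hits.setdefault(c.src_ip, set()).add((c.dst_ip, c.dst_port))
    return hits


def rare_dst_ports(conns: list[Conn], max_hosts: int = 1) -> list[int]:
    """Destination ports used by at most `max_hosts` distinct internal hosts.

    A baseline like this surfaces candidate C2 ports before any feed lists them;
    the threshold is an assumption and should be tuned per network.
    """
    hosts_per_port: dict = {}
    for c in conns:
        hosts_per_port.setdefault(c.dst_port, set()).add(c.src_ip)
    return sorted(p for p, hosts in hosts_per_port.items() if len(hosts) <= max_hosts)


if __name__ == "__main__":
    conns = parse_conn_log(SAMPLE_CONN_LOG)
    for host, peers in hunt_ioc_ports(conns).items():
        print(f"IoC hit: {host} -> {sorted(peers)}")
    print("Ports used by a single host:", rare_dst_ports(conns))
```

On the constructed data, the IoC hunt flags two hosts talking to 203.0.113.8:777, and the baseline flags port 8443 as used by only one host, a lead worth a look even though no feed names it. In production the same two functions would run over the EDR/NDR export rather than an inline string.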

First threat hunter, then forensic expert

Threat hunters constantly check their own network for anomalies and other suspicious activity, using threat intelligence, that is, knowledge gained from incidents that have already occurred elsewhere. If they find the processes, executed files and accesses they are looking for, they hand this information to the incident response team, which stops the attack. EDR, XDR (with NDR) or SIEM solutions help again here, because they can roll out network rules and other containment actions quickly and keep monitoring afterwards. Only once the attack and all attacker access have been contained do forensic experts come into play; they are the better analysts for the malicious scripts, code or malware used in the attack.

Why threat hunting is important for CISOs and CTOs

  • Threat hunting gives you a better overview of the current threat situation inside the company’s own network. If a threat or attack is identified, the incident response team takes over and forensics closes the case.
  • Threat hunters not only use the existing security analysis systems, such as EDR, XDR (with NDR) or SIEM solutions working together with endpoint security; they also tune those systems, implement detection rules and thereby reduce attack vectors.
  • Threat hunters are usually well networked and therefore have deep insight into the forums that potential attackers use to exchange information. They also search the darknet, where criminals trade stolen credentials and other company data. Such research can uncover a data leak or intrusion that nobody has noticed yet.
  • Every CISO and CTO should spend ten minutes threat hunting themselves, for example with a look at Shodan.io, a search engine for Internet-connected devices. A search there for VMware vCenter servers exposed on port 443 whose reported version lacks a patch returned over 1,700 hits in our test. Shodan derives such flags from version banners, so a hit shows exposure and a probable missing patch rather than a confirmed vulnerability, but it is still a list you do not want to be on. Is your company on it?