How to Initiate a Threat Hunting Program (Part 1)?

20.02.2019

Over the past several years, cyber threats have grown both more frequent and more sophisticated than ever. Current security mechanisms are based on traditional reactive approaches, such as antivirus programs and firewalls, that react only once an incident has occurred. Under such circumstances, intruders have a chance to compromise your network either partially or entirely. To prevent this from happening, security practitioners initiate a threat hunting program as a vital part of their Security Operations Center (SOC). Threat hunting is the process of iteratively and proactively searching through networks to detect and then isolate Advanced Persistent Threats (APTs) that slip past your existing security solutions. Unlike reactive approaches, threat hunting acts before an incident occurs rather than after it. In this article, you will learn how to initiate a threat hunting program.

1. Choosing Between Internal or Outsourced Threat Hunting

Internal threat hunting is an internally managed function within an enterprise: the company uses its own resources, such as the required technology and manpower, to perform it. Outsourced threat hunting, on the other hand, relies on an external threat hunting service provider. Instead of spending a large budget on an internal threat hunting program, organizations can buy this capability from a third party. Once you have decided between internal and outsourced threat hunting, you can proceed to the next step.

2. Planning: The Core of Threat Hunting

Planning is one of the most significant factors in a threat hunting campaign. It involves the following critical questions, which must be answered:

  • What processes will be executed during the threat hunting program?
  • What are the available resources?
  • What infrastructure is going to be protected?
  • What is the budget?

You cannot protect what you do not know you have. You cannot hire more manpower or deploy more technology than your budget allows. Proper planning keeps you within scope and helps you avoid future complications.

3. Developing and Testing Hypothesis

Developing a hypothesis helps analysts identify the outcomes they expect from a threat hunting program. For instance, if a hunting campaign targets fileless malware, the analysts would look for adversaries who carry out attacks using PowerShell and WMI tools. Fileless malware is malicious code that runs in RAM rather than being written to the hard drive. Examining every PowerShell process, however, is not a wise approach: it is a time-consuming and daunting task. Analysts should instead extract only the information that relates to a real attack.

4. Collecting Information

Testing the hypothesis requires you to collect additional information. This information can be collected through:

  • Network logs (e.g., firewall, VPN, router)
  • Host-based logs (e.g., OS logs, Endpoint Detection and Response (EDR))
  • Virtual machine hypervisor logs
  • Active Directory
  • DNS
  • Proxy
  • Service/application logs

5. Organizing Data

Once you have collected all the required information and data, the next step is to organize and analyze it in order to obtain meaningful results. For this purpose, hunters use various tools, including the reporting tools in a SIEM, dedicated analytical tools, or Excel to sort data and generate pivot tables. Organized data helps analysts identify potential threats that are likely to occur in the near future. Using this data, hunters can close security loopholes in their network and improve their security posture.