Threat Hunting Playbook

02.10.2019

Threat hunting is an indispensable component of cyber security operations. In this article, we provide you with a guideline that will help you come up with a methodology and a plan of action for your threat hunting practices.

What is threat hunting?

The practice of threat hunting refers to the proactive search for malicious actors and malicious content in your systems. At any given time, there might be malware or even cyber attackers sneaking around in your network. They can go unnoticed for an extended period of time, meanwhile stealing valuable and sensitive information, tapping into your confidential communications, or, even worse, stealthily working their way towards acquiring credentials that will allow them to seize control of your whole network. Performing malware analysis might help cyber security teams to prevent damage to your systems caused by cyber criminals. With threat hunting practices, you specifically focus on the undetected threats in your network. When doing the ‘hunt’, your cyber security professionals dig deep into your organization’s network in order to find any malicious actor that might have slipped through your initial defences and concealed itself in the darkness.

What are the components of threat hunting?

Threat hunting has three essential components:

  • Awareness
  • Preventive measures
  • Incident response

In order to conduct a successful hunt, you must pay attention to all three components. Firstly, you must be aware of what goes on in your systems and on your network: know your baseline and what normal activity looks like, so that you can readily identify suspicious activity. Secondly, you must take appropriate preventive measures, because the best way to fight security incidents is not to let them happen in the first place. Work on the vulnerabilities of your systems and fortify your network perimeter. Incident management tools can help you keep control of security incidents. The third component is incident response. Taking precautions does not mean that you will not be attacked, so you must always be ready to respond to an intrusion: create a protocol, inform your team, and know what to do in case of an emergency.

What is the threat hunting loop?

Threat hunting is not a one-time gig. It must be repeated at regular intervals and it must follow predefined steps. In a sense, threat hunting follows a circle: a never-ending loop that keeps your systems and networks safe. Below you can find a simplified model of the threat hunting loop.

  1. The first step of the threat hunting loop is creating a hypothesis. A threat hunt commences with a hypothesis about suspicious activity that might be occurring in your network.
  2. Then comes the second step: investigation. The hypothesis must be tested with the tools and techniques available to your cyber security team. Is there an ongoing threat? If so, you must proceed to alleviation. Otherwise, you jump to the verification step.
  3. If there is an ongoing attack, the next step is alleviation. If there is a threat, an attack or an issue to be addressed, your security team must take immediate action to remediate it before it does any harm.
  4. If you could not identify any threats, you must verify that finding. If you found an ongoing attack and remediated it, again, you must verify that the threat is eliminated for good.
  5. The final step of this cycle is analytics. You must learn from the hunt and calibrate and reconfigure your systems accordingly. The data you gathered during your hunt is invaluable for your security posture. You should update your data processor and logging system, and feed your machine learning systems with the new data.
  6. Now the only thing you need to do is go back to step one. Good luck!
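As an added example that is not part of the original article, here is the loop above in runnable form: a baseline is built from a known-good period (the awareness component), a hypothesis is tested against a later window, findings triaged as benign are fed back through the analytics step, and the hunt is re-run to verify. The log format, account names and host names are constructed for the example.

```python
from datetime import datetime
# Constructed sample auth events (not from the article): "<ISO time> <user> <source host>"
BASELINE_LOG = """2019-09-02T08:15:00 alice ws-alice
2019-09-02T09:40:00 bob ws-bob
2019-09-03T10:05:00 alice ws-alice""".splitlines()
HUNT_LOG = """2019-10-01T08:20:00 alice ws-alice
2019-10-01T03:12:00 alice fileserver-02
2019-10-01T03:15:00 bob fileserver-02
2019-10-01T11:00:00 bob ws-bob-new""".splitlines()

def parse(line):
    when, user, host = line.split()
    return datetime.fromisoformat(when), user, host

def learn(baseline, when, user, host):
    # Record one event as known-normal behaviour for that account.
    entry = baseline.setdefault(user, {"hosts": set(), "hours": set()})
    entry["hosts"].add(host)
    entry["hours"].add(when.hour)

def build_baseline(lines):
    # Awareness: which hosts and logon hours each account used during a known-good period.
    baseline = {}
    for when, user, host in map(parse, lines):
        learn(baseline, when, user, host)
    return baseline

def investigate(baseline, lines):
    # Hypothesis: a compromised account shows up from a host or at an hour its baseline never saw.
    findings = []
    for when, user, host in map(parse, lines):
        known = baseline.get(user, {"hosts": set(), "hours": set()})
        reasons = [r for r, odd in (("new host", host not in known["hosts"]),
                                    ("unusual hour", when.hour not in known["hours"])) if odd]
        if reasons:
            findings.append((user, host, when.isoformat(), reasons))
    return findings

def analytics(baseline, benign_findings):
    # Analytics: fold findings triaged as benign back into the baseline for the next hunt.
    for user, host, ts, _ in benign_findings:
        learn(baseline, datetime.fromisoformat(ts), user, host)
    return baseline

def hunt_loop(baseline_lines, hunt_lines, benign_hosts):
    # One pass of the loop: hypothesis -> investigation -> triage -> analytics -> verification re-run.
    baseline = build_baseline(baseline_lines)
    first = investigate(baseline, hunt_lines)
    second = investigate(analytics(baseline, [f for f in first if f[1] in benign_hosts]), hunt_lines)
    return first, second
```

Calling `hunt_loop(BASELINE_LOG, HUNT_LOG, {"ws-bob-new"})` returns three findings on the first pass and two on the verification pass, because bob's new workstation was triaged as benign and absorbed into the baseline while the off-hours logons to the file server remain flagged.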