Threat Hunting: A quick introduction
We live in a world of constant change: changing technologies, industries, cultures, histories, ideas, politics, workforces, end users' interests, and much more. Nothing is ever static, and in cybersecurity that is doubly so.
To understand threat hunting, one must first ask the question: what is threat intelligence?
Threat intelligence, or cyber threat intelligence, is actionable and detailed information on threat actors and potential cybersecurity attacks. The key words here are "actionable" and "detailed". Threat actors and potential attacks are always changing, whether it is the threat actor groups themselves or the methods by which they attack infrastructure and compromise victims. With this kind of detailed and actionable information at the ready, and with further research, cybersecurity professionals and threat hunters are able to prevent or stop potentially serious attacks.
Why are threat intelligence, and therefore threat hunting, important? As with all things in cybersecurity, it comes down to preventing data loss and financial loss. Being able to identify not just what is going on in a given IT environment, but also what is happening across the industry and the world, gives cybersecurity professionals the ability to stay up to date, be ready for new potential attacks, and avoid being surprised.
To be clear, this does not mean that one kind of threat intelligence is sufficient for every organization or professional. Continuous, updated threat intelligence varies in kind and is not one-size-fits-all; it is better to be adaptable. In practice, there are many different kinds of threat hunts. The most common are structured hunts, unstructured hunts, and situational/entity-driven hunts.
Structured hunts: Built around a framework such as MITRE ATT&CK. Threat hunters search for Indicators of Attack (IoAs) along with the Tactics, Techniques, and Procedures (TTPs) of threat actors.
Unstructured hunts: A more reactive kind of hunt, focused on responding to an Indicator of Compromise (IoC) found in a system and working out what led to that IoC or the underlying vulnerability.
Situational/entity-driven hunts: Driven by the results and trends observed in the IT environment and by analyses of the organization's own environment.
Within each of these kinds of hunts there are different ways of approaching them. From intel-based to hypothesis-based, there are many ways threat hunters can both structure and carry out a hunt. When a hunt is intel-based, it is driven by threat intelligence gathered on a specific vulnerability, threat actor, or current trend in the IT environment. When it is hypothesis-based, it is structured around an initial hypothesis formed by the threat hunter, and the hunt proceeds by either proving or disproving that hypothesis.
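The three hunt types above, and the intel-based versus hypothesis-based distinction, are easiest to see side by side over the same telemetry. The following is an added example written for this introduction, not code from the original article: it runs a structured (hypothesis/TTP-driven) hunt, an unstructured (IoC-driven) hunt, and an entity-driven (stack-counting) hunt over a small, constructed set of process-creation events. The events, the placeholder hashes such as `h-updater`, the baseline pair set, and the Office/interpreter name lists are all assumptions made up for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event, the shape EDR/Sysmon-style telemetry provides."""
    ts: datetime
    host: str
    user: str
    parent: str    # parent process image name
    image: str     # new process image name
    cmdline: str
    sha256: str    # hash of the new process image (placeholder strings below)


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry (not real data): a few process-creation events
# from three workstations. ws-01 shows a macro-style launch chain
# (Word -> cmd.exe -> unknown binary); ws-03 later runs the same binary directly.
EVENTS = [
    ProcessEvent(_t("2024-05-01T09:00:00"), "ws-01", "alice", "explorer.exe", "winword.exe", "winword.exe report.docx", "h-word"),
    ProcessEvent(_t("2024-05-01T09:00:07"), "ws-01", "alice", "winword.exe", "cmd.exe", "cmd.exe /c updater.exe", "h-cmd"),
    ProcessEvent(_t("2024-05-01T09:00:09"), "ws-01", "alice", "cmd.exe", "updater.exe", "updater.exe", "h-updater"),
    ProcessEvent(_t("2024-05-01T09:05:00"), "ws-02", "bob", "explorer.exe", "excel.exe", "excel.exe budget.xlsx", "h-excel"),
    ProcessEvent(_t("2024-05-01T09:06:00"), "ws-02", "bob", "explorer.exe", "chrome.exe", "chrome.exe", "h-chrome"),
    ProcessEvent(_t("2024-05-01T09:10:00"), "ws-03", "carol", "explorer.exe", "outlook.exe", "outlook.exe", "h-outlook"),
    ProcessEvent(_t("2024-05-01T09:11:00"), "ws-03", "carol", "explorer.exe", "chrome.exe", "chrome.exe", "h-chrome"),
    ProcessEvent(_t("2024-05-01T09:12:00"), "ws-03", "carol", "explorer.exe", "updater.exe", "updater.exe", "h-updater"),
]

# Constructed baseline: parent->child pairs seen during a prior "known good" period.
BASELINE_PAIRS = {
    ("explorer.exe", "winword.exe"), ("explorer.exe", "excel.exe"),
    ("explorer.exe", "outlook.exe"), ("explorer.exe", "chrome.exe"),
}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def structured_hunt(events):
    """Structured, hypothesis-based hunt keyed to a TTP rather than a hash:
    'an Office application should never spawn a command interpreter'
    (ATT&CK T1059, Command and Scripting Interpreter, is the usual mapping)."""
    return [e for e in events
            if e.parent.lower() in OFFICE_APPS and e.image.lower() in INTERPRETERS]


def unstructured_hunt(events, ioc_sha256, lookback=timedelta(minutes=5)):
    """Unstructured, intel/IoC-driven hunt: start from a known-bad hash, find
    every host that ran it, then pull the events on that host in the minutes
    leading up to the first execution to reconstruct what led to it."""
    first_hit = {}
    for e in events:
        if e.sha256 == ioc_sha256 and (e.host not in first_hit or e.ts < first_hit[e.host].ts):
            first_hit[e.host] = e
    return {
        host: sorted((e for e in events
                      if e.host == host and hit.ts - lookback <= e.ts <= hit.ts),
                     key=lambda e: e.ts)
        for host, hit in first_hit.items()
    }


def entity_hunt(events, baseline_pairs):
    """Situational/entity-driven hunt: count parent->child pairs across the
    environment ('stack counting') and report the ones absent from the
    baseline, rarest first. The signal is deviation from this environment's
    own norms, not any external indicator."""
    counts = Counter((e.parent.lower(), e.image.lower()) for e in events)
    novel = [(pair, n) for pair, n in counts.items() if pair not in baseline_pairs]
    return sorted(novel, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    for e in structured_hunt(EVENTS):
        print(f"[structured] {e.host} {e.user}: {e.parent} -> {e.image} ({e.cmdline})")
    for host, timeline in unstructured_hunt(EVENTS, "h-updater").items():
        print(f"[unstructured] {host}: " + " -> ".join(e.image for e in timeline))
    for pair, n in entity_hunt(EVENTS, BASELINE_PAIRS):
        print(f"[entity] novel pair {pair[0]} -> {pair[1]} seen {n}x")
```

Note how the three approaches surface different things from the same data: the structured hunt finds only ws-01 because that is where the hypothesised TTP occurred; the IoC pivot finds ws-03 as well, which ran the same binary without any suspicious parent; and the entity hunt flags every pairing the environment had never produced before, which is how a hunter notices activity for which no intelligence or hypothesis yet exists.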
All of these threat hunts have their uses in industry environments and across the cybersecurity field. What is important to remember, however, is that just as defenders' and threat hunters' tools and techniques change, so too do threat actors and attackers. What was considered normal or benign behavior yesterday could become part of a malicious attack today and a serious disaster tomorrow. Past behaviors and old threat actor routines do not necessarily predict the next wave or stage of change in an attack. Just as threat intelligence and defenders' practices change, so too do the attacks and their desired outcomes.
Ransomware is one example: the traditional effects and purposes of ransomware attacks have begun to change. Where threat actors once used ransomware to demand large payments from victims to decrypt their data and files, negotiating over longer periods of time, changes in the ransomware industry and law enforcement crackdowns have shifted the focus of the attacks. Now ransomware attacks are almost treated as a "cost of doing business", where attackers and threat actors repurchase code for their attacks and can ramp up their attacks and negotiation periods in a matter of hours instead of weeks. This kind of insight comes from analysis, from updated threat intelligence, and from continuously improved threat hunting.
Threat hunting, in this sense, means deep diving. Being proactive instead of simply reactive, and adaptable to a changing cybersecurity and IT landscape, is of paramount importance. Threat hunting thus becomes an iterative approach, both highly proactive and reactive, to the evolving cybersecurity landscape.