Threat hunting is a proactive protection practice against advanced threats that is essential to maintain the integrity and security of an organisation’s systems and data. Below we explain in more detail what threat hunting is and the relevance of implementing it in organisations.
What is Threat hunting?
Threat hunting is a proactive process of searching for and detecting cyber threats capable of evading traditional security defences. Unlike reactive methods that rely on automated alerts, threat hunting involves actively searching for suspicious or malicious activity within the system or network, both internally and externally. The primary goal of threat hunting is to identify, mitigate or nullify advanced threats before they can cause significant damage. This includes the detection of advanced persistent threats (APTs), malware, exposed vulnerabilities and other risk factors that may not be detected by conventional security tools.
Threat hunting methodology
Now that you know what Threat hunting is, it is worth looking at its methodology. The process generally follows an iterative cycle made up of the following phases:
- Hypothesis. Threat hunting starts with the formulation of threat hypotheses based on threat intelligence, behavioural analysis and knowledge of the environment.
- Data collection. Data is collected from a variety of sources, such as event logs, network monitoring, and endpoint data.
- Analysis. The collected data is analysed for unusual patterns or indicators of compromise (IoCs).
- Investigation. If suspicious activity is identified, further investigation is carried out to determine the nature and extent of the threat.
- Response. If a threat is confirmed, measures are taken to contain, nullify or mitigate the impact.
Threat hunting uses a variety of tools and techniques including:
- Intrusion detection systems (IDS): to monitor and analyse network traffic for suspicious activity.
- Log and behavioural analysis: to review and correlate events recorded in different systems and identify deviations in the normal behaviour of users and systems.
- Threat intelligence: to obtain information on open breaches and exposed vulnerabilities on the web, dark web, deep web and social networks.
How to do Threat hunting: steps to follow
To carry out threat hunting effectively, the following key steps are necessary:
- Define objectives and strategy. Determine what you want to achieve (for example, identifying advanced threats or improving incident detection) and develop a strategy that sets out the necessary resources, the tools to be used and the procedures to be followed.
- Form a Threat hunting team. The team must have experience in cyber security and data analysis, and it is essential that they are constantly updated on the latest threats and techniques.
- Collect and analyse data. Gather data from event logs, network traffic, Intrusion Detection Systems (IDS), automated Cyber Intelligence platforms…
- Formulate the hypotheses. Based on threat intelligence and behavioural analysis, hypotheses about possible threats are formulated and steps are defined to investigate each hypothesis.
- Execute the hunt. Active searches of collected data are conducted to identify suspicious activity. If indications of a threat are found, further investigation is conducted to confirm the nature and extent.
- Respond and mitigate. When a threat is confirmed, measures are taken to contain, nullify or mitigate its impact.
- Documentation and reporting. All findings and actions taken are documented and reports are provided to senior management and cyber security managers to improve defences and security strategies.
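As an added illustration of the cycle described in the phases and steps above (hypothesis, data collection, analysis of IoCs and behavioural deviations, leads for investigation), and not code from the original article: a small hypothesis-driven hunt in Python over constructed authentication log lines. The hypothesis is that a credential is being used from an address on the threat-intelligence indicator list, or from a source the user has never authenticated from, possibly after repeated failures; the log format, users, addresses and indicator list are all constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample authentication log lines (not real data); source addresses
# are documentation ranges. BASELINE_LOGS is a trusted earlier window, HUNT_LOGS the hunted one.
BASELINE_LOGS = """\
2024-04-20T08:02:11Z sshd user=alice src=10.0.0.5 result=success
2024-04-21T09:12:03Z sshd user=bob src=10.0.0.7 result=success
"""
HUNT_LOGS = """\
2024-05-01T08:05:40Z sshd user=alice src=10.0.0.5 result=success
2024-05-01T22:41:19Z sshd user=alice src=203.0.113.9 result=failure
2024-05-01T22:41:25Z sshd user=alice src=203.0.113.9 result=failure
2024-05-01T22:41:31Z sshd user=alice src=203.0.113.9 result=success
2024-05-02T03:15:02Z sshd user=bob src=198.51.100.77 result=success
"""
# Constructed indicator list standing in for a threat-intelligence feed.
IOC_IPS = {"198.51.100.77"}
LINE_RE = re.compile(r"^(\S+) sshd user=(\S+) src=(\S+) result=(success|failure)$")

def parse(log_text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, src, result = m.groups()
            events.append({"ts": ts, "user": user, "src": src, "result": result})
    return events

def build_baseline(events):
    """Known (user, source) pairs: successful logins from the trusted window."""
    return {(e["user"], e["src"]) for e in events if e["result"] == "success"}

def hunt(events, baseline, ioc_ips, max_failures=2):
    """Test the hypothesis and return (signal, user, src, ts) findings.
    Findings are leads for the investigation phase, not confirmed incidents."""
    findings = []
    failures = defaultdict(int)  # failed attempts seen per (user, src)
    for e in events:
        key = (e["user"], e["src"])
        if e["src"] in ioc_ips:  # IoC match from threat intelligence
            findings.append(("ioc_match", e["user"], e["src"], e["ts"]))
        if e["result"] == "failure":
            failures[key] += 1
            continue
        if key not in baseline:  # behavioural deviation: never-seen source
            findings.append(("new_source", e["user"], e["src"], e["ts"]))
        if failures[key] >= max_failures:  # repeated failures, then success
            findings.append(("failures_then_success", e["user"], e["src"], e["ts"]))
    return findings
```

Each finding carries enough context (signal, user, source, time) for the investigation phase to decide whether it is a true positive, which is also what gets documented in the final report.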
What is needed to start threat hunting?
To implement an effective Threat Hunting programme, it is necessary to prepare and organise several key components that will ensure its success. These fundamental elements include proper team selection, collection and analysis of relevant data, and integration of threat intelligence.
Human capital
Selecting the right threat hunting team is crucial to the success of the strategy. A threat hunting team should bring together a combination of technical skills, practical experience and the ability to work as a team. The threat hunting team should be composed of professionals with backgrounds in cyber security, data analysis, attacker techniques and procedures, with official certifications such as Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) or GIAC Certified Incident Handler (GCIH) and, if possible, extensive hands-on experience. The team must be able to work collaboratively and communicate their findings effectively to other departments and senior management. They should be continuously updated on cybersecurity and threats.
Data
To initiate threat hunting, it is essential to collect and analyse a variety of data that can provide indications of suspicious or malicious activity. This data should be extracted from:
- Event logs, such as system or security logs.
- Network traffic, such as packet captures or network flows.
- Endpoint data, such as activity logs or sensor data.
- Threat intelligence, such as indicators of compromise or information gathered from monitoring external sources.
- User data, such as authentication logs or behavioural analysis.
- Data on exposed vulnerabilities and open breaches extracted from scans of the organisation’s internal and external attack surfaces.
Threat Intelligence
Threat Intelligence focuses on the collection, analysis and utilisation of information about potential and current threats that may affect the security of an organisation. It provides detailed insight into malicious actors, their tactics, techniques and procedures (TTPs), as well as exposed vulnerabilities and open security holes that can be exploited to execute an attack. For threat hunting, threat intelligence acts as a solid foundation that guides the team in identifying and mitigating risks. By having access to up-to-date and accurate threat information, threat hunting professionals can anticipate and detect suspicious activity before it becomes a security incident. In addition, Threat Intelligence allows prioritisation of countermeasure efforts, focusing on the most relevant and immediate threats to the organisation.
Outstanding features and benefits of Threat hunting
Threat hunting offers a number of key features and advantages that distinguish it from traditional security practices. The most relevant of these are highlighted below:
Proactive and immediate approach
Unlike traditional security methods that tend to be reactive, threat hunting empowers organisations to anticipate threats before they materialise. This proactive approach involves actively looking for signs of malicious activity rather than waiting for incidents to occur. By taking an immediate approach, threat hunting professionals can identify and neutralise threats in real time, minimising the potential impact on the organisation. This not only reduces incident response time, but also improves the organisation’s ability to prevent future attacks. In addition, the proactive approach allows organisations to stay one step ahead of attackers by quickly adapting to new tactics and techniques used by malicious actors.
Continuous improvement
Threat hunting enables organisations to constantly evolve and adapt to new threats and tactics employed by malicious actors. Through threat hunting, security teams can identify patterns and trends in threats, allowing them to continuously adjust and improve their defence strategies. Continuous improvement involves a constant feedback loop, where threat hunting findings are used to refine security policies, update detection tools and techniques, and train staff on new defence tactics. This process not only strengthens the organisation’s security posture, but also increases resilience to future attacks.
High adaptability
Through threat hunting, organisations can quickly adjust their defence strategies in response to emerging threats and the changing tactics of cyber attackers. Adaptability in threat hunting involves the ability to continuously modify and update the tools, techniques and procedures used to detect and mitigate threats. Thanks to this adaptability, security teams can respond more effectively to new challenges and vulnerabilities that emerge in the cyber security landscape. In addition, adaptability enables organisations to integrate new technologies and methodologies into their defence processes, thereby improving their ability to protect their critical assets.
Types of threat hunting according to need
To effectively address Threat Hunting, organisations can adopt a variety of models depending on their specific needs and the context in which they operate. Each Threat Hunting model offers a different approach to identifying and mitigating threats, adapting to different aspects of the security environment and protection objectives.
Intelligence models
These models focus on identifying cyber threats using Cyber Threat Intelligence. They enable organisations to identify suspicious activities and patterns of behaviour that could indicate the presence of malicious actors, as well as exposed vulnerabilities and open gaps in the network using indicators of compromise obtained from threat intelligence sources. They respond to the organisation’s need to detect, monitor and understand threats at its external perimeter in order to neutralise them or respond effectively to their use by cyber criminals.
Hypothesis models
These models focus on the formulation of hypotheses about possible cyber threats. They rely on the knowledge and experience of security analysts to develop feasible assumptions about possible attacks and how they could be executed, as well as the vulnerabilities that could be exploited. They respond to the organisation’s need to anticipate any type of threat and to proactively adapt to new threats as they emerge.
Custom models
These are advanced models tailored to the specific needs of an organisation. They are based on in-depth knowledge of the corporate environment, its weaknesses and particular requirements, and use the organisation’s own data and patterns to identify potential threats. They respond to the organisation’s need to detect specific threats, to adapt the strategy to its infrastructure and operations, and to optimise its resources. These models can be run by human teams, by advanced Cyber Intelligence platforms that allow searches to be customised, or by a combination of both.
Find out how Kartos by Enthec helps you in your Threat hunting strategy.
Kartos is the Cyber Intelligence platform developed by Enthec that allows you to develop a Threat hunting strategy in your organisation thanks to its capacity for continuous, automated and customisable monitoring of the internet, the deep web, the dark web and social networks in search of exposed vulnerabilities and open corporate breaches. Thanks to its self-developed AI, Kartos XTI is the only cyber intelligence platform that eliminates false positives in search results, thus ensuring the usefulness of the information provided to disable latent threats and vulnerabilities. In addition, Kartos by Enthec issues real-time alerts, sends constantly updated data and develops reports on its findings. Contact us to learn more about our Threat Intelligence solutions and licenses and how Kartos by Enthec can help your organisation implement an effective threat hunting strategy.