According to the IBM Security Report -Cost of a Data Breach Report- “in 2021 it took an average of 212 days to identify a breach and an average 75 days to contain a breach, for a total lifecycle of 287 days. If a breach occurred on January 1st and it took 287 days to identify and contain, the breach would not be contained until October 14th”.
Usually, most companies make big efforts to enforce their boundaries -which is excellent-, but it is also necessary to work on the detection of an attacker who might already be behind your barriers.
Threat Hunting assumes that you have already breached and that the enemy is inside of your organization or corporate network and focuses on how to fight against them in order to get rid of them as soon as possible.
Threat hunting is a proactive and iterative process aimed to detect and isolate different threats with the capability of avoiding our existent defense systems. These defense systems mostly work in a reactive way; they work during or after something has happened. A Threat Hunting system approach, on the contrary, is to prevent something from happening and it might ingest the SIEM information in order to learn and create new hypotheses anticipating new potential attacks. This is not an incident response system but prevention.
This technique is performed by using manually or tool supported techniques. It is iterative because it is cyclic, assuming the attacker is inside the network, makes hypotheses and tries to prove if it is real or not.
The most important benefit we have is that in this way we work to reduce the time an attacker stays in the network. We put in place perimeter defenses systems and implement defense-in-depth schemes to prevent attackers from compromising our assets. Additionally, we perform Threat Hunting to detect and minimize the attacker's dwell time in case they were able to overcome our defenses.
Threat Hunting Models
There are various types of Threat Hunting models and using one or another will primarily depend on the organization maturity to implement it. We will mention the most common.
Unstructured threat hunting is based on internal data and logs which are reviewed by analysts using various techniques and tools in search of anomalies in the recorded data. While it is a valid way to Threat Hunt, it is not the most proactive way. In many cases it ends up depending on how lucky the analyst is, since usually the most common and general tactics do not reach this point to be detected in a Threat Hunting.
Unlike unstructured hunting, structured hunting bases each hunt on a specific hypothesis about the possible attackers and the techniques they might perform, hypotheses that will then be confirmed or refuted.
Broadly speaking, the hypotheses are elaborated using Threat Intelligence and potential threats or attackers are established that could affect the organization in some way. Based on this, a priority order is assigned, and the hypothesis test is started.
This type of Threat Hunting determines high-value assets and creates attack hypotheses around them. It could include anything from a single device or application to a wide range of assets, such as servers, applications, network resources, and so on. This addresses two fronts: the first, which works on the early prevention of attacks on high-risk assets; second, that an attacker will go for those high-risk assets and that will be the focus of the hypothesis.
This addresses two fronts: the first, which works on the early prevention of attacks on high-risk assets; second, that an attacker will go for those high-risk assets and that will be the focus of the hypothesis.
As we can see through this article, it is not enough just to put defense systems at our perimeters. We need to think about what could happen if an attacker breaks in, and we need to work on reducing the average detection time. Threat Hunting pursues that goal, as part of a "whole" called security.