Threat hunting 101: How to hunt for potentially dangerous security threats

Threat hunting is the process of proactively searching the network to spot suspicious activities, risky events, and malware. It is important to know how to hunt for threats in your network in real time.

Who can perform threat hunting?

Threat hunting can be carried out in organizations that have a mature security program. It requires highly skilled analysts who understand their network behavior to spot threats that are not detected using SIEM tools. It would be a good addition to an organization's security operations center (SOC).

Prerequisites for threat hunting

• Data: Logs, NetFlow records, and other contextual information collected and stored centrally
• Tools: Tools with advanced search capabilities to sift through large quantities of information
• Skills: Trained professionals who are part of your SOC and understand your network, and who will proactively hunt for threats based on their hypotheses

Let's start hunting

What must you look for and where?

With all the prerequisites in place, you can proceed to look for suspicious activities and indicators of compromise (IOCs) in your network.

Identifying IOCs

• Endpoints and firewalls: If there is excessive outbound traffic to an unfamiliar domain, it could be a command-and-control attack. You can tweak the firewall policies to block traffic leaving your organization and further investigate the anomaly.
• Critical servers and databases: If the servers and databases are overwhelmed with requests, and data is being constantly sent out, this could indicate a data exfiltration attempt. You may have to determine if data is being accumulated at endpoints or being sent across your network to other domains. You must investigate the users sending the requests and closely track their activities to spot anomalies.
• User behavior: If there are multiple attempts to access a specific resource, or a user accesses a resource for the first time, you need to analyze these events by investigating the user to see if they have carried out any malicious or unauthorized activities in your network.

Spotting patterns in IOCs

After individually analyzing data from various parts of your network, you must look for patterns in the identified anomalies. A privileged user account accessing a resource for the first time, adding members to a security group, then creating copies of sensitive data is a chain of events that clearly depicts an attack. You can perform threat hunting by analyzing the events and confirming that all of them were carried out by the same user and are part of the same attack.

How do you find threats associated with the detected IOCs?

You can detect threats by searching and clustering the log data.

Searching the log data

Collecting and storing logs centrally can help you sift through them to identify threats. For instance, if a normal user account accesses a critical server and requests sensitive data, it's possible that an attacker modified the permissions associated with this account to escalate their privileges.

In such a case, you need to search your log data to identify the user's recent activities. If you find suspicious activities, such as multiple failed attempts to access the critical server, followed by a successful one, followed by a download of sensitive information, it is a clear indication of a threat actor lurking in your network.

Clustering the log data

Using AI and ML pattern detection to cluster log data into groups with similarities in data points will allow threat hunters to identify outliers in each group. The outliers will depict unusual activities carried out by an attacker and it will become easier to identify threats.

You can further investigate the threats and conduct forensic analysis to mitigate the attacks.

A SIEM solution powered by user and entity behavior analytics can help you identify behavioral anomalies from users and systems as it alerts you in real time via SMS and email about suspicious activities. If you'd like to try out ManageEngine's SIEM solution, you can download the free, 30-day trial of Log360.