When it comes to threat detection, you need to understand that it is only a fraction of your security strategy—the part of your strategy that makes you confident (and a little complacent, even) with the knowledge that your security controls, detection mechanisms, and point solutions have given your organization an impenetrable defense against cyberattacks. The truth is that all organizations will experience some version of a breach, and they need to be prepared for the "when" of it rather than the "if."

Threat hunting is something I'd like to describe as a pessimistic approach to network security. Yes, you have your EDR, or even a fancy XDR, tuned and ready to detect any threat that is trying to penetrate your network, but no matter how airtight you think your security is, chances are that some threat actor has managed to slip past these defenses and is silently lurking in your network. This is where taking a pessimistic and suspicious approach helps. You work by already assuming that the hacker has breached your network and then you investigate if there are any indicators that this might have happened. This is what threat hunting is all about and why it improves your overall security posture.

How does threat hunting work?

Threat hunting, the more proactive sibling of threat detection, is driven by human analysts (supported by some automation) who constantly assume that the existing defenses have already been breached and who work not only from analytics and indicators of compromise (IOCs) or indicators of attack (IOAs) but also from hypotheses.

While relying on IOCs is no doubt effective for the most part, we still operate on the assumption that IOCs and IOAs are visible, relatively easy to spot with current detection mechanisms, quantifiable in terms of how harmful they are, and static (a dangerous assumption to make). While attack patterns do have some elements we can trace with signature-based detections and correlation mechanisms, attackers' defense evasion tactics are getting highly creative.

So threat hunters don't wait for the detection tools to point out a threat, but look for threats that have successfully gotten past the initial exploitation phase. The goal of this is to purge the network of the malicious entity before the "persistence" phase of the attack.

The cornerstones of threat hunting

Analytics-oriented style of hunting: Behavioral analytics has made its mark on the security domain by offering SOC teams creative ways of spotting anomalous user behavior that might pose a threat. The leads from these anomalies allow threat hunting teams to sniff out any threat actor who might stealthily be trying to gain a foothold in the network.

IOC-driven style of hunting: This form of threat hunting works in conjunction with threat detection tools that use known IOCs to look for similar IOCs or IOAs in the network.

Hypothesis-based style of hunting: A human-driven style of hunting whose explicit goal is to cleanse the network of threats that managed to get past detection mechanisms. The first step of a hypothesis-driven threat hunt is to assume that the malicious entity has evaded detection and is already within your network.

  • Assessing a hypothesized threat: Based on a threat intel feed, threat hunters identify potential threats that could target the organization's network. The MITRE ATT&CK® framework can be used to study attack patterns and add background to known threats so security teams can understand the attacker's MO.
  • Threat hunting supplemented by attack simulation: While threat hunting depends heavily on analyst brainwork, it can definitely use some automation in the form of threat simulations. Based on the hypothesized threat's TTPs, non-malicious threat simulations are run against the existing security policies and controls to see if they hold up against these threats. These simulation-based assessments allow security teams to identify gaps in the network's defenses that need to be closed. Based on these assessments, threat hunters can also look for related IOCs that might already be in the network.
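The three hunting styles above (analytics-oriented, IOC-driven, and hypothesis-driven) can be seen side by side in a single small hunt. The Python script below is an added example, not code from this article or from the vendor. It runs over constructed proxy-log lines: the IOC-driven pass matches destinations against a constructed threat-intel feed, the analytics-oriented pass flags requests that deviate from each user's own baseline (a destination the user never contacted before, or activity outside their usual hours), and the hypothesis-driven pass tests the hypothesis "an implant that already got past detection is beaconing to its command-and-control server on a fixed timer" by looking for near-constant intervals between requests from one host to one destination. Every log line, indicator, user baseline and threshold is constructed for the demonstration (the IPs come from the RFC 5737 documentation ranges), and naming ATT&CK T1071 as the technique behind the hypothesis is an assumption made for the demo, not something the article states.

```python
"""Added example (not from the original article): one offline threat-hunting
pass that exercises the IOC-driven, analytics-oriented and hypothesis-driven
styles over constructed proxy-log lines. All data below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import NamedTuple

class Event(NamedTuple):
    ts: datetime
    user: str
    src_host: str
    dst_ip: str
    dst_host: str

# Constructed log format: "<ISO timestamp> <user> <src_host> <dst_ip> <dst_host>"
# Baseline window ("last week"): used only to learn what normal looks like per user.
BASELINE_LOG = """\
2021-05-24T09:15:02 alice ws-01 93.184.216.34 example.com
2021-05-24T17:40:19 alice ws-01 10.0.0.5 intranet.corp
2021-05-24T09:30:07 bob ws-04 10.0.0.5 intranet.corp
2021-05-24T17:12:31 bob ws-04 93.184.216.34 example.com
2021-05-25T08:55:12 carol ws-07 10.0.0.5 intranet.corp
2021-05-25T17:20:48 carol ws-07 93.184.216.34 example.com
"""
# Hunt window ("today"): contains one IOC hit and one beaconing host.
CURRENT_LOG = """\
2021-06-01T09:02:11 alice ws-01 93.184.216.34 example.com
2021-06-01T11:47:53 alice ws-01 10.0.0.5 intranet.corp
2021-06-01T13:20:05 bob ws-04 203.0.113.7 cdn-update.test
2021-06-01T14:01:30 bob ws-04 10.0.0.5 intranet.corp
2021-06-01T02:00:00 carol ws-07 198.51.100.23 198.51.100.23
2021-06-01T02:01:01 carol ws-07 198.51.100.23 198.51.100.23
2021-06-01T02:01:59 carol ws-07 198.51.100.23 198.51.100.23
2021-06-01T02:03:02 carol ws-07 198.51.100.23 198.51.100.23
2021-06-01T02:04:00 carol ws-07 198.51.100.23 198.51.100.23
2021-06-01T02:04:58 carol ws-07 198.51.100.23 198.51.100.23
2021-06-01T10:15:40 carol ws-07 93.184.216.34 example.com
"""
# Constructed threat-intel feed (documentation IP range, made-up hostname).
IOC_FEED = {"203.0.113.7", "cdn-update.test"}

def parse_log(text):
    """Parse the constructed space-separated log format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst_ip, dst_host = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, src, dst_ip, dst_host))
    return events

def ioc_hunt(events, iocs):
    """IOC-driven style: report events whose destination IP or host is in the feed."""
    return [(ev, {ev.dst_ip, ev.dst_host} & iocs)
            for ev in events if {ev.dst_ip, ev.dst_host} & iocs]

def build_profile(events):
    """Per-user baseline: destinations seen and the [earliest, latest] hour of activity."""
    profile = {}
    for ev in events:
        p = profile.setdefault(ev.user, {"dsts": set(), "hours": [23, 0]})
        p["dsts"].add(ev.dst_ip)
        p["hours"][0] = min(p["hours"][0], ev.ts.hour)
        p["hours"][1] = max(p["hours"][1], ev.ts.hour)
    return profile

def anomaly_hunt(events, profile):
    """Analytics-oriented style: flag deviations from the user's own baseline."""
    flagged = []
    for ev in events:
        p = profile.get(ev.user)
        if p is None:                      # user never seen in the baseline window
            flagged.append((ev, ("no-baseline",)))
            continue
        reasons = []
        if ev.dst_ip not in p["dsts"]:
            reasons.append("new-destination")
        if not p["hours"][0] <= ev.ts.hour <= p["hours"][1]:
            reasons.append("off-hours")
        if reasons:
            flagged.append((ev, tuple(reasons)))
    return flagged

def beacon_hunt(events, min_events=5, max_cv=0.1):
    """Hypothesis-driven style. Hypothesis (assumed technique: ATT&CK T1071): an
    implant is beaconing to its C2 on a fixed timer. Evidence: a (src_host, dst_ip)
    pair with many requests whose intervals barely vary (low coefficient of variation)."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev.src_host, ev.dst_ip)].append(ev.ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({"src_host": src, "dst_ip": dst, "events": len(stamps),
                             "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return findings

def run_hunt():
    """Run all three passes over the constructed logs and return the findings."""
    baseline, current = parse_log(BASELINE_LOG), parse_log(CURRENT_LOG)
    return {"ioc": ioc_hunt(current, IOC_FEED),
            "anomaly": anomaly_hunt(current, build_profile(baseline)),
            "beacon": beacon_hunt(current)}

if __name__ == "__main__":
    report = run_hunt()
    for ev, matched in report["ioc"]:
        print(f"IOC     {ev.ts} {ev.user}@{ev.src_host} -> {ev.dst_host}: {sorted(matched)}")
    for ev, reasons in report["anomaly"]:
        print(f"ANOMALY {ev.ts} {ev.user}@{ev.src_host} -> {ev.dst_ip}: {', '.join(reasons)}")
    for f in report["beacon"]:
        print(f"BEACON  {f['src_host']} -> {f['dst_ip']} x{f['events']} every ~{f['mean_interval_s']}s (cv={f['cv']})")
```

Run as-is and the IOC pass reports only bob's request to the feed entry, the anomaly pass flags that same request as a new destination plus all six of carol's off-hours requests to a never-seen address, and the beacon pass confirms the hypothesis for ws-07 (six requests roughly every 60 seconds). The overlap is the point: the beaconing host surfaces under the analytics pass as well, while the IOC hit would be missed by the other two if bob's destination had been in his baseline, which is why the article argues for combining the styles rather than relying on one.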

If by the end of this article you think threat detection isn't useful, you might need to think again. A coalition style of security that relies on threat detection and follows it up with threat hunting (especially a hypothesis-driven method) can enhance your overall security strategy.

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.