What is Threat Hunting?
Threat hunting is the practice by which an organization’s security operations center (SOC) proactively searches for cyber threats lurking undetected in the organization’s network. Also known as cyberthreat hunting, it is a SOC process that proactively searches an enterprise’s environment for malicious actors and for previously unknown or ongoing, non-remediated threats that may have slipped past its initial endpoint security defenses.
What are the benefits of Threat Hunting?
- Effective threat hunting reduces the time an attacker spends in an organization’s network (i.e., weeks, or even months) and the amount of damage done by the attacker.
- Threat hunters may use network detection and response (NDR) tools with artificial intelligence (AI) and/or machine learning (ML) to correlate multiple actions and recognize various indicators of compromise (IOCs). Hunters can receive automated alerts that are risk-scored and labeled with MITRE ATT&CK techniques for easy categorization of suspicious activity.
- Threat hunters comb through security data in search of hidden malware or attackers. They look for patterns of suspicious activity that automated tooling might have missed, or judged resolved when it was not. They also help patch an enterprise’s security systems to prevent that type of cyberattack from recurring.
What is an example of a threat hunting exercise?
One example is an unstructured hunt. It is initiated by a trigger, typically one of many indicators of compromise, which often leads a hunter to look for pre- and post-detection patterns. For example, a hunter observes a user accessing a domain that is not commonly used on the network. Guided by that trigger, the hunter can research as far back as data retention and previously associated offenses allow.
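The unstructured hunt just described, as an added example that is not part of the original page: Python over a constructed proxy log, where the trigger is a rarely used destination domain and the pivot collects the same user's activity before and after it. The rarity thresholds and the 24-hour window are assumptions, standing in for the lookback that data retention allows.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample web-proxy log: (timestamp, user, destination domain).
# The ".test" domains are reserved placeholders, not real indicators.
LOG = [
    ("2024-03-01T08:00:00", "alice", "mail.example"),
    ("2024-03-01T08:05:00", "bob",   "mail.example"),
    ("2024-03-01T09:10:00", "alice", "wiki.example"),
    ("2024-03-01T09:15:00", "bob",   "wiki.example"),
    ("2024-03-01T13:30:00", "alice", "files.example"),
    ("2024-03-01T14:00:00", "alice", "x7q2.update-cdn.test"),  # the trigger
    ("2024-03-01T14:20:00", "alice", "paste.test"),
    ("2024-03-02T09:00:00", "bob",   "files.example"),
    ("2024-03-02T16:00:00", "alice", "mail.example"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def rare_domains(log, max_hits=2, max_users=1):
    """Trigger selection: domains seen rarely and by few users (thresholds are assumed)."""
    hits = Counter(d for _, _, d in log)
    users = defaultdict(set)
    for _, u, d in log:
        users[d].add(u)
    return sorted(d for d in hits if hits[d] <= max_hits and len(users[d]) <= max_users)

def timeline(log, user, trigger, window_hours=24):
    """Pre-/post-detection context: the same user's other destinations around the
    trigger, in time order. window_hours stands in for the retention-bounded lookback."""
    w = timedelta(hours=window_hours)
    before = [d for ts, u, d in log if u == user and trigger - w <= parse(ts) < trigger]
    after = [d for ts, u, d in log if u == user and trigger < parse(ts) <= trigger + w]
    return before, after

def hunt(log, window_hours=24):
    """Unstructured hunt: pivot from each rare-domain trigger to the user's surrounding activity."""
    findings = []
    for domain in rare_domains(log):
        for ts, user, d in log:
            if d != domain:
                continue
            before, after = timeline(log, user, parse(ts), window_hours)
            findings.append({"user": user, "domain": domain, "time": ts,
                             "before": before, "after": after})
    return findings

if __name__ == "__main__":
    for f in hunt(LOG): print(f["time"], f["user"], "->", f["domain"], f["before"], f["after"])
```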