Cyber Threat Hunting — What Is It, Really?

The Methodologies of Successful Cyber Threat Hunting

Cyber threat hunting has largely evolved into two streams:

  • Hypothesis-driven — Typically, those practicing cyber threat hunting build a semi-scientific hypothesis that can involve new or emerging threats and their observed tactics, techniques, and procedures (TTPs). Unlike data-driven hunting, hypothesis-driven hunting is trigger-based, meaning that hunters can deploy hunting content and review the results after a specific period. This makes hypothesis-driven hunting far more efficient than data-driven hunting.

The Role of Cyber Threat Hunting in a Modern SOC

One of the most common questions asked about cyber threat hunting is the role it plays in a SOC. While new and maturing hunt teams may see cyber threat hunting purely as a means of previously unidentified threat detection, the reality is that as organizations mature, they can realize significant ROI from cyber threat hunting in a variety of ways, specifically:

  • Threat Detection Content
  • Blind Spot Identification
  • Investigative Process Building

Threat Detection Content

The first, and most significant, way that organizations recognize ROI from cyber threat hunting is the role that threat hunters play in the generation of new threat detection content. Threat hunters are often at the front lines of threat detection. This is because, by the very nature of hunting, they are looking for threats that have bypassed existing controls. When hunters identify a previously unknown threat, or a threat that was able to bypass existing defenses, they should be developing “content” that can be deployed in SIEM, EDR, NDR, and XDR platforms that ensure, in the future, that the threat can be more easily handled by traditional security resources.
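The hunt-to-content step described above, as an added example that is not code from the original post or from Cyborg Security: a hypothesis (here, Office applications spawning a command shell; the events, field names and the Sigma-style rule shape are assumptions chosen for illustration) is first run as a hunt over sample process-creation events, then packaged as detection content, and finally validated by checking that the content reproduces the hunt's findings before it is handed to the SOC.

```python
"""Turn a hunt hypothesis into reusable detection content and validate it.

Added example; not code from the original post or from Cyborg Security. The
event schema, the hunt hypothesis and the rule format are assumptions.
"""

# Constructed sample of process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "winword.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c ipconfig"},
    {"host": "ws-02", "parent": "EXCEL.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"host": "ws-03", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"host": "srv-01", "parent": "winword.exe", "image": "splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
]

# Hypothesis: Office applications should not be spawning command interpreters.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# Maps the rule's field names to the keys used in our sample events (assumption).
FIELD_MAP = {"ParentImage": "parent", "Image": "image"}


def hunt_office_spawning_shell(events):
    """Hunt pass: return every event matching the hypothesis, with full context."""
    return [e for e in events
            if e["parent"].lower() in OFFICE_PARENTS
            and e["image"].lower() in SHELL_IMAGES]


def promote_to_rule(parents, images):
    """Package the hunt's logic as Sigma-style detection content (simplified)."""
    return {
        "title": "Office application spawning a command shell",
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {
            "selection": {"ParentImage|endswith": sorted(parents),
                          "Image|endswith": sorted(images)},
            "condition": "selection",
        },
        "level": "high",
    }


def evaluate_rule(rule, events):
    """Minimal evaluator for the rule shape above: one selection, |endswith
    modifiers only, values OR'd within a field and AND'd across fields."""
    selection = rule["detection"]["selection"]
    hits = []
    for event in events:
        matched = True
        for key, allowed in selection.items():
            field_name, _, modifier = key.partition("|")
            if modifier != "endswith":
                raise ValueError(f"unsupported modifier: {modifier}")
            value = event[FIELD_MAP[field_name]].lower()
            if not any(value.endswith(a.lower()) for a in allowed):
                matched = False
                break
        if matched:
            hits.append(event)
    return hits


def validate_rule(rule, events):
    """Regression check: the promoted content must reproduce the hunt's findings
    exactly, so nothing is lost (or over-matched) when it goes to the SOC."""
    expected = {(e["host"], e["cmdline"]) for e in hunt_office_spawning_shell(events)}
    actual = {(e["host"], e["cmdline"]) for e in evaluate_rule(rule, events)}
    return expected == actual


if __name__ == "__main__":
    rule = promote_to_rule(OFFICE_PARENTS, SHELL_IMAGES)
    for hit in hunt_office_spawning_shell(SAMPLE_EVENTS):
        print("hunt hit:", hit["host"], hit["cmdline"])
    print("content reproduces hunt findings:", validate_rule(rule, SAMPLE_EVENTS))
```

The validation step is the part teams most often skip: a rule that is translated into the SIEM's query language by hand can silently drift from the hunt logic (a missing case-insensitive match is the classic failure, which is why the sample deliberately mixes `EXCEL.EXE` with lowercase names).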

Blind Spot Identification

As a by-product of the activity, research, and preparation for cyber threat hunting, one thing that hunters can be invaluable for is blind spot identification. This type of identification often occurs leading up to complex threat hunts as hunters determine what data sources will support their upcoming hunts. During this process, it is not uncommon for hunters to notice that their existing logging may be incomplete or misconfigured, or that their security controls don’t have the ability to collect the required data. This information can be invaluable for security engineers and organizations that often only discover this kind of issue during a crisis.
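The pre-hunt data-source check described above, as an added example that is not code from the original post or from Cyborg Security: given the sources a planned hunt needs per platform, an asset inventory, and the SIEM's last-seen timestamp per host and source (all constructed values here; the inventory format and the 24-hour staleness window are assumptions), it separates hosts whose logging is broken or stale from sources that no control collects at all, which is the distinction a security engineer needs to act on.

```python
"""Pre-hunt data-source coverage check (blind spot identification).

Added example, not code from the original post or from Cyborg Security. The
inventory format, the host list and the lookback window are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed: the sources the upcoming hunt needs, per platform.
REQUIRED_SOURCES = {
    "windows": {"process_creation", "dns_query"},
    "linux": {"process_creation", "auth"},
}

# Constructed asset inventory: hostname -> platform.
HOSTS = {"ws-01": "windows", "ws-02": "windows",
         "srv-01": "linux", "srv-02": "linux"}

# Constructed log-source inventory: (host, source) -> last event seen by the
# SIEM. A missing key means no event from that host/source was ever seen.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
LAST_SEEN = {
    ("ws-01", "process_creation"): NOW - timedelta(minutes=5),
    ("ws-01", "dns_query"): NOW - timedelta(minutes=2),
    ("ws-02", "process_creation"): NOW - timedelta(days=3),  # stale: broken agent?
    ("srv-01", "process_creation"): NOW - timedelta(minutes=1),
    ("srv-02", "process_creation"): NOW - timedelta(minutes=1),
    # ws-02 dns_query and both Linux hosts' auth logs: never seen.
}


def find_coverage_gaps(required, hosts, last_seen, now,
                       max_age=timedelta(hours=24)):
    """Return {host: {source: "missing" | "stale"}} for every required source
    that is absent or older than max_age. An empty dict means full coverage."""
    gaps = {}
    for host, platform in hosts.items():
        for source in sorted(required.get(platform, ())):
            ts = last_seen.get((host, source))
            if ts is None:
                gaps.setdefault(host, {})[source] = "missing"
            elif now - ts > max_age:
                gaps.setdefault(host, {})[source] = "stale"
    return gaps


def sources_with_no_coverage(required, last_seen):
    """Required sources that no host at all is sending. These usually mean a
    control cannot collect the data, not a single misconfigured agent."""
    needed = set().union(*required.values())
    seen = {source for (_, source) in last_seen}
    return sorted(needed - seen)


def coverage_ratio(required, hosts, gaps):
    """Fraction of required (host, source) pairs that are currently covered."""
    total = sum(len(required.get(platform, ())) for platform in hosts.values())
    uncovered = sum(len(g) for g in gaps.values())
    return 1 - uncovered / total if total else 1.0


if __name__ == "__main__":
    gaps = find_coverage_gaps(REQUIRED_SOURCES, HOSTS, LAST_SEEN, NOW)
    for host, problems in gaps.items():
        print(host, problems)
    print("never collected anywhere:", sources_with_no_coverage(REQUIRED_SOURCES, LAST_SEEN))
    print(f"coverage for this hunt: {coverage_ratio(REQUIRED_SOURCES, HOSTS, gaps):.0%}")
```

Run before the hunt rather than after: a hunt that returns no hits against 50% coverage is not evidence of absence, and the report above is exactly the kind of finding the text says security engineers otherwise only discover during a crisis.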

Investigative Process Building

Like threat detection content creation, threat hunters are uniquely positioned to help SOCs mature their security investigative and incident response processes. This is because cyber threat hunters are often intimately familiar with malware and adversary TTPs, and if this knowledge can be documented and built into dedicated processes for threats, security teams will close the gap on both investigation and remediation.

Managed Cyber Threat Hunting? Or In-House?

Another very common question organizations face is whether to build cyber threat hunting in-house, or to turn to one of the many managed detection and response (MDR) providers or managed security service providers (MSSPs). The answer to this question entirely depends on the organization.

Where to Get Started Threat Hunting?

The next question managed providers and organizations alike will typically ask when they are building out a threat hunting practice is “where do we get started?”

Threat Hunting Content Platforms

This is a common question because, for large organizations or service providers, starting this type of process can seem daunting. One of the best resources these organizations can have is a threat hunting content platform. These are affordable platforms that provide hunt teams with hundreds of pre-built, updated, validated, and documented hunts. This allows hunt teams to reduce the time they need to dedicate to pre-hunt activities such as research and documentation, saves engineering effort to test and deploy the hunts, and results in hunt teams that can get hunting faster and more reliably.

Conclusion

Cyber threat hunting enables organizations to more effectively protect their environment through proactive detection of undetected threats. While establishing a cyber threat hunting program can seem challenging, the reality is that it is well within the reach of most security teams.

Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.