Cyber Threat Hunting Explained


What is cyber threat hunting?

Cyber threat hunting is the proactive complement to cyber threat detection. In general, cybersecurity strategies focused on threat detection attempt to identify an incoming or ongoing attack and then prevent or quickly remediate it. However, this approach has its issues as it assumes that all attacks can be detected and mitigated before any damage is done.

Typical activities involve proactively searching for unknown vulnerabilities and undetected attacks within an organization’s environment. Based on cyber threat intelligence, known attack techniques, and other information, threat hunters develop and test hypotheses about potential threats by collecting and analyzing data from various sources inside and outside of the organization.

Threat hunting is designed to allow an organization to detect and respond to potential threats that it does not know exist and has not detected via other means. This provides the organization with more comprehensive protection against cyber threats and the ability to detect and mitigate attacks and security gaps that its existing security architecture has missed.

5-Step threat hunting framework

A threat hunting program should be designed to maximize the efficiency of the threat hunt and the value of the exercise to the organization. Accomplishing this requires using a threat hunting framework, such as this five-step process.

Step 1: Hypothesis

Without a known attack or a particular threat to investigate, threat hunters need a starting point for their investigations. Threat hunting begins with a hypothesis about a potential risk to an organization. This could be a potential vulnerability in the company’s systems or the tactics, techniques, and procedures (TTPs) of a known threat actor. Based on this hypothesis, the threat hunter can then develop a strategy for identifying whether the suspected threat is present on the company’s systems.

Step 2: Collect and process intelligence and data

Identifying potential threats on an organization’s systems requires access to high-quality data and threat intelligence. Based on knowledge of the potential threat, security teams can identify data sources that could help prove or disprove the hypothesis and a strategy for collecting and analyzing that data. With a plan in place, the threat hunter will collect and process the data required to prove or disprove their hypothesis. Collecting and analyzing data from internal and external sources often requires specialized tools, such as security information and event management (SIEM) and dark web monitoring solutions.

Step 3: Trigger

After collecting and analyzing the required data, the threat hunter should be able to determine whether or not the hypothesis is correct. After proving the existence of the threat, the hunter is ‘triggered’ to perform an in-depth investigation to determine the scope and details of the incident required for remediation.

Step 4: Investigation

The next step is to simulate an attack and perform an in-depth investigation into the potential incident. By identifying infected systems and determining details about how the attack was performed and its impact, the threat hunter can determine what remediation steps are necessary.

Step 5: Resolution

By the end of their investigation, the threat hunter should have a complete picture of how the attack was carried out, its objectives, and the impacts on the organization and its system. This information should inform the actions that the organization takes to remediate the incident. After infected systems have been remediated and restored to normal operation, the entire process should start over again looking for new threats to the organization.

What threat are you hunting for?

Threat hunters can focus their search on the following:

  • Indicators of Compromise (IOCs): IOCs are data regarding a past security incident. This includes log files, forensic data, and similar information.
  • Indicators of Attack (IOAs): IOAs are information about an ongoing attack. These are similar to IOCs but require real-time or near real-time access.
  • Network Artifacts: Monitoring network traffic can help detect cyberattacks by looking for malware command and control (C2) traffic, attempted exploits of vulnerabilities, etc.
  • Host Artifacts: Malware infections and other cybersecurity incidents can create artifacts on endpoints such as files, processes, registry entries, and more.
  • Adversaries: Based on knowledge of threat actors’ motivations and TTPs, threat hunters can look for signs of their presence within an organization’s environment.
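The difference between the IOC and IOA categories above, shown over constructed host and network artifacts (an added example, not code from the article or Bitsight). IOC matching compares exact values from a past incident; the two IOA checks look for behaviour, an Office application launching a script host and near-constant connection intervals to one destination, which can flag an attack whose hashes and domains have never been seen before. Every hash, host name and domain is a constructed placeholder, and the beaconing thresholds are assumptions.

```python
"""IOC matching versus IOA (behavioural) matching over constructed host and
network telemetry. Added example, not the article's code; every hash, host
name and domain below is a constructed placeholder."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Constructed IOC set from a past incident (placeholder values, not real indicators).
IOC_SHA256 = {"0000aaaa" * 8}
IOC_DOMAINS = {"bad-c2.example.test"}

# Behavioural definitions used for the IOA checks.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed host artifacts: process creation with parent/child and file hash.
HOST_LOG = """\
2024-05-04T09:00:01Z ws01 proc parent=explorer.exe child=winword.exe sha256={a}
2024-05-04T09:00:05Z ws01 proc parent=winword.exe child=powershell.exe sha256={b}
2024-05-04T09:01:00Z ws02 proc parent=explorer.exe child=notepad.exe sha256={c}
2024-05-04T09:02:00Z ws02 proc parent=services.exe child=svc-updater.exe sha256={ioc}
""".format(a="1111bbbb" * 8, b="2222cccc" * 8, c="3333dddd" * 8, ioc="0000aaaa" * 8)

# Constructed network artifacts: outbound connections per host.
NET_LOG = """\
2024-05-04T09:00:10Z ws01 net dst=update.example-cdn.test
2024-05-04T09:01:10Z ws01 net dst=update.example-cdn.test
2024-05-04T09:02:10Z ws01 net dst=update.example-cdn.test
2024-05-04T09:03:10Z ws01 net dst=update.example-cdn.test
2024-05-04T09:00:30Z ws02 net dst=mail.example.test
2024-05-04T09:45:00Z ws02 net dst=mail.example.test
2024-05-04T09:02:30Z ws03 net dst=bad-c2.example.test
"""


def parse_events(text: str) -> list[dict]:
    """Parse 'timestamp host kind key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, *kv = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host, "kind": kind}
        ev.update(dict(item.split("=", 1) for item in kv))
        events.append(ev)
    return events


def match_iocs(events: list[dict]) -> list[tuple]:
    """IOC hunt: exact matches against known-bad values from past incidents."""
    hits = []
    for e in events:
        if e["kind"] == "proc" and e["sha256"] in IOC_SHA256:
            hits.append((e["host"], "sha256", e["sha256"]))
        if e["kind"] == "net" and e["dst"] in IOC_DOMAINS:
            hits.append((e["host"], "domain", e["dst"]))
    return hits


def detect_office_spawn(events: list[dict]) -> list[tuple]:
    """IOA: an Office application launching a script host, a common
    macro-delivery behaviour, regardless of which file or hash is involved."""
    return [(e["host"], "office app spawned script host", f"{e['parent']} -> {e['child']}")
            for e in events
            if e["kind"] == "proc" and e["parent"] in OFFICE_APPS and e["child"] in SCRIPT_HOSTS]


def detect_beaconing(events: list[dict], min_count: int = 4, max_jitter: float = 0.2) -> list[tuple]:
    """IOA: near-constant connection intervals from one host to one destination,
    the shape of C2 check-ins, even when the destination is not a known IOC.
    Thresholds (at least min_count connections, interval deviation within
    max_jitter of the mean) are assumptions for this example."""
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "net":
            by_pair[(e["host"], e["dst"])].append(e["ts"])
    hits = []
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter:
            hits.append((host, "periodic beaconing", f"{dst} every {mean:.0f}s"))
    return hits


def hunt_indicators(host_log: str = HOST_LOG, net_log: str = NET_LOG) -> dict:
    """Run the IOC and IOA checks and return both result sets."""
    events = parse_events(host_log) + parse_events(net_log)
    return {"ioc": match_iocs(events), "ioa": detect_office_spawn(events) + detect_beaconing(events)}
```

Note what each check misses: the IOC pass says nothing about ws01, whose activity involves no known-bad value, while the IOA pass flags ws01 twice and ignores ws02 and ws03 entirely. That complementarity is why the article lists both categories as hunt targets.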

Threat hunting methodologies

Threat hunters looking to perform manual or automated activities need to start by selecting a target for the hunt. Several threat hunting methodologies exist for selecting the initial hypothesis to be proved or disproved by the hunt, including the following:

Adversary hunting

Adversary hunting involves searching for indications that a particular threat exists on an organization’s systems. Various organized crime groups and advanced persistent threats (APTs) are known to target organizations in different industries, geographic areas, etc. Based on this information and an organization’s threat intelligence, a threat hunter can determine which threat groups pose the greatest risk to an organization. Security teams can then look for signs of that particular actor’s presence on corporate systems.

Different threat actors have known TTPs that they use across different attack campaigns. For example, a particular APT may be known for exploiting VPN vulnerabilities, so a threat hunt may be focused on identifying if VPNs are vulnerable or if unusual activity has been detected on VPN endpoints.

Threat hunters can develop a hypothesis that a particular threat actor is using one of their known TTPs within an enterprise environment. After performing this hunt, the exercise can be repeated for other known TTPs for the threat actor or for other potential threats.

Hypothesis-based hunting

All threat hunting is based on developing a hypothesis and testing it. This focuses on using certain methods to create these hypotheses, including:

  • Data Analytics: Machine learning (ML) algorithms can analyze large volumes of security data and extract trends and anomalies from them.
  • Threat Intelligence: Companies can collect threat intelligence from a variety of internal and external sources such as malware analysis, dark web monitoring, and vulnerability scans.
  • Risk Assessment: A corporate risk management program should identify an organization’s most valuable assets and the greatest threats to them.

Investigation using indicators of attack

Various types of security incidents can be detected in various ways. Some resources, such as MITRE’s ATT&CK framework, provide in-depth information about the ways that an attacker can achieve a particular objective and how these techniques can be detected and mitigated. Tools like MITRE ATT&CK can be used as a framework for developing a threat hunting strategy. By searching for the different indicators of attack and compromise outlined within the ATT&CK framework, threat hunters can determine if their organization has been targeted by attackers using these techniques. This form of threat hunting is one of the most proactive because it allows threat hunters to systematically investigate potential attack vectors. Ideally, this helps to improve detection and prevention capabilities and might allow the organization to detect and terminate attacks using these techniques in the future.

Hybrid hunting

Adversary, hypothesis-based, and IOA-based threat hunting use varying methods to define a hypothesis to test. All three of these are valid means of developing a basis for a valuable threat hunt. However, these three methods for selecting and triaging different hunt targets are not mutually exclusive. Hybrid hunting involves combining several threat hunting methodologies to maximize the value and impact of the threat hunt.

Why is threat hunting important?

Most organizations have a detection-focused security strategy; however, this is a reactive approach to managing cyber risk. Threat hunting is a proactive activity that complements threat detection and that enables security teams to accomplish critical goals, including:

  • Detecting Intrusions: Proactive threat hunting is invaluable because it enables organizations to identify threats that were performed without being caught by existing defenses. By looking for undetected intrusions, a threat hunter can identify and remediate security incidents that place the company at risk.
  • Identifying Vulnerabilities: Vulnerability management is a challenge for any organization due to the complexity of corporate IT environments and the sheer number of vulnerabilities detected in production software. Threat hunting can help with detecting and remediating previously unknown vulnerabilities within an organization’s systems.
  • Quantifying Risks: Risk management lies at the core of cybersecurity, and an effective risk management program requires good data on the effectiveness of the organization’s cyber defenses. Threat hunting can help to inform risk analysis by determining the company’s vulnerability to various cyber threats.
  • Improving Defenses: No cybersecurity is perfect, and a company may not be collecting or analyzing the data required to detect various cyber threats. Threat hunting can help to identify detection gaps and develop strategies for building visibility into additional cyber threats.
  • Streamlining Threat Detection: Most security teams are overwhelmed with data, and data overload can slow threat detection and response. Threat hunters may identify more efficient ways to collect and analyze data to detect various threats, enabling them to streamline threat detection and eliminate the collection of unnecessary data.

By collecting and analyzing data from various sources, threat hunters can identify critical visibility gaps and uncover unknown threats within corporate environments.

Threat hunting best practices

Threat hunting can be a valuable tool for corporate cybersecurity but is only effective if the threat hunting program is designed and implemented properly. Some best practices include:

Define a dedicated threat hunting team

Security teams have several responsibilities. Standalone teams are responsible for securing the infrastructure, investigating alerts, and other activities. If the security and IT teams are the same team, then even more responsibilities are assigned to them. Threat hunting may seem less important because it focuses on hypotheticals rather than responding to known threats to the organization. However, these proactive investigations are vital to detecting more sophisticated and unknown threats. Defining a dedicated role or a minimum number of hours to spend each week is essential to ensuring that threat hunting is actually performed.

Develop the right skill sets

Threat hunting requires different skill sets. Threat hunters need to know how to develop and test hypotheses about potential threats to the organization. They also need in-depth knowledge and experience with the various platforms within an organization’s environment to perform these tests. The effectiveness of a threat hunting team depends heavily on the expertise available to it. Whenever possible, take steps to attract or train employees with the necessary skill sets to perform in-depth investigations of the corporate environment.

Acquire specialized hunting tools

Efficient and effective threat hunting requires the ability to rapidly prove or disprove hypotheses about threats to the organization. This involves the ability to quickly gather and analyze data from a variety of sources both inside and outside of the organization.

While threat hunters can collect this information manually, it is time-consuming and requires significant knowledge and expertise. Investing in certain security solutions – such as a SIEM and dark web monitoring solution – can help to dramatically expedite the process.

Prioritize based on risk

There are always more potential hypotheses to test than an organization has time and resources to investigate. When planning investigations, it is important to prioritize them based on the potential risk to the organization. Different risks have different levels of probability and potential impact on the organization. Focusing on probable and high-risk threats helps to maximize the benefit of the threat hunt to the organization.
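A hunt backlog planned the way this section and the earlier ATT&CK-based section describe (an added example, not code from the article, Bitsight or MITRE): each hypothesis is tagged with the ATT&CK technique it tests and the telemetry it needs, hunts are ordered by likelihood times impact and fitted into an analyst-hour budget, and hypotheses the available telemetry cannot test are reported as visibility gaps, the detection gaps the "Improving Defenses" bullet refers to. The technique IDs are real ATT&CK identifiers; the hypotheses, scores, hour estimates and the inventory of available telemetry are constructed assumptions.

```python
"""Hunt planning with ATT&CK-mapped hypotheses, risk-based prioritisation and
visibility-gap detection. Added example, not the article's or MITRE's code.
Technique IDs are real ATT&CK identifiers; likelihood/impact scores, hour
estimates and the list of available telemetry are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Hunt:
    technique: str          # ATT&CK technique ID the hypothesis tests
    hypothesis: str
    data_sources: set       # telemetry the hunt needs to prove or disprove itself
    likelihood: int         # 1 (rare) .. 5 (expected), from threat intelligence
    impact: int             # 1 (minor) .. 5 (severe), from the risk assessment
    hours: int              # estimated analyst effort

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


# Constructed backlog of hypotheses (scores and hours are assumptions).
BACKLOG = [
    Hunt("T1078", "Valid accounts abused over VPN from unusual locations", {"vpn_auth"}, 4, 4, 4),
    Hunt("T1059.001", "Office documents spawning PowerShell", {"process_creation"}, 3, 4, 6),
    Hunt("T1071.001", "Web-protocol C2 beaconing to unresolved domains", {"netflow", "dns"}, 3, 5, 5),
    Hunt("T1486", "Mass file encryption preceding a ransom note", {"file_events"}, 2, 5, 4),
    Hunt("T1567", "Exfiltration to cloud storage services", {"proxy"}, 2, 3, 3),
]

# Constructed inventory of telemetry the SIEM actually receives.
AVAILABLE_SOURCES = {"vpn_auth", "process_creation", "netflow", "proxy"}


def plan_hunts(backlog: list, available: set, hours_budget: int) -> dict:
    """Split the backlog into a risk-ordered schedule that fits the budget,
    the testable hunts that did not fit, and the visibility gaps to close first."""
    # A hunt is testable only if every data source it needs is collected.
    testable = sorted((h for h in backlog if h.data_sources <= available),
                      key=lambda h: (-h.risk, h.hours))
    gaps = [(h.technique, sorted(h.data_sources - available))
            for h in backlog if not h.data_sources <= available]
    scheduled, deferred, remaining = [], [], hours_budget
    for h in testable:
        if h.hours <= remaining:
            scheduled.append(h.technique)
            remaining -= h.hours
        else:
            deferred.append(h.technique)
    return {"scheduled": scheduled, "deferred": deferred, "gaps": gaps, "hours_left": remaining}


if __name__ == "__main__":
    for key, value in plan_hunts(BACKLOG, AVAILABLE_SOURCES, hours_budget=8).items():
        print(f"{key}: {value}")
```

With an eight-hour budget the highest-risk testable hunt runs first, the second-ranked one is deferred because it no longer fits, and the two gap entries are the more useful output: the beaconing hypothesis cannot be tested without DNS telemetry and the ransomware one without file events, so closing those gaps raises the value of every future hunt.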

Automate when possible

The vast amount of data that threat hunters need to collect, aggregate, and process makes automation an invaluable tool. They can use an assortment of specialized threat hunting platforms and tools to expedite and streamline the process. In addition to data collection, automation can also help with developing hypotheses and focusing the attention of threat hunters. For example, the use of artificial intelligence (AI) and user and entity behavior analytics (UEBA) can help with identifying abnormal events that deserve investigation.

Which tools can help?

An effective threat hunting team requires access to the right tools. Threat hunters need to be able to search through large amounts of data to identify trends and determine whether or not certain events have occurred. In many cases, the sheer volume of data involved makes doing so manually infeasible or impossible.

Teams can use a variety of different tools as part of their duties. However, three of the most important types of threat hunting platforms include:

  • Security Monitoring Tools: Threat hunters need security data to investigate and evaluate their hypotheses. Security monitoring tools like firewalls, antivirus, and similar solutions generate and collect this data.
  • SIEM Solutions: Collecting and aggregating data across an organization’s entire security infrastructure can be overwhelming and unscalable. SIEMs automatically collect and aggregate this data into a single platform, making it easy to view and analyze.
  • Analytics Tools: Access to security data is useless without the ability to extract insights from it. Data analytics tools help threat hunters to extract trends and outliers from their datasets.

Threat hunting prep: Dark web personas

On the dark web, threat actors actively plan nefarious crimes, discussing targets and tactics and pooling resources to carry out attacks. To understand and prepare an organization for these actions, threat hunters must also show up in these underground environments. The idea of engaging with threat actors in the cybercriminal underground can raise stress and anxiety levels for any white hat defender. Questions arise, such as ‘How can I safely access the deep and dark web?’ and ‘How can I gain a threat actor’s trust?’

Navigating the underground requires dedication to creating and managing a dark web persona – or multiple personas – and setting up a safe and secure environment to ensure one does not expose oneself to malicious actors. Below we’ve outlined the necessary steps, including how to set up a secure environment (i.e., dirty machine) using Tails, how to find sources in the dark web, best practices when creating your first persona, how to communicate with threat actors, and of course, how to seek out threats once you gain access to the sources where threat actors plan, play, and profit. 

What is the underground?

People most often associate the cybercriminal underground with the dark web, defined as any site not indexed by search engines and that requires specific software, like Tor or Onion, to access it. But threat actors aren’t just hiding out in the dark web - they’re on clear websites like Reddit and X (formerly Twitter), leveraging messaging channels like Telegram and Discord, and are also engaging on deep websites, like invite-only forums and open and closed markets. In essence, cybercriminals are everywhere. Anyone approaching this type of investigative work must do so with caution, particularly when clicking on links. There are two important points to remember:

  1. Don’t become a perpetrator – take precautions (outlined below) when engaging with a threat actor 
  2. You can easily click on a nefarious link and become a victim - and if you’re doing this work on a corporate computer, you can risk infecting the entire organization

How to create your dark web persona

1. Set up the environment

You can set up a secure environment, isolated from all of your corporate and personal devices and data, using Tails, a lightweight OS that wipes itself clean after every use. (NOTE: Tails gives you the option to set up persistent storage, which we DO NOT recommend.) You can also set up virtual machines to create an isolated environment — however, Tails is a super simple option. You can also use Tor or Onion to browse anonymously and access dark websites.

2. Finding sources

This is a challenging step because of the magnitude of underground sources. You want to find the clear, deep, and dark web sources where threat actors are the most active. For example, Crax Pro Forum is a clear web forum where a lot of cybercriminal activity takes place. Credit card markets are another place to look, as are marketplaces for narcotics and other illegitimate products, initial access broker markets, and messaging forums like Telegram. When it comes to dark websites, you can’t do a simple Google search to find them - you actually need the exact URL to reach them via Onion or Tor. 

Some sites require you to participate or you’ll be kicked off. Of course, you want to limit your activity so you don’t stand out, and you must also be careful about engaging with any threat actors and potentially perpetrating a crime. One way around this is to occasionally post links to relevant news articles about the latest threats. Another hurdle you’ll need to overcome is language barriers, for example, when visiting Russian or Chinese language sources. You can use translation apps here, but this can delay your threat hunting.

3. Create your persona(s)

To do this properly and to keep your identity protected, we recommend a few steps:

  • Use a protonmail email account or a burner phone so that no activity associated with your persona can be tied back to you
  • Use a password manager to keep track of all passwords associated with your different personas for different underground sites. You can also take screenshots or print the pages showing your login credentials.
  • Be sure your personas are completely isolated from any personal information (Tails comes in handy here)

4. Set up modes of communication through one or more of the following*:

  • Private messages (PM) - can be a reliable way to communicate with threat actors, although it depends on the site or forum you’re in.
  • Jabber (XMPP) - instant messaging service used by threat actors for its encrypted connection. Also, messages are not logged.
  • Telegram - instant messaging platform.
  • PGP key (Pretty Good Privacy) – a cryptographic method of communication that requires the exchange of public keys. While this method can be more time-consuming to set up and use, it may also be the most secure way to communicate with threat actors without compromising your identity. 

5. Start threat hunting

Threat hunting is a constant game of cat and mouse, finding threats before they find you or exploit you. The common threats you’ll find in the underground include:

When executing a hunt, be sure your scope isn’t too broad - you want to focus on a specific topic or type of issue. Also, make sure you document all of your steps. Take screenshots of your findings and keep records of what you’ve done. Sites go up and down, and threat actors enact countermeasures that can throw you off and force you to start from scratch. If you don’t keep a record, all your investigative data can be lost.

The steps outlined above lay out a few problems with manual threat hunting:

  • You must search each source individually and manually – which is very time-consuming
  • You expose yourself to risk - creating personas helps
  • You add more risk by searching for specific threats within malicious sources

The combination of persona management, well-honed threat-hunting skills, and premium cybersecurity tools like Bitsight streamlines this process by automating intelligence gathering from malicious sources. Bitsight helps you access data from these sources, automatically downloads files that will be of interest, and helps you identify the threats you should be hunting for that pose the greatest risk to your organization and attack surface.

Bitsight's threat hunting capabilities

Bitsight provides a range of fully automated threat intelligence solutions that help organizations fight cybercrime, detect phishing, prevent data leaks and stop fraud. Our solutions enable teams to hunt down threats, analyze malware and prioritize vulnerabilities for remediation more effectively. As the only fully automated underground threat intelligence solution, we empower threat hunting teams with the largest collection of data and insight into threat actors’ capabilities, behavior, goals and methods.

Bitsight's Investigative Portal provides exclusive access to closed underground sources and the most comprehensive, automated collection of threat intelligence from the deep and dark web. This intel enables faster, more comprehensive threat hunts while relieving your teams from the need to maintain and curate their own dark web sources.

With the Investigative Portal, security teams can:

  • Receive alerts about emerging threats, TTPs and IOCs as they surface on the clear, deep and dark web.
  • Prioritize, enrich and score data according to the organization’s unique assets and attack surface.
  • Access threat actor profiles and identify behavioral patterns to apply timely, practical and proactive solutions to areas of risk exposure.
  • Detect interactions between threat actors in real time, earlier in the cyber killchain.
  • Research the profile, motives and history of any of the 7 million threat actors in Bitsight's database.
  • Identify relevant intelligence faster with automatic mapping of organizational assets and use cases.

Additional threat hunting technologies

As well as the Investigative Portal, Bitsight offers additional solutions to aid threat hunting.

API Integration

Bitsight's vast collection of cyber threat intelligence data can also be consumed via an application programming interface (API) that integrates directly into existing workflows and system architectures to address multiple use cases and functionalities. The API offering supports database queries and query-based notifications, actionable alerts tailored to your organizational assets, an automated feed of malicious IOCs, detection of leaked user credentials, a real-time feed of CVE-related events and developments, multi-tenant (MSSP) configurations and more. A new integration per customer request can be created within a week.

DVE Intelligence

Bitsight's Dynamic Vulnerability Exploit (DVE) Intelligence is an end-to-end solution that spans the entire Common Vulnerabilities and Exposures (CVE) lifecycle. DVE Intelligence combines automation, advanced analytics and vulnerability exploit intelligence to alert security teams to high-risk CVEs, often long before the NVD has assigned a CVSS score. Powered by threat intelligence from the deep, dark and clear web, DVE Intelligence enriches each CVE with critical context and insight to help security teams generate the most accurate assessment of exploitation probability, urgency and impact.

Stay Ahead with Proactive Threat Hunting

Arm your security team with the tools, techniques, and insights to uncover hidden threats. Learn to identify risks early and strengthen your defenses with actionable intelligence.