Threat Hunting: Proactively Look at Threats
Threat hunting is the process of proactively looking for threats on selected, critical systems or applications, with the aim of finding potential attacks before attackers, external as well as internal, exploit them. Remember, IBM estimates that 60% of cyberattacks come from inside your company. Malicious or not, the question is:

Threat Hunting is Protecting Your Crown Jewels
At Seculyze, we want to help protect your business-critical systems and solutions. This could be ERP systems like SAP, CRM systems like Microsoft Dynamics or Salesforce, CMS systems like SharePoint, service management systems like ServiceNow, or any homegrown application: the systems that have severe business impact if they are unavailable. "Your crown jewels".
Threat Hunting Procedure

1. Baseline
Establish the system or application baseline through asset identification, network traffic analysis, telemetry, passive listening and anomaly detection. The baseline defines what "normal" looks like, so that later deviations can be recognized.
2. Model
Model the potential adversary through attack modelling, goal-based analysis and trimming of the attack paths that are not relevant to the system in scope.
3. Hunt
Look for IoCs and IoAs (Indicators of Compromise and Indicators of Attack) and perform reputation checks. Depending on the requirements, we can proceed with user behavior analysis, privileged account monitoring and setting up decoys. The hunt is the main part of the Threat Hunting procedure.
4. Analyze
The TTPs (Tactics, Techniques and Procedures) are analyzed, in particular through binary (static) and dynamic analysis of any artifacts captured during the hunt. If the setup permits, depending on the nature of the hunt, we can also perform malware sandboxing.
5. Develop
The findings are briefed, and from them detection rulesets and IoCs are developed.
6. Deploy
The final stage is dissemination of the solution: deploying the rules and IoCs to the SIEM and ensuring that security orchestration and automation act on the resulting alerts.
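The six steps above, carried through on a small scale, as an added example. This is not Seculyze's tooling or code from the original page; it is an illustration written for this article. It assumes a constructed, syslog-like authentication log format (`host=`, `user=`, `src=`, `result=` fields), a constructed list of privileged accounts and a constructed IoC list using a TEST-NET address. The hypothesis hunted is "a privileged account is used from a host or source address it has never used before" (privileged account monitoring from step 3); the baseline from step 1 is then turned into a Sigma-style rule dictionary for step 5, ready to be converted for a SIEM in step 6.

```python
"""Hypothesis-based threat hunt over constructed authentication logs.

Hypothesis: a privileged account is being used from a (host, source IP)
pair it has never used before, which is what credential theft or lateral
movement tends to look like. Steps follow the procedure in the article:
baseline -> hunt (IoA + IoC) -> develop a rule for deployment.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample logs (not from any real system). The baseline window is
# a period believed to be clean; the hunt window is the period under review.
BASELINE_LOGS = """\
2024-03-01T08:02:11 auth host=fs01 user=svc_backup src=10.0.1.20 result=success
2024-03-01T08:15:42 auth host=fs01 user=svc_backup src=10.0.1.20 result=success
2024-03-02T07:58:09 auth host=fs01 user=svc_backup src=10.0.1.20 result=success
2024-03-01T09:10:00 auth host=db01 user=dba_admin src=10.0.2.15 result=success
2024-03-02T09:12:30 auth host=db01 user=dba_admin src=10.0.2.15 result=success
2024-03-01T10:00:00 auth host=web01 user=jdoe src=10.0.3.7 result=success
"""

HUNT_LOGS = """\
2024-03-10T08:01:50 auth host=fs01 user=svc_backup src=10.0.1.20 result=success
2024-03-10T23:41:05 auth host=ws042 user=svc_backup src=10.0.5.99 result=success
2024-03-10T23:42:11 auth host=db01 user=dba_admin src=10.0.2.15 result=success
2024-03-11T02:13:00 auth host=db01 user=dba_admin src=203.0.113.45 result=success
2024-03-11T10:05:00 auth host=web01 user=jdoe src=10.0.3.7 result=success
"""

PRIVILEGED = {"svc_backup", "dba_admin"}   # assumed accounts under privileged monitoring
IOC_SRC_IPS = {"203.0.113.45"}             # assumed IoC list (TEST-NET-3 address)


def parse(line):
    """Parse one 'ts auth k=v k=v ...' line into a dict (constructed format)."""
    ts, _kind, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = ts
    return event


def build_baseline(log_text):
    """Step 1: record which (host, src) pairs each privileged account normally uses."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["user"] in PRIVILEGED and ev["result"] == "success":
            seen[ev["user"]].add((ev["host"], ev["src"]))
    return dict(seen)


@dataclass(frozen=True)
class Finding:
    kind: str   # "IoC" = known-bad indicator hit, "IoA" = deviation from baseline
    user: str
    host: str
    src: str
    ts: str


def hunt(log_text, baseline):
    """Step 3: flag IoC hits first, then privileged logons outside the baseline."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["src"] in IOC_SRC_IPS:
            findings.append(Finding("IoC", ev["user"], ev["host"], ev["src"], ev["ts"]))
        elif (ev["user"] in PRIVILEGED
              and (ev["host"], ev["src"]) not in baseline.get(ev["user"], set())):
            findings.append(Finding("IoA", ev["user"], ev["host"], ev["src"], ev["ts"]))
    return findings


def develop_rule(baseline):
    """Step 5: express the baseline as a Sigma-style rule dict (selection minus allow-list).

    The dict mirrors the selection / filter / condition layout of Sigma rules;
    converting it to a concrete SIEM query is the deployment step and is assumed
    to be handled by the SIEM's own tooling.
    """
    return {
        "title": "Privileged logon outside baseline",
        "detection": {
            "selection": {"user": sorted(PRIVILEGED), "result": "success"},
            "filter": [{"user": u, "host": h, "src": s}
                       for u, pairs in baseline.items() for (h, s) in sorted(pairs)],
            "condition": "selection and not filter",
        },
    }


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for f in hunt(HUNT_LOGS, base):
        print(f"{f.kind}: {f.user} logged on to {f.host} from {f.src} at {f.ts}")
    print(develop_rule(base))
```

Run against the constructed data, the hunt reports one IoA (svc_backup on ws042 from 10.0.5.99, a pair never seen in the baseline) and one IoC hit (dba_admin from 203.0.113.45). The allow-list rule is only as good as the baseline window: if the baseline period already contained attacker activity, that activity is whitelisted, which is why step 1 should be done on a period you have reason to believe is clean.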

Threat Hunting Models
We use one of three models. Normally the Threat Hunting model is knowledge-based, driven either by intelligence or by an assumption (hypothesis); alternatively it can be based on ad-hoc investigations.

Hypothesis-based
Structured threat hunting based on an assumption or hypothesis. This is the most common setup.

Intel-based
Custom hunting based on known IoCs/IoAs, or on a situation or event in the environment or in the current threat landscape.

Unstructured hunting
Ad-hoc, periodic threat hunting based on experience, knowledge of the industry and current events.
One time or recurring
Threat hunting is a proactive measure. Seculyze can perform it on a one-time or a periodic basis. It is also possible to build the knowledge gathered in the hunt into playbooks, so the in-house cybersecurity team can conduct the specific hunt continuously.

Want to know more about Threat Hunting?
