Threat Hunting: Proactively Look at Threats

Threat hunting is the process of proactively looking for threats on selected, critical systems or applications, and of finding potential attacks before attackers, external as well as internal, can carry them out. Remember, IBM estimates that 60% of cyberattacks come from inside your company. Malicious or not, the question is:

Threat Hunting is Protecting Your Crown Jewels

At Seculyze, we want to help protect your business-critical systems and solutions. This could be ERP systems like SAP, CRM systems like Microsoft Dynamics or Salesforce, CMS systems like SharePoint, Service Management systems like ServiceNow or any homegrown application. These are the items that have severe business impact if unavailable: “your crown jewels”.

Threat Hunting Procedure

1. Baseline

Establish the system/application baseline through asset identification, network traffic analysis, telemetry, passive listening and anomaly detection.

2. Model

Model the potential adversary through attack modelling, goal-based analysis and trimming.

3. Hunt

Look for IoCs/IoAs, i.e. Indicators of Compromise or Indicators of Attack, and perform reputational checks. Based on the requirements, we can proceed with user behavior analysis, privileged account monitoring and setting up decoys. The hunt is the major part of the Threat Hunting procedure.

4. Analyze

The adversary's TTPs – Tactics, Techniques and Procedures – are analyzed, in particular through binary and dynamic analysis. If the setup permits, and depending on the nature of the “hunt”, we can even perform malware sandboxing.

5. Develop

The findings are briefed to the customer. From these, detection rulesets and IoCs are developed.

6. Deploy

The final stage is the dissemination of the solution: deploying the rulesets and IoCs to the SIEM and ensuring security orchestration and automation around them.

Threat Hunting Models

We use one of three models. Normally, the Threat Hunting model is knowledge-based, where the knowledge is either threat intelligence or assumptions. Alternatively, it can be based on ad-hoc investigations.

One time or recurring

Threat hunting is a proactive measure. Seculyze can perform it on a one-time basis or on a periodic basis. It is also possible to build the knowledge gathered in the hunt into playbooks, so the in-house cybersecurity team can conduct the specific hunt continuously.

Want to know more about Threat Hunting?

Contact

Kristian Jacobsen

CTO

+45 61792740

kristian@seculyze.com
