Threat Hunting: Proactively Look at Threats

Threat hunting purpose the process of proactively looking for threats on selected, critical systems or applications – and to find potential attacks before they are exploited by attackers; external as well as internal. Remember, IBM estimates that  60% of cyberattacks come from inside your company. Malicious or not, the question is:

Threat Hunting is Protecting Your Crown Jewels

At Seculyze, we want to help protect your business-critical systems and solutions. This could be ERP systems like SAP, CRM systems like Microsoft Dynamics or Salesforce, CMS systems like SharePoint, Service Management systems like ServiceNow or any homegrown application. The items that have severe business impact if unavailable. “Your crown jewels”.

Threat Hunting Procedure

Threat Hunting

1. Baseline

Find the system/application baseline by asset identification, analyzing network traffic, telemetry, passive listening and anomaly detection.

2. Model

Modelling the potential adversary by attack modelling, goal-based analysis and trimming.

3. Hunt

Looking for IoC/IoA i.e., Indicators of Compromise or Indicators of Attack, as well as performing reputational check. Based on the requirements, we can proceed with user behavior analysis, privileged account monitoring and setting up decoys. The hunt is a major part of the Threat Hunting procedure.

4. Analyze

The TTPs – Tactics, Techniques and Procedures – are analyzed especially in relation to binary and dynamic analysis. If the setup permits, depending on the nature of the “hunt” we can even perform malware sandboxing.

5. Develop

The findings are briefed. From this, rulesets and IoCs are developed.

6. Deploy

The final stage is the dissemination of the solution; deploying to SIEM and ensuring security orchestration and automation.

Threat Hunting Models

We use one of three models. Normally, the Threat Hunting model is based on
knowledge. It can either be intelligence or assumptions. Or it can be based on ad-hoc investigations.

Threat Hunting

One time or recurring

Threat hunting is a proactive measure. Seculyze can perform this on a one-time basis or a periodic basis. It is also possible to build the knowledge gathered in the hunt into playbooks, so the inhouse cybersecurity team can conduct the specific hunt continuously.

Want to know more about Threat Hunting?

Contact

Kristian Jacobsen

CTO

+45 61792740

kristian@seculyze.com

Other Consultancy Services

Looking For Something Else?

Azure Design & Review >

SIEM Design & Review >