What is Cyber Threat Hunting?
Find threats before they do you harm
Cyber Threat Hunting is the process by which an organization's infrastructure is proactively 'hunted' for evidence of 'threats' that have gone undetected by other means, indicating that the organization has already been compromised. Data Analyzers tailors threat hunts to each organization depending on its infrastructure, existing policies and procedures, and priorities with regard to Cyber Security. Within an organization's Cyber Security portfolio, Cyber Threat Hunting fits most appropriately between Penetration Testing and Risk and Compliance.
Why proactively hunt for threats?
Every organization is subject to cyber-attacks. Defense in depth is part of the answer to reducing exposure and mitigating impact. However, identifying threats and responding to them in a timely manner continues to prove challenging. Cyber Threat Hunting is a proactive alternative to relying on traditional rule- or signature-based alerting security solutions (such as anti-virus and intrusion detection systems) or on human-based monitoring.
We provide front line consultancy combined with expert knowledge transfer to teach your team the practical steps needed to plan and conduct threat hunting operations throughout the enterprise.
What benefits will Cyber Threat Hunting deliver?
There are several benefits that a Threat Hunt will bring to an organization of any size. These benefits are unique to a Cyber Threat Hunt since they detect threats in areas which might be considered outside the scope of existing Cyber Security controls or appliances, using skilled Threat Hunters deploying a mix of automatic tools and manual examination techniques. Existing controls or appliances might include policies and procedures or automated security tools like Network Intrusion Detection Systems or Firewalls.
Specifically, Cyber Threat Hunting delivers:
Assurance that existing Cyber Security controls are effective at protecting an organization from breach or attack
Recommendations for improvements to existing Cyber Security controls or the introduction of new ones based on clear facts which help to support any investment from Cyber Security budgets
Protection against adversaries in all shapes and forms, be it malware, insider threats, specific malicious actors, improper configuration or insecure design. Cyber Threat Hunting is particularly useful for protecting against insider threats and data leakage, because it identifies non-conformance to soft Cyber Security policies that employees are supposed to adhere to.
“Without expert help, no organization regardless of size can be confident that malware is not present in its systems. It is unusual for us not to find evidence of malware when we carry out our standard checks on OS, apps, and network and cloud services. When you know what you are looking for and have the right methodology and tools for threat hunting, you can mitigate risks of this kind by isolating and removing the threat. After digital forensic analysis, we can report accurately on the damage, helping our clients to properly risk assess the situation with all the facts.”
What will a Cyber Threat Hunt uncover?
The findings of a Cyber Threat Hunt will depend on the scope of the Hunt, which is agreed at the start. Organizations will be asked what they wish the priorities of the Hunt to be, such as active external threats, suspicious user activity, insecure software, data leakage or a whole host of other options.
Some of the insight that Data Analyzers might deliver with a Threat Hunt includes:
- Personal data being stored in insecure locations
- Data being exfiltrated from an organization using third-party file sharing applications
- Out-of-date or unpatched software running on critical systems
- Administrator rights being abused
- Sensitive data being regularly copied to removable media devices beyond the scope of security controls
- Unknown or unauthorized programs being run on user systems
- Unusual file access activity being recorded by file shares
- Privilege escalation within normal user accounts, indicating malware or rogue insider activity
- Detection of unusual network traffic from core systems
How is a Cyber Threat Hunt conducted?
The Threat Hunting process begins with a workshop to understand an organization's infrastructure, so that the most appropriate data to examine can be identified. Following this initial consultation, experienced Threat Hunters are deployed to the organization's premises to collect the appropriate data and detect any threats. A threat report tailored to the organization details all findings in an easy-to-understand manner, for easy digestion and sharing among the appropriate Cyber Security staff. Deep technical findings can also be delivered as appendices to aid in the implementation of remedial action.