Updated: Dec 14, 2022
What is threat hunting? Wikipedia defines it as “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions”, and one thing is certain, it’s earning its stripes.
It involves threat analysts trawling iteratively through networks to root out any indicators of compromise, anomalous behaviours, attacker tactics, techniques, and procedures (TTPs), as well as targeted, advanced persistent threats (APTs) that have a nasty way of evading even the most sophisticated security measures.
Threat hunting also covers a variety of activities such as hunting for insider threats, as well as malefactors on the outside. When it comes to insiders, these include careless insiders as well as disgruntled or malicious insiders who deliberately want to steal from, or damage the organisation. When it comes to outsiders, the list is endless - from cyber criminal groups to advanced threat actors, and nation states - and threat hunters have them in their crosshairs.
Threat hunting adopts a proactive approach, by looking for known adversaries. A known threat actor is one who is already on the radar of threat intelligence services and has been listed as a bad actor, or one whose code is on the list of known malicious programs.
The idea behind this approach is that looking for hidden threats can prevent a security event from happening. Threat hunters scrutinise and analyse the environment using ongoing monitoring, then, through behavioural analysis, can root out any anomalous behaviours and other red flags that might indicate a threat is present.
Should a threat be identified, the hunter collects as much information as he or she can before executing the incident response plan that aims to contain or neutralise the threat. Using the information learned in the incident, the incident response plan is then updated, and the knowledge used to prevent any further attacks of a similar nature.
There are three stages in the threat hunting process, starting with a trigger, then moving on to an investigation, and ending with a resolution. Initially, the threat hunter gathers information about the environment he or she is in, and then speculates about what possible threats could lurk there, and chooses a trigger for additional scrutiny.
Once the trigger is selected, the threat hunter focuses their attention on proactively rooting out any anomalies that might either prove or disprove their hypothesis. A wide range of technologies are employed to investigate anything out of the ordinary or anomalous during the investigation stage.
Finally comes resolution. All the critical information that was collected during the investigation is shared with other teams, as well as with solutions that can analyse, respond to, prioritise or simply store the data away in case it is needed in the future for new investigations and analyses. Whether the incident turns out to be malicious or harmless, the resolution records the finding, so the hypothesis is ruled in or out one way or another.
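The three stages described above, as an added Python example that is not part of the original page: the trigger is a stated hypothesis, the investigation applies a known-adversary check (a threat-intel hash list) and a behavioural check to process-start events, and the resolution rules the hypothesis in or out and produces the record shared with other teams. All log lines, hashes, host names and the burst threshold are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed threat-intel feed: hashes of known malicious programs (placeholder values, not real IoCs).
KNOWN_BAD_HASHES = {"0badc0de": "placeholder-dropper"}

# Constructed process-start events: timestamp host user image-path file-hash (all values invented).
PROCESS_LOG = """\
2022-12-01T09:02:11 ws01 alice C:\\Windows\\System32\\notepad.exe 11111111
2022-12-01T09:05:40 ws01 alice C:\\Users\\alice\\AppData\\Local\\Temp\\up.exe 0badc0de
2022-12-01T09:06:02 ws02 bob C:\\Windows\\System32\\cmd.exe 22222222
2022-12-01T09:06:03 ws02 bob C:\\Windows\\System32\\cmd.exe 22222222
2022-12-01T09:06:04 ws02 bob C:\\Windows\\System32\\cmd.exe 22222222
2022-12-01T09:06:05 ws02 bob C:\\Windows\\System32\\cmd.exe 22222222
2022-12-01T10:15:00 ws03 carol C:\\Program Files\\App\\app.exe 33333333
"""

@dataclass
class Hunt:
    hypothesis: str                          # stage 1, the trigger: what the hunter expects to find
    findings: list = field(default_factory=list)
    verdict: str = "open"                    # stage 3: "ruled in" or "ruled out"

def parse_events(log):
    """Split each log line into fields; the image path may contain spaces, the hash never does."""
    events = []
    for line in log.splitlines():
        head, file_hash = line.rsplit(None, 1)
        ts, host, user, image = head.split(None, 3)
        events.append({"ts": ts, "host": host, "user": user, "image": image, "hash": file_hash})
    return events

def investigate(hunt, events, bad_hashes, burst_threshold=3):
    """Stage 2: test the hypothesis with a known-adversary check and a behavioural check."""
    for e in events:                          # known threat: file hash is on the threat-intel list
        if e["hash"] in bad_hashes:
            hunt.findings.append(("ioc-match", e["host"], e["image"], bad_hashes[e["hash"]]))
    launches = Counter((e["host"], e["image"]) for e in events)
    for (host, image), n in launches.items():  # anomaly: one host spawning the same image in a burst
        if n > burst_threshold:
            hunt.findings.append(("burst", host, image, f"{n} launches"))
    return hunt

def resolve(hunt):
    """Stage 3: rule the hypothesis in or out and build the record shared with other teams."""
    hunt.verdict = "ruled in" if hunt.findings else "ruled out"
    return {"hypothesis": hunt.hypothesis, "verdict": hunt.verdict,
            "affected_hosts": sorted({f[1] for f in hunt.findings}), "findings": hunt.findings}

def run_hunt(hypothesis, log=PROCESS_LOG, bad_hashes=KNOWN_BAD_HASHES, burst_threshold=3):
    return resolve(investigate(Hunt(hypothesis), parse_events(log), bad_hashes, burst_threshold))

if __name__ == "__main__":
    print(run_hunt("a known dropper has been staged from a user temp directory"))
```

The returned record is what the resolution stage hands to other teams; a hunt that finds nothing still returns a "ruled out" record so the hypothesis is closed rather than forgotten.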
However, threat hunting cannot happen without the requisite knowledge, and the tactics and procedures used are constantly evolving. The methods of yesterday aren’t going to work in today’s complex threat landscape, and no business can afford to use the anachronistic tools of the past. Key to success is continually looking for attacks that slip through security nets, and catching intrusions before, or while, they are happening. Proper training will equip your security team with the advanced skills needed to hunt, identify, counter, and recover from a wide range of threats and adversaries.
Threat Intelligence has its roots in traditional intelligence analysis. It is one of the best tools for understanding and dealing with the ever-growing complexity of the threat landscape; unfortunately, it is usually poorly used or understood.
This elite training by industry experts shows in a realistic and applied way how to get the most from threat intelligence. Attendees will learn how to collect, analyze and use threat intelligence-related data, tools and frameworks. They will gain unique experience from our trainers, with real-life and very hands-on scenarios showing how to effectively conduct threat hunting and incident response, as well as how to apply the insights to protect a particular network.