The term threat hunting spawns different ideas and has different meanings for seemingly everyone you talk to. Understanding what threat hunting is will help you better equip your security teams to respond to alerts and mitigate risk. But is it basic triage of known indicators of compromise (IOC) in a proactive manner or some magical Jedi skill that only masters can summon and execute?
What is threat hunting?
Threat hunting can be all of the above. At a basic level, it is the process of researching the information generated by security systems, networks, endpoints, and applications in response to abnormal activity detected by alerting systems. It can be done to proactively mitigate risk or reactively respond to known indicators of compromise (IoCs).
The iterative process focuses on determining whether the suspicious activity maps to known attacker tactics, techniques, and procedures (TTPs). The goal of threat hunting is to identify and ideally stop attackers before accessing and stealing private data.
What are threat hunting techniques, processes, and models?
Because the threat hunting techniques, processes, and models overlap quite a bit, it helps to understand all of them. In fact, very often, security teams will use a combination of them to get to an answer.
A structured approach to threat hunting follows a standardized set of processes. The security analysts take a task-driven, focused approach that relies on a set of documented standards. They also take a risk-based approach to prioritizing activities. Using a structured process means that you have a repeatable approach taken for all activities.
In an unstructured approach, the researcher's curiosity drives the process, often because the team lacks standardized, documented processes. While using an unstructured approach can lead to some "big wins," the lack of documented processes means that the team will have a hard time repeating what they did, leading to inconsistent outcomes.
Fundamentally, all threat hunting is some form of search. However, this technique focuses on writing data queries for specific information, such as artifacts. To do a meaningful search, you need to strike a balance between searching too broadly for general artifacts from too many locations and too specifically on too few.
Teams with more sophisticated tools, like artificial intelligence (AI) and machine learning (ML) may be able to aggregate or "cluster" data based on similar data types. For example, they might have clusters for different networks or application categories. Clustering is useful when you want insights from correlated data sets but have no specific criteria in mind.
Grouping is often used when researchers are trying to follow a set of activities, like those associated with a specific TTP. Unlike clustering, which identifies correlations within the data, grouping focuses on looking for specific actions. Grouping is useful when you have a specific suspicious activity you're looking for.
Stack Counting Technique
This process, also called "stacking," focuses on counting how many times an activity occurs, then looking for outliers. Although when the data set is too large or too diverse, stacking can be less effective. For this process to be effective, you need to have well-organized data, a clearly defined query, and the ability to filter the information.
Used when a Security Incident and Event Management (SIEM), intel-based threat hunting focuses on using threat intelligence to follow the path an attacker would take. Since it relies on threat data and intelligence feeds, you need to make sure that you're using the best information possible.
Similar to the intel-based model, the hypothesis model uses threat intelligence as the foundation for the research. Unlike the intel-based model, the hypothesis approach is proactive. Threat hunters actively look for suspicious activity. They combine information about the environment, domain, and attack behaviors outlined in the MITRE ATT&CK framework to try to mitigate risk.
Situational Awareness Model
Another proactive approach, the situational awareness model, focuses on applying threat intelligence around a specific industry or geographic location. For example, attackers may be targeting the financial industry differently than they target the healthcare industry. From a geopolitical perspective, they may target North American and European organizations differently.
Query.AI: Security Investigations Control Plane
Query.AI provides the market's only security investigations control plane for modern enterprises. Our patented browser-based platform delivers real-time access and centralized insights to data across your on-premises, multi-cloud, and SaaS applications without duplicating it from its native locations.
Query.AI gives you access to all your data, where and when you need it, providing a simple and effective way to meet your security investigation, threat hunting, and response goals while simultaneously reducing costs.