What is threat hunting? A comprehensive guide
Organizations use cyber threat hunting to find and eliminate dangers from digital systems. Even with a sophisticated security system, cyber threats can slip through the cracks. The threat-hunting process uses proactive strategies to identify and remove these threats before they spiral out of control. So, what is threat hunting in cybersecurity, and why is it so important? Let’s take a closer look.
What is threat hunting?
Threat hunting is the process of proactively searching for cyber threats that are already in your network and systems. IT and cybersecurity experts conduct the search using advanced threat intelligence and data analysis concepts to pinpoint these problems. With this expertise, teams can manually identify threats that automated security systems don’t catch.
How does threat hunting work?
Threat hunting starts by collecting extensive amounts of data from your systems. Data monitoring and analysis tools can identify anomalies to explore and potentially correct. In some cases, IT professionals will also create and test hypotheses based on the collected threat intelligence and specific concerns.
After collecting data, the next step is to conduct an extensive investigation. If you find any threats, you’ll need to take steps to eliminate them and re-secure your systems. This process helps prevent cyberattacks from happening and potentially compromising sensitive information.
Threat hunting should be performed periodically as your business grows to prevent threats from escalating into more serious security incidents. As you implement new technology over time, you may need to reconfigure your systems, which could expose your organization to new vulnerabilities. Proactive threat hunting helps keep your data secure and is one of the most effective methods to prevent costly and disruptive cybersecurity incidents.
What are the steps of threat hunting?
Threat hunting is a multi-step process that requires a targeted strategy and access to your organization’s cybersecurity data. Here are the standard steps to follow.
1. Trigger
Combing through your entire system searching for possible threats isn’t efficient, and in many cases, it isn’t possible with the resources you have available. The threat-hunting process should begin with your team selecting a trigger to narrow things down.
A trigger is a specific point in your network or system to focus on during the threat-hunting process. Teams can choose a trigger using one of several different strategies.
The first option is to collect and analyze data from across your systems. For organizations with particularly large or complex IT setups, machine learning tools can make this process easier. If you find any anomalies or concerning data points during this process, you can use these anomalies as the basis for your trigger.
Another approach is to create a hypothesis based on your research and understanding of the current cybersecurity landscape. For example, if you’ve recently discovered that a software program you use has a known vulnerability relevant to your operations, you might use that as the basis for your trigger.
2. Investigation
The investigation phase involves taking a closer look at the trigger to determine if a threat is present. Depending on the specific aspect of the system you are looking at, this could involve a manual search for specific settings or activity levels that are out of place.
Endpoint detection and other digital tools are also very helpful during the investigation process. Using technology speeds up the investigation phase and can help you find things you may have missed while reviewing your systems manually.
It’s important to document your findings thoroughly during the investigation phase. Detailed records will make the resolution phase more straightforward and can also help you avoid these cybersecurity threats in the future.
3. Resolution
The final stage in the threat-hunting process is resolution. During this phase, you will address any problems or concerns you identified during the investigation. This step also allows you to make broader changes to your cybersecurity strategy as needed.
For example, during your investigation, you might find that your internal access control system isn’t strong enough, leaving your organization vulnerable to an insider threat. Reviewing user logs and using endpoint detection tools can confirm the problem during the investigation phase.
In this situation, the resolution phase might involve implementing new access control strategies with a least-privilege approach. This approach would limit the number of employees accessing your system’s sensitive data, reducing the possibility of an internal data breach.
In addition to addressing the problem directly, you can use the resolution stage to make large-scale changes to your overall cybersecurity plan. This might include shifting your system configuration, investing in new IT software programs, or changing your system monitoring approach.
Threat hunting types
There are several different types of threat hunting. The right approach will depend on your network’s specifics and the current threats.
Structured hunting
Structured threat-hunting techniques use specific procedures and criteria to uncover threats. This approach helps the IT team stay on track and work as efficiently as possible. When used regularly, structured threat hunting prevents serious security concerns from escalating.
A structured approach to threat hunting typically starts with a specific problem or question to answer. It also uses predefined, methodical strategies for data analysis and investigation to ensure that no stone is left unturned. This type of threat hunting is highly influenced by scientific principles and processes and often starts with a defined hypothesis.
Unstructured hunting
While structured threat hunting focuses on a specific goal or hypothesis, unstructured threat hunting is much more open-ended. In an unstructured threat hunt, your team explores many different aspects of your system, taking time to look for anomalies and dive deep into any concerns that come up.
For this type of threat hunt to succeed, you will need a team of experienced cybersecurity professionals tuned into the current threat landscape. These team members can use their research, intuition, and past experiences to inform the threat hunt.
When your IT experts have the freedom to explore, they might discover threats that could be missed during a more structured threat hunt.
Situational- or entity-driven hunting
Situational threat hunting is an approach that focuses on protecting the highest-risk systems and data from cyber threats. When deciding on a trigger for this type of threat hunt, teams will need to conduct a holistic risk assessment to determine which components of your system are the most vulnerable.
For example, many hackers target healthcare organizations searching for patient information, which can lead to identity theft, hefty fees, and even lawsuits. In this case, a healthcare organization might focus a situational threat-hunting campaign entirely on protecting patient assets.
Many organizations use this threat-hunting approach because it focuses on reducing the impact of cyber threats on their businesses. When you have limited resources, it’s most effective to address the threats that could cause the most damage to your organization first.
Threat hunting methodologies
Since different organizations experience different security concerns, you’ll need to adjust your threat-hunting approach to suit your operations. Most threat-hunting campaigns fall under one of three methodologies.
Hypothesis-driven investigation
This type of investigation starts with a predefined hypothesis about a possible threat. For example, if cyber criminals have been targeting your competitors with a specific strategy, you can hypothesize that the threat is also in your system.
As with any form of threat hunting, this approach starts with data analysis to strengthen your hypothesis and determine what the threat might look like in your systems. Then, you can assess your systems and look for potential behavior patterns that match the hypothesis.
Indicators of attack investigation
This threat-hunting methodology searches for known indicators of attack (IoAs) throughout your systems. An IoA is a specific behavior or characteristic that has been observed in past cyberattacks.
For example, you might notice that your internal servers communicate with public servers more often than normal. This is an IoA that is often correlated with the spread of malware. In this scenario, you could launch a threat-hunting investigation to determine how the hackers have accessed your servers and what you need to do to re-secure them.
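The IoA described above (an internal host suddenly reaching far more public destinations than it normally does) can be hunted for directly in flow or firewall logs. The following is an added example, not code from the original page: it baselines each internal host's distinct public destinations per day and flags a host whose count on the hunt day is well above its own median. The internal address range, the flag thresholds, and the flow records themselves are constructed assumptions for the demonstration.

```python
"""Hunt for the outbound-connection IoA over constructed flow records."""
import ipaddress
import statistics
from collections import defaultdict

# Assumption: the organization's internal address space. Anything outside
# these ranges is treated as a public destination for this hunt.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow log (not real telemetry): "date,src_ip,dst_ip".
# Both hosts contact two public addresses a day; on 2024-03-04, 10.0.0.9
# suddenly reaches nine distinct public addresses while 10.0.0.5 does not change.
FLOW_LOG = """\
2024-03-01,10.0.0.5,203.0.113.10
2024-03-01,10.0.0.5,203.0.113.11
2024-03-01,10.0.0.5,10.0.0.20
2024-03-01,10.0.0.9,203.0.113.10
2024-03-01,10.0.0.9,203.0.113.12
2024-03-02,10.0.0.5,203.0.113.10
2024-03-02,10.0.0.5,203.0.113.11
2024-03-02,10.0.0.9,203.0.113.10
2024-03-02,10.0.0.9,203.0.113.12
2024-03-03,10.0.0.5,203.0.113.10
2024-03-03,10.0.0.5,203.0.113.11
2024-03-03,10.0.0.9,203.0.113.10
2024-03-03,10.0.0.9,203.0.113.12
2024-03-04,10.0.0.5,203.0.113.10
2024-03-04,10.0.0.5,203.0.113.11
2024-03-04,10.0.0.9,203.0.113.20
2024-03-04,10.0.0.9,203.0.113.21
2024-03-04,10.0.0.9,203.0.113.22
2024-03-04,10.0.0.9,203.0.113.23
2024-03-04,10.0.0.9,203.0.113.24
2024-03-04,10.0.0.9,203.0.113.25
2024-03-04,10.0.0.9,203.0.113.26
2024-03-04,10.0.0.9,203.0.113.27
2024-03-04,10.0.0.9,203.0.113.28
"""


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def distinct_public_destinations(log):
    """Map (day, src_ip) -> set of distinct public destination IPs seen that day."""
    seen = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        day, src, dst = line.split(",")
        if is_internal(src) and not is_internal(dst):
            seen[(day, src)].add(dst)
    return seen


def hunt_outbound_spikes(log, hunt_day, ratio=3.0, min_count=5):
    """Flag internal hosts whose distinct public destinations on hunt_day exceed
    `ratio` times their median on earlier days and reach at least `min_count`.
    A host with no earlier history has a median of 0, so any count >= min_count
    is flagged. Returns {host: (count_on_hunt_day, baseline_median)}."""
    seen = distinct_public_destinations(log)
    hosts = {src for (_, src) in seen}
    flagged = {}
    for host in sorted(hosts):
        baseline = [len(dsts) for (day, src), dsts in seen.items()
                    if src == host and day < hunt_day]  # ISO dates sort as strings
        today = len(seen.get((hunt_day, host), set()))
        median = statistics.median(baseline) if baseline else 0
        if today >= min_count and today > ratio * median:
            flagged[host] = (today, median)
    return flagged


if __name__ == "__main__":
    for host, (today, median) in hunt_outbound_spikes(FLOW_LOG, "2024-03-04").items():
        print(f"{host}: {today} public destinations on hunt day, median {median} before")
```

Because the hunt returns a structured finding (host, today's count, baseline) rather than just printing, the result can be recorded directly as part of the investigation's documentation and handed to the resolution phase. The ratio and minimum-count thresholds are where a team tunes the hunt to its own network; a busy build server will need a different baseline than a workstation.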
Advanced analytics and machine learning investigation
One of the biggest challenges in any threat-hunting campaign is processing and analyzing large volumes of data in a relatively short amount of time. Luckily, AI and machine learning technologies make this process much more efficient.
Many machine learning tools can analyze large data sets quickly, identifying anomalies and trends that can serve as the hypothesis for your threat hunt. This approach should be paired with human IT and cybersecurity expertise for the most effective results.
Examples of threat hunting
Threat hunting examples will look different for every organization and the specific security threats it deals with. For example, a healthcare organization will face very different security threats than a financial organization and may need to take a different threat-hunting approach.
Common examples of threat hunting include:
- Searching for user access patterns that could indicate an insider threat
- Checking software programs with recently found vulnerabilities for signs of a cyberattack
- Monitoring for irregular network activity indicative of a DDoS or malware attack
If these hypotheses are confirmed after the initial investigation, security teams will need to address them immediately and re-secure the systems.
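The first item in the list above, hunting user access patterns that could point to an insider threat, is a typical hypothesis-driven hunt. As an added example that is not part of the original page, the script below tests one such hypothesis over constructed access records: a user reading several distinct sensitive resources outside business hours. The log format, the business-hours window, the threshold, and every record are assumptions made for the demonstration.

```python
"""Hypothesis-driven hunt for off-hours access to sensitive resources."""
from collections import defaultdict
from datetime import datetime

# Constructed access log (not real data): "timestamp,user,resource,classification".
# 2024-03-04 is a Monday. alice works in business hours; bob reads three sensitive
# files late at night; carol reads one sensitive file in the evening.
ACCESS_LOG = """\
2024-03-04T09:12:00,alice,/finance/q1-forecast.xlsx,sensitive
2024-03-04T14:30:00,bob,/hr/handbook.pdf,public
2024-03-04T23:40:00,bob,/hr/salaries.xlsx,sensitive
2024-03-05T02:05:00,bob,/hr/terminations.docx,sensitive
2024-03-05T02:20:00,bob,/finance/q1-forecast.xlsx,sensitive
2024-03-05T10:00:00,alice,/finance/q1-forecast.xlsx,sensitive
2024-03-06T19:10:00,carol,/eng/roadmap.md,sensitive
"""

# Assumption: business hours are 08:00-17:59, Monday to Friday.
BUSINESS_HOURS = range(8, 18)


def parse_access_log(log):
    """Yield (timestamp, user, resource, classification) for each record."""
    for line in log.splitlines():
        if line.strip():
            ts, user, resource, cls = line.split(",")
            yield datetime.fromisoformat(ts), user, resource, cls


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def hunt_off_hours_sensitive_access(log, min_resources=2):
    """Flag users who read at least `min_resources` distinct sensitive resources
    outside business hours. Returns {user: sorted list of resources}."""
    per_user = defaultdict(set)
    for ts, user, resource, cls in parse_access_log(log):
        if cls == "sensitive" and is_off_hours(ts):
            per_user[user].add(resource)
    return {user: sorted(res) for user, res in per_user.items()
            if len(res) >= min_resources}


if __name__ == "__main__":
    for user, resources in hunt_off_hours_sensitive_access(ACCESS_LOG).items():
        print(f"{user}: off-hours sensitive access to {', '.join(resources)}")
```

A confirmed hit here is a lead for the investigation phase, not proof of malicious intent; the finding is reviewed against the user's role and any approved after-hours work before the resolution phase tightens access with a least-privilege approach.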
Tools for threat hunting
Using threat-hunting tools makes the entire process more efficient and can help you catch potential threats you would have missed on your own. Here are some of the most popular threat-hunting solutions.
SIEM
SIEM stands for security information and event management. These automated security programs collect and analyze security data from various points throughout your system. When the SIEM detects a security event, it generates an automated alert or response, which could serve as the starting point for a threat hunt.
MDR
MDR stands for managed detection and response, a service provided by cybersecurity professionals. It is an excellent option for organizations that lack the resources to conduct threat hunting in-house.
MDR is a completely managed threat-hunting service that includes constant system monitoring, support for threat investigations, and response when threats do appear.
EDR
EDR stands for endpoint detection and response. EDR programs monitor activity on your organization’s endpoint devices, such as computers, mobile devices, or even IoT devices. These software programs help you identify threats coming specifically from these devices.
NDR
NDR stands for network detection and response. These software programs are similar to EDR but focus on network security rather than endpoints. A program that combines aspects of EDR, NDR, and other system monitoring tools is called XDR, which stands for extended detection and response.
The importance of threat hunting in cybersecurity
Threat hunting is an essential component of any cybersecurity strategy. No matter how advanced your automated security tools are, some threats can slip through the cracks.
Scheduling time for comprehensive investigations and investing in threat-hunting solutions will help you catch these threats before they compromise your most sensitive data. NordVPN’s Threat Protection Pro™ is a valuable tool that helps you catch threats in real time as you work and supports your threat-hunting strategy.