Threat Hunting & Threat Intelligence
Every day, a large amount of data is produced by organizations in the modern world. Network traffic, activities, and activity logs are produced by both small and large organizations. When it comes to cyber threats, keeping track of all the warnings and logs has always been a daunting activity. Threat hunting and threat intelligence are the two primary strategies of threat reduction which can overcome sophisticated attacks by engaging various proactive techniques.
Threat Hunting (TH) is a proactive cyclical method to search for traces of malware that are not detected by standard protection tools. The security analyst does not wait for the sensors of security systems to work, but purposefully looks for signs/indicators of compromise. To do this, analyst puts forward and tests assumptions about how the attackers infiltrate into the network. Such checks should be consistent and regular, and the process should consider the following:
- A TH specialist always assumes that the system has already been hacked, and his/her goal is to find traces of penetration.
- Search requires a hypothesis (an assumption about how exactly the system was compromised) and its further verification.
- The search should be conducted basis the analysis of hypothesis, the analyst puts forward a new one and continues the search.
It’s no secret that traditional automated defenses miss sophisticated targeted attacks. The attacks are often spread over time, so security tools cannot correlate different phases of an attack and the attackers carefully think over penetration vectors and develop scenarios for actions in the internal infrastructure.
This allows them to avoid unmasking, including presenting their activity as legitimate.The attackers are constantly improving their knowledge, buying or developing new tools to perform sophisticated cyber-attacks.
Threat Hunting: A Brief Approach
The task of identifying targeted attacks is especially important for networks that have already been compromised. According to the case studies by security researchers, it shows that more than 60% of organizations who’s networks were previously compromised were attacked again. In such cases, it is necessary to take measures for early detection of the facts of compromise.
Threat Hunting can help information security teams to:
- Reduce the time it takes to detect an attack
- Establish a Cyber Intelligence process (Threat Intelligence)
- Update knowledge about the protected infrastructure
Threat Hunting Steps:
Threat hunting involves looking beyond the known alerts or malicious threats to discover new potential threats and vulnerabilities. In threat hunting there are three steps: a trigger, an investigation and a resolution.
Image Source: Crowdstrike
When threat hunters can use MITRE ATT&CK Framework to help create a hypothesis and search for active or residual signs of attack activity. If the hypothesis does not give positive outcome, threat hunters have to look for other clues to start the hunt.
Image Source: https://www.logpoint.com
Benefits of Threat Hunting Platforms:
Image Source: Threat Hunting Platforms (Collaboration with SANS Institute)
Use Cases of Threat Hunting:
- Providing context for Security Events:With the help of the latest technologies such as artificial intelligence and machine learning, threat hunting solutions have the ability to learn from previous threats. As a result, they can provide the security analysts with a detailed context for known and unknown threats. Having the contextual information of the organization’s network and possible attack vectors, it allows the cyber security team to make better and faster decisions especially when dealing with security incidents, being fast and accurate is critical.
- Anomaly Detection: In order to detect threats, threat hunting solutions keep monitoring the network activity and assets of organization. As a result, most threat hunting solutions have an impressive capability to detect unusual behavior and anomalies.
Threat intelligence is the backbone of a company’s security. It helps to find the right answers to critical questions such as: identifying priority risks, developing an adequate strategy for responding to information threats and making optimal investments in the security system.
Every year, more and more organizations are beginning to take an active interest in the risks that a business may suddenly face, and in ways to counter them. One of the indicators of such activity is the growth of investments in research of information incidents and threat intelligence.
Threat Intelligence is a system that allows to identify the most unprotected areas of the security perimeter, determine the main attack vectors and intelligently allocate resources to prevent data leaks.
Threat Intelligence : A Brief Approach
Threat Intelligence’s key objective is to enable the organization to be one step ahead against possible cyber risks, and to fortify the perimeter exactly where it is most likely to be attacked, and where the damage caused can have the most significant consequences.
The main components of threat intelligence are:
- researching current information incidents around the world,
- analyzing the tools with which user can penetrate the security system,
- identifying the most valuable classified information,
- determining the motives of the attackers and assessing the company’s previous actions.
Threat Intelligence Lifecycle:
1) Planning and Direction: Setting the scope and objectives for core threat intelligence roles and processes.
2) Collection: Deploying the data gathering and processing techniques and sources.
3) Analysis: Translating raw intelligence into meaningful and categorized actors, events, and attributes.
4) Production: Assess intelligence significance and severity based on business and environmental context.
5) Dissemination and Feedback: Report on finished threat intelligence, considering urgency and confidentiality.
Use Cases of Threat Intelligence:
- Enriching Security technologies by integrating Threat Intelligence: Integrating Threat intelligence into already existing security processes improves decision making for incident response and policy enforcement.
According to Gartner, Threat intelligence has recently began to be widely incorporated into most security technology verticals, including Security Information and Event Management (SIEM), Firewalls and Unified Threat Management systems, Intrusion Detection and Prevention, Secure Web Gateways and Secure Email Gateways, Endpoint Protection, Web Application protection, Distributed Denial of Service, Vulnerability Management, Security Orchestration, and many more.
- Open, Deep, and Dark Web Monitoring: A good Threat intelligence solution will always gather its data from both open and closed sources on the internet. Surface web makes 4 percent of all data online wherein 96 percent is divided between the deep web and the dark web.
Vulnerabilities and their exploits are commonly discussed and traded in spaces on both the deep and dark web by threat actors.Hence it is essential to gather data from these sources to maintain a more comprehensive and up-to-date picture of what threats are out there and threat intelligence has the capabilities of performing Deep and Dark web monitoring which comes with expert analysis that cannot be replicated by any algorithm.
Image Source: crowdstrike
Threat Intelligence and Threat Hunting are two security disciplines which are complimentary to each other.
Threat intelligence can make up a small portion of the threat hunting process.However, subscribing to a threat intelligence feed does not automatically satisfy the need to threat hunt the organization’s network.
A proper threat hunt can identify threats even when they have not yet been seen in the wild. Hence, by automatically gathering and presenting real-time threat intelligence, it enables cybersecurity teams to hunt threats faster.
Managed SOC Team
Varutra Consulting Pvt. Ltd.