Threat Hunting Techniques for the Future SOC

What is threat hunting?

Threat hunting is a proactive, exploratory activity designed to identify unknown, active threats in an environment. The process is an investigative method of testing an evolving set of hypotheses using technology toolkits that both enable creative detective work and drive workflows based on new findings. Threat hunting techniques shift enterprises from reactive response to proactive identification, enabling them to get ahead in the fight against adversaries.

The difference between threat hunting and investigation

Threat hunting and threat investigation are two different functions within a SOC. Threat hunting is a proactive approach to identify unknown threats, while threat investigation is a reactive approach to validate and understand an active, known threat.

Threat hunting: The top 5 challenges facing SecOps

Data Growth

SOCs today are plagued with tremendous rates of data growth, reducing visibility across organizational silos and impeding their ability to develop the full threat story. This is further aggravated by a constantly growing defense surface with new applications, services, and data constantly being added.

High Cost

Organizations have found that collecting too much data can put a sizable dent in budgets. For most SOCs, license costs and data storage make it too expensive to collect and store all data for real-time and historical analysis.

Slow Queries

Collecting as much data as possible can slow query response times. Some traditional solutions can take hours to run a query due to scalability and performance issues, threatening an organization’s ability to hunt for and respond to threats.

Lack of Context

Threat hunting requires relevant threat, network, and data context to accurately identify a sign of compromise, but it can be difficult and time-consuming to connect the dots across petabytes of data.

Threat Complexity

Modern threats are complex, multi-faceted beasts. Threat actors can now morph attacks on the fly, requiring analysts to hunt dynamically for tactics, techniques, and procedures (TTPs).

Threat Hunting Techniques & Methodologies

Technique 1: Test evolving hypotheses across all data

Missing data can lead to a missed cyber threat, and if left undetected for too long, a potentially high-profile, expensive breach. SOCs leading the charge on threat hunting recognize the need for a single line of sight into all real-time and historical data for comprehensive analysis. This requires collecting, storing, and analyzing all security data in one place, regardless of type, source, or time-horizon, to test evolving hypotheses.

Technique 2: Conduct a historical analysis

Threats run deep in an environment, remaining undetected for months, even years. Modern SecOps combines the analysis of live, hot data with historical analytics to accurately establish the threat path, tactics, and impact to the business. This requires a powerful data platform that can collect and store event data, always hot, for as long as necessary. The ability to easily look back and drill down into petabytes of data to identify patterns is critical for threat hunting.

Technique 3: Support creativity with agile search

Threat hunting does not always lead to a positive outcome. Hunters may test multiple hypotheses throughout the exploration process. As a result, they need agile querying capabilities to pivot, filter, and iterate on their analyses. Threat hunting platforms support creative detective work with simple, fast queries at scale. This enables threat hunters to collect, analyze, and connect various data sets for richer context, without having to wait hours to see the results.

Technique 4: Integrate threat intelligence

The cyber threat hunting process for campaigns like advanced persistent threats, or APTs, is difficult in the absence of threat intelligence. Threat hunters tap into high-confidence, high-fidelity threat intelligence feeds curated by practitioners, along with Indicators of Compromise (IoCs), to inform their analyses. This includes integrating proprietary threat intelligence or leveraging built-in open-source intelligence, or OSINT, feeds within threat hunting platforms.
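
Techniques 2 and 4 combine naturally into a retrospective sweep: newly received indicators are matched against the full historical log, not just live events. The sketch below is an added example, not code from the original article or any vendor platform; the log format, the confidence scale, the feed contents, and the function names are all assumptions, and the sample data is constructed from reserved example domains and addresses.

```python
from datetime import datetime

# Constructed intel feed: indicator -> confidence (0-100); reserved example names/IPs.
INTEL = {"update-check.example.net": 90, "203.0.113.45": 85,
         "cdn.example.org": 30}  # low confidence: below the hunt threshold

# Constructed historical proxy log: timestamp host dest_domain dest_ip
LOGS = """\
2023-01-14T02:11:09Z ws-041 update-check.example.net 198.51.100.7
2023-03-02T11:45:30Z ws-041 intranet.example.com 192.0.2.10
2023-06-20T23:58:01Z ws-041 Update-Check.example.net 198.51.100.7
2023-05-05T08:00:00Z srv-db2 files.example.com 203.0.113.45
2023-05-06T09:30:00Z ws-007 cdn.example.org 192.0.2.99
malformed line
"""

def parse(line):
    """Return (ts, host, domain, ip) or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1], parts[2].lower(), parts[3]

def retro_hunt(log_text, intel, min_confidence=80):
    """Sweep the whole log and summarise intel hits per (host, indicator)."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, host, domain, ip = rec
        for value in (domain, ip):
            if intel.get(value, 0) < min_confidence:
                continue
            h = hits.setdefault((host, value), {"first": ts, "last": ts, "count": 0})
            h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
            h["count"] += 1
    for h in hits.values():
        h["span_days"] = (h["last"] - h["first"]).days  # how long the activity ran
    return hits

if __name__ == "__main__":
    for (host, ioc), h in sorted(retro_hunt(LOGS, INTEL).items()):
        print(host, ioc, h["first"].date(), h["last"].date(), h["count"], h["span_days"])
```

The span between first and last sighting is what the historical look-back buys: a match that only appears once in live data may turn out to have been recurring on the same host for months.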