Enhancing Security Posture: What Is Threat Hunting?

Organizations that work in the cloud face an increasing number of potential threats every day. Fortunately, automated detection and response can block many of these lower-level threats before they even require human attention. Unfortunately, that means the threats that evade automated defenses may be perpetrated by driven and sophisticated attackers — the kinds of threat actors who can infiltrate a system and remain undetected for up to 280 days on average.

Threat hunting allows organizations to face these advanced challenges with a combination of automated tools, extensive datasets, and human ingenuity. Organizations with reason to fear attacks from advanced persistent threats (APTs) or other cyber attackers need to know what threat hunting means and how it integrates with their overall cybersecurity posture.

‍

What is threat hunting in cybersecurity?

Threat hunting in cybersecurity is the practice of actively seeking out potential threats within your organization’s security perimeter. For example, a threat actor who infiltrates your perimeter may remain largely dormant for weeks or months at a time to avoid alerting automated monitoring methods. However, their initial access and slow work in siphoning data or elevating privileges for a future attack may still leave behind Indicators of Compromise (IoC).

Threat hunters use shared knowledge bases of adversary tactics and data from their organization’s comprehensive monitoring tools to identify these early signs of improper access and halt the attack before it begins. In essence, a threat hunter acts much like a wildlife hunter; by carefully seeking signs of their quarry — whether fresh hoofprints on a game trail or a previously overlooked IoC within an access database — they can track them to their hiding spot.

‍

How threat hunting compares to other cybersecurity methods

Threat hunting is a powerful way to elevate your cybersecurity posture, one that empowers your security operations center (SOC) to take an even more active role in defending your assets. Yet it cannot function alone. Here is how threat hunting compares to and fits in alongside several other common functions of your SOC.

Threat hunting vs threat intelligence

As Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Threat intelligence is how you know your enemies in the cybersecurity landscape. It includes the identification of threats that have previously targeted your organization, but high-level threat intelligence also thrives on cooperation between businesses and public institutions.

After all, it’s uncommon for a threat actor to exclusively target a single organization. By pooling knowledge about different groups’ attack patterns and capabilities, everyone can better protect themselves.

To empower your threat-hunting capabilities, it’s essential to collect, cultivate, and maintain your own stores of data forensics as well as access to shared resources across the field of cybersecurity. Threat intelligence is also an important part of overall SaaS security best practices.

Threat hunting vs threat detection

Attack surfaces for organizations have grown beyond their physical premises, into the cloud, and onto every mobile device in employees’ pockets. That has made threat detection an increasingly complex yet necessary task. Your SOC must use threat intelligence, automated monitoring, and human know-how to identify when a threat has evaded your outermost layers of security.

Threat detection can work in a number of ways, such as by looking for common behaviors of cyber attackers, scanning traffic to identify signatures of specific types of malware, and identifying anomalies that may correspond to an attempted attack. This initial layer of detection feeds into automated defenses, which can lock out many would-be attackers without human intervention while also providing threat hunters with the forensics they need to identify more sophisticated threat actors.

Threat hunting vs incident response

Incident response is whatever an organization does with the information it gains from threat detection. If you follow the common NIST Cybersecurity Framework, the appropriate steps would be to Protect, Detect, Respond, and Recover. What each of those steps looks like will differ depending on the nature of the attack and your organization, as well as the capabilities of your SOC.

Threat hunting can be one form of incident response when done reactively — as seen in the dramatic story of the RSA hack and the company’s real-time response. Once a threat is identified, it’s essential to diagnose not just what the attackers attempted to access but also how they got there in the first place. That way, your organization can improve its defenses for the future and ensure that future attacks cannot exploit the same vulnerabilities.

Cyber attackers pool their knowledge just as cybersecurity professionals do. You may never be able to deter them from attacking entirely, but your incident response measures can at least give them a moving target.

‍

Why (and where) threat hunting is essential

Rising rates of APT activity show these groups are adapting ever more intricate attack measures, including subverting cloud services and impersonating web gateways to gain command and control over organizations. Automated threat monitoring and response is essential to filter out the majority of potential attacks, but threat hunting is an essential way to contend with APTs and other threats on a similar scale.

It’s also critical to take a modern mindset when planning how your organization will identify and remediate threats. Few organizations run solely on legacy devices such as laptops and on-premises servers anymore, and every mobile device that connects to your services — and every site and app that device uses — is a potential attack surface.

That’s why the Lookout Threat Intelligence Platform puts the world’s largest AI-driven mobile security solution to work for your organization. Our services can also strengthen the human element of your SOC: our experts on mobile security, as well as our threat hunting and training workshops, can help bolster your internal research and response capabilities. Talk to a Lookout sales representative today to learn more.