Proactive threat hunting is a cyclical and hypothesis-driven process that assumes an undiscovered breach of an unknown type has already occurred. In proactive threat hunting, there is no precipitating incident or roadmap; no high-fidelity detection rules have been triggered. As noted in NIST Special Publication 800-53, “The objective [of cyber threat hunting] is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses.” By enabling organizations to identify and eradicate advanced persistent threats (APT) and uncover attacks that could be missed by automated cybersecurity controls, proactive threat hunting provides a critical way for organizations to improve their long-term cyber resilience.
“If you can simply write a rule, write a rule. But then you don’t need to hunt,” – Anton Chuvakin, Former Vice President and Distinguished Analyst at Gartner, now senior security advisor for the office of the CISO at Google Cloud.
In contrast with the proactive approach to threat hunting, legacy investigative approaches are often purely reactive, focusing on known threats. Hunts are typically triggered by a security incident or set of high-risk alerts. Investigators are often mid-tier Security Operations Center (SOC) analysts responsible for triaging and investigating alerts, root cause analysis, incident response, and consolidating logs in a security information and event management (SIEM) system. This essential work can be highly stressful due to the large daily volume of false positive alerts. Chronic alert fatigue is widespread, leading analysts to overlook many of the alerts. This means that reactive threat hunting can only go so far in supporting an effective security strategy. Effective cyber threat hunting is proactive and is essential to build true cyber resilience.
Proactive threat hunting provides a number of security benefits for organizations seeking to achieve and maintain a robust cybersecurity status:
Successful cyber threat hunting relies on the expertise of experienced professionals. Expert threat hunters possess elite skills in surfacing anomalous cyber activity, detecting gaps in the security infrastructure and identifying ways attackers can exploit these gaps to compromise an organization’s operational integrity. Their extensive red team experience enables them to think like adversaries, intuit their objectives and see through their attempts to evade detection.
Thanks to proactive threat hunters’ close familiarity with their organizations’ digital estate and business processes, they excel at leveraging the latest threat intel and crowdsourced attack data to efficiently sift through vast stores of network, endpoint and cloud security data for artifacts of an ongoing attack. Threat hunters excel at deductive reasoning, malware analysis, data science and communicating their findings in actionable terms meaningful to business and IT leaders alike.
Threat hunters utilize a variety of data sources, tools and techniques to uncover threats.
Threat intelligence provides key insights to inform the threat hunting process. Cyber threat intelligence (CTI) is a formal process for collecting and correlating data about attempted or successful intrusions from multiple internal and external sources. SIEMs often incorporate data from threat intelligence feeds to help automate rule creation. While inherently a reactive medium, threat intelligence furnishes hunters with a rich repository of tactics, techniques and procedures (TTPs) and indicators of attack (IoAs) for proactive investigations. It provides an essential starting point and foundation for effective threat hunting.
Cyber threat hunting plays a critical role in enabling organizations to mitigate key challenges. Kroll’s 2023 State of Cyber Defense report, which surveyed 1,000 senior information security decision-makers across the world, highlighted significant issues. Many security leaders were over-confident in their ability to defend against the latest threats, and not all security leaders understood what their tools were even protecting against. Respondents also indicated that they had a lot more trust in their security teams than in the tools they were using. In this context, proactive threat hunting can be hugely valuable to defend against threats that slip through the net.
What tools and data are needed for effective threat hunting? How does one hunt for an unknown unknown? How is success gauged? We asked members of our threat hunting leadership team to share their experiences in the field. Here are some highlights:
Threat actors utilize many techniques in their attempts to evade detection. One of their methods is to rename their tools and malware.
This means it is important to search for executable files with odd names or in odd locations running on endpoints. For example, on one assignment, the threat hunting team found a file named s.exe. Because this violates normal file naming conventions, a term frequency search was run to determine the prevalence of the file in the client’s environment. Multiple instances were found on finance department systems. A sample of the file was then detonated in a sandbox.
The file turned out to be an instance of Rclone, a legitimate file management tool used in ransomware attacks to exfiltrate data. Ultimately, the initial compromise was traced to the system of a finance clerk who had succumbed to a phishing exploit. The threat hunting team succeeded in locating and helping neutralize the ransomware before it could spread and detonate.
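The prevalence check described above, as an added example (not Kroll's code or data): a small Python hunt over constructed endpoint process telemetry that flags executables with very short or letterless names, or running from user-writable folders, and then counts on how many hosts and in which departments each one appears. Hostnames, departments, paths and the path heuristic are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of endpoint process events: (host, department, image path)
EVENTS = [
    ("FIN-PC01", "finance", r"C:\Users\jdoe\AppData\Local\Temp\s.exe"),
    ("FIN-PC02", "finance", r"C:\Users\asmith\Downloads\s.exe"),
    ("FIN-PC03", "finance", r"C:\Users\bwong\AppData\Local\Temp\s.exe"),
    ("ENG-PC07", "engineering", r"C:\Program Files\Git\bin\git.exe"),
    ("HR-PC02", "hr", r"C:\Windows\System32\svchost.exe"),
    ("FIN-PC01", "finance", r"C:\Windows\explorer.exe"),
    ("IT-PC01", "it", r"C:\Users\ops\Desktop\q.exe"),
]

# Folders from which normal software rarely executes (hunting heuristic, assumption)
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|Desktop|Public)\\", re.IGNORECASE)

def odd_name(path):
    """True when the executable's basename is very short (e.g. s.exe) or has no letters."""
    name = path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    return len(stem) <= 2 or not any(c.isalpha() for c in stem)

def hunt(events):
    """Prevalence per suspect filename: which hosts and which departments run it.

    A file seen on a handful of machines in a single department is the pattern
    worth pivoting on; a file present on every host is usually just software.
    """
    hosts = defaultdict(set)
    depts = defaultdict(set)
    for host, dept, path in events:
        if odd_name(path) or USER_WRITABLE.search(path):
            name = path.rsplit("\\", 1)[-1].lower()
            hosts[name].add(host)
            depts[name].add(dept)
    return {n: {"hosts": sorted(hosts[n]), "departments": sorted(depts[n])} for n in hosts}

if __name__ == "__main__":
    for name, info in hunt(EVENTS).items():
        print(f"{name}: {len(info['hosts'])} host(s) in {info['departments']}")
```

In a real hunt the same counts would come from the SIEM or EDR console over the full fleet, and the samples behind any cluster would go to a sandbox before anyone touches the hosts.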
During one monthly assignment, Kroll’s cyber threat hunting specialists discovered an employee in the IT department using work assets to mine cryptocurrency. Here’s a condensed account of the hunt and its aftermath.
The client asked the team to focus on potential threats of loss or damage to its proprietary design and engineering data. Employees in several departments were allowed to use USB drives, which can be infected with malware or used to exfiltrate data. The team suggested that a USB exploit could be underway. They began by analyzing EDR data collected in the SIEM for evidence of unusual USB activity or strains of USB-related malware. As it happened, this didn’t yield results because the compromised system was on a network segment without EDR installed.
Instead, the team located a suspect machine in the IT department by ingesting and analyzing NetFlow logs. These showed an employee’s system communicating with several cryptocurrency hauling services. Further analysis found the employee was running cryptojacking executables from a .lnk (Windows shortcut) file on the thumb drive storage volume. The team also found links in his search history to sites on the dark web showing how to cryptojack without being detected.
The hunt team carefully assembled and preserved the necessary forensic data to provide the client with evidence for possible prosecution. It concluded its assignment by creating a detection rule flagging the cryptocurrency mining pools the employee had been using. That would help reduce the possibility of a similar attack in the future.
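The kind of detection rule the hunt team left behind, as an added example (not Kroll's rule or data): Python over constructed NetFlow-style records that scores each internal host against a watchlist of mining-pool IPs and, as weaker context, ports commonly used by the Stratum mining protocol. The IPs are placeholders from documentation ranges, the port list and thresholds are assumptions, and the watchlist would in practice come from the hunt's findings and threat intel.

```python
from collections import defaultdict

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("10.20.5.17", "203.0.113.10", 3333, 48_000),
    ("10.20.5.17", "203.0.113.10", 3333, 52_000),
    ("10.20.5.17", "198.51.100.7", 14444, 31_000),
    ("10.20.5.17", "192.0.2.50", 443, 9_000),
    ("10.20.7.3", "192.0.2.80", 443, 120_000),
    ("10.20.7.3", "192.0.2.81", 3333, 2_000),
]

# Constructed watchlist of pool addresses (placeholders standing in for the
# pools identified during the hunt); a high-fidelity, but narrow, indicator
POOL_IPS = {"203.0.113.10", "198.51.100.7"}
# Ports commonly used by Stratum mining protocol (assumption); broad on their own
STRATUM_PORTS = {3333, 4444, 14444}

def classify(flow, pool_ips=POOL_IPS, ports=STRATUM_PORTS):
    """Return 'high' (watchlisted IP), 'low' (stratum port only) or None."""
    _, dst, port, _ = flow
    if dst in pool_ips:
        return "high"
    if port in ports:
        return "low"
    return None

def detect(flows, pool_ips=POOL_IPS, ports=STRATUM_PORTS):
    """Aggregate per source host: high/low match counts and bytes sent to pools."""
    out = defaultdict(lambda: {"high": 0, "low": 0, "bytes_to_pools": 0})
    for flow in flows:
        label = classify(flow, pool_ips, ports)
        if label is None:
            continue
        src, _, _, nbytes = flow
        out[src][label] += 1
        if label == "high":
            out[src]["bytes_to_pools"] += nbytes
    return dict(out)

def alerts(flows, min_high=1):
    """Fire only on hosts with watchlist hits; port-only hits stay as context so
    the broad half of the rule does not flood the SOC with spurious alerts."""
    return {src: s for src, s in detect(flows).items() if s["high"] >= min_high}

if __name__ == "__main__":
    for src, score in alerts(FLOWS).items():
        print(f"{src}: {score['high']} pool flows, {score['bytes_to_pools']} bytes out")
```

The split between a narrow watchlist and a broad port heuristic is the trade-off the closing section describes: the watchlist misses a pool nobody has seen yet, the port match alone would page on legitimate traffic.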
If a significant ongoing breach had been discovered, the team would have immediately notified the client and activated an incident response team. In this case, the client’s general counsel handled the matter in the normal course of doing business.
First and foremost, it’s essential to distinguish true, proactive threat hunting from other investigative methods. With the elite skills required in short supply, it’s no surprise that most threat hunts today are reactive. That’s a problem because bad actors constantly introduce new TTPs specifically designed to evade detection.
The survey responses and case study outlined above demonstrate the critical importance of collecting and preserving log and telemetry data for root cause analysis and cyber threat hunting. Yet this continues to be a significant problem for many organizations. One cause is the sheer volume of data that must be ingested, correlated, and analyzed daily. Another is that actors often attempt to cover their tracks with Indicator Blocking and other techniques that impair or prevent access to investigative data. To reduce the risks, organizations must do everything possible to preserve and make this data available at scale.
SIEM and Security Orchestration, Automation and Response (SOAR) solutions are helpful in partially automating data management, alert triage, and incident response playbooks. However, these tools still rely on detection rules that sophisticated actors routinely circumvent due to their intrinsic limitations. If rules are overly specific, they can miss crucial clues of a cyberattack. If overly broad, they can impair routine business processes and deluge SOC teams with spurious alerts. Most importantly, they cannot detect evidence of attacks that have never been seen before. That goal can only be achieved with proactive threat hunting.