What is Threat Hunting?
The German term for Threat Hunting is Bedrohungssuche. Threat Hunting is a proactive method of improving cyber security: the hunter actively searches the network and its systems for threats before an alert has fired or any other concrete sign of an attack exists. In this it differs from classic approaches, which react to specific alerts or to events that have already occurred. The goal is to find threats that have slipped past existing controls, isolate their patterns and use those patterns to improve the existing security systems.
Threat Hunting is performed by a Threat Hunter or a team of Threat Hunters. Much of the work is manual. Automated techniques such as User and Entity Behavior Analytics (UEBA) and other security tools support the hunter by examining large amounts of data for deviations from normal behaviour (anomalies), often using machine learning (ML). This helps surface hidden Indicators of Compromise (IOCs) that no existing detection rule has caught.
Methods and operation of Threat Hunting
Threat Hunting is to a large extent a manual process. A security professional, in this role called a Threat Hunter, systematically searches the network and IT systems for signs of threats.
Typically the hunter starts from a hypothesis, for example that an attacker has already gained access with valid credentials but is currently lying low to avoid detection. The Threat Hunter is supported by automated techniques such as User and Entity Behavior Analytics (UEBA) and security tools, which can scan large amounts of data for anomalies and suspicious behaviour patterns.
To uncover potential risks, these tools use machine learning (ML) methods and Big Data technologies. The anomalies they surface are then examined in more detail by the Threat Hunter, who decides whether each one is benign or evidence of the hypothesised threat. Threat Hunting is therefore an iterative process: a hypothesis about a potential threat is tested with a search, the search is refined based on what it turns up (for example by excluding known legitimate activity that produced false positives), and the cycle is repeated until the hypothesis is confirmed or rejected. The results are used to inform those responsible for cyber security and to improve automated detection systems, typically by turning a confirmed pattern into a new detection rule.
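To make the iterative, hypothesis-driven loop described above concrete, the following Python example is added here; it is not code from the original article. It assumes a constructed logon log in a simple key=value format (the users, hosts, timestamps and the jump-host allowlist are all invented), builds a per-user baseline from the first two days, hunts the third day for the hypothesis "a valid account is used from an unfamiliar host or at an unfamiliar hour", refines the hunt by excluding known administrative jump hosts, and finally turns a confirmed pattern into a Sigma-style rule dict that an automated detection system could load.

```python
"""Hypothesis-driven hunt over constructed logon events (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not real telemetry: one successful or failed
# interactive logon per line. Days 4 and 5 form the baseline, day 6 is hunted.
LOG_LINES = [
    "2024-03-04T08:12:03 user=alice src=ws-alice dst=fileserver result=success",
    "2024-03-04T09:30:11 user=bob src=ws-bob dst=fileserver result=success",
    "2024-03-04T13:05:42 user=alice src=ws-alice dst=mailserver result=success",
    "2024-03-05T08:47:19 user=alice src=ws-alice dst=fileserver result=success",
    "2024-03-05T10:02:55 user=bob src=jump-01 dst=dbserver result=success",
    "2024-03-05T17:55:00 user=bob src=ws-bob dst=fileserver result=success",
    "2024-03-06T02:14:37 user=alice src=ws-guest-17 dst=fileserver result=success",
    "2024-03-06T08:15:02 user=alice src=ws-alice dst=fileserver result=success",
    "2024-03-06T10:40:21 user=bob src=jump-01 dst=dbserver result=success",
    "2024-03-06T11:03:44 user=carol src=ws-carol dst=fileserver result=success",
    "2024-03-06T03:00:00 user=bob src=ws-bob dst=dbserver result=failure",
    "2024-03-06T10:55:12 user=bob src=jump-02 dst=dbserver result=success",
]
BASELINE_END = datetime(2024, 3, 6)          # events before this form the baseline
KNOWN_JUMP_HOSTS = frozenset({"jump-01", "jump-02"})  # assumed admin allowlist


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def build_baseline(events):
    """Per user: which source hosts and which hours of the day are normal."""
    baseline = defaultdict(lambda: {"src": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]]["src"].add(e["src"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def hunt(events, baseline, known_jump_hosts=frozenset()):
    """One pass of the hunt: every successful logon that deviates from the baseline.

    known_jump_hosts is the refinement knob: hosts listed there are treated as
    legitimate sources even if the user never used them during the baseline.
    """
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        profile = baseline.get(e["user"])
        reasons = []
        if profile is None:
            reasons.append("user has no baseline")
        else:
            if e["src"] not in profile["src"] and e["src"] not in known_jump_hosts:
                reasons.append(f"new source host {e['src']}")
            if e["ts"].hour not in profile["hours"]:
                reasons.append(f"unusual hour {e['ts'].hour:02d}")
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], reasons))
    return findings


def to_detection_rule(user, baseline, known_jump_hosts=frozenset()):
    """Feed a confirmed pattern back to the SIEM as a Sigma-style rule dict."""
    allowed = sorted(baseline[user]["src"] | set(known_jump_hosts))
    return {
        "title": f"Successful logon for {user} from a host outside the baseline",
        "logsource": {"product": "example", "service": "logon"},  # assumed names
        "detection": {
            "selection": {"user": user, "result": "success"},
            "filter": {"src": allowed},
            "condition": "selection and not filter",
        },
        "level": "medium",
    }


def run(lines=LOG_LINES, known_jump_hosts=frozenset()):
    """Full cycle: baseline, hunt, and return the findings of this iteration."""
    events = [parse(l) for l in lines]
    baseline = build_baseline([e for e in events if e["ts"] < BASELINE_END])
    window = [e for e in events if e["ts"] >= BASELINE_END]
    return hunt(window, baseline, known_jump_hosts), baseline


if __name__ == "__main__":
    first_pass, baseline = run()
    print("iteration 1:", first_pass)            # includes bob via jump-02
    refined, _ = run(known_jump_hosts=KNOWN_JUMP_HOSTS)
    print("iteration 2:", refined)               # alice at 02:14 and carol remain
    print(to_detection_rule("alice", baseline, KNOWN_JUMP_HOSTS))
```

The second iteration is the refinement step from the text: the jump-host finding for bob is a false positive once administrative practice is taken into account, while alice's 02:14 logon from an unfamiliar guest workstation and the account carol with no history at all stay on the list for the hunter to investigate. The rule dict written for alice encodes exactly what the hunt confirmed, so the next occurrence is caught automatically instead of needing a manual hunt.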
Differentiation from classical methods
Threat Hunting differs significantly from classical security systems and their reactive methods of countering cyber threats because of its fundamentally proactive approach. Systems such as intrusion detection and intrusion prevention systems (IDS and IPS), firewalls, virus and malware scanners, or security information and event management (SIEM) react to events that match a known signature, rule or policy.
Active defence measures or further analysis are only initiated once such a system has raised an alert. Threat Hunting, on the other hand, searches and analyses networks and systems without requiring concrete evidence of a threat, and so can also find attacks for which no rule exists yet. The two approaches complement rather than replace each other: a hunt usually works on the logs and telemetry the SIEM already collects, and its findings flow back into it as new detection rules.
Advantages of using Threat Hunting
The benefits of proactive Threat Hunting include the following:
- Attackers cannot remain unnoticed in the IT environment for long periods (reduced dwell time)
- Faster detection of potential threats, without having to wait for an alert or a specific security event
- Minimised consequences of security breaches, because they are found earlier
- Detection of risky user behaviour that no existing rule flags
- Improvement of automated security systems using the insights gained from hunts
- A smaller attack surface and lower overall cyber security risk