Threat hunting is a proactive cyber defense activity focused on the pursuit of attacks and of the evidence that attackers leave behind when they conduct reconnaissance, deploy advanced malware or exfiltrate critical data.

Rather than relying solely on reactive alerts, or hoping that a SOC (Security Operations Centre) tool flags the suspicious activity, a threat hunter applies human analytical capacity and an understanding of the environment's context to determine more quickly when an unauthorised intrusion has occurred.

Threat hunting allows attacks to be discovered in their early phases, with the goal of stopping them before adversaries can achieve their objectives.

While skill and experience certainly help, the ever-changing landscape of threat actors and their growing sophistication require the threat hunter to take a well-organised approach and follow an open framework that structures a methodical hunt around the current TTPs (tactics, techniques and procedures) of the most active threat actors.

Simplifying SOC complexity in an evolving threat landscape

The Gartner Board of Directors Survey 2022 found that 88 per cent of respondents viewed cyber security-related risk as a business risk, not just a technology risk, and that 51 per cent had experienced a cyber security risk incident in the past two years.

By preparing for the inevitable breach, rather than assuming it will always be prevented, organisations with a modern SOC that includes threat hunting capabilities achieve a better security posture and give their team the foundation to proactively hunt for advanced threats.

Respondents to the VMware Global Incident Response Threat Report (2021) indicated that targeted victims now experience integrity and destructive attacks more than 50 per cent of the time. It also found that more than 60 per cent of respondents had seen ransomware attacks in the past 12 months, and that these attacks are becoming increasingly malicious.

This escalation stems from adversaries implementing multistage campaigns involving penetration, persistence, data theft, and extortion.

These figures show that attacks are becoming more stealthy, more destructive and more targeted, and that they leverage advanced techniques. IBM's Cost of a Data Breach Report 2021 found that it took an average of 287 days to identify and contain a data breach.

On average, it takes organisations about seven months (212 days) to detect a malicious attack and another 75 days to contain it.

And the average cost of a breach whose lifecycle exceeds 200 days is $4.87 million, so every second counts.

The attacks that cause the most damage and are hardest to detect and prevent include Advanced Persistent Threats (APTs), which operate over prolonged dwell times. Threat hunting is particularly needed against APTs, which start with an initial, undetected compromise and then build out long-term, multi-phase attacks. The SolarWinds supply-chain compromise disclosed in 2020 is a well-known example of an APT campaign.

Effective threat hunting relies on a mindset and a methodical framework that let the security analyst think like a threat actor, and then use that understanding to decide which clues to look for that might indicate an attack is under way.

Making threat hunting effective and efficient with the MITRE ATT&CK framework

Threat hunters rely on the MITRE ATT&CK framework, which guides them to think through each stage of a potential attack and then decide what evidence to search for. MITRE ATT&CK is a globally accessible knowledge base of adversary TTPs, curated from real-world observations, that hunt teams can draw on when constructing hypotheses. TTPs are the behaviours, methods or patterns of activity used by a threat actor or group of threat actors.

Threat hunters start each hunt with a simple question: what are we looking for? Because ATT&CK catalogues the adversary behaviours observed in the wild across the whole attack lifecycle, from reconnaissance and initial access through to impact, it is the natural place to start answering that question.

The framework helps SOC teams see which threat groups to watch for; which techniques, platforms, data sources and software those groups are likely to use against your environment; and how to detect and mitigate the adversarial techniques it describes at an early stage.

The MITRE ATT&CK framework can be used to discover potential threats and to identify areas of risk and improvement in a SOC environment. Each technique entry lists the data sources (for example, process creation, command execution or network traffic) that should be examined when investigating whether that technique has been used in an environment. It can also be used to assess how effective an organisation's SOC is at detecting, analysing and responding to security breaches.

A modern SOC should leverage the ATT&CK framework to increase the efficacy of its threat hunting programme and to look for a wider set of evidence, by hunting for adversarial TTPs rather than for specific signatures such as file hashes or tool names, which an attacker can change far more cheaply than their behaviour.
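As an added example (not code from the article or from MITRE), the Python below runs a small hypothesis-driven hunt over process-creation events: each hypothesis is tied to an ATT&CK technique, tactic and data source, and the behaviour-based rules are run beside a name-based "signature" check so the difference the paragraph describes is visible. The sample events are constructed, the event field names (ts, host, user, parent_image, image, command_line) are an assumed schema loosely modelled on EDR/Sysmon process-creation telemetry, and the matching rules are illustrative hunt logic rather than any product's detections; the technique and tactic identifiers are real ATT&CK Enterprise IDs.

```python
"""Hypothesis-driven hunt over process-creation events, mapped to MITRE ATT&CK."""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample events (not real telemetry); field names are an assumed schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: an admin runs an unencoded PowerShell one-liner.
    {"ts": "2023-05-02T08:01:12Z", "host": "ws-017", "user": "CORP\\amy",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe Get-Service -Name Spooler"},
    # Suspicious: Word spawns PowerShell with an encoded payload (T1059.001).
    {"ts": "2023-05-02T09:14:03Z", "host": "ws-017", "user": "CORP\\amy",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # Suspicious: renamed ProcDump dumping LSASS (T1003.001); a tool-name signature misses it.
    {"ts": "2023-05-02T09:20:41Z", "host": "ws-017", "user": "CORP\\amy",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\amy\\AppData\\Local\\Temp\\pd.exe",
     "command_line": "pd.exe -accepteula -ma lsass.exe C:\\Users\\amy\\AppData\\Local\\Temp\\ls.dmp"},
    # Suspicious: LSASS dump via the built-in comsvcs.dll MiniDump export (T1003.001).
    {"ts": "2023-05-02T09:22:10Z", "host": "srv-db01", "user": "CORP\\svc_backup",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\temp\\l.dmp full"},
    # Suspicious: scheduled task whose action lives in a user-writable path (T1053.005).
    {"ts": "2023-05-02T09:25:55Z", "host": "ws-017", "user": "CORP\\amy",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": "schtasks.exe /create /sc minute /mo 30 /tn Updater /tr C:\\Users\\amy\\AppData\\Roaming\\upd.exe"},
    # Benign: a developer dumps a crashing app; the name signature fires, the LSASS hypothesis does not.
    {"ts": "2023-05-02T10:02:00Z", "host": "ws-042", "user": "CORP\\dev1",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Tools\\procdump.exe",
     "command_line": "procdump.exe -accepteula -ma notepad.exe C:\\dumps\\np.dmp"},
]


@dataclass(frozen=True)
class Hypothesis:
    """One hunt hypothesis: an ATT&CK technique plus the behaviour we expect to observe."""
    technique_id: str
    technique: str
    tactic: str
    data_source: str
    test: Callable[[Dict[str, str]], bool]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def encoded_powershell(ev: Dict[str, str]) -> bool:
    """T1059.001: powershell/pwsh started with an encoded (-e/-ec/-enc/-EncodedCommand) payload."""
    cmd = ev["command_line"].lower()
    return _basename(ev["image"]) in {"powershell.exe", "pwsh.exe"} and bool(
        re.search(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", cmd))


def lsass_memory_access(ev: Dict[str, str]) -> bool:
    """T1003.001: full memory dump of lsass by any tool name, or comsvcs.dll MiniDump of any PID."""
    cmd = ev["command_line"].lower()
    return ("lsass" in cmd and ("-ma " in cmd or "minidump" in cmd)) or (
        "comsvcs.dll" in cmd and "minidump" in cmd)


def task_from_user_writable_path(ev: Dict[str, str]) -> bool:
    """T1053.005: schtasks /create whose action sits in a user-writable directory."""
    cmd = ev["command_line"].lower()
    return (_basename(ev["image"]) == "schtasks.exe" and "/create" in cmd
            and re.search(r"\\(appdata|temp|programdata|public)\\", cmd) is not None)


HYPOTHESES = [
    Hypothesis("T1059.001", "Command and Scripting Interpreter: PowerShell", "Execution",
               "Process: Process Creation", encoded_powershell),
    Hypothesis("T1003.001", "OS Credential Dumping: LSASS Memory", "Credential Access",
               "Process: Process Creation", lsass_memory_access),
    Hypothesis("T1053.005", "Scheduled Task/Job: Scheduled Task", "Persistence",
               "Process: Process Creation", task_from_user_writable_path),
]

# A name-based "signature" for comparison; the attacker sidesteps it by renaming the tool.
KNOWN_TOOL_NAMES = {"procdump.exe", "procdump64.exe", "mimikatz.exe"}


def run_hunt(events=SAMPLE_EVENTS, hypotheses=HYPOTHESES) -> List[Dict[str, str]]:
    """Return one hit per (event, hypothesis) match, tagged with the ATT&CK technique and tactic."""
    hits = []
    for ev in events:
        for h in hypotheses:
            if h.test(ev):
                hits.append({"technique_id": h.technique_id, "technique": h.technique,
                             "tactic": h.tactic, "host": ev["host"], "ts": ev["ts"],
                             "command_line": ev["command_line"]})
    return hits


def signature_hits(events=SAMPLE_EVENTS) -> List[Dict[str, str]]:
    """Events whose image name is on the known-tool list (what a pure signature would catch)."""
    return [ev for ev in events if _basename(ev["image"]) in KNOWN_TOOL_NAMES]


def coverage_by_tactic(hits) -> Dict[str, List[str]]:
    """Summarise which techniques fired under each tactic, for a quick ATT&CK coverage view."""
    cov: Dict[str, set] = {}
    for h in hits:
        cov.setdefault(h["tactic"], set()).add(h["technique_id"])
    return {t: sorted(ids) for t, ids in cov.items()}


if __name__ == "__main__":
    for hit in run_hunt():
        print(json.dumps(hit))
    print("tactic coverage:", coverage_by_tactic(run_hunt()))
    print("signature-only hits:", [_basename(e["image"]) for e in signature_hits()])
```

Run as-is, the behaviour hypotheses flag the encoded PowerShell, both LSASS dumps (including the renamed binary and the one that uses no third-party tool at all) and the scheduled task, while the tool-name signature only fires on the benign ProcDump run and misses the renamed copy entirely. In a real hunt the event list would come from the SIEM or EDR query for the data source named on the technique page, and each hypothesis would be tuned against the environment's known-good baseline before being promoted to an alert.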

With better information on adversary groups, the techniques they are likely to use and how they will behave once they gain access to the target network, SOC teams can harden their defenses and make targeted improvements to threat detection and prevention systems.

Thus, threat hunting that leverages the ATT&CK framework increases the likelihood of containing and preventing a threat, thereby strengthening an organisation's security posture.

Neha Dhyani is Senior Security Consultant at Nokia Solutions and Networks with more than 15 years of experience across domains including telecom security (4G/5G), cloud security, next-gen SOC security, EDR/XDR, threat hunting, container security and advanced threat analytics. Neha is an ACS Certified Cyber Security Professional and holds security certifications including CISSP, CCSP, CISM, CEH and MITRE ATT&CK Defender CTI (Cyber Threat Intelligence).