Threat Hunting

Organizations can’t risk being passive when it comes to cybersecurity. Today’s malicious actors are more cunning than ever, increasingly deploying evasive human-led techniques to conduct their attacks. That’s why the practice of threat hunting has become essential in protecting organizations. By proactively seeking out and neutralizing threats before they become a problem, organizations stand a better chance of safeguarding themselves from active adversaries.

What is Threat Hunting?

Threat hunting is a form of cybersecurity in which security professionals proactively search through a network, systems, applications, or connected devices for any signs of potentially malicious activity by an active adversary. Threat hunting is typically carried out through a combination of manual and automated security techniques. Examples include analyzing log data for abnormalities, conducting network scans, or using intelligence feeds. The primary goal of threat hunting is to quickly detect and pinpoint potentially malicious behavior that other forms of security might miss.

In many ways, threat hunting is similar to real-world hunting. Rather than waiting for a target to come to them, threat hunters search for potential bad actors and malicious activity. These highly skilled security professionals often work for a managed security service provider (MSSP) or an in-house security operations center (SOC).

Why Is Threat Hunting Important?

In our survey of 3,000 IT professionals across 14 countries, nearly a quarter (23%) of organizations experienced a cyber-attack involving an active adversary in the last year[1] – a worrying revelation.

Attacks of this nature are notoriously difficult to detect because threat actors adapt their tactics, techniques, and procedures (TTPs) on the fly, using real-time hands-on-keyboard actions in response to what security technologies and defenders do, and as a way to evade detection.

What this illustrates is that technology alone is no longer sufficient to block 100% of threats. Threat hunting is therefore essential for detecting and neutralizing threats that traditional means cannot detect.

[1] The State of Cybersecurity 2023 - Sophos

What Is the Relationship Between Managed Detection and Response (MDR) and Threat Hunting?

Threat hunting and managed detection and response (MDR) may sound like the same thing, but they differ fundamentally: threat hunting is often one component of an MDR strategy.

MDR is broader in scope – it is a wholly outsourced, holistic approach to cybersecurity that involves constant monitoring of an organization’s endpoints, network, cloud security, and user identities for known threats and abnormalities.

MDR services leverage security software that pushes automated security alerts and information to the security professional. These alerts map to known vulnerabilities and escalate detected threats based on specific logic and criteria set by the security professional.

Threat hunting, however, can be either outsourced (to an MDR provider or MSSP) or conducted in-house by an organization’s SOC.

During a threat hunt, the security professional is actively sifting through systems in search of threats instead of passively receiving alerts from software. While MDR is focused on leveraging software and automation to monitor for known threats, threat hunting is a blend of tools and human intervention. The threat hunter may not always know what, exactly, they are hunting for. Threat hunts can be based on known or unknown vulnerabilities, known or unknown suspicious behaviors, or leads and are led by highly skilled security professionals.

A good MDR service will incorporate threat hunting as an integral part of the detection and response process. In the case of Sophos MDR, our security analysts will proactively search for threats that bypass security products before investigating the severity of them and taking appropriate action.

How Does Threat Hunting Work?

Experienced threat hunters operate under the assumption that a potential threat has already evaded an organization’s defenses and is now looking to make moves to penetrate systems. The ultimate goal with threat hunting is to limit an attacker’s dwell time within the system. By reducing the time to detection, threat hunters can limit the damage an attack can cause and even stop the attack before it can take hold.

In most cases, threat hunters focus on two categories of threats:

  • Lead-driven threat hunts: A situation in which the attacker’s behavior has triggered an alert in one or more of the layers of defense.
  • Leadless threat hunts: A more proactive form of threat hunting in which no alerts have been triggered. This is a common threat hunt for unknown or zero-day threats.

Generally, hunts for leadless, unknown threats require the most human effort and can often be the most dangerous. Regardless of whether the hunt is lead-driven or leadless, any detected threats are triaged, responded to, and neutralized by the threat hunting team.

During a hunt, security analysts take stock of the tactics, techniques, and procedures (TTPs) used by threat actors to determine the stage a potential attack has reached and to build intelligence. Once they have established this, they take appropriate action to neutralize the threat if necessary.

There are five core components of a threat hunting strategy:

  1. Prevention. Having robust and properly configured data breach prevention technologies, such as endpoint security, can prevent most attackers from infiltrating your organization’s network. Prevention tools can also reduce the number of security alerts generated on a daily or hourly basis. With fewer alerts to wade through, the threat hunter can better spot and focus on the signals that are the greatest threat: evasive, human-led adversaries.
  2. Collection. For successful threat hunting, security analysts need access to rich security data from your environment. To enable this, organizations need threat monitoring and security systems that constantly collect data about the environment. Collecting data provides valuable clues to threat hunters. It allows them to set a baseline, and then compare and contrast between normal and suspicious behaviors within the environment. Without the right type, volume, and quality of data, it is challenging for threat hunters to accurately identify potential attack indicators. Yet, data without context complicates the analyst’s conviction decision. Without meaningful metadata associated with the signal, the threat hunter will have difficulty determining if the signals are malicious or benign.
  3. Prioritization. The threat hunter uses data, with context, to decipher the signals that matter and then make decisions. To avoid being overwhelmed by data and failing to spot the items that warrant closer investigation, threat hunters need to be able to pinpoint the alerts that matter. The more you can improve the signal-to-noise ratio by combining context that only the event producers can provide with automation and artificial intelligence, the better. Even with automation, it is not a simple process.
  4. Investigation. Once a threat hunter has isolated the key signals, it is time to add insight and measure the discovery of a potential threat against industry frameworks and models, such as the MITRE ATT&CK framework. The goal is to build a confidence threshold to decide whether the signal points toward malicious or benign behavior.
  5. Action. Once a threat hunter determines that the signal points toward a real threat, two things must happen. First, they must mitigate the immediate issue. Secondly, they must hunt down and neutralize the root cause. Sometimes it will be enough to simply quarantine a machine or disconnect it from the network. Other times, the threat hunter will need to go deep into a network to extract the attacker and ensure that they cannot try again. For instance, just because you’ve successfully blocked and removed malware from your system and stopped seeing the alert doesn’t mean the attacker has been fully eliminated from your environment.
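As an added example (not Sophos code) of the collection, prioritization and investigation steps above, the following Python performs a small leadless hunt over constructed process-creation telemetry: it learns a baseline of parent/child process pairs from known-good data, scores new events by how rare the pair is, and attaches hunter-supplied context (illustrative ATT&CK labels) so that a rare-but-benign pair still surfaces as "unclassified" for triage rather than being silently convicted. Host names, users, event counts and the context table are all assumptions made for the example.

```python
"""Baseline-driven hunt over constructed EDR-style process events (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str   # parent process image name
    child: str    # spawned process image name


# Constructed known-good telemetry, the kind the Collection step supplies.
# The splwow64 pair is deliberately rare so it lands near the threshold.
BASELINE_EVENTS = (
    [ProcEvent("ws01", "alice", "explorer.exe", "outlook.exe")] * 40
    + [ProcEvent("ws02", "bob", "explorer.exe", "winword.exe")] * 35
    + [ProcEvent("ws01", "alice", "svchost.exe", "conhost.exe")] * 50
    + [ProcEvent("ws03", "carol", "winword.exe", "splwow64.exe")] * 5
)

# Hunter-supplied context for the Investigation step. The ATT&CK technique
# labels are illustrative; the real mapping is an analyst judgement.
CONTEXT = {
    ("winword.exe", "powershell.exe"): "T1059.001 Office process spawning PowerShell",
    ("outlook.exe", "cmd.exe"): "T1059.003 Mail client spawning a command shell",
}

# Constructed new telemetry to hunt through.
NEW_EVENTS = [
    ProcEvent("ws02", "bob", "explorer.exe", "winword.exe"),
    ProcEvent("ws02", "bob", "winword.exe", "powershell.exe"),
    ProcEvent("ws03", "carol", "winword.exe", "splwow64.exe"),
]


def build_baseline(events):
    """Count how often each parent->child pair occurs in known-good data."""
    return Counter((e.parent, e.child) for e in events)


def rarity(event, baseline):
    """Rarity score: 1.0 for a never-seen pair, falling as the pair gets common."""
    return 1.0 / (1 + baseline[(event.parent, event.child)])


def hunt(events, baseline, threshold=0.1):
    """Return (score, event, note) triples above threshold, highest priority first."""
    hits = []
    for e in events:
        s = rarity(e, baseline)
        if s >= threshold:
            hits.append((s, e, CONTEXT.get((e.parent, e.child), "unclassified rare pair")))
    return sorted(hits, key=lambda h: h[0], reverse=True)
```

The common explorer→winword pair is suppressed by the baseline, the never-seen winword→powershell pair is ranked first with its context note, and the rare winword→splwow64 pair is surfaced as unclassified so the analyst decides whether it is benign.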

Professional threat hunters who see thousands of attacks know when and where to look deeper. They look for what else attackers are doing, have done, or might be planning to do in the network – and then work to neutralize it.

Should I Outsource Threat Hunting or Manage It In-house?

Whether managed in-house or outsourced to a security vendor partner, threat hunting revolves around the security operations center or SOC.

Should your organization choose to implement and manage threat hunting on your own, having your own dedicated SOC is essential. A SOC is a centralized in-house business function focusing on monitoring, detecting, investigating, and responding to cyber threats while improving your organization’s overarching security posture. The security analysts in your SOC serve as your “go-to” team when it comes to potential threats and all cybersecurity matters.

There are pros and cons to managing your threat hunting initiative internally. Choosing to build your own, internal threat hunting team means that your organization will have a devoted resource that is completely focused on your environment’s ongoing security. For organizations that have already built and continue to maintain a SOC, a threat hunting team can be a natural extension of what you’re already doing. An in-house team knows your organization’s environment better than anyone, which can often translate to faster threat detection and response times.

For organizations that do not already have an in-house SOC, there are several challenges. One of the biggest challenges for an in-house threat hunting initiative is finding security professionals with the right skills and experience. Another significant challenge for organizations is finding the right balance between your human skill set and the supporting cybersecurity tools.

Organizations that choose the outsourcing option for threat hunting receive the added benefit of an existing security operations center (SOC). When working with a cybersecurity-as-a-service vendor, you will have at your disposal a larger team of seasoned security analysts. They have thousands of hours of experience dealing with everything adversaries can throw at them. They can also learn from attacks on one organization in the SOC and apply what they’ve learned to all customers. Another benefit is scale: an outsourced SOC team can provide 24/7 support to larger enterprises with multiple locations and even remote workers.

What Are Some Common Cybersecurity Tools Used by Threat Hunters?

Visibility is crucial for threat hunters. In order to stop an advanced cyber threat before major damage is done, analysts need to be able to see intrusion attempts, unauthorized network entry, and other suspicious behaviors as they’re happening. This is where the threat hunter can be supported by cybersecurity technology, which can serve as the eyes and ears of the security strategy. These tools can help a threat hunter decide to look deeper into a system or network to find more evidence of a security incident.

Technology solutions such as next-gen endpoint security and firewalls are critical layers of defense. They assist in stopping advanced, human-led attacks.

Most organizations today have already deployed these tools and use them to gather much of the raw telemetry needed by threat hunters to assess risk and, when necessary, take a deeper dive for more information.

Endpoint, firewall, identity, email, cloud, and network security solutions all provide valuable insights that enable threat hunters to detect, identify, and respond to sophisticated attacks.

Once threat hunters have achieved visibility, they can draw actionable insights from security telemetry. This is considered a specialist skill. The threat hunter uses data from telemetry to make faster and more informed decisions about how to proceed. While many technologies generate security alerts and insights that are useful to highly trained analysts, leveraging the information is another story. That’s where the highly skilled threat hunter comes in.

Threat hunters use telemetry tools and automated security software to wade through massive volumes of data. They leverage data collected from managed detection and response (MDR) platforms, security information and event management (SIEM) solutions, and security analytics tools as a foundation for their hunt.

Additionally, threat hunters leverage endpoint detection and response (EDR) and extended detection and response (XDR) solutions. They enable threat hunters to quickly see suspicious behaviors and investigate them thoroughly. EDR software provides inputs from all endpoints in the environment. In contrast, XDR consolidates signals from across the wider IT environment, including firewalls, mobile, email, and cloud security solutions.

Who are Threat Hunters, and What Skills Do They Have?

Threat hunting is a highly complex operation. Therefore, individuals who work as dedicated threat hunters possess a specific set of skills.

The typical traits required to be a successful threat hunter include:

  • Intellectual curiosity: Looking for threats is often like looking for a needle in a haystack. Threat hunters can often spend days looking for threats, using numerous methods to unearth them. They must be naturally curious and creative to stay on track and solve problems.
  • Extensive cybersecurity experience: Threat hunting is one of the most advanced operations within cybersecurity. It’s essential for threat hunters to have prior experience in the cybersecurity field and foundational knowledge of the most common attack vectors.
  • Threat landscape knowledge: Threat hunters stay up on the latest threat trends because they’re constantly evolving.
  • A hacker’s mind: One of the key attributes of a successful threat hunter is the ability to think like a hacker.
  • Technical writing ability: Threat hunters are required to log all their findings as part of the investigation process. They must have the ability to communicate complex information to stakeholders who may or may not be technically savvy.
  • Operating system (OS) and networking knowledge: Outside of cybersecurity experience, advanced working knowledge of common OS and network tools is essential.
  • Coding/scripting experience: This is required to help threat hunters to build programs, automate tasks, parse logs, and carry out data analysis tasks to aid and progress their investigations.

Unfortunately, there’s a significant shortage of security professionals with these specific skills. And seasoned threat hunters don’t come cheap. Many organizations opt for MDR or MSSPs to help with threat hunting, because they are more likely to have staff with the deep expertise required at a more affordable cost.

What Are Some Steps I Can Take to Prepare for a Threat Hunting Program?

Preparation is the key to success when it comes to any cybersecurity initiative, and threat hunting is no exception. Whether launching an in-house threat hunting program or choosing to outsource, your organization’s environment must be up for the task. It’s important to lay the right foundations before you begin to threat hunt.

Here are five steps to set your organization up for success with threat hunting:

  1. Understand the maturity of your current cybersecurity operations. Mapping your processes to a cybersecurity maturity model (such as the CMMC) is a great way to establish how well-equipped (or not) you are to begin threat hunting. It’s also a good idea to audit your security posture to determine just how susceptible to threats you might be.
  2. Decide how you want to go about threat hunting. Once you’ve established your cyber maturity, you can decide whether threat hunting is something you want to do in-house, fully outsource, or a combination of the two.
  3. Identify technology gaps. Review your existing tools and identify what else you need to do effective threat hunting. How effective is your prevention technology? Does it have or support threat hunting capabilities?
  4. Identify skills gaps. Threat hunting requires specialist skills. If you don’t have the experience in-house, explore training courses to help develop the necessary skills. Also, consider working with a third-party provider to supplement your team.
  5. Develop and implement an incident response plan. It is essential to have a fully-fledged incident response plan in place to ensure any response is measured and controlled. Having a well-prepared, well-understood response plan that all key parties can immediately put into action will dramatically reduce the impact of an attack on your organization.

Final Thoughts on Threat Hunting

MDR providers such as Sophos Managed Detection and Response (MDR) offer a variety of advantages over an in-house threat hunting program. The most significant advantage of them all is often experience.

The Sophos MDR team has thousands of hours of experience and provides 24/7 support delivered globally. To discuss how Sophos can support your organization’s threat hunting initiative, get in touch today.