Cyber threat hunting

Cyber threat hunting is an active cyber defence activity. It is both an iterative and repeatable process involving searching through endpoints and networks to detect previously undetected threats^[1][2] This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox (computer security) and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat.^[3][4]

Threat hunting has traditionally been broadly divided into two major categories. These categories are derived from the methodologies used by the threat hunter to search and identify new threats. Broadly, these categories can be described as unstructured threat hunting and structured threat hunting.^[5].

• Unstructured Threat Hunting - also referred to as data-driven hunting, is a type of threat hunting that uses concepts such as the principle of least seen and statistical analysis to identify anomalies and outliers within log data. Unstructured threat hunting is often highly manual and opportunistic, requiring analysts to sift through large quantities of data in order to identify possible outliers.

• Structured Threat Hunting - also referred to as hypothesis-driven hunting, is a form of threat hunting that relies on the detection of suspicious of malicious behaviours of users or processes in an environment. While structured hunting can also be a manual process, as the behaviours being investigated are known before hand, it is possible to build automated alerting, providing a trigger for investigations.

Threat hunting has traditionally been a manual process, in which a security analyst sifts through various data information using their own knowledge and familiarity with the network to create hypotheses about potential threats, such as, but not limited to, Lateral Movement by Threat Actors.^[6] To be even more effective and efficient, however, threat hunting can be partially automated, or machine-assisted, as well. In this case, the analyst uses software that leverages machine learning and user and entity behavior analytics (UEBA) to inform the analyst of potential risks. The analyst then investigates these potential risks, tracking suspicious behavior in the network. Thus hunting is an iterative process, meaning that it must be continuously carried out in a loop, beginning with a hypothesis.

• Analytics-Driven: "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses"
• Situational-Awareness Driven: "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends"
• Intelligence-Driven: "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans"

The analyst researches their hypothesis by going through vast amounts of data about the network. The results are then stored so that they can be used to improve the automated portion of the detection system and to serve as a foundation for future hypotheses.

The Detection Maturity Level (DML) model ^[7] expresses threat indicators can be detected at different semantic levels. High semantic indicators such as goal and strategy, or tactics, techniques and procedure (TTP) are more valuable to identify than low semantic indicators such as network artifacts and atomic indicators such as IP addresses.^{[citation needed]} SIEM tools typically only provide indicators at relatively low semantic levels. There is therefore a need to develop SIEM tools that can provide threat indicators at higher semantic levels.^[8]

There are two types of indicators:

1. Indicator of compromise - An indicator of compromise (IOC) tells you that an action has happened and you are in a reactive mode. This type of IOC is done by looking inward at your own data from transaction logs and or SIEM data. Examples of IOC include unusual network traffic, unusual privileged user account activity, login anomalies, increases in database read volumes, suspicious registry or system file changes, unusual DNS requests and Web traffic showing non-human behavior. These types of unusual activities allow security administration teams to spot malicious actors earlier in the cyberattack process.
2. Indicator of Concern - Using Open-source intelligence (OSINT), data can be collected from publicly available sources to be used for cyberattack detection and threat hunting.

The SANS Institute identifies a threat hunting maturity model as follows:^[9]

• Initial - At Level 0 maturity, an organization relies primarily on automated reporting and does little or no routine data collection.
• Minimal - At Level 1 maturity, an organization incorporates threat intelligence indicator searches. It has a moderate or high level of routine data collection.
• Procedural - At Level 2 maturity, an organization follows analysis procedures created by others. It has a high or very high level of routine data collection.
• Innovative - At Level 3 maturity, an organization creates new data analysis procedures. It has a high or very high level of routine data collection.
• Leading - At Level 4 maturity, automates the majority of successful data analysis procedures. It has a high or very high level of routine data collection.

Cyberattackers operate undetected for an average of 99 days, but obtain administrator credentials in less than three days, according to the Mandiant M-Trends Report.^[10] The study also showed that 53% of attacks are discovered only after notification from an external party.^[11]

In 2016, it took the average company 170 days to detect an advanced threat, 39 days to mitigate, and 43 days to recover, according to the Ponemon Institute.^[12]

• Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms

• Threat hunting using DNS firewalls and data enrichment

• Bug bounty program
• Cyber campaign
• Proactive cyber defense