What is Threat Hunting in Cyber Security and Why We Need It

What is Threat Hunting in Cyber Security?

Threat hunting is a proactive, iterative process of searching your infrastructure for threat actors who may already have entered it and are operating inside, rather than waiting for an alert to fire.

Threat hunting takes an assume-breach approach: the working assumption is that threat actors are already in your environment, despite your best efforts to prevent them.


Threat hunting activities examine indicators and look for behavioral anomalies that exist in your systems.

The hunter forms hypotheses about how a threat actor could enter the environment and what traces that entry would leave. That way you can anticipate the likely paths of compromise and look for evidence that one of them has already been used.

Threat hunting is not something new in the realm of cyber defense.

However, in reality many cyber defenders rely only on alert-based investigation, and so overlook indicators and anomalies that no detection rule has raised as an intrusion alert.

Cyber security attacks are becoming increasingly sophisticated and advanced.

Therefore it is not enough for a security analyst to rely only on passive security monitoring. A proactive effort is needed to find out whether there are irregularities caused by threat actors inside the system environment.

Why We Need Threat Hunting

There are several reasons and goals behind the threat hunting process:

1. Reducing Incident Response Time

Based on research and survey results, the time it takes an organization to detect and respond to a breach is on average 146 days globally.

The average time it takes organizations in the EMEA region to detect a breach is 496 days (FireEye, n.d.).

Regular, proactive threat hunting is therefore expected to reduce adversary dwell time and the time needed to respond to security incidents and breaches within an organization.

2. Sophisticated and Advanced Attack Vector

Threat actors currently use many advanced methods, and many perimeter defenses cannot prevent this kind of advanced attack vector.

New methods are developed every day to deceive system owners, so that the protections already in place cannot detect this type of attack.

3. Stealth Activity from Threat Actor

Passive security monitoring cannot detect most of the stealthy activities carried out by threat actors, who have many methods at their disposal.


One of these is to establish persistence once they have succeeded in compromising a system environment. Such indicators and anomalous behavior can be identified through the threat hunting process.

Threat Hunting: People, Process, and Technology

Threat hunting is always guided by people, processes, and technology, which are interrelated. These three elements form a unit that must be integrated together.

People

One common myth about threat hunters is that threat hunting can only be done by elite-level security analysts.

This is not entirely true. Today an L1 security analyst should have basic skills and knowledge of threat hunting. Routine jobs, such as responding to and reducing false-positive alerts, should be handled automatically as far as possible.

That reduces the workload of L1 security analysts, so they can dig deeper and practice hunting adversaries from L1 onwards.

However, to start the hunting process, a security analyst must be equipped with some basic knowledge of the security field and already understand several areas. Things to consider before starting the hunting process are as follows:

1. Log Analysis

The ability of security analysts to read logs, and to carefully study every log from each data source, is very important.

In addition, basic scripting skills for processing and parsing logs play a very important role in easing the analyst's work in the hunting process.

Equally important is the ability to recognize anomalies in each data source and to correlate logs across multiple data sources.
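The following is an added example, not code from the original article, of the parsing and correlation skills described above. It reads two constructed log sources (a simplified key=value rendering of Windows logon event 4624 and Sysmon process-creation event 1), builds a per-account baseline of remote logon sources from the period before the hunt, and then flags remote logons from a never-seen source that were followed by process creation for the same account on the same host within five minutes. The log lines, hostnames, accounts and the 5-minute window are all assumptions made for the example.

```python
"""Log analysis and correlation across two data sources (added example).

Hypothesis: an account logging on remotely from a source it has never used
before, and then spawning processes on that host within a few minutes, is
worth a closer look. The log lines below are constructed for this example
(a simplified key=value rendering of Windows event 4624 and Sysmon event 1),
not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed Windows logon events (event 4624).
LOGON_LOG = """\
2024-03-01T09:00:05Z host=WS01 event=4624 user=alice logon_type=2 src=127.0.0.1
2024-03-01T09:15:10Z host=SRV02 event=4624 user=alice logon_type=3 src=10.0.5.23
2024-03-01T09:16:02Z host=SRV02 event=4624 user=svc_backup logon_type=5 src=127.0.0.1
2024-03-01T22:41:30Z host=SRV02 event=4624 user=alice logon_type=10 src=203.0.113.7
"""

# Constructed Sysmon process-creation events (event 1).
PROCESS_LOG = """\
2024-03-01T09:16:40Z host=SRV02 event=1 user=alice image=C:\\Windows\\System32\\notepad.exe
2024-03-01T22:42:11Z host=SRV02 event=1 user=alice image=C:\\Windows\\System32\\cmd.exe
2024-03-01T22:43:05Z host=SRV02 event=1 user=alice image=C:\\Windows\\System32\\whoami.exe
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
REMOTE_LOGON_TYPES = {"3", "10"}  # 3 = network, 10 = RemoteInteractive (RDP)
WINDOW = timedelta(minutes=5)     # how soon after the logon we look for processes
HUNT_START = datetime(2024, 3, 1, 12, 0, 0)  # assumed cutoff: earlier events are baseline


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV_RE.findall(rest))
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def hunt(logons, procs, hunt_start):
    """Return remote logons from a new source that were followed by process
    creation for the same account on the same host within WINDOW."""
    # Baseline: sources each account used for remote logons before the hunt window.
    baseline = defaultdict(set)
    for r in logons:
        if r["logon_type"] in REMOTE_LOGON_TYPES and r["ts"] < hunt_start:
            baseline[r["user"]].add(r["src"])

    # Index process creations by (host, user) so correlation is a dict lookup.
    procs_by_host_user = defaultdict(list)
    for p in procs:
        procs_by_host_user[(p["host"], p["user"])].append(p)

    findings = []
    for r in logons:
        if r["ts"] < hunt_start or r["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if r["src"] in baseline[r["user"]]:
            continue  # a source this account has used before: not new
        followed = [p["image"] for p in procs_by_host_user[(r["host"], r["user"])]
                    if r["ts"] <= p["ts"] <= r["ts"] + WINDOW]
        if followed:
            findings.append({"host": r["host"], "user": r["user"], "src": r["src"],
                             "logon_type": r["logon_type"], "processes": followed})
    return findings


def run_example():
    """Run the hunt over the constructed sample logs."""
    return hunt(parse_log(LOGON_LOG), parse_log(PROCESS_LOG), HUNT_START)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

On the sample data the 09:15 logon from 10.0.5.23 lands in the baseline period and is never flagged; the 22:41 RDP logon from 203.0.113.7 is a new source for alice and is followed by cmd.exe and whoami.exe on SRV02, so it is the one finding. The point is the shape of the work: parse each source into the same record type, build a baseline, then correlate on shared keys (host, account) and time.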

2. Analytical Mindset

Security analysts must be able to reason and think analytically. This is the most basic skill, and one every threat hunter must have.

In every investigation and hunting process, security analysts will find many pieces of the puzzle that need to be assembled into one picture in order to form a hypothesis.

The ultimate goal is to find the adversary and the source of the problems that occur.

The passion and curiosity of security analysts play an important role.


Tireless work, never giving up on assembling the puzzle pieces, and analytical thinking will greatly help a security analyst uncover a case.

3. Attacker Lifecycle

One example of the attacker lifecycle is the Cyber Kill Chain, first introduced by Lockheed Martin. By understanding the context of the attacker's lifecycle,

threat hunters can formulate hypotheses and predict the techniques and methods adversaries are likely to use at each stage of an intrusion into an environment.

In addition to the Kill Chain, the MITRE ATT&CK framework can also be used as a reference; it gives a big picture of the tactics and techniques commonly used by attackers when infiltrating an infrastructure.
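As an added example (not code from the original article) of turning an ATT&CK entry into a concrete hunt, and of the persistence activity mentioned earlier under "Stealth Activity from Threat Actor": the hypothesis is that an adversary establishes persistence through Registry Run keys (ATT&CK T1547.001), which Sysmon records as event 13 (registry value set). The script flags Run/RunOnce writes made by scripting hosts or living-off-the-land binaries, or whose payload lives in a user-writable location. The JSON-lines records, host name, SID and paths are constructed for the example; the field names follow Sysmon's, but the record layout is an assumption, not real Sysmon output.

```python
"""Hypothesis-driven hunt mapped to ATT&CK (added example).

Hypothesis (Persistence, T1547.001 Registry Run Keys / Startup Folder): an
adversary who has compromised a host writes a Run or RunOnce value so the
payload survives reboot. Sysmon event 13 (registry value set) shows which
process wrote which value where. Records below are constructed."""
import json
import re

# Constructed Sysmon-style records, one JSON object per line (raw string so
# the JSON backslash escapes survive into json.loads).
SYSMON_JSONL = r"""
{"EventID": 13, "UtcTime": "2024-03-02 08:01:10", "Computer": "WS07", "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "Details": "C:\\Program Files\\Vendor\\agent.exe"}
{"EventID": 13, "UtcTime": "2024-03-02 08:05:42", "Computer": "WS07", "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "UtcTime": "2024-03-02 23:17:03", "Computer": "WS07", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\bob\\AppData\\Roaming\\upd.exe"}
{"EventID": 13, "UtcTime": "2024-03-02 23:18:30", "Computer": "WS07", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Cleanup", "Details": "C:\\ProgramData\\x.bat"}
{"EventID": 1, "UtcTime": "2024-03-02 23:18:31", "Computer": "WS07", "Image": "C:\\Windows\\System32\\cmd.exe"}
"""

TECHNIQUE = "T1547.001"  # ATT&CK: Boot or Logon Autostart Execution: Registry Run Keys
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Locations an unprivileged user can write to; installers normally use Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Scripting hosts and LOLBins rarely have a legitimate reason to set Run keys.
SUSPICIOUS_WRITERS = {"powershell.exe", "cmd.exe", "reg.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_run_key_persistence(events):
    """Return Run/RunOnce writes (Sysmon event 13) that match the hypothesis,
    each with the reasons it was flagged and the ATT&CK technique id."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue
        reasons = []
        writer = ev["Image"].rsplit("\\", 1)[-1].lower()
        if writer in SUSPICIOUS_WRITERS:
            reasons.append("written by " + writer)
        if USER_WRITABLE_RE.search(ev.get("Details", "")):
            reasons.append("payload in user-writable location")
        if reasons:
            findings.append({"technique": TECHNIQUE, "time": ev["UtcTime"],
                             "host": ev["Computer"], "writer": ev["Image"],
                             "value": ev["TargetObject"], "payload": ev["Details"],
                             "reasons": reasons})
    return findings


def run_example():
    return hunt_run_key_persistence(parse_jsonl(SYSMON_JSONL))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The vendor installer writing agent.exe under Program Files is a Run key write too, but matches neither rule and is left alone; the PowerShell write pointing into AppData and the reg.exe write pointing into ProgramData are both returned. Each finding carries the technique id so the result can be recorded against ATT&CK coverage, and the reasons so the analyst can see which part of the hypothesis fired.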

4. Network Forensics

A basic understanding of packet captures, together with basic networking skills, is also one of the key things a threat hunter must have. This matters most when hunting in network traffic data sources.
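As an added example (not from the original article) of hunting in network data, the script below looks for periodic outbound connections, a common sign of malware checking in with its command-and-control server. It works over connection records in the style of a Zeek conn.log rather than raw packets: for every (source, destination, port) triple with enough connections it computes the intervals between connection starts and flags those whose intervals are nearly constant (low coefficient of variation). The records, addresses, thresholds and the 60-second beacon period are assumptions made for the example.

```python
"""Network hunting over connection records: periodic outbound connections
(added example).

Hypothesis: a C2 implant produces connections at near-regular intervals of
near-constant size, unlike human browsing. Records below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: ts src_ip dst_ip dst_port orig_bytes (whitespace separated).
CONN_LOG = """\
1709280000.0 10.0.5.23 198.51.100.10 443 512
1709280005.0 10.0.5.23 93.184.216.34 443 1840
1709280012.0 10.0.5.23 93.184.216.34 443 975
1709280060.0 10.0.5.23 198.51.100.10 443 512
1709280098.0 10.0.5.23 93.184.216.34 443 4120
1709280101.0 10.0.5.23 93.184.216.34 443 310
1709280121.3 10.0.5.23 198.51.100.10 443 512
1709280179.8 10.0.5.23 198.51.100.10 443 512
1709280241.1 10.0.5.23 198.51.100.10 443 512
1709280300.4 10.0.5.23 198.51.100.10 443 512
1709280340.0 10.0.5.23 93.184.216.34 443 2207
1709280359.9 10.0.5.23 198.51.100.10 443 512
1709280420.6 10.0.5.23 198.51.100.10 443 512
"""

MIN_CONNECTIONS = 6    # fewer than this gives no meaningful interval statistics
MAX_INTERVAL_CV = 0.2  # stdev/mean of the intervals; lower means more regular


def parse_conn_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, obytes = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "bytes": int(obytes)})
    return records


def hunt_beacons(records, min_connections=MIN_CONNECTIONS, max_cv=MAX_INTERVAL_CV):
    """Return (src, dst, port) pairs whose connection start times are nearly
    evenly spaced, with the statistics that led to the call."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"], r["dport"])].append(r)

    findings = []
    for (src, dst, dport), conns in by_pair.items():
        if len(conns) < min_connections:
            continue
        conns.sort(key=lambda r: r["ts"])
        intervals = [b["ts"] - a["ts"] for a, b in zip(conns, conns[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "connections": len(conns),
                             "mean_interval_s": round(avg, 1),
                             "interval_cv": round(cv, 3),
                             # one distinct size is another hint of automated traffic
                             "distinct_sizes": len({r["bytes"] for r in conns})})
    return findings


def run_example():
    return hunt_beacons(parse_conn_log(CONN_LOG))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The eight connections to 198.51.100.10 arrive every 60 seconds give or take a couple of seconds and always send 512 bytes, so they are returned; the browsing to 93.184.216.34 has too few connections and wildly varying gaps. Real implants add jitter and the hunter must tune the CV threshold against the environment's baseline, which is exactly the kind of judgment the page's "analytical mindset" point is about.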

5. Attack Method

Point 3 above, on the attacker lifecycle, is closely related to this one. Attackers deliver their attacks through a variety of methods.

For example, delivery through social engineering such as phishing, through exploit kits, through custom malware, or through basic exploitation of existing applications or infrastructure in our environment.

Updating one's knowledge regularly to keep up with the latest attack methods is therefore important, as it helps threat hunters in the hunting process.

6. OS Architecture

At times in the hunting process, threat hunters need to analyze logs from endpoints.

These operating system logs need to be translated by the threat hunter into puzzle pieces that are useful for building a hypothesis and for correlating with other log data sources.


In-depth knowledge of operating system internals helps threat hunters process the data obtained from the endpoint side.

As a reference, you can read books such as Windows Internals (Sysinternals) or a Linux kernel book as a guide and foundation for learning OS architecture.

Conclusion

In the IT security paradigm, and especially in the area of cyber defense, there are three things we need to remember about threat hunting:

  1. You cannot prevent all cyber attacks.
  2. Your network and infrastructure will always, at any time, be open to the possibility of compromise or breach.
  3. 100% secure is impossible.