Threat hunting is the process of proactively searching for malicious activity in computer networks.
The purpose of threat hunting is to detect cyberattacks that evade traditional defenses, such as firewalls or antivirus monitoring systems. It involves a manual or computer-aided search for and analysis of indicators of compromise (IoCs).
Threat hunting should be seen as an addition to existing protection systems, rather than a replacement for them, allowing for early detection of new and sophisticated threats in the network. It is the proactive nature that distinguishes threat hunting from traditional protection methods.
How threat hunting works
System penetration can occur at any time, so threat hunting is an ongoing process. It consists of the following steps:
- Hypothesis formulation. At this stage, infosec experts propose where to look for threats. The source of data for such proposals can be both internal (company information about the state of the IT infrastructure, penetration test results, and the like) and external (MITRE ATT&CK matrices, cyberthreat intelligence reports, security news, and so on). For example, if a new report highlights a previously unknown piece of malware, it can be hypothesized that this malware has infiltrated the company’s infrastructure.
- Hypothesis testing. Once the hypothesis is formulated, it is tested. For example, data from endpoints is analyzed for IoCs associated with new malware.
If the hypothesis is confirmed, the company can take the necessary incident response measures. In addition, the information obtained during the threat-hunting process can be used to formulate new hypotheses and improve protection systems, for example, by updating traffic filtering rules.
Hunting Maturity Model
The Hunting Maturity Model (HMM) is a system used to assess a company’s readiness for a proactive threat search. The “maturity” level depends on what tools and methods are available to and used by the business; there are five in total:
- Initial (HMM0) — the company relies primarily on traditional security systems. At the same time, minimal information is collected from key elements of the IT infrastructure.
- Minimal (HMM1) — analysts regularly collect information from the IT infrastructure and make use of cyberintelligence data.
- Procedural (HMM2) — the company uses standard threat-hunting scenarios. At this level, infosec experts collect and analyze a large amount of data but do not develop their own threat-hunting procedures.
- Innovative (HMM3) — infosec experts collect and analyze a large amount of data, develop and implement their own threat-hunting methods, and use them on a regular basis.
- Leading (HMM4) — infosec experts not only develop threat-hunting and analysis methods, but automate them as well. This helps to reveal more threats and lets analysts focus on improving the detection system and the company’s overall protection.