According to IBM, “Threat hunting, also known as cyberthreat hunting, is a proactive approach to identifying previously unknown, or ongoing non-remediated threats, within an organization's network.”
Threat hunting is important in cybersecurity because automated tools can’t catch every threat. While these tools and security teams handle most issues, about 20% of threats are more advanced and can slip through, often staying hidden for nearly 280 days. These lingering threats can lead to data exposure and, on average, cost companies close to 4 million dollars, with long-term impacts. By hunting for these threats, organizations can catch attacks faster, minimizing damage and costs tied to prolonged breaches.
Kunle Fadeyi, Founder of Yieldvestor and tappengine, explains how AI has changed the game: “AI has revolutionized the way we protect systems, networks, and devices. Today, it acts as an essential ally, offering incredible opportunities to detect and destroy threats rapidly before they cause problems.” Kunle further highlights the benefits of AI in threat hunting, noting that “Machine learning offers rapid threat detection through two main channels: automated threat detection and response and operations led by experts. AI systems can detect patterns that may not appear on a human radar, enabling businesses and individuals to get a head start on hackers.”
Kunle's perspective shows how AI strengthens cybersecurity: by analyzing data swiftly and precisely, it gives organizations an advantage in spotting threats before they escalate.
Effective threat hunting is built upon a foundation of data collection and analysis. Security teams must first ensure that their enterprise security system is in place, gathering and consolidating valuable data from various sources. The data serves as the bedrock for the threat hunting process, providing clues and insights that hunters can use.
Structured hunting is a methodical approach that begins with a hypothesis based on indicators of attack (IoA) and the tactics, techniques, and procedures of known threat actors. By aligning their investigations with the MITRE ATT&CK framework, threat hunters can often identify the specific threat actor responsible, even before the attacker can cause any damage.
In contrast, unstructured hunting is initiated based on a trigger, such as an indicator of compromise (IoC). The approach allows threat hunters to explore pre- and post-detection patterns, delving into the available data to uncover hidden threats.
Situational or entity-driven hunting is guided by an organization's internal risk assessment or a trends and vulnerabilities analysis unique to its IT environment. Threat hunters can also use crowd-sourced attack data to identify the latest TTPs of cyber threats and search for these specific behaviors within their own network.
Threat hunting can be categorized into three primary models: intel-based hunting, hypothesis-based hunting, and custom hunting.
Intel-based hunting is a reactive model that uses IoCs from threat intelligence sources. Threat hunters can then investigate the malicious activity before and after the alert to identify any potential compromise within the environment.
Hypothesis-based hunting is a proactive model that aligns with the MITRE ATT&CK framework. Threat hunters create hypotheses based on the IoAs and TTPs of known threat actors, allowing them to proactively detect and isolate threats before they can cause damage.
Custom or situational hunting is tailored to an organization's specific requirements and industry-based methodologies. It involves identifying anomalies in security information and event management (SIEM) and endpoint detection and response (EDR) tools, drawing on both intel-based and hypothesis-based approaches.
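As an added example (not from the article or the sources it quotes), the Python below runs the two main models described above over a small constructed event log: an intel-based hunt that pivots from a known IoC to the surrounding activity on that host, and a hypothesis-based hunt for a brute-force logon pattern (ATT&CK T1110). The event schema, the IoC value and the thresholds are assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): one host shows repeated logon failures, then a success, then a connection to an address a hypothetical intel feed flagged.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-17", "user": "alice", "type": "logon_fail", "src": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:20", "host": "ws-17", "user": "alice", "type": "logon_fail", "src": "10.0.0.5"},
    {"ts": "2024-05-01T09:00:41", "host": "ws-17", "user": "alice", "type": "logon_fail", "src": "10.0.0.5"},
    {"ts": "2024-05-01T09:01:05", "host": "ws-17", "user": "alice", "type": "logon_ok", "src": "10.0.0.5"},
    {"ts": "2024-05-01T09:03:30", "host": "ws-17", "user": "alice", "type": "process", "cmd": "curl.exe"},
    {"ts": "2024-05-01T09:04:10", "host": "ws-17", "user": "alice", "type": "net_conn", "dst": "203.0.113.44"},
    {"ts": "2024-05-01T09:30:00", "host": "ws-17", "user": "alice", "type": "net_conn", "dst": "198.51.100.9"},
    {"ts": "2024-05-01T09:02:00", "host": "srv-02", "user": "bob", "type": "logon_fail", "src": "10.0.0.8"},
    {"ts": "2024-05-01T09:02:30", "host": "srv-02", "user": "bob", "type": "logon_ok", "src": "10.0.0.8"},
]
IOCS = {"203.0.113.44"}  # constructed IoC (documentation address range) standing in for a feed entry

def _t(ev):
    return datetime.fromisoformat(ev["ts"])

def intel_hunt(events, iocs, window_minutes=10):
    """Intel-based (reactive) hunt: match a known IoC, then pull every event on the same host
    within +/- window of the hit, so the hunter sees activity before and after the alert."""
    window = timedelta(minutes=window_minutes)
    context = {}
    for hit in (e for e in events if e.get("dst") in iocs):
        around = [e for e in events
                  if e["host"] == hit["host"] and abs(_t(e) - _t(hit)) <= window]
        context[hit["dst"]] = sorted(around, key=_t)
    return context

def hypothesis_hunt(events, threshold=3, window_minutes=10):
    """Hypothesis-based (proactive) hunt for ATT&CK T1110 (Brute Force): at least `threshold`
    failed logons for one user from one source, then a success within the window. No IoC needed."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)  # (user, src) -> timestamps of failed logons
    findings = []
    for e in sorted(events, key=_t):
        key = (e.get("user"), e.get("src"))
        if e["type"] == "logon_fail":
            failures[key].append(_t(e))
        elif e["type"] == "logon_ok":
            recent = [t for t in failures.pop(key, []) if _t(e) - t <= window]
            if len(recent) >= threshold:
                findings.append({"user": key[0], "src": key[1], "host": e["host"],
                                 "failures": len(recent), "success_ts": e["ts"]})
    return findings

if __name__ == "__main__":
    print(intel_hunt(EVENTS, IOCS), hypothesis_hunt(EVENTS), sep="\n")
```

Note that the intel-based hunt only fires because the feed already knew the address, while the hypothesis-based hunt flags the same host from behaviour alone, which is the difference between the two models the text draws.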
Threat hunters use a variety of tools to enhance their investigative capabilities. These include managed detection and response (MDR) solutions, SIEM platforms, and advanced security analytics tools. By integrating these tools and ensuring the availability of data sources, threat hunters can access the necessary information to guide their investigations and uncover even the most elusive threats.
While threat intelligence and threat hunting are closely related, they serve distinct purposes. Threat intelligence is the collection and analysis of data regarding attempted or successful intrusions, usually gathered and processed by automated security systems. Threat hunting, on the other hand, uses this intelligence as a starting point to conduct a thorough, system-wide search for bad actors, often uncovering threats that have not yet been detected in the wild.
Threat hunting is a proactive cybersecurity practice that involves actively searching for signs of malicious activity or threats within an organization's network and systems. In healthcare, threat hunting can identify potential threats to electronic protected health information (ePHI) that may evade traditional security measures. Effective threat hunting helps ensure compliance with HIPAA by detecting and addressing vulnerabilities before they result in data breaches or violations of patient privacy.