Get startedGet started for free

Essentials of threat hunting

1. Essentials of threat hunting

It’s often better to take action before an incident occurs rather than responding to one after it happens. In this video, we'll explore the critical role of threat hunting in security operations. We’ll also discuss the benefits of threat hunting, and the tools that support it, with emphasis on the cloud. Let's get started. Threat hunting is a proactive method of identifying previously unknown threats within a network. Malicious actors often find entryways and pivot points in a cloud environment so they can remain undetected. Threat hunting can help you, as a cloud security professional, actively search for these types of threats in your environment. It's like being a detective in the cyber world, searching for clues and hints to identify a potential breach or attack. While there are lots of benefits of threat hunting, we'll focus on three specific benefits. First, threat hunting helps mitigate security threats. Second, threat hunting helps teams respond faster to potential threats. And third, threat hunting helps inform business objectives. Let’s explore each of these benefits in more detail. Threat hunting helps mitigate security threats by identifying issues in your organization's systems and networks, so that you can take action to prevent them from causing more damage. Threat hunting helps security teams respond faster to potential threats and make better assessments by actively analyzing network traffic for malicious content, and gathering data to investigate incidents and improve defenses. Lastly, threat hunting helps inform business objectives. This not only helps intercept possible threats, it also provides insight into the current state of an organization’s security. Organizations can utilize this knowledge to align with their business objectives, priorities, and requirements. Next, let's examine one of the most widely used threat hunting frameworks: MITRE ATT&CK. MITRE ATT&CK is a framework used to understand and approach threats. It provides security professionals with a common language to outline and understand attacks. This is done through its knowledge base of attackers' tactics, techniques, and procedures, also known as TTPs. TTPs are based on actual, observed security incidents from known threat actor groups. This makes MITRE ATT&CK a very valuable security tool that can be leveraged in threat hunting. Now, let's explore each aspect of TTPs in more detail. Tactics describe a malicious actor's reason for performing an action or technique. In threat hunting, tactics can be used to identify the different phases of an attack. For example, initial access is a tactic that malicious actors often use. The goal of initial access is gaining access into a system or network. This is similar to a heist operation where the heist team's goal is to find a way into their target. In this example, they do this by discovering an underground access tunnel with a padlocked door they can use to access the zoo. Techniques build on top of tactics by describing the specific actions a malicious actor used to accomplish their goal. For example, malicious actors can exploit unknown weaknesses in public-facing applications to gain initial access into a cloud environment. Weaknesses could be anything that is overlooked or undetected in an organization, like a zero-day vulnerability or a misconfiguration. This is like a heist team planning to use the underground tunnel to access the zoo and finding a tool that provides initial access through the padlocked door. Finally, procedures are the specific implementation of a technique. For example, a procedure can be the specific system or application vulnerability an attacker uses to gain access to a network, like a SQL injection. This is like a heist team using a bolt cutter to open the lock in the underground access tunnel which allows them access to the zoo. Understanding the different TTPs that malicious actors use in their attacks can help you map a threat hunting campaign. One approach to threat hunting is to take the perspective of an adversary. You can do this by identifying potential attack paths and focusing on specific indicators of compromise associated with the attack path. MITRE ATT&CK is one of many tools that can be used in threat hunting. Threat hunting can use a combination of different tools to search for threats in an organization. Let's explore some other tools you can use. Tools like Chronicle SIEM can be used to hunt for threats and automatically add more context to alerts so that you can better understand and respond to them. For example, MITRE ATT&CK is one of the frameworks you can apply to threat hunting along with Chronicle. Chronicle's MITRE ATT&CK mapping capability helps you understand, prioritize, and improve defensive capabilities. This can be achieved by mapping your organization's security controls against MITRE ATT&CK tactics and techniques to uncover potential gaps in your defenses. There are many threat hunting tools available for security teams to use. Threat hunting tools offer benefits in many ways such as through automated detection, which leverages machine learning and artificial intelligence to detect malicious activities, reducing the time and effort spent on manual investigation. Threat hunting tools also use alert prioritization to prioritize alerts based on severity, enabling you to deal with critical threats quickly. Pattern recognition is used to analyze patterns in data that may indicate a cyberattack, even if the pattern is subtle or complex. With historical analysis, threat hunting tools analyze past activity, which can reveal threats that have been latent or overlooked. That's a wrap on the basics of threat hunting. Remember, in cybersecurity, staying proactive is key and threat hunting is an important part of that proactive approach.

2. Let's practice!

Create Your Free Account

or

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.