Threat hunting is the proactive search for cybersecurity threats across an organisation’s network. The search can range from open, internet-facing devices, such as end-user devices, to internal, more secure infrastructure like servers. Threat hunting aims to uncover potential, previously unaddressed cybersecurity threats or find areas in the network that are potentially already compromised.
Who conducts threat hunting?
The threat hunting process may already be a part of an organisation’s essential proactive security defences. Unlike a penetration test, which is a reactive, point-in-time audit, a threat hunt may continuously occur across the network. Internal teams, such as “red” and “blue” teams, or external teams, such as threat hunting managed services, may engage in this process.
The process
Threat hunting contributes to a wider, more holistic effort in securing organisations. As threat intelligence forums and outlets disclose new vulnerabilities or indicators of compromise, security teams include them in the proactive threat hunting process. All security efforts fall into proactive or reactive measures. Threat hunting in combination with threat intelligence, continuous security monitoring and a robust incident detection/response process are examples of proactive measures. Issues found by the threat hunting process may feed into future penetration testing by the red team and be interpreted and resolved by the blue team.
Methodologies
There are various methodologies to conduct a threat hunt. Based on existing knowledge, cybersecurity teams may use newly reported vulnerabilities or IOCs and search for them in the network. Otherwise, they may draw upon other security breaches which may be relevant and ensure the same threats don’t persist in the network. In the absence of internal or external insights, security teams may utilise threat hunting tools. The latest tools in this market introduce some components of machine learning. The tool gathers more and more information about the network and may flag potential attack vectors.