Cyber threat hunting is “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox (computer security) and SIEM systems, which typically involve an investigation after there has been a warning of a potential threat or an incident has occurred.

Threat hunting has traditionally been a manual process, in which a security analyst sifts through various data information using their own knowledge and familiarity with the network to create hypotheses about potential threats, such as, but not limited to, Lateral Movement by Threat Actors. To be even more effective and efficient, however, threat hunting can be partially automated, or machine-assisted, as well. In this case, the analyst utilizes software that leverages machine learning and user and entity behavior analytics (UEBA) to inform the analyst of potential risks. The analyst then investigates these potential risks, tracking suspicious behavior in the network. Thus hunting is an iterative process, meaning that it must be continuously carried out in a loop, beginning with a hypothesis. There are three types of hypotheses:

  • Analytics-Driven: “Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses”
  • Situational-Awareness Driven: “Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends”
  • Intelligence-Driven: “Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans”

The analyst researches their hypothesis by going through vast amounts of data about the network. The results are then stored so that they can be used to improve the automated portion of the detection system and to serve as a foundation for future hypotheses.

The Detection Maturity Level (DML) model expresses threat indicators can be detected at different semantic levels. High semantic indicators such as goal and strategy, or tactics, techniques and procedure (TTP) are more valuable to identify than low semantic indicators such as network artifacts and atomic indicators such as IP addresses. SIEM tools typically only provide indicators at relatively low semantic levels. There is, therefore, a need to develop SIEM tools that can provide threat indicators at higher semantic levels.

Secur’s Cyber Threat Hunting Service

endpoint-threat-analytics

Endpoint Threat Analytics

Using deep analytics, we continuously monitor your endpoints for a cyber threat. Our machine learning algorithms triage every alert for suspicious activity, investigate its spread and stop the attack with our threat hunting tools. Our threat hunting experts then verify these outputs to remove false positives and query the data information and systems further to detect attacks and a cyber threat that may have bypassed other security controls.

user-behavior-analytics

User Behavior Analytics

Threat hunting includes monitoring user and contextual data to analyze user behavior anomalies, insider threat, and frauds. Our machine learning and statistical models identify threat actors and anomalies and map them to the cyber kill chain. Our cyber hunter with proprietary tools at disposal detect even the slightest “bread crumbs” of insider threat activity and act immediately to inform and collaborate with your team for appropriate countermeasures.

network-threat-analytics

Network Threat Analytics

Our network threat hunting specialists analyze a variety of data to sift out suspicious activities in your network and applications because intrusion prevention systems alone will not stop creative attackers. Multi-source analytics uses statistical algorithms to continuously discover a new cyber threat, and machine intelligence systems then triage, investigate, and respond to quickly stop attack campaigns.

application-threat-analytics

Application Threat Analytics

Swift integration of vulnerability intelligence identifies high-risk applications and provides our security hunter necessary data to mitigate attacks. Our MDR, cyber threat hunting teams and security hunters not only focus threat hunting on potential targets like your high-value business systems and vulnerable entry points but also tracks low footprint applications that are often attractive targets for exploitation. Our cyber hunting and proprietary vulnerability triaging, and orchestration technology ensures your systems are protected from zero-day exploits.