The cyber world is getting more complex, and with that has come a deepening of specialisation. One role that has been legitimised in recent years is threat hunting, where an individual or team goes out of their way to find vulnerabilities. Automated security tools don’t quite cut the mustard in 2024…
Below is a round-up of five key threat hunting methods that every IT expert should know so you can stay ahead of risks.
1. Intelligence-Based Hunting
Intelligence-based hunting uses threat data to spot potential risks. This method relies on indicators of compromise (IoCs), such as suspicious IP addresses or file hashes. IBM reports this can cut the time from breach to discovery, which currently takes 280 days on average.
To use this method well, you must use threat intelligence platforms and feeds, load the indicators of compromise into your security information and event management (SIEM) system, and keep your threat data sources up to date.
Ultimately though, this works best when done collaboratively (sharing data, threat knowledge etc.).
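As an added example (not code from the original article), the core of an intelligence-based hunt is sweeping your own logs for the indicators a feed gives you. The script below does that over a few constructed log lines from three sources (proxy, DNS and an endpoint agent). The indicator set, the log lines, the RFC 5737 test addresses and the placeholder hash are all invented for the example; none is a real IoC, and the key=value log format is an assumption rather than any particular product's output.

```python
import re
from collections import Counter

# Constructed indicator set standing in for a threat-intelligence feed.
# Every value is invented (RFC 5737 test addresses, a placeholder hash); none is a real IoC.
IOC_FEED = {
    "ipv4": {"198.51.100.23", "203.0.113.77"},
    "domain": {"update-check.example.net"},
    "sha256": {"deadbeef" * 8},  # placeholder, not a real file hash
}

# Constructed log lines from three sources (proxy, DNS, endpoint agent), key=value style.
LOG_LINES = [
    "2024-05-03T09:12:41Z proxy src=10.0.4.21 dst=198.51.100.23 host=cdn.example.com action=allow",
    "2024-05-03T09:13:02Z dns client=10.0.4.21 query=Update-Check.example.net. rcode=NOERROR",
    "2024-05-03T09:13:10Z edr host=WS-0421 proc=svchost.exe sha256=" + "DEADBEEF" * 8,
    "2024-05-03T09:14:00Z proxy src=10.0.4.30 dst=192.0.2.10 host=example.com action=allow",
    "2024-05-03T09:15:27Z dns client=10.0.4.30 query=example.com rcode=NOERROR",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalise(value: str) -> str:
    """Matching must be case-insensitive and ignore a trailing DNS dot:
    hashes and domains turn up in mixed case and with or without the root label."""
    return value.strip().rstrip(".").lower()


def sweep(lines, feed=IOC_FEED):
    """Return one hit per (line, indicator) where any key=value field matches the feed."""
    hits = []
    for line in lines:
        timestamp, source = line.split()[:2]
        for key, raw in KV_RE.findall(line):
            value = normalise(raw)
            for ioc_type, values in feed.items():
                if value in values:
                    hits.append({
                        "time": timestamp,
                        "source": source,
                        "field": key,
                        "type": ioc_type,
                        "indicator": value,
                    })
    return hits


def summarise(hits):
    """Count hits per indicator so the hunter sees which IoCs are actually active in the estate."""
    return Counter(h["indicator"] for h in hits)


if __name__ == "__main__":
    found = sweep(LOG_LINES)
    for h in found:
        print(f"{h['time']} {h['source']:<6} {h['field']}={h['indicator']} ({h['type']})")
    print(summarise(found))
```

Normalising before comparison matters more than it looks: a feed that lists lowercase hashes will silently miss an EDR that logs them in uppercase, and a DNS log that appends the root dot will never match a bare domain.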
2. Hypothesis-Based Hunting
Hypothesis-based hunting, as you may have already guessed, starts with a theory about possible harmful activity in your network. This approach encourages creative thinking and can uncover unknown threats. Perhaps these threats are even unknown to the hackers (for now…)
To apply this method:
- Create theories based on your firm’s risk profile and industry trends
- Use the MITRE ATT&CK framework to guide your ideas
- Do targeted searches to test your theories
- Write down and improve your theories based on what you find
3. Behavioural Analysis and Anomaly Detection
This method focuses on seeking out unusual patterns that might indicate a threat. This is a bit like the AI method but more manual and qualitative. By setting a normal activity baseline, you can spot potential breaches more easily.
User and Entity Behaviour Analytics (UEBA) tools can be a helpful framework, but it’s important to set a baseline of behaviour and then look out for deviations.
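The following is an added example of the baseline-then-deviation idea, not code from the article or from any UEBA product. It builds a per-user baseline from fourteen days of constructed data (number of distinct hosts each account authenticated to per day, and the source hosts it normally logs on from), then scores a day's observations two ways: a statistical deviation in the count, and a categorical deviation (a source host never seen for that account). The account names, counts, hostnames, threshold and the standard-deviation floor are all assumptions chosen for the example.

```python
from statistics import mean, pstdev

# Constructed baseline: distinct hosts each user authenticated to per day, over 14 days.
BASELINE = {
    "alice": [3, 2, 3, 4, 3, 2, 3, 3, 4, 2, 3, 3, 2, 3],
    "bob": [1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 1, 2, 1, 1],
    "svc-backup": [12] * 14,  # a service account with a perfectly regular pattern
}

# Constructed set of source hosts each user normally logs on from.
KNOWN_SOURCES = {
    "alice": {"WS-0421"},
    "bob": {"WS-0107"},
    "svc-backup": {"BK-01"},
}

# Constructed observations for the day under review.
TODAY = [
    {"user": "alice", "hosts": 3, "sources": {"WS-0421"}},
    {"user": "bob", "hosts": 9, "sources": {"WS-0107"}},
    {"user": "svc-backup", "hosts": 12, "sources": {"BK-01", "WS-0311"}},
]


def zscore(history, value, floor=0.5):
    """Standard deviations of `value` from the baseline mean.

    The floor on the standard deviation is the edge case that bites in practice:
    an account with an identical count every day has a std of 0, and without the
    floor any change at all would divide by zero (or score as infinitely anomalous).
    """
    return (value - mean(history)) / max(pstdev(history), floor)


def detect_deviations(observations, baseline=BASELINE, known=KNOWN_SOURCES, threshold=3.0):
    """Return (user, reason, detail) tuples for observations that leave the baseline."""
    findings = []
    for obs in observations:
        user = obs["user"]
        # Numeric deviation: far more hosts touched than this account's history supports.
        z = zscore(baseline[user], obs["hosts"])
        if z > threshold:
            findings.append((user, "host_count", round(z, 2)))
        # Categorical deviation: a logon source this account has never used before.
        new_sources = obs["sources"] - known.get(user, set())
        if new_sources:
            findings.append((user, "new_source", sorted(new_sources)))
    return findings


if __name__ == "__main__":
    for user, reason, detail in detect_deviations(TODAY):
        print(f"{user}: {reason} -> {detail}")
```

Both kinds of deviation are worth keeping separate in the output: a high z-score on a human account points at something like lateral movement, while a brand-new source host on a service account is often a credential being reused from somewhere it should never appear.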
4. Log Analysis and Correlation
An approach that blends qualitative with quantitative methods is log analysis and correlation. This method involves looking at various log sources to find patterns that might show harmful activity.
You might:
- Gather logs from many sources (like firewalls, servers, apps) in one place
- Use security information and event management (SIEM) tools to link and analyse log data
- Make custom queries and alerts to find potential threats
- Often review and update your log analysis plans
- Use Large Language Models (LLMs) and other AI tools to find patterns
Heimdal Security says firms using advanced log analysis can cut their mean time to detect threats by up to 70%, highlighting how powerful this method can be.
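The added example below (not the article's own code) serves both the hypothesis-based section and this one: it takes a concrete hypothesis, "someone is brute-forcing SSH on the bastion and has got in" (ATT&CK technique T1110, Brute Force), and tests it with a targeted search that correlates two log sources, sshd syslog lines and a netfilter-style firewall log. It normalises both formats into events, then flags any successful login preceded by at least five failures from the same address within ten minutes, enriched with how many firewall-logged connections that address made to port 22. All log lines, hostnames, usernames and addresses (RFC 5737 test ranges) are constructed for the example, and the thresholds are assumptions to tune against your own data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines from a bastion host. Addresses are RFC 5737 test ranges.
SSH_LOG = """\
May  3 09:19:58 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.77 port 51300 ssh2
May  3 09:20:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.77 port 51344 ssh2
May  3 09:20:05 bastion sshd[2215]: Failed password for root from 203.0.113.77 port 51350 ssh2
May  3 09:20:09 bastion sshd[2219]: Failed password for deploy from 203.0.113.77 port 51361 ssh2
May  3 09:20:13 bastion sshd[2223]: Failed password for deploy from 203.0.113.77 port 51372 ssh2
May  3 09:20:44 bastion sshd[2290]: Accepted password for deploy from 203.0.113.77 port 51402 ssh2
May  3 09:25:10 bastion sshd[2301]: Failed password for alice from 198.51.100.9 port 40210 ssh2
May  3 09:25:30 bastion sshd[2305]: Accepted publickey for alice from 198.51.100.9 port 40222 ssh2
"""

# Constructed netfilter-style firewall log covering the same period.
FW_LOG = """\
May  3 09:19:57 fw01 kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.77 DST=10.0.0.5 PROTO=TCP DPT=22
May  3 09:20:43 fw01 kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.77 DST=10.0.0.5 PROTO=TCP DPT=22
May  3 09:25:29 fw01 kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=22
"""

SYSLOG_TS = "%Y %b %d %H:%M:%S"
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: ACCEPT .*SRC=(?P<ip>\S+) .*DPT=(?P<port>\d+)"
)


def parse_ts(raw, year=2024):
    """Syslog timestamps carry no year and pad the day with a double space; the year is assumed."""
    return datetime.strptime(f"{year} {' '.join(raw.split())}", SYSLOG_TS)


def parse_ssh(text):
    """Normalise sshd lines into {time, ip, user, ok} events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            events.append({"time": parse_ts(m["ts"]), "ip": m["ip"],
                           "user": m["user"], "ok": m["result"] == "Accepted"})
    return events


def parse_fw(text, port="22"):
    """Count accepted firewall connections to `port` per source address."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m and m["port"] == port:
            counts[m["ip"]] += 1
    return counts


def correlate(ssh_events, fw_counts, min_failures=5, window=timedelta(minutes=10)):
    """Flag each successful login preceded by >= min_failures failures from the same IP within `window`."""
    by_ip = defaultdict(list)
    for ev in sorted(ssh_events, key=lambda e: e["time"]):
        by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        for i, ev in enumerate(evs):
            if not ev["ok"]:
                continue
            recent = [p for p in evs[:i] if not p["ok"] and ev["time"] - p["time"] <= window]
            if len(recent) >= min_failures:
                findings.append({"ip": ip, "user": ev["user"], "failures": len(recent),
                                 "first_failure": recent[0]["time"], "success": ev["time"],
                                 "fw_connections": fw_counts.get(ip, 0)})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_ssh(SSH_LOG), parse_fw(FW_LOG)):
        print(f"{f['ip']}: {f['failures']} failures then success as {f['user']} "
              f"at {f['success']:%H:%M:%S}; {f['fw_connections']} firewall hits on :22")
```

The single mistyped password from 198.51.100.9 stays below the threshold and is not reported, which is the point of correlating rather than alerting on every failure: the hypothesis is "brute force that succeeded", and only the 203.0.113.77 sequence fits it. In a SIEM the same logic is a query joining the two sources on source address and a time window; writing it down as code makes the thresholds explicit so they can be revisited as the hypothesis is refined.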
5. Visualisation and Data Mining
Visualisation tools and data mining can help threat hunters see patterns that might be missed otherwise. This is a more hands-on and manual approach than the AI one, with a greater emphasis on visualising the data. Machine learning can still spot patterns, but the resulting clusters and groupings can be visually sorted to seek out other potential threats too (i.e. an item may be wrongly classified, but visually you can see it’s close to a different, verified threat). These tools can help you make sense of large amounts of data and find hidden threats more easily.
Conclusion
By learning these five key threat hunting methods, IT professionals can improve their firm’s cyber defences. Remember, good threat hunting needs ongoing learning around both your data and the potential threats out there, which is why it’s best to combine various methods together.