The cyber security domain usually presents decision makers with a mix of knowns and unknowns, and, as expected, the unknowns are the critical factors that most decision makers (CISOs) would like to control. Specific controls give security teams visibility into a limited area of focus. However, some parameters are inadvertently overlooked, and these are the typical vectors that malicious actors exploit to gain access to an organization’s network.
One of the key best practices that goes beyond traditional vulnerability assessments and penetration tests is threat hunting. Threat hunting helps organizations identify unknown parameters in their environment. Gartner defines threat hunting as an activity that organizations can consider as the next step in threat detection tools and methods.
Key characteristics of Threat Hunting:
1. It is a proactive initiative
2. It focuses on clues and hypotheses rather than definitive alerts; however, its output can be actionable
3. Breach assumption is core to the exercise
4. The exercise is iterative
5. It is focused on outfoxing the attacker
6. It is enabled by deep knowledge of the environment and of threat management
There are 2 major types of Threat Hunting*:
1. Hypothesis-based Hunting
2. Intel-based Hunting
(Figure: David Bianco’s Pyramid of Pain)
Hypothesis-based Hunting:
This methodology is usually proactive and aligned with the MITRE ATT&CK framework. Indicators of Attack (IoAs) and attacker TTPs are the key inputs for this method. Based on the hypothesis under consideration, the hunter looks for threat actors using the specifics of the environment, the domain and the attacker profile. The hunter then looks for patterns in activities across the environment to identify a threat and isolate it. In this way, the hunter can identify threat actors and the various unknowns that can pose a threat to the environment.
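As an added example (not part of the original article), one iteration of a hypothesis-based hunt in Python over constructed process-creation events: the hypothesis, the image names, the baseline and the event data are all assumptions made for the illustration. It pairs the hypothesis test with stack counting across hosts, so that rare, unbaselined behaviour feeds the next, iterative round.

```python
from collections import defaultdict

# Constructed process-creation events as (host, parent image, child image).
# Sample data for this example only; not real telemetry.
EVENTS = [
    ("ws01", "explorer.exe", "outlook.exe"),
    ("ws01", "explorer.exe", "winword.exe"),
    ("ws02", "explorer.exe", "outlook.exe"),
    ("ws02", "explorer.exe", "winword.exe"),
    ("ws03", "explorer.exe", "outlook.exe"),
    ("ws03", "winword.exe", "powershell.exe"),  # behaviour the hypothesis predicts
    ("ws03", "powershell.exe", "cmd.exe"),
    ("ws04", "explorer.exe", "winword.exe"),
    ("ws04", "services.exe", "svchost.exe"),
]

# Hypothesis (assumed here): a phished user opened a document and the attacker
# now runs a scripting interpreter under an Office application.
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}

# Knowledge of the environment: parent/child pairs known to be normal here.
BASELINE = {("services.exe", "svchost.exe")}

def matches_hypothesis(parent, child):
    return parent in OFFICE and child in INTERPRETERS

def stack_parent_child(events):
    """Stack counting: on how many distinct hosts does each parent->child pair occur?"""
    hosts = defaultdict(set)
    for host, parent, child in events:
        hosts[(parent, child)].add(host)
    return {pair: len(seen) for pair, seen in hosts.items()}

def hunt(events, max_hosts=1):
    """One hunting iteration. Returns hypothesis hits plus rare, unbaselined pairs
    that feed the next iteration (refine the hypothesis or extend the baseline)."""
    prevalence = stack_parent_child(events)
    hits, rare = [], []
    for host, parent, child in events:
        pair = (parent, child)
        if matches_hypothesis(parent, child):
            hits.append((host, pair))
        elif pair not in BASELINE and prevalence[pair] <= max_hosts:
            rare.append((host, pair))
    return {"hits": hits, "rare": rare}

if __name__ == "__main__":
    for kind, leads in hunt(EVENTS).items():
        print(kind, leads)
```

On the sample data the hunt returns one hypothesis hit (ws03, winword.exe spawning powershell.exe) and one rare pair (ws03, powershell.exe spawning cmd.exe) for follow-up, while the baselined services.exe/svchost.exe pair is suppressed.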