In 2017, security researchers recorded roughly 8.5 billion malware attacks. By 2019, this number had grown to 10.5 billion. The same year, over 60% of businesses reported that they had experienced phishing attacks.
But attack frequency was not the only thing that grew; so did the percentage of successful infiltrations. Since 2018, security breaches have increased by 11%. And those breaches can be devastating: according to an IBM report, it takes companies an average of about 200 days to identify a breach that has already taken place.
Today, it is especially important to keep track of potential dangers — simply guarding the company’s perimeter won’t cut it if you want to stay safe. A more reliable way to prevent attacks, at least from already recorded malware, is to actively collect data and monitor networks as if you are already compromised — that is exactly what threat hunting is about.
What is Threat Hunting?
Threat hunting is a way to actively seek signs of compromise or malware activity in the network. While many security systems rely on automatic detection of malicious activity and are often designed to raise a warning at the moment of infection, threat hunting often involves manually searching the network and systems for signs of compromise. Threat hunters study successful attacks of the past and look for similar indicators of compromise.
A threat hunter’s job is to form hypotheses about how the network could have been breached and then look for evidence. If none is found, the hunter puts forward a new hypothesis and continues the loop.
So, why is this method so effective?
Nowadays, a lot of threats are extremely sneaky — they are too advanced and can’t be easily detected by automatic solutions. A malicious connection can utilize encryption or techniques such as DNS tunneling, appearing just like a normal connection at first glance. A trained eye, however, can notice anomalies like an unusual request size and identify a potential threat where automated systems are powerless.
How Does a Threat Hunter Work?
We’ve already mentioned that hunters rely on hypotheses when looking for threats. These hypotheses can be divided into three main groups:
- Analytics-based: a hunter employs machine learning and user and entity behavior analytics (UEBA) to evaluate risks and form theories about potential vulnerabilities and compromises.
- Intelligence-based: a hunter searches for information about known attacks, such as published reports of new threats, to create a hypothesis of compromise.
- Situational-awareness-based: a hunter first prioritizes which digital assets are the most important for the company, then examines how those assets could have been compromised.
What Steps are Involved in Threat Hunting?
While working with hypotheses is certainly the central part of the job, it is not the only thing threat hunters do. To look for compromise effectively, they employ a five-part approach.
- Information gathering: before anything else, a hunter requires a lot of data and an environment in which to analyze it. The hunter collects logs from any device that can reveal signs of a breach.
- Hypothesis creation: once the data is collected, threat hunters can come up with a hypothesis of compromise.
- Research and data crunching: now that the hunter knows what he or she wants to find, it’s time for the main part of the job: analyzing all related data for indicators of compromise or indicators of attack. In many cases the hypothesis is proven wrong and the hunter starts from scratch. If it was indeed right, it’s time for the next step.
- Threat identification: if a breach is detected, the first step is to find out how destructive it was for the business as a whole. Was it just the beginning of an attack, or was the network compromised for an extended period of time? Could attackers have gained access to any vital data?
- Threat response: the final stage of the job is to remove the malware from the network and restore operations. This means that malicious files should be deleted and any altered files restored to their pre-attack state. The work shouldn’t stop there, however. It is equally important to analyze the attack and figure out how the network was compromised and what can be done to ensure it never happens again.
What Skills Does a Threat Hunter Need?
Threat hunting is one of the most advanced forms of security research, and it requires a very robust skill set and a good amount of security experience. Some of the skills required for this profession are:
- Analytics: hunters need to know how to recognize patterns and research large volumes of data, both manually and with semi-automated tools, and be familiar with data science.
- Knowledge of OS and company networks: this job is virtually impossible without being completely familiar with all the network and OS nuances of the infrastructure used in the company.
- Cybersecurity knowledge: threat hunters need to know how to reverse-engineer malware and have a strong grasp of the attack techniques used by attackers, present and past.
- Knowledge of programming languages: hunters usually need to be fluent in at least one scripting and one compiled language, but the more languages you are familiar with, the better.
Which Tools Does a Threat Hunter Utilize?
Threat hunters rely on data to identify malware. Some of the most essential tools are:
- Information: hunters usually employ a SIEM solution to collect all the needed data in one place and analyze it. They require access to logs from various devices, from endpoints to firewalls and routers. The more information the hunter collects, the more effective the analysis will be.
- Standards: one of the most important tools is a defined network baseline that shows the typical network state. If there is a compromise, a baseline like this can be used as a comparison, making it easier to pinpoint deviations from the norm.
- Threat Intelligence: threat hunters use several data sources to find information about attacks and research malware. This research process is called threat intelligence, and it is vital to successful hunting. While researching, hunters can familiarize themselves with indicators of compromise of the malware they think they can find in the network, and instead of searching far and wide for anything out of the norm, focus on finding those indicators.
- Analytics and security monitoring tools: while some parts of threat hunting are done manually, it’s impossible to crunch through all that data on your own. That’s why semi-automated tools that collect security information and help analyze it using machine learning techniques are often employed. These tools can be firewalls, AV software, and analysis software such as ANY.RUN.
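As an added example (not code from the original article or from ANY.RUN), the following ties together the network baseline described under “Standards” and the unusual-request-size anomaly mentioned earlier for DNS tunneling: it builds per-feature statistics from a sample of DNS query logs believed to be clean, then flags observed queries that deviate from that baseline. The log lines, their “timestamp client qname rtype” format and the z-score threshold are all constructed assumptions.

```python
"""Baseline-versus-observed check for oversized DNS queries.
Added example, not code from the original article or from ANY.RUN; the log
lines are constructed, and the line format and z-score cutoff are assumptions."""
import statistics

# Constructed baseline: queries captured while the network was believed clean.
BASELINE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 www.example.com A
2024-01-01T10:00:01Z 10.0.0.5 mail.example.com A
2024-01-01T10:00:02Z 10.0.0.7 api.github.com A
2024-01-01T10:00:03Z 10.0.0.7 cdn.jsdelivr.net A
2024-01-01T10:00:04Z 10.0.0.9 login.microsoftonline.com A
2024-01-01T10:00:05Z 10.0.0.7 fonts.googleapis.com A
"""

# Constructed observed traffic, used to test the hypothesis "DNS is used as a tunnel".
OBSERVED_LOG = """\
2024-01-02T09:00:00Z 10.0.0.5 www.example.com A
2024-01-02T09:00:01Z 10.0.0.8 7a6f6e65313335c0d1e2f3a4b5c6d7e8.data.example-tunnel.test TXT
2024-01-02T09:00:02Z 10.0.0.7 api.github.com A
2024-01-02T09:00:03Z 10.0.0.9 a-very-long-but-legitimate-host.example.com A
"""

def qnames(log):
    """The queried name is the third whitespace-separated field of each line."""
    return [line.split()[2] for line in log.splitlines() if line.strip()]

def features(qname):
    """Two size features a hunter can compare against the baseline."""
    labels = qname.rstrip(".").split(".")
    return {"qname_len": len(qname), "max_label_len": max(len(lab) for lab in labels)}

def build_baseline(log):
    """Mean and sample standard deviation of each feature over clean traffic."""
    rows = [features(q) for q in qnames(log)]
    return {k: (statistics.mean(r[k] for r in rows), statistics.stdev(r[k] for r in rows))
            for k in rows[0]}

def find_deviations(baseline, log, z=3.0):
    """Return (qname, feature) pairs exceeding mean + z * stdev for any feature.
    A hit is a lead for the hunter to triage, not proof of compromise: the long
    legitimate hostname is flagged next to the tunnel-like name and must be ruled out."""
    hits = []
    for q in qnames(log):
        f = features(q)
        for k, (mean, sd) in baseline.items():
            if f[k] > mean + z * sd:
                hits.append((q, k))
    return hits
```

Running `find_deviations(build_baseline(BASELINE_LOG), OBSERVED_LOG)` yields the two oversized names, each on both features, while the ordinary queries stay below the baseline cutoffs.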
Threat Hunting with ANY.RUN
ANY.RUN is an interactive malware analysis service and a public malware database. We collect an immense amount of data from thousands of samples uploaded to the service every day. This information can prove invaluable to researchers, while the user-friendly interface and advanced search function can help find exactly what you’re looking for in mere minutes.
- ANY.RUN users process over 6000 tasks every day. Most of this data is public and can be used to research malware or indicators of compromise.
- Our Malware Trends Tracker is an interactive database of articles that shows which malware’s popularity is on the rise in real time. Use it to find information about the most popular malware and visit the linked tasks for in-depth analysis.
- We allow researchers to search for tasks by Suricata SID number. For example, input 10002790 into the “Suricata SID” field in the “Public submissions” filter to find NetWire trojan tasks.
Threat hunting can bring a lot of value to a company’s cybersecurity. In a world where attacks are becoming more and more frequent and many automated tools aren’t capable of defending the network alone, a fresh approach to security can make all the difference.
Acting as if the network is already compromised can allow a skilled professional to find threats that would have been missed any other way.
However, having sufficient data is what can make or break any cybersecurity effort. Utilize ANY.RUN to help you with threat intelligence, and visit our Trends Tracker to see which cyber-threats are the most active right now to get an idea of what to look for in your own network.