Proactive threat hunting: the what, why, and how
– Bryan Geraldo
The concept of threat hunting originated from Richard Bejtlich's 2011 article, in which he emphasized the need to actively detect and respond to intruders instead of relying solely on passive defenses.
The military term "hunter-killer", describing units that proactively hunt for and eliminate threats, also influenced how the concept was applied in cybersecurity.
Bejtlich further categorized threat hunting in his 2013 book, distinguishing between IOC-centric analysis (matching known indicators of compromise) and IOC-free analysis (hunting without predefined indicators).
However, today there is still confusion surrounding the definition of threat hunting, with some associating it primarily with reactive hunts based on threat intelligence sources.
The author suggests that this confusion may stem from organizations overly relying on cyber threat intelligence (CTI) as the main driver for hunting, as well as security vendors using the term “hunting” too liberally.
The misapplication of tactics, techniques, and procedures (TTPs) within CTI may also contribute to the misperception of threat hunting.
In the recommended cycle, the CTI function maintains a strategic and operational understanding of the organization's infrastructure, supplemented by insights from the incident response (IR) team.
By combining this information, the threat hunting team can formulate hypotheses for structured hunts based on specific threats and vulnerabilities.
While indicators of compromise (IOCs) still have their place, such as enhancing the capabilities of security tools and conducting occasional sweeps, the focus of threat hunting should be on identifying TTPs, vulnerabilities, and areas of concern in the organization’s security posture.
The results of these hunts should serve as feedback to iterate security processes and inform CTI and IR activities.
The article emphasizes the importance of systematic, formal methodologies in threat hunting, suggesting that managed detection and response (MDR) providers should offer hunting services with clear motives, hypotheses, and completion criteria.
Organizations need to consider which approach, IOC-centric or TTP-focused, will provide the greatest long-term value for their security initiatives.
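To make the IOC-centric versus TTP-focused distinction concrete, here is an added example that is not code from the Expel post. It runs an indicator sweep and a hypothesis-driven hunt over a handful of constructed process-creation events (hosts, hashes and command lines are all invented), records the hunt's hypothesis and completion criteria as the post recommends, and derives new indicators from the hunt's findings to feed back to tooling and CTI. The ATT&CK technique IDs are real, but mapping them to this hypothesis is the example's own choice.

```python
"""Structured hunt vs. IOC sweep over constructed process-creation events.

Added example, not code from the Expel post. Every record, hash and host
name below is invented; the hypothesis and its ATT&CK mapping are the
example's own, chosen to show why a TTP hunt catches what an IOC sweep misses.
"""
from dataclasses import dataclass, field

# Constructed process-creation telemetry (Sysmon-like fields, invented values).
EVENTS = [
    {"host": "ws01", "parent": "winword.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA",
     "sha256": "11" * 32},
    {"host": "ws02", "parent": "excel.exe", "image": "updater.exe",  # renamed powershell
     "cmdline": "updater.exe -nop -w hidden -enc SQBFAFgA",
     "sha256": "22" * 32},
    {"host": "ws03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1",
     "sha256": "33" * 32},
    {"host": "ws04", "parent": "outlook.exe", "image": "winword.exe",
     "cmdline": "winword.exe /n", "sha256": "44" * 32},
]

# IOC-centric sweep: all it knows is one hash from a prior incident (invented).
KNOWN_BAD_HASHES = {"11" * 32}


def ioc_sweep(events, bad_hashes):
    """Indicator match: exact and cheap, but blind to anything not already catalogued."""
    return [e for e in events if e["sha256"] in bad_hashes]


OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_FLAGS = ("-enc", "-nop", "-w hidden")  # PowerShell-style evasion arguments


@dataclass
class Hunt:
    """A structured hunt carries its hypothesis, scope and completion criteria."""
    hypothesis: str
    techniques: tuple          # ATT&CK IDs the hypothesis is mapped to
    scope_hosts: frozenset     # hosts that must be reviewed before the hunt is done
    hosts_reviewed: set = field(default_factory=set)
    findings: list = field(default_factory=list)

    def complete(self):
        """Completion criterion: every in-scope host produced telemetry we examined."""
        return self.scope_hosts <= self.hosts_reviewed

    def missing_coverage(self):
        """Hosts in scope that sent no events: a visibility gap, itself a finding."""
        return self.scope_hosts - self.hosts_reviewed


def hunt_office_to_shell(events, scope_hosts):
    """TTP-focused hunt: an Office application spawning a child with shell-style
    arguments, regardless of the child's file name or hash."""
    hunt = Hunt(
        hypothesis="Phishing documents execute macro payloads through child shells",
        techniques=("T1059.001", "T1059.003"),
        scope_hosts=frozenset(scope_hosts),
    )
    for e in events:
        hunt.hosts_reviewed.add(e["host"])
        cmd = e["cmdline"].lower()
        if e["parent"] in OFFICE_PARENTS and any(f in cmd for f in SHELL_FLAGS):
            hunt.findings.append(e)
    return hunt


def derive_iocs(hunt):
    """Feedback step: hashes from confirmed TTP hits become indicators for tooling."""
    return {e["sha256"] for e in hunt.findings}


if __name__ == "__main__":
    scope = ["ws01", "ws02", "ws03", "ws04", "ws05"]
    print("IOC sweep hits:", [e["host"] for e in ioc_sweep(EVENTS, KNOWN_BAD_HASHES)])
    h = hunt_office_to_shell(EVENTS, scope)
    print("TTP hunt hits:", [e["host"] for e in h.findings])
    print("complete:", h.complete(), "no telemetry from:", sorted(h.missing_coverage()))
    print("new IOCs for tooling:", sorted(derive_iocs(h)))
```

The sweep flags only ws01, whose hash it already knew; the hunt also flags ws02, where the same behaviour runs under a renamed binary with a hash nobody has catalogued yet. The completion check fails because ws05 never reported, which is the kind of visibility gap the post says hunt results should feed back into security processes.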
Link: https://expel.com/blog/proactive-threat-hunting-the-what-why-and-how/