12th May, 2021
WHAT IS THREAT HUNTING?
Threat hunting is the term used for proactively searching for cyber threats that may be present, undetected, within a network. Including threat hunting in a holistic cyber-crime prevention strategy gives companies an additional, proactive line of defence against malicious actors who may already have breached endpoint security defences, and makes them more likely to identify and stop threat actors within their network before they strike.
People often confuse proactive threat hunting with threat intelligence or threat monitoring, which are different yet important aspects of cyber-crime prevention. Threat intelligence is information an organisation uses to understand the threats being targeted at it. Threat hunting is often supported by threat intelligence, and the results and findings from threat hunting can be shared as additional threat intelligence. Threat monitoring is a passive technique utilising tools to observe your landscape, identifying suspicious activity as it happens.
WHAT ARE THREAT HUNTING TECHNIQUES?
There are several methodologies that threat hunters use in order to search for potential threats within a network:
- Investigation-based threat hunting
Threat hunters will analyse threat intelligence in search of potential suspicious activity – known as Indicators Of Compromise (IOC). If they find abnormal activity which could be evidence of malicious activity, this is used as a basis for investigation.
- Hypothesis-based threat hunting
Hypothesis-based threat hunting often takes place when a new threat is identified in crowdsourced attack data or, in the case of well-documented attacks, in the news. The information shared will include the attackers’ tactics, techniques and procedures (TTPs), which threat hunters can then search for in their own networks.
- Analytics and machine-learning threat hunting
This form of network anomaly detection is automated rather than being human-led. Advanced computer software processes data to detect irregularities, and these anomalies are then investigated by analysts to determine whether they pose a threat.
WHAT ARE INDICATORS OF COMPROMISE?
Indicators of Compromise (IOCs) is the forensic term for the anomalous pieces of data found in a system during threat hunting that may be evidence of malicious activity in the network. Cyber security experts should check IOC data regularly in order to detect suspicious activity within the network. Examples of IOCs include:
- Geographical anomalies – attempted access from a blacklisted region or a region outside of where your company is located.
- IP address – supported by threat intelligence, suspected malicious IP addresses can be identified.
- TOR/anonymiser – identification of an IP address associated with known TOR nodes/anonymisers.
- Unusual outbound traffic – a change in what qualifies as ‘normal’ traffic for your organisation.
- Increase in traffic volume – spikes in traffic are often associated with DDoS/DoS attacks.
- Increase in DNS activity – this is often utilised for C2 communications when initiating connections.
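The following script is an added example, not Telesoft’s code or tooling, showing how the six IOC categories listed above can be checked over flow-log lines and turned into the trigger list that starts the Indicator step of the hunting process. Everything it relies on is constructed for the demonstration: the threat-intelligence IP list, the TOR node list, the IP-to-region lookup, the per-window baselines, the log format and the log lines themselves. In a real deployment these would come from your threat-intelligence feeds, a geolocation service and baselines learned from your own traffic.

```python
"""Toy IOC sweep over constructed flow-log lines.

Added example, not Telesoft's code or tooling. Every reference list and every
log line below is constructed for the demonstration.
"""
import re
from collections import Counter

# --- Constructed reference data (assumptions for the demo, not real threat intel) ---
MALICIOUS_IPS = {"203.0.113.45"}     # IPs a threat-intelligence feed reports as malicious
TOR_NODES = {"198.51.100.7"}         # IPs of known TOR nodes / anonymisers
HOME_REGIONS = {"GB"}                # regions the company operates in
GEO = {"203.0.113.45": "ZZ", "198.51.100.7": "NL", "192.0.2.10": "GB",
       "192.0.2.11": "GB", "192.0.2.12": "US"}   # toy IP -> country lookup
BASELINE_OUT_BYTES = 50_000          # 'normal' bytes out per host per window
BASELINE_DNS_QUERIES = 20            # 'normal' DNS queries per host per window
BASELINE_INBOUND_PER_DST = 10        # 'normal' inbound connections per service
SPIKE_FACTOR = 5                     # how far above baseline counts as a spike

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"bytes=(?P<bytes>\d+) dir=(?P<dir>in|out)$")


def parse_log(text):
    """Parse flow-log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events


def find_iocs(events):
    """Return (ioc_type, subject, detail) triples, one per distinct type/subject pair."""
    found = {}                       # (type, subject) -> detail; dedupes repeated hits

    def flag(kind, subject, detail):
        found.setdefault((kind, subject), detail)

    out_bytes, dns_queries, inbound_per_dst = Counter(), Counter(), Counter()
    for ev in events:
        src, dst = ev["src"], ev["dst"]
        # Threat-intel and TOR matches on either end of the connection
        for ip in (src, dst):
            if ip in MALICIOUS_IPS:
                flag("malicious_ip", ip, f"listed in threat intel, first seen {ev['ts']}")
            if ip in TOR_NODES:
                flag("tor_node", ip, f"known TOR node, first seen {ev['ts']}")
        if ev["dir"] == "in":
            # Geographical anomaly: inbound from a region the company does not operate in.
            # IPs the toy lookup cannot resolve are left to a separate enrichment step.
            region = GEO.get(src)
            if region and region not in HOME_REGIONS:
                flag("geo_anomaly", src, f"inbound from region {region}")
            inbound_per_dst[dst] += 1
        else:
            out_bytes[src] += ev["bytes"]
        if ev["proto"] == "udp/53":
            dns_queries[src] += 1

    # Aggregate checks: compare each host's window totals with the learned baseline
    for host, total in out_bytes.items():
        if total > SPIKE_FACTOR * BASELINE_OUT_BYTES:
            flag("unusual_outbound", host, f"{total} bytes out vs baseline {BASELINE_OUT_BYTES}")
    for host, n in dns_queries.items():
        if n > SPIKE_FACTOR * BASELINE_DNS_QUERIES:
            flag("dns_spike", host, f"{n} DNS queries vs baseline {BASELINE_DNS_QUERIES}")
    for dst, n in inbound_per_dst.items():
        if n > SPIKE_FACTOR * BASELINE_INBOUND_PER_DST:
            flag("traffic_spike", dst, f"{n} inbound connections vs baseline {BASELINE_INBOUND_PER_DST}")
    return [(k, s, d) for (k, s), d in found.items()]


def summarise(findings):
    """Count findings per IOC type: the trigger list a hunter would start investigating from."""
    return dict(Counter(kind for kind, _, _ in findings))


def constructed_log():
    """Constructed sample log for the demo (not real traffic)."""
    lines = [
        "2021-05-12T09:00:01 src=10.0.0.5 dst=192.0.2.10 proto=tcp/443 bytes=1200 dir=out",
        "2021-05-12T09:00:02 src=203.0.113.45 dst=10.0.0.5 proto=tcp/22 bytes=300 dir=in",
        "2021-05-12T09:00:03 src=198.51.100.7 dst=10.0.0.8 proto=tcp/443 bytes=500 dir=in",
        "2021-05-12T09:00:04 src=10.0.0.9 dst=192.0.2.11 proto=tcp/443 bytes=900000 dir=out",
        "2021-05-12T09:00:05 src=192.0.2.12 dst=10.0.0.5 proto=tcp/443 bytes=400 dir=in",
    ]
    # 150 DNS queries from one host in the window: the C2-style DNS activity the page describes
    lines += [f"2021-05-12T09:01:{i % 60:02d} src=10.0.0.7 dst=192.0.2.10 proto=udp/53 bytes=60 dir=out"
              for i in range(150)]
    # 80 distinct sources hitting one service in the window: a DoS-style volume spike
    lines += [f"2021-05-12T09:02:00 src=192.0.2.{100 + i} dst=10.0.0.20 proto=tcp/80 bytes=100 dir=in"
              for i in range(80)]
    return "\n".join(lines)


if __name__ == "__main__":
    findings = find_iocs(parse_log(constructed_log()))
    for kind, subject, detail in findings:
        print(f"{kind:17} {subject:15} {detail}")
    print(summarise(findings))
```

Two design points carry over to real tooling. Findings are deduplicated per type and subject, so a host beaconing hundreds of times produces one trigger rather than hundreds of alerts for the analyst to wade through. The volume checks are relative to a baseline rather than absolute, which is what the “change in what qualifies as ‘normal’ traffic” item above implies: the same byte count is an anomaly on a workstation and routine on a backup server, and the baseline is what encodes that difference.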
THREAT HUNTING PROCESS
The threat hunting process generally follows three steps:
- Indicator – Advanced detection tools identify unusual behaviours such as the Indicators Of Compromise listed above. This trigger points threat hunters to an area where there may be malicious activity for further investigation.
- Investigation – Threat hunters use technology such as Endpoint Detection and Response (EDR) or Network Detection and Response (NDR) to analyse whether the system may be compromised. At this point the activity will either be deemed benign or considered malicious.
- Response – The final step is the resolution phase. It is vital to communicate the malicious activity to security teams so they can respond and mitigate threats. Data gathered in steps 1 and 2 can then be used to further improve threat hunting analytics and machine-learning technology and to prevent similar threats in future.
THREAT HUNTING EXAMPLE
SOLARWINDS SUPPLY CHAIN ATTACK EXPLAINED
SolarWinds is a major US information technology firm. In December 2020, it was reported that the firm had been hit by a cyber attack that went undetected for months and had spread to its clients. SolarWinds have since dubbed the attack the “SUNBURST vulnerability”.
Hackers were able to gain access to SolarWinds’ system and add malicious code. This code was then unwittingly sent out to up to 33,000 of SolarWinds’ clients as part of a software update. Up to 18,000 of SolarWinds’ customers installed the updates – including Microsoft, Cisco, Intel, Deloitte and even parts of the Pentagon – leaving them vulnerable to attack. It is believed that attackers from Russia were able to hack into and spy on high-profile private companies and senior US Government departments including the Treasury Department and the Department of Homeland Security.
The SolarWinds attack had a huge impact in the cybersecurity industry and within large organisations and resulted in a massive upsurge in interest in threat hunting as a means to prevent large-scale and far-reaching attacks like this from happening again.
BENEFITS OF THREAT HUNTING FOR TELECOMS COMPANIES
Threat hunting has many benefits as a means of threat protection for large organisations like telecoms companies. The benefits of threat hunting include:
- Proactive rather than reactive
Proactive threat hunting can prevent damage being done if a threat actor has gained access but not yet stolen or compromised data. Often threat actors will lie dormant in a network for months before striking – threat hunting means you’re more likely to find and respond to these malicious actors before it’s too late.
- Reduction in breaches and breach attempts
Ongoing threat hunting means more data gathered from potential malicious activity, enabling machine learning to continually improve and respond better to breaches and breach attempts.
- TTP understanding
Data gathered through threat hunting can help to establish a deeper understanding of threat actor TTPs, which can be shared with the wider threat intelligence community to better protect networks everywhere.
- Faster and more accurate responses to threats
Regular and proactive threat hunting ensures that any breaches are located and resolved more quickly.
- Improvements in security!
Overall, threat hunting improves your network’s security and forms a vital weapon in your arsenal to protect against cyber-crime.
Telecoms companies have much larger quantities of data compared to smaller organisations. Using the Telesoft Data Analytics Capability (TDAC) ensures the ability to comprehensively investigate in the event of a trigger, without missing any malicious activity. Get in touch today to find out more and book a demo.