Threat hunting is a proactive approach for finding and remediating undetected cyberattacks. It is a process that involves searching for indicators of compromise (IoC), investigating, classifying and remediating.
Threat hunting can be Infrastructure as Code-driven when the hunter investigates an indicator provided by external or internal sources. It can also be hypothesis-driven when the hunt begins with an initial hypothesis or question.
Threat hunting is necessary simply because no cybersecurity protections are always 100% effective. An active defense is needed, rather than relying on “set it and forget it” security tools. Since adversaries have followed the journey to the cloud, threat hunting is required to detect and disrupt advanced threats originating, operating and persisting in the cloud.
Today, more than 70% of application code used is open source. Attackers look to include their malicious code in common projects such as GitHub. After poisoning the well, they patiently wait as the new version makes its way into your cloud applications. Remaining undetected is vital to the success of this and most attacks. Unfortunately, most attacks succeed at remaining undetected. The average time required to identify and contain a breach is 280 days.
Threat hunting involves using manual and software-assisted techniques to detect possible threats that have eluded other security systems. These threat-hunting tasks can include hunting for malicious activity within your account. Attackers will do everything in their power to hide their actions, but usually will leave some traces of their activity — like breadcrumbs you can only see if you look in the right places.
There are three things you need to do to hunt threats effectively:
Step 1: Collect Quality Data
Data collected can come from log files, servers, network devices, databases and endpoints. In the cloud, some of the most useful threat-hunting data will come from traffic flow logs and event activity logs.
Step 2: Analyze This Data in the Context of Known Threats
Threat hunters must search for patterns and potential indicators of compromise (IOCs). You should always be looking at your logs to monitor properly. Too often, organizations don’t have enough resources and manpower to dedicate to ongoing intrusion detection monitoring.
Step 3: Analyze the Tools to Make Sense of it All
There are certain obvious signs of potential malicious activity. Do you have outbound traffic to a Tor exit node? Access tokens are being abused by new sources? What you really want is a cloud security solution that will alert you of these things automatically. Even the most skilled threat hunter might not pick up on obviously malicious activity if it is buried under a mountain of cloud logs.