Cyber attackers often circumvent, bypass or avoid security tools and technologies. Community-Powered threat hunting and investigation provide a crucial second line of defense to detect malicious behavior that cannot be easily detected by automated tools.
Cyber threat hunters use expert knowledge of key attacker tactics, techniques and procedures (TTPs) instead of volatile indicators to detect and stop advanced threats before they compromise your organization. Their proactive approach reduces the amount of time spent investigating suspicious activity.
1. Crowdsourcing
Crowdsourcing on the internet is an invaluable tool for businesses and organizations to gather ideas from customers, potential employees, community members and the general public. This practice of crowdsourcing can be applied to many different businesses across a range of industries.
Business advantages can include speed, cost-savings and access to people with skills that a company may not possess. For instance, if a company needs to complete a task quickly, they can break it into smaller tasks and assign them to freelancers who can complete them faster than an in-house team could.
Nonprofits and community-based organizations also utilize crowdsourcing to create or promote their work and projects at a fraction of the cost of hiring a full-time employee. This can enable them to reach new audiences or fund small creative ventures they might not otherwise be able to fund.
Businesses can become vulnerable to security risks if they do not set clear guidelines and expectations for participants. For instance, a car brand might host an event to crowdsource ideas for an electric car model, but may not be able to use all the suggestions that come up unless they know exactly what is needed.
Threat hunting is an effective tool in the cyber world to detect threats that evade standard detection. This activity relies on data that identifies tactics, techniques and procedures (TTP) employed by cybercriminals, which is crowdsourced from sources like Wikipedia or other open-source websites. With this insight SOC analysts can identify threats whose behavior has yet to be detected by traditional technologies. Using this knowledge they can then proactively scan their network in order to detect and isolate those risks.
2. Interoperability
Interoperability is the ability of security tools to interact, enabling cybersecurity teams to efficiently monitor their environments. It’s an integral component of a robust cyber defense strategy, particularly for organizations with complex IT architectures.
A well-run cyber threat hunting program can enhance an organization’s security posture by quickly detecting and eliminating previously undetected threats before hackers have the chance to infiltrate it. To achieve this result, organizations need a dedicated team of professionals, modern tools, as well as the funding and backing from key stakeholders.
However, many security teams lack the resources to implement a comprehensive threat hunting program. This is because this task often involves manually scanning through an organization’s network and endpoints – which can take an arduous amount of time.
Good news is that the Open Cybersecurity Alliance (OCA), led by cybersecurity professionals, has come together to support. This includes prominent security vendors like IBM, McAfee and SafeBreach as well as other technology companies who recently joined the governing board of OCA.
Streamlining and automating threat hunting is essential in this process, as it helps security operations teams quickly search through large datasets with minimal pipeline latency. To achieve this goal, OCA has collaborated with IBM Security to open source Kestrel, an innovative language which facilitates collaboration, sharing, and reuse of composable threat hunting flows.
Kestrel language supports normalization and correlation of diverse threat intelligence sources delivered in disparate formats such as Structured Threat Information Expression (STIX) or vendor-specific data structures, along with efficient aggregation, storage and querying these disparate data sets. By combining Kestrel with predictive data sources, security teams will have greater power to mitigate key risks.
3. Automation
Automated solutions can streamline workflows, boost productivity and minimize errors. But before implementing automation, businesses must identify processes that need automating and assess its suitability for their organization.
Security automation tools, such as threat detection and analysis software, offer a range of capabilities to assist these tasks. These systems can identify anomalous activities, detect malware and notify IT when it’s identified, and monitor suspicious activity within the network.
These tools can also be utilized to search and correlate disparate data sets in order to gain a comprehensive view of an organization’s environment. By storing security information for extended periods of time, organizations are better able to quickly uncover hidden threats, remove advanced persistent threats (APTs), and prioritize vulnerabilities before they become weaponized.
Community-driven threat hunting is revolutionizing how security teams detect threats in real time. Instead of indexing content, security operations teams can utilize live channel searches to quickly access up-to-date workbooks, commercial intelligence and global user communities with virtually zero latency.
Additionally, unified log sources enable hunters to better define and refine detections so that they align with adversary techniques and behaviors. This reduces false positives, enabling security teams to prioritize and address critical issues before they become weaponized.
Human expertise allows threat hunters to analyze large amounts of security monitoring and analytics data in order to detect threats that may slip past automated defenses. Human intuition, strategic and ethical thinking, as well as creative problem-solving are essential ingredients for successful cyber hunting.
4. Analytics
Analytics is a key area of cybersecurity innovation, as organizations and IT pros strive to utilize vast amounts of internal and externally generated data. There are various types of analytics, from simple descriptive evaluation to more complex predictive ones that uncover correlations and relationships between variables.
Security teams require an efficient way to collect and store large amounts of data for threat hunting. This includes ingesting telemetry from security information and event management (SIEM) solutions, managed detection and response (MDR), as well as other log sources. Afterward, threat hunters can search this data to detect traces of known malware and other threats while also integrating environmental data for more context.
Through machine learning and artificial intelligence capabilities, advanced threat hunters are able to quickly detect and isolate suspicious activities and behaviors that may have evaded automated detection systems. This enables security teams to respond faster to threats, mitigating damage before it occurs – ultimately decreasing the time it takes for detection and remediation of malicious activity within a network.
The CISO should evaluate their current threat hunting program to assess its efficiency. Furthermore, they should consider ways of improving this effectiveness through validating controls or uncovering things automated systems may miss.
Google Cloud and MITRE have collaborated on a community security analytics project that makes cloud-specific threat hunting simpler. The set of pre-built queries are tailored to known attacker tactics, techniques and procedures (TTPs) as well as vulnerabilities specific to each environment.
Alternatively, Kestrel, an open-source threat hunting language, is becoming more widely adopted as part of a tech standardization initiative. Kestrel seeks to reduce the workload for SOC analysts through automation and platform independence.
5. Integration
Threat hunting is an essential element of an organization’s security program. It allows companies to detect emerging threats before they are noticed and stop them before they cause major disruption or breaches. To do this effectively, organizations need dedicated full-time threat hunters with expertise on cyberattack tactics and techniques.
Automated detection tools may detect more threats, but human hunters remain the most adept at spotting advanced threats. They have the capacity to recognize suspicious activities that evade automated detection tools and use creativity to uncover dangers where automated tools cannot.
A successful threat hunt begins with a hypothesis, which could be based on risks or vulnerabilities in the organization’s IT environment, current threat intelligence or attacker tactics of choice. After this has been determined, the hunter searches for patterns within the network which may indicate either one specific attacker or an array of attackers.
Conducting a hunt can range from setting the scope and objectives to identifying the target system or systems that should be investigated and then planning how to conduct an in-depth investigation into them. No matter what stage you are at in the process, having an effective methodology is key for ensuring success and producing actionable intelligence.
Integrating multiple data sources into a centralized repository enables teams to search and correlate disparate sets for enhanced visibility and threat context. This extended storage of security information enables hunters to scan logs for suspicious activity, eliminating advanced persistent threats before they can be weaponized. Furthermore, security teams can utilize enriched telemetry data more precisely match adversary tactics, techniques, and behaviors.
