5 Threat Hunting Techniques to Proactively Improve Your Security Posture

There’s no doubt that threat hunting is a valuable strategy when shifting your security team from reactive to proactive. Not only does threat hunting make it easier for organizations to identify more sophisticated attackers, it also gives security teams a programmatic way to identify and remediate the vulnerabilities that help attackers gain a foothold in the first place.

Many organizations, however, are stretched thin and stuck operating in reactive mode.  In order to make threat hunting a scalable reality at your organization, it’s important to start with a focused plan; otherwise, you run the risk of spending hours or even days on a hunt that returns no actionable findings. Not sure where to start? I’ve outlined five techniques to establishing a solid threat hunting plan.

1: Identify your threat hunting mission.

Without a defined mission or clear objectives, you’re just monitoring. Think of defining a mission like making a grocery list; when you go to a grocery store with a predefined list, you get your shopping done more efficiently. Without it, you might find yourself wandering around aimlessly, maybe leaving the store with things you don’t need, or even missing things you do. Defining your mission, then outlining clear objectives to help you accomplish that mission, are essential to a successful threat hunting strategy. We typically recommend starting with a baseline hunt, then moving to a threat-based hunt. It’s important to first identify what’s normal and any potential hygiene issues or logging gaps before hunting down actual threats.

ReliaQuest provides guidance on where and how to begin the hunt, including established objectives to search for, in the Threat Hunting Use Case blog series.

2: Use trending data over an extended period of time to better identify sophisticated attacks and misconfigurations.

To generate the most useful insights, use larger data sets as well as data sets from multiple sources. Longer time periods are also helpful: A 30-day data set, while helpful, won’t provide the visibility you need. You can more accurately identify sophisticated attacks and larger-scale misconfigurations when using trending data for longer periods of time, so security teams can compare daily, weekly, and monthly trends. Machine learning can accelerate this process, identifying abnormal behavior faster and prioritizing behavior based on impact to the business.

3: Continually iterate on your threat hunts.

A hunt campaign is never a one-and-done deal. Threat hunting should be iterative, and security teams should constantly track findings and improvements, building on these campaigns over time.

With a list of action items, the security team can undertake a more granular iteration of the hunt after clearing out the noise. Initial hunts should be used to baseline and remove noise that gets in the way of accurately identifying malicious activity. The goal is to constantly learn, understand, and improve your environment in order to identify “abnormal” with higher fidelity. By knowing what’s normal behavior and activity, the abnormal behavior will stand out.

4: Conduct hunts to better understand your environment.

Threat hunting is not just about looking for “evil,” or the bad guys – it’s also about looking for hygiene issues, or weaknesses in security posture that lead to attacks in the first place.

According to Security Boulevard, 60% of breaches in 2019 involved vulnerabilities where patches were available but not applied. It probably goes without saying, but the benefits of identifying and correcting security hygiene issues, such as unpatched vulnerabilities, misconfigured firewall rules, applications, and scripts, can be significant.

5: Use the results of your threat hunts to augment gaps left by static correlation.

Savvy attackers are always on the lookout for static correlations within the environment, with the goal of circumventing traditional detection methods. Threat hunting helps identify gaps in static correlation, so you can quickly close the open doors to attackers while also increasing the fidelity of your detection content. Ensure that proper logging levels and reporting are in place to constantly monitor threat hunt outcomes and baselines.

The Bottom Line

Over time, applying these five threat-hunting techniques will improve your environmental understanding and security posture. This, in turn, will let you create more dynamic content and automation that can quickly – and with high fidelity – identify when abnormalities occur in the environment.

To learn more about building a threat hunting program, including prerequisites, where to start, and specific use cases, view the white paper: Threat Hunting 101: A Framework for Building and Maturing a Proactive Threat Hunting Program

Jason Pfeiffer, Senior VP of Product Innovation for ReliaQuest, is responsible for the development and execution of ReliaQuest’s go-to-market strategy. Pfeiffer joined ReliaQuest in 2016, where he initially led the incident team and soon after was responsible for the entire Security Operations organization.  Prior to joining ReliaQuest, Pfeiffer spent his career building and leading world-class cyber security programs for global businesses, including Lockheed Martin and PwC.  He earned his B.S. in Management Information Systems (MIS) from the University of Central Florida (UCF) and his M.S. in Technology Management from RPI.  Pfeiffer also holds several industry certifications including the CISSP, ISSAP, CISM and C/EH and in 2015 he was awarded the Senior Information Security Professional of the Year by ISC2.