10 Class 33: Read Threat Hunting with Security Onion - VascoLucas01/cybersecurity-reading-notes GitHub Wiki
Introduction
This reading, Threat Hunting with Security Onion, is based on the following articles:
What Is Threat Hunting and Why Is It so Important?
Threat hunting is an active and proactive activity that involves actively searching for signs of compromise within internal systems. It is distinct from reactive activities such as forensics that respond to alerts triggered by security incidents. The goal of threat hunting is to identify indicators of compromise, such as internal systems establishing unauthorized connections with external entities. The outcome of a successful threat hunt is a compromise assessment, which provides assurance about the security status of systems. Threat hunting enables organizations to validate the integrity of their networks by actively seeking out potential threats, rather than relying solely on reactive measures.
Why You Need Threat Hunting!
Existing security tools can be classified as either protection-based or response-based, but there is a crucial missing link between the two. Log analysis, which falls under the response category, has been used to try to bridge this gap but has proven inadequate. Studies have shown that it takes more than six months on average to detect a breach, and often it is detected by a third party rather than through internal efforts. This highlights the failure of relying solely on logging for threat detection.
An example of this failure is the Starwood breach, where credit card information was being extracted from their environment without detection despite passing through multiple security checks. Current processes are not effective, which is why threat hunting is needed. The Verizon 2019 breach report provides valuable data supporting the adoption of threat hunting programs. The report reveals that a significant majority of breaches are detected by external parties, while internal log analysis only catches around 2.5% of incidents, which is considered unacceptable.
Threat hunting is presented as a better alternative, addressing the shortcomings of traditional approaches. It allows organizations to actively search for threats and fill the gap between protection and response, providing a more proactive and effective security strategy.
QUESTIONS
1. How are Threat Hunting and Pentesting different?
- Threat Hunting: Threat hunting involves proactively searching for threats and potential security incidents within an organization's network or systems. It focuses on identifying and mitigating advanced persistent threats (APTs) or stealthy attacks that may have evaded traditional security measures. Threat hunting typically involves analyzing logs, network traffic, and system behavior to detect indicators of compromise (IoCs) and uncover hidden threats.
- Pentesting: Pentesting, on the other hand, is a controlled and authorized simulation of a real-world cyber attack. It aims to evaluate the security of an organization's systems, networks, or applications by attempting to exploit vulnerabilities. Pentesters simulate the actions of a malicious actor to identify weaknesses and provide actionable recommendations for improving security controls. Unlike threat hunting, pentesting is typically a periodic activity and follows a predefined scope.
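To make the indicator the first article names (an internal system establishing unauthorized connections with an external entity) and the log analysis mentioned in the Threat Hunting answer above concrete, here is a small hunt run over constructed records in the shape of Zeek conn.log JSON lines, the kind of data Security Onion collects. This is example code added to these notes, not code from the articles or from Security Onion; the internal address ranges, the approved-destination list, the cadence threshold and the sample records are all assumptions made for the illustration.

```python
"""Hunt for internal hosts reaching external destinations that are not on an
approved list, and flag pairs whose connection timing looks scheduled.
Example for these notes; not Security Onion's own code."""
from __future__ import annotations

import ipaddress
import json
from collections import defaultdict
from statistics import mean, pstdev

# Address ranges treated as "internal" (RFC 1918 here; adjust per site - an assumption).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# External destinations already known and approved (constructed placeholder value).
APPROVED_EXTERNAL = {"203.0.113.10"}

# Constructed sample in the shape of Zeek conn.log JSON lines (ts, id.orig_h, id.resp_h, id.resp_p, proto).
SAMPLE_CONN_LOG = """\
{"ts": 1700000000.0, "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1700000005.0, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.20", "id.resp_p": 445, "proto": "tcp"}
{"ts": 1700000060.0, "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1700000090.0, "id.orig_h": "10.0.0.8", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1700000120.0, "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1700000150.0, "id.orig_h": "10.0.0.8", "id.resp_h": "198.51.100.9", "id.resp_p": 8080, "proto": "tcp"}
{"ts": 1700000180.0, "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1700000240.0, "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "proto": "tcp"}
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the site's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text: str) -> list[dict]:
    """Parse JSON-lines records; blank or malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def periodicity(timestamps: list[float]) -> float | None:
    """Coefficient of variation of the gaps between connections.
    Near 0 means a fixed cadence; None when fewer than three connections exist."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return pstdev(gaps) / avg


def hunt_unapproved_egress(text: str, cv_threshold: float = 0.2) -> list[dict]:
    """Group internal->external connections whose destination is not approved;
    mark a (src, dst, port) pair periodic when its timing is regular enough."""
    groups: dict[tuple, list[float]] = defaultdict(list)
    for r in parse_conn_log(text):
        src, dst, port = r.get("id.orig_h"), r.get("id.resp_h"), r.get("id.resp_p")
        if src is None or dst is None:
            continue
        if not is_internal(src) or is_internal(dst) or dst in APPROVED_EXTERNAL:
            continue
        groups[(src, dst, port)].append(float(r["ts"]))

    findings = []
    for (src, dst, port), times in groups.items():
        cv = periodicity(times)
        findings.append({
            "src": src, "dst": dst, "port": port,
            "connections": len(times),
            "first_seen": min(times), "last_seen": max(times),
            "periodic": cv is not None and cv < cv_threshold,
        })
    # Regular-cadence pairs first, then by volume: the order an analyst would triage.
    findings.sort(key=lambda f: (not f["periodic"], -f["connections"]))
    return findings


if __name__ == "__main__":
    for finding in hunt_unapproved_egress(SAMPLE_CONN_LOG):
        print(finding)
```

Run as a script it prints two findings: the 10.0.0.5 to 198.51.100.7:443 pair, seen five times at an exact 60-second cadence and therefore marked periodic, and a single 10.0.0.8 to 198.51.100.9:8080 connection. The approved destination and the internal-only SMB connection are dropped before grouping, which is the point of the approved list: the hunt narrows to what a reactive alert would never have raised.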
2. What is the primary objective of Threat Hunting?
The primary objective of Threat Hunting is to proactively detect and respond to advanced threats that have evaded traditional security measures. Rather than relying solely on preventive security controls, threat hunting aims to uncover existing threats or vulnerabilities within an organization's network or systems. By actively searching for signs of compromise or indicators of malicious activity, the goal of threat hunting is to reduce the dwell time of threats, minimize potential damage, and enhance the overall security posture of the organization.
3. Your organization has a fully functioning SOC but not active Threat Hunting. How would you advocate for your security organization to start Threat Hunting activities?
- Highlight the limitations of traditional security measures: Explain how relying solely on preventive security controls, such as firewalls and antivirus software, may not be sufficient to detect advanced threats. Emphasize the need for a proactive approach to complement existing security practices.
- Discuss the evolving threat landscape: Describe the increasing sophistication of cyber threats and the emergence of advanced persistent threats (APTs) that can bypass traditional defenses. Illustrate the risks and potential damage that can occur in the absence of proactive threat hunting.
- Demonstrate the value of Threat Hunting: Showcase case studies, industry reports, or examples of successful threat hunting initiatives. Highlight the benefits, such as early detection and response to threats, reduced dwell time, improved incident response capabilities, and enhanced overall security posture.
- Highlight industry best practices and standards: Reference recognized frameworks or guidelines, such as the MITRE ATT&CK framework, which emphasize the importance of proactive threat hunting as part of a comprehensive security strategy. Demonstrate how implementing Threat Hunting aligns with industry best practices and compliance requirements.
By effectively communicating the need for proactive threat hunting, the potential benefits, and the alignment with industry standards, you can make a compelling case for your security organization to start implementing Threat Hunting activities.