Usually, in the field of cybersecurity, there are two distinct figures: attackers who try to obtain something illicitly (increasingly often data), and defenders against attacks. However, in the practice of Threat Hunting, the parties are reversed, and so it is those who are attacked (or potentially could be attacked) who hunt for any traces of the attackers. And this greatly increases the level of effectiveness of countermeasures against cyber attacks.
What Threat Hunting is for?
Threat hunting is a cybersecurity procedure that looks proactively for IT security threats that lurk undetected in a network. Threat hunting digs deep into the IT ecosystem to identify cybercriminals that have evaded the initial defences of endpoint security and managed to enter the IT infrastructure.
After sneaking in, an attacker can remain hidden in a network for months while quietly collecting data, searching for confidential material or obtaining access credentials that allow them to move 'sideways' within the network.
Once a cybercriminal has broken through an organisation's defences, many organisations do not have the advanced detection capabilities needed to stop the threat from settling into the network. This is why threat hunting is playing an increasingly essential role in a defence strategy.
Hunting for threats in the corporate network
As the security firm HWG suggests, the key word in Threat Hunting is proactivity. In this way we try to prevent a potential attack before it happens, by aiming to block the problem at its source. In this sense, many technologies can be involved, but above all many procedures. Starting with the corporate infrastructure, we can analyse the indicators of compromise, i.e. we look for signs that may indicate the presence of suspicious activity. For example, it might be that a user logs in from a geographical area that is not his usual one.This in itself is not necessarily a problem because the user in question may simply be abroad, but if a few minutes later the same user logs in from another part of the world, there is obviously something strange going on.
In such a situation, even before the compromise occurs, an alert can be sent to security officers requesting them to block the user or force a password change. In other words, a remediation activity has been initiated before the attack has even started.
The same can happen if, within a very short period of time, abnormal activity is detected on different devices. This is a lateral action that must be considered as an alarm signal.
Threat Hunting in the Dark and Deep Web
HWG emphasises that the hunt can also be extended outside the corporate perimeter, by monitoring the Deep and Dark Web to look for traces that lead back to a specific company. These traces consist of the names and surnames of employees or of the board members, the addresses of the headquarters or the production facilities. But it can also be databases, e-mails or passwords that can be found for sale in the various marketplaces of the Dark Web. This, again, is an indication that certain data have been stolen. If, for instance, the password found has been changed, no action is necessary, but if it has not been changed, then action must be taken immediately. However, this introduces another aspect: it is an alarm bell that goes to the sphere of procedures, i.e. the password policy, which the company must implement and enforce among its users. If you have a password that never expires, the risk of compromise obviously increases, while changing it periodically is substantially reduced.
Threat Hunting also includes searching within hacker discussions on various blogs, in which a company, office and so on might be mentioned. Nothing has happened yet, but the trace must alert again because it could be a preparatory activity aimed at an attack.
The next step in threat hunting according to HWG is to create traps for attackers. This is an activity to distract the hacker and get even more data to conduct the hunting. These are real traps, called deception technologies. This is done by activating fake servers, fake files and fake active directories, or by replicating elements of the company's infrastructure in an isolated area specifically created to induce the attacker to launch threats. So whatever is done will not affect the operation or security of the company but at the same time will give visibility of any abnormal activity. And if the trap works, and an attack does happen, it will be immediately blocked and 'locked out' of the company's infrastructure.
To check for other vulnerabilities in the company, HWG replicates the same attacks that a hacker would launch to see if there are any critical points and how they could be exploited. A patching remediation operation is then initiated to prevent an attacker from finding an open window to enter the company's network