Hunting is the art of finding a needle in a haystack. Threat hunting is the art of finding a needle in a haystack without knowing what that needle looks like. To hunt this way requires an ability to notice patterns and anomalies. The more data you have and the more time you spend looking at it, the more useful that data becomes in identifying threats.
Threat hunting is not just about trying to find a specific threat, such as malware or an attacker’s persistent presence on your network. It’s about using all of your available data to identify new things that might be threats. In most cases, this includes malicious and non-malicious activity that doesn’t look like known attacks on your network. This can mean anything from infected machines to new services running on them to unusual behavior from user accounts that might indicate misuse or compromise.
Threat hunting isn’t just about finding threats; it’s about going beyond that to examine the potential impact of threats you do find and how they might jeopardize your organization. In other words, it’s about understanding what those threats mean to your organization in terms of loss and damage. The ability to prioritize and react based on this information is one of the most important benefits of threat hunting.
How is Threat Hunting Different?
A key difference between threat hunting and other security activities is focus. Threat hunting concentrates on what isn’t normal behavior within your organization and its network environment, whereas other security activities focus on specific abnormal events, such as a successful phishing attack or malware infection, and then examine them for clues regarding who was involved and why they occurred.
As with many security activities, threat hunting can take place from an incident response perspective or on an ongoing basis as part of an organization’s regular security operations efforts. Just as incident response can be divided into phases, for example:
- Collection
- Analysis
- Containment
- Eradication
threat hunting can likewise be divided into three distinct phases:
- Preparation (gathering all possible data for use during analysis)
- Analysis (using the data collected during preparation with tools like Splunk App for Splunk Enterprise Security)
- Action (taking appropriate action based on findings)
Preparation Phase: Data Collection & Analysis
During preparation for threat hunting, organizations must collect all relevant data about their network environment. This includes typical network telemetry data, such as traffic flows, event logs, and configuration information.
It also includes logs from endpoints and servers, data from security devices such as firewalls and IDS/IPS (intrusion detection/prevention systems), and usage data from IT service management (ITSM) systems.
Additionally, it can be useful to gather user-related data from CRM (customer relationship management) systems, HR (human resources) databases, and other internal sources.
There are many sources for this information, including the enterprise’s network monitoring infrastructure, commercial services like Splunk Enterprise Security (ES), or cloud-based services that offer security analytics and threat intelligence.
Tools like Splunk App for Splunk Enterprise Security can also pull in data from a wide range of sources and provide additional context through search-based analysis. Once you have this data in place, you can analyze it with a variety of tools to find anomalies that might indicate a security incident or attack.
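As an added example of the analysis step (not code from the article or from Splunk), the script below runs a simple "stacking" hunt over a constructed endpoint service inventory: it flags services that appear on only a few hosts, and familiar service names whose binary path differs from the path seen on the rest of the fleet. The host names, service names and paths are made-up sample data.

```python
# Added example: frequency ("stacking") analysis of installed services across
# hosts. Rare services and unexpected binary paths are leads for an analyst,
# not verdicts. Records are constructed sample data, not real telemetry.
from collections import Counter, defaultdict

# (host, service_name, binary_path); a real hunt would pull this from
# endpoint logs or a SIEM such as the Splunk data the article describes.
SAMPLE_RECORDS = [
    ("ws01", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ws02", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ws03", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ws04", "Spooler", r"C:\Users\Public\spoolsv.exe"),  # familiar name, odd location
    ("ws01", "WinDefend", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    ("ws02", "WinDefend", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    ("ws03", "WinDefend", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    ("ws04", "WinDefend", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    ("ws02", "UpdaterSvc", r"C:\Users\jdoe\AppData\Local\Temp\updater.exe"),  # seen once
]

def stack_services(records):
    """Group hosts by service name: {service: {hosts}}."""
    hosts_by_service = defaultdict(set)
    for host, service, _path in records:
        hosts_by_service[service].add(host)
    return hosts_by_service

def rare_services(records, max_hosts=1):
    """Services installed on max_hosts or fewer hosts, rarest first."""
    stacked = stack_services(records)
    rare = [(svc, sorted(hosts)) for svc, hosts in stacked.items() if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))

def path_anomalies(records):
    """Records whose binary path differs from the most common path for that service name."""
    paths_by_service = defaultdict(Counter)
    for _host, service, path in records:
        paths_by_service[service][path] += 1
    baseline = {svc: paths.most_common(1)[0][0] for svc, paths in paths_by_service.items()}
    return [(host, svc, path) for host, svc, path in records if path != baseline[svc]]

if __name__ == "__main__":
    for svc, hosts in rare_services(SAMPLE_RECORDS):
        print(f"rare service {svc!r} seen only on {hosts}")
    for host, svc, path in path_anomalies(SAMPLE_RECORDS):
        print(f"unexpected path for {svc!r} on {host}: {path}")
```

The same two checks generalize to scheduled tasks, autoruns or user logon sources: stack by name, then look at what is rare or at odds with the baseline.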