What is Cyber Threat Hunting?
Threat hunting uses manual and/or automated techniques to search for attacker activity that is suspected, but not yet confirmed, to be present in the environment. A hunt starts from a hypothesis, an educated guess about what the adversary is doing and where the evidence would appear. For example, the hypothesis could be as simple as: “We know that the hacker group named P4r4d0x tends to send their phishing messages from infrastructure hosted in Russia. Therefore, if they are phishing our users, we should be able to examine incoming email logs to find messages where the geolocation of the sender’s IP is in Russia.”
Threat Hunting requires awareness of threat intelligence, the use of indicators of compromise (IOCs) and knowledge of adversary tactics, techniques and procedures (TTPs).
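The following is an added worked example of testing the hypothesis above against inbound mail logs; it is illustrative code written for this page, not 7Safe's tooling. It assumes each log record carries the message ID, the envelope sender and the ordered list of Received: headers as our MTA stored them, and it geolocates addresses against a small inline CIDR table of constructed sample prefixes (a real hunt would use a maintained GeoIP database). The group name, mail servers and addresses are all made up.

```python
"""
Hunt: "P4r4d0x phishing arrives from Russian-hosted infrastructure."

Added example, not from the original page. Assumptions:
  - A message record is a dict with "message_id", "from" and "received",
    the latter being the Received: headers in the order our MTA stored them
    (our own header first).
  - GEO_TABLE is constructed sample data standing in for a real GeoIP lookup.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed geolocation table: prefix -> ISO country code (sample data only).
GEO_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "RU"),
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# Postfix-style Received: headers put the client address in square brackets.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def geolocate(ip: str) -> Optional[str]:
    """Return the country code for an IP, or None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None


def connecting_ip(received_headers: List[str]) -> Optional[str]:
    """
    Return the IP of the host that actually connected to *our* MTA.

    Only the Received: header our own server prepended (first in the list)
    is trustworthy; every header below it was supplied by the remote side
    and can be forged. The hunt therefore ignores all but the first.
    """
    if not received_headers:
        return None
    m = RECEIVED_IP.search(received_headers[0])
    return m.group(1) if m else None


def hunt(messages: List[Dict], target_country: str = "RU") -> List[Dict]:
    """Apply the hypothesis: flag messages whose connecting host geolocates to target_country."""
    hits = []
    for msg in messages:
        ip = connecting_ip(msg["received"])
        if ip is None:
            continue
        cc = geolocate(ip)
        if cc == target_country:
            hits.append({"message_id": msg["message_id"], "from": msg["from"],
                         "ip": ip, "country": cc})
    return hits


# Constructed sample log records (hypothetical hosts and addresses).
SAMPLE_MESSAGES = [
    {   # Legitimate partner mail from Germany: no hit.
        "message_id": "<m1@partner.example>",
        "from": "alice@partner.example",
        "received": [
            "from mx.partner.example (mx.partner.example [203.0.113.10]) "
            "by mx.ourcorp.example (Postfix) with ESMTPS id A1",
        ],
    },
    {   # Lure delivered straight from Russian-hosted infrastructure: hit.
        "message_id": "<m2@lure.example>",
        "from": "hr-update@lure.example",
        "received": [
            "from lure.example (unknown [198.51.100.7]) "
            "by mx.ourcorp.example (Postfix) with ESMTPS id B2",
        ],
    },
    {   # Forged inner Received: header claims a Russian hop, but the host
        # that really connected to us is in the US: must NOT be flagged.
        "message_id": "<m3@spoof.example>",
        "from": "bob@spoof.example",
        "received": [
            "from relay.spoof.example (relay.spoof.example [192.0.2.25]) "
            "by mx.ourcorp.example (Postfix) with ESMTPS id C3",
            "from fake.example (fake.example [198.51.100.99]) "
            "by relay.spoof.example with SMTP id C2",
        ],
    },
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_MESSAGES):
        print(hit)
```

Two practical points the example encodes: trust only the Received: header your own MTA added, since the rest of the chain is attacker-controlled, and remember that the hypothesis is deliberately narrow. An adversary who relays through a host in a third country is not caught by it, so a hunt like this is a starting point to be refined with other indicators (sender domain age, attachment types, authentication results), not a detection rule in itself.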
Why proactively hunt for threats?
Every organisation is subject to cyber-attacks. Defence in depth is part of the answer to reducing exposure and mitigating impact. However, identifying threats and responding to intrusions in a timely manner continues to prove challenging. Cyber Threat Hunting is a proactive alternative to relying solely on traditional rule- or signature-based security solutions.
Steve Shepherd MBE, a government-trained cyber specialist, leads 7Safe’s world-class cyber threat hunting service, providing front-line consultancy and transferring the knowledge to teach your team the practical steps needed to plan and conduct threat hunting operations throughout the enterprise.
The Steps in Cyber Threat Hunting
What are the ingredients of an effective Cyber Threat Hunting Team and how do we acquire them?
- Investing in skilled Threat Hunters
- Building the Threat Hunting Team
- Developing Assets and Capabilities
- Planning Threat Hunting Operations
- Creating a Threat Hunting Hypothesis
- Investigating using Tools and Techniques
- Uncovering a Hacker’s Patterns and TTPs
- Host Analysis to compare configurations against established baselines
- Automation to make hunting repeatable
“Without expert help, no organisation regardless of size can be confident that malware is not present in its systems. It is unusual for us not to find evidence of malware when we carry out our standard checks on OS, apps, and network and cloud services. When you know what you are looking for and have the right methodology and tools for threat hunting, you can mitigate risks of this kind by isolating and removing the threat. After digital forensic analysis, we can report accurately on the damage, helping our clients to properly risk assess the situation with all the facts.”
Steve Shepherd MBE, 7Safe's Cyber Threat Hunting Lead
In contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS) and SIEM systems, cyber threat hunting sets out to find Advanced Persistent Threats (APTs) before an alert has fired or an incident has been declared. In other words, it is a proactive process that aims to identify and quarantine or neutralise cyber threats before the attacker can succeed in their mission to steal data and/or disrupt the business activities of the organisation.
- What should you hunt for?
- How do you perform the hunts?
- What data do you need to collect?
These are some of the more obvious questions that 7Safe’s experienced cyber threat hunters already have answers to, having devised our own framework of threat hunting procedures, best practices and tips. These cover, for example, detecting compromises of internet-facing services, malware and lateral movement.
Speak to an expert
If you would like to speak to our team about finding potential threats in your systems, please call +44 (0)17 63 285 510 or get in touch by email.
Or if you would like to read more about our CREST accredited incident response services, see Why Choose 7Safe for CSIR or our CSIR Operating Model.
Alternatively, complete the enquiry form below and a member of our team will get back to you.
Please try to include as much information as possible on your requirements. Not sure on details? Not a problem, our team can go through this with you when they get in touch.