Effective Threat Hunting for SOCs: Moving Beyond IoAs and IoCs

If an organization’s network is quiet and no alarms are sounding, does that mean the environment is threat-free? The answer, as any security operations center (SOC) team knows, is no. Analysts can never be certain that adversaries haven’t slipped past detection or that unknown vulnerabilities don’t exist. 

This is why the SOC must be empowered to hunt for threats. Threat hunting allows security teams to take the initiative. Before any incident is identified or investigation begins, they search for risky activity. If they find a credible threat, it exposes a blind spot in the SOC’s visibility into the organization’s IT infrastructure. It means an intruder or weakness in the defenses went undetected, and an attack could already be underway.

This drives home the importance of threat hunting as a security strategy. After all, not all suspicious or malicious behavior is conspicuous; often, attackers use valid credentials to compromise data without sending up any red flags. So while threat hunting is important, doing it well can be incredibly difficult.

Threats Can Originate From Inside and Outside the Organization

Adversaries outside an organization have many ways to gain legitimate access to data and systems. Scams like phishing can easily turn trusted employees into compromised insiders, creating serious problems for the organization.

Research shows that 68% of breaches include a non-malicious human element, such as a team member making an error or falling for a social engineering attack. In these cases, employees become unwitting accomplices, helping adversaries move laterally and exfiltrate data.

Then there are the adversaries who already have valid credentials because the organization trusted them. Of the various types of insider threats, malicious insiders are the most insidious and nefarious.

For any number of reasons—a grudge against a manager, a new job prospect with a competitor, or a bribe from a criminal—someone might deliberately abuse their access to steal, alter, or destroy data. The question is: How can they be caught?

For Threat Hunters, Conventional IoAs and IoCs Aren’t Enough

Traditional threat hunting often falls short when it comes to quickly and accurately detecting insider threats. That’s because it’s predicated on basic indicators of attack (IoAs) and indicators of compromise (IoCs), such as hash values, IP addresses, and domain names. While these can provide some insight into external threats, they’re limited in identifying insider threats that appear to be trusted users.

IoAs and IoCs typically show up only after an attack is already in progress. They rarely identify the activities and behaviors that precede an attack, meaning damage may have already occurred. This is why basic IoAs and IoCs, like hashes, IP addresses, domain names, and network and host artifacts, form the lower tiers of the widely known Pyramid of Pain model.

Effective threat hunting faces further obstacles because many organizations depend on correlation engines with thousands of rules for threat detection. When logs include data from endpoints, firewalls, web traffic, and tools from multiple vendors, it creates a lot of noise that can distract analysts and mask adversary activity.

To manage the deluge of alerts, security teams often disable the majority of their correlation engine’s rules. However, this tradeoff can allow anomalies and unknown threats to go undetected.

Threat Hunters Must Move to the Top of the Pyramid of Pain

How can analysts move beyond basic IoAs and IoCs to spot the early signs of an attack or detect an adversary’s intent? The key is to identify tactics, techniques, and procedures (TTPs).

TTPs represent the higher tiers of the Pyramid of Pain model and involve more complex, behavior-based indicators. Detecting TTPs, rather than atomic indicators alone, is what threat hunting best practices call for. For instance, the MITRE ATT&CK® framework maps TTPs to specific adversary behaviors.

Identifying and intercepting attackers’ TTPs not only helps prevent an imminent attack, but also forces adversaries to rethink their strategies. Once their methods are detected, they can no longer avoid scrutiny. This makes TTPs an essential line of defense for organizations.

Two capabilities are critical for advanced threat detection. The first is a modern security information and event management (SIEM) solution that gathers data across the organization, streamlining alerts and centralizing the analyst’s threat hunting efforts.

The second is user and entity behavior analytics (UEBA), which uses machine learning to establish a baseline of normal activity within the organization. This allows it to automatically flag any anomalous behavior, even if it comes from a trusted user or device with legitimate credentials.
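The following is an added example, not code from the original post or from any vendor product, that puts the two ideas above side by side: an atomic IoC lookup of the kind the Pyramid of Pain places at the bottom (hash, IP, domain), and a UEBA-style per-user behavioural baseline that flags a trusted account acting out of character. The log records, the "known bad" indicator values, the per-user baseline fields, the z-score threshold and the ATT&CK technique references in the comments are all constructed or assumed for illustration; plain statistics stand in for the machine learning a real UEBA product would use.

```python
"""Added example: IoC matching beside a per-user behavioural baseline.

All events, indicator values and thresholds are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "known bad" atomic indicators (placeholder values, not real IoCs).
KNOWN_BAD_HASHES = {"deadbeef" * 8}        # placeholder 64-hex-char hash
KNOWN_BAD_IPS = {"203.0.113.55"}          # TEST-NET-3 address, constructed
KNOWN_BAD_DOMAINS = {"bad.example"}       # reserved example domain


def ev(user, host, hour, bytes_out, dest_ip="10.0.0.5",
       domain="corp.example", file_hash=""):
    """One constructed login-plus-transfer record, as a SIEM might normalise it."""
    return {"user": user, "host": host, "hour": hour, "bytes_out": bytes_out,
            "dest_ip": dest_ip, "domain": domain, "file_hash": file_hash}


# Constructed history: routine behaviour for two users over several weeks.
HISTORY = (
    [ev("alice", "wks-01", h, 20_000 + i * 100)
     for i, h in enumerate([9, 10, 11, 14, 15, 16] * 5)]
    + [ev("bob", "wks-02", h, 50_000 + i * 500)
       for i, h in enumerate([8, 9, 13, 17] * 6)]
)

# Constructed "today": one normal event, one insider-style event made with
# valid credentials (no IoC hit), and one external contact that does hit IoCs.
TODAY = [
    ev("alice", "wks-01", 10, 21_000),
    ev("alice", "fileserver-03", 3, 850_000, dest_ip="198.51.100.9"),
    ev("bob", "wks-02", 9, 52_000, dest_ip="203.0.113.55", domain="bad.example"),
]


def ioc_hits(e):
    """Bottom of the Pyramid of Pain: exact matches on atomic indicators."""
    hits = []
    if e["file_hash"] in KNOWN_BAD_HASHES:
        hits.append("hash")
    if e["dest_ip"] in KNOWN_BAD_IPS:
        hits.append("ip")
    if e["domain"] in KNOWN_BAD_DOMAINS:
        hits.append("domain")
    return hits


def build_baseline(events):
    """Per-user profile of hosts, working hours and outbound volume."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baseline = {}
    for user, evs in per_user.items():
        vols = [e["bytes_out"] for e in evs]
        hours = [e["hour"] for e in evs]
        baseline[user] = {
            "hosts": {e["host"] for e in evs},
            "earliest": min(hours),
            "latest": max(hours),
            "mean": mean(vols),
            "std": pstdev(vols) or 1.0,   # guard against a zero-variance history
        }
    return baseline


def behaviour_findings(e, baseline, z_threshold=3.0):
    """Top of the pyramid: deviations from the user's own baseline.

    The ATT&CK references are an assumed, illustrative mapping.
    """
    b = baseline.get(e["user"])
    if b is None:
        return ["no baseline for this user"]   # new account: review, not a verdict
    findings = []
    if e["host"] not in b["hosts"]:
        findings.append("logon to a host this user has never used (cf. T1021)")
    if not b["earliest"] <= e["hour"] <= b["latest"]:
        findings.append("activity outside the user's usual hours")
    z = (e["bytes_out"] - b["mean"]) / b["std"]
    if z > z_threshold:
        findings.append(f"outbound volume z={z:.1f} above baseline (cf. T1048)")
    return findings


def triage(events, baseline):
    """Run both checks over each event so the two views can be compared."""
    return [{"user": e["user"], "host": e["host"],
             "ioc": ioc_hits(e), "behaviour": behaviour_findings(e, baseline)}
            for e in events]


if __name__ == "__main__":
    for row in triage(TODAY, build_baseline(HISTORY)):
        print(row)
```

With the constructed data, the fileserver event carries no IoC at all yet produces three behavioural findings, while the contact with the bad IP and domain is caught only by the IoC lookup; the SIEM's job is to surface both views in one place so the analyst sees the insider case that rule-based matching alone would miss.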

Together, these solutions form a solid foundation for detecting anomalies, identifying TTPs, detecting insider threats, and strengthening your threat hunting program. For a complete guide to empowering your SOC’s threat hunting, download our white paper, Nowhere to Hide: A Programmatic Approach to Threat Hunting.
