Despite the increasingly complex cybersecurity risks that organizations face today, most still don’t have a group of threat hunters on their cybersecurity teams. At its core, threat hunting is a proactive or an active cyber defense activity. Some consider threat hunting to be exploratory (e.g., as a threat hunter, you don’t know what you’re looking for, but your job is to explore and find things that seem “off” or malicious). Others have a looser definition of threat hunting – maybe you know that your organization uses SolarWinds technology, but you’re not sure if you were compromised as part of the major SolarWinds attack that went public in December 2020, so you need to hunt through your systems and networks to find indicators.
Because of the relative newness of the field and the demand for cybersecurity talent, there’s an assumption that only the most sophisticated organizations are able to leverage threat hunting activities. However, in reality, organizations do not have to be highly resourced or sophisticated to effectively leverage threat hunting to protect themselves from cyber risks.
In this 2021 Threat Hunting Report, based on a survey conducted by Cybersecurity Insiders, respondents shared a wide range of critical goals for their threat hunting activities:
Threat hunting can address several challenges facing cybersecurity teams. For example, teams running an insider threat program can benefit from threat hunting. Similarly, if your team is looking to reduce breaches and infections, external attack surface, and exposure to external threats, threat hunting can be extremely useful. Finally, threat hunting can help teams improve the speed and accuracy of response to cyber threats.
As an example, in December 2020, FireEye released a statement about a global supply chain cyber-attack that was being perpetrated through SolarWinds software and provided a number of indicators of compromise (IOCs) to support incident response. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive, provided IOCs, and noted in multiple external engagements that the next course of action needed was threat hunting.
In this case, threat hunting would help identify whether an organization had been breached and needed to go into incident response mode (e.g., reducing time to containment). Threat hunting would also help reduce an organization’s attack surface and exposure to external threats and improve the accuracy and speed of the response.
Within 24 hours of FireEye’s announcement, the LookingGlass team uploaded IPs and domain names tied to the attack to our external attack surface management and threat intelligence platform. It began gathering, mapping, and contextualizing threat intelligence for more than 1400 IPs and 1700 domain names.
The next day, we were able to identify who might be utilizing SolarWinds’ compromised product within the U.S., which led to the discovery of an additional 700 IPs that were potentially vulnerable:
Your cyber team could take advantage of this map by seeing which assets you own that are also using the Orion platform, if there are other vulnerabilities or exposures on those assets, and where those assets are located. This information helps cyber teams pinpoint their activities – so they can spend more time containing and mitigating the issue versus hunting in the dark.
This outside-in view of your infrastructure and the overlay of threat intelligence (such as known vulnerabilities, risky services, or open ports) can be extremely helpful in optimizing threat hunting missions. This allows your teams to reduce breaches and exposure to external threats, improve the speed and accuracy of your incident response, and reduce the time to contain a breach.
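The overlay described above, as an added example that is not LookingGlass code: published IOCs (domains and IP ranges) are matched against DNS/flow log lines, and each hit is scored with what the external asset map knows about the asset (whether it runs Orion, its known vulnerabilities, risky open ports) so hunters start with the highest-priority hosts. Every IOC, asset, port list and log line here is a constructed placeholder, not a real indicator from the advisory.

```python
"""Overlay IOCs on an asset inventory and constructed logs to rank hunt targets."""
import ipaddress
from dataclasses import dataclass, field

# Constructed IOCs in the shape of a vendor/CISA advisory (placeholders, not real indicators)
IOC_DOMAINS = {"c2-placeholder.example", "update-placeholder.example"}
IOC_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
RISKY_PORTS = {3389, 445}   # constructed "risky services" list for the exposure overlay

@dataclass
class Asset:
    host: str
    ip: str
    runs_orion: bool                  # asset is known to run the affected Orion platform
    open_ports: set = field(default_factory=set)
    known_vulns: int = 0              # count of known vulnerabilities seen by external scan

# Constructed external attack surface inventory
ASSETS = [
    Asset("orion01.corp.example", "192.0.2.10", True, {443, 3389}, 2),
    Asset("web01.corp.example", "192.0.2.20", False, {80, 443}, 0),
    Asset("db01.corp.example", "192.0.2.30", True, {1433}, 5),
]

# Constructed log lines: "<src_ip> <dst_ip_or_domain>" as exported from DNS/flow sensors
LOGS = [
    "192.0.2.10 update-placeholder.example",
    "192.0.2.20 www.example.org",
    "192.0.2.30 198.51.100.44",
    "192.0.2.10 203.0.113.7",
]

def is_ioc(dst: str) -> bool:
    """True when dst is a listed domain or an address inside a listed network."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:                # not an IP literal, so treat it as a domain name
        return dst.lower() in IOC_DOMAINS
    return any(addr in net for net in IOC_NETS)

def hunt(logs, assets):
    """Return (host, ioc_hits, score) tuples, highest priority first.
    score = IOC hits + 3 if Orion is present + known vulns + 1 if a risky port is open."""
    by_ip = {a.ip: a for a in assets}
    hits = {}
    for line in logs:
        src, dst = line.split()
        if src in by_ip and is_ioc(dst):
            hits[src] = hits.get(src, 0) + 1
    ranked = []
    for ip, n in hits.items():
        a = by_ip[ip]
        score = n + (3 if a.runs_orion else 0) + a.known_vulns + (1 if a.open_ports & RISKY_PORTS else 0)
        ranked.append((a.host, n, score))
    return sorted(ranked, key=lambda t: t[2], reverse=True)
```

Note that db01 outranks orion01 despite fewer IOC hits: the exposure overlay, not the raw hit count, decides where the hunt starts.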
Find out about other facets of threat hunting that could be beneficial to your cybersecurity goals in this 2021 Threat Hunting Report.