So what does threat hunting actually mean? How does it differ from penetration testing? And how does threat hunting strengthen your organization's security?
What Is Threat Hunting?
Threat hunting is the proactive search for signs of malicious or unwanted activity that existing controls have not flagged. It is the opposite of waiting for a security platform to raise an alert about signs of trouble.
Some people initially assume penetration (pen) tests and threat hunts are the same thing. A pen test, however, is an authorized, simulated attack: its goal is to find exploitable vulnerabilities before a real adversary does and to show the risk of leaving them unaddressed. A threat hunt starts from the assumption that an attacker may already be inside, and its goal is to find that activity and contain it before it progresses.
Threat hunts often surface vulnerabilities too, especially once practitioners learn how an intruder got in and which attack methods they used.
How much do threat hunters make for their efforts? The average base salary in the United States is more than $110,000 per year, indicating such services are in high demand.
How Do People Engage in Threat Hunting?
Threat hunters look for Indicators of Compromise (IoCs) and Indicators of Attack (IoAs). An IoC is forensic evidence that a compromise has already occurred, such as a known-malicious file hash, IP address or domain, or an unexpected registry key. An IoA describes suspicious behavior that points to an attack in progress, such as an office application spawning a shell or a valid credential being used from an unusual location, regardless of the specific tool involved.
A person practicing threat hunting assesses the environment using several possible methods. A data-driven approach starts from the data itself, for example proxy logs, and looks for anomalies such as unusually large outbound data transfers.
Intel-based threat hunting relies on open-source and commercial threat intelligence: feeds of known-bad indicators and reports describing active campaigns and their symptoms. The hunter then searches the environment for matches.
Threat hunters may also focus on an adversary's tactics, techniques, and procedures (TTPs). For example, what tools does an attacker use to gain access and move through the network? When and how do they deploy them? Catalogs such as MITRE ATT&CK organize known TTPs so that hunts can be written against them.
Behavior-based threat hunting is a newer technique but extremely useful for detecting possible insider threats. Hunters establish a baseline of expected behavior for users and systems, then search for deviations from it.
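The following is an added example (not code from the original article) that runs three of the hunting methods above over a handful of constructed proxy-log lines: an intel-based match against a small indicator list, a data-driven tally of bytes sent out per host, and a behavior-based comparison of that tally against a per-host baseline. The log format, the host and domain names, the `IOC_DOMAINS` feed and the `BASELINE_BYTES` table are all hypothetical and invented for illustration; a real hunt would read a proxy or EDR export and a genuine intelligence feed.

```python
"""Added example (not from the original article): a small hunt over constructed
proxy-log lines combining intel-based, data-driven and behavior-based methods.

Assumptions (hypothetical, for illustration only):
- Log line format: "<timestamp> <src_host> <dst_domain> <bytes_out>" (constructed).
- IOC_DOMAINS: a tiny intel feed of known-bad domains (invented names).
- BASELINE_BYTES: per-host typical daily egress that a previous hunt established.
"""
from collections import defaultdict

# Constructed sample proxy log: timestamp, source host, destination, bytes sent.
PROXY_LOG = """\
2024-05-01T09:12:01 ws-finance-07 sharepoint.example.com 18340
2024-05-01T09:15:44 ws-finance-07 cdn.example.net 5120
2024-05-01T23:41:09 ws-finance-07 files.transfer-drop.invalid 734003200
2024-05-01T10:02:13 ws-hr-02 mail.example.com 22000
2024-05-01T10:05:50 ws-hr-02 sharepoint.example.com 91000
2024-05-01T11:30:00 ws-dev-11 github.com 4194304
2024-05-01T12:00:00 ws-dev-11 beacon.c2-lookalike.invalid 3072
"""

# Hypothetical intel feed (intel-based hunting): domains reported as malicious.
IOC_DOMAINS = {"files.transfer-drop.invalid", "beacon.c2-lookalike.invalid"}

# Hypothetical baseline (behavior-based hunting): typical bytes per host per day.
BASELINE_BYTES = {"ws-finance-07": 40_000, "ws-hr-02": 120_000, "ws-dev-11": 6_000_000}


def parse_log(text):
    """Parse the constructed log lines into dicts; skip malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dst, nbytes = parts
        try:
            events.append({"ts": ts, "host": host, "dst": dst, "bytes": int(nbytes)})
        except ValueError:
            continue
    return events


def ioc_matches(events, iocs):
    """Intel-based hunt: events whose destination appears in the indicator feed."""
    return [e for e in events if e["dst"] in iocs]


def egress_per_host(events):
    """Data-driven hunt: total bytes sent out per host."""
    totals = defaultdict(int)
    for e in events:
        totals[e["host"]] += e["bytes"]
    return dict(totals)


def baseline_deviations(totals, baseline, factor=10):
    """Behavior-based hunt: hosts sending more than `factor` x their baseline.
    Hosts with no baseline at all are flagged too: an unknown asset deserves a look."""
    flagged = {}
    for host, total in totals.items():
        expected = baseline.get(host)
        if expected is None or total > factor * expected:
            flagged[host] = (total, expected)
    return flagged


def off_hours_events(events, start=7, end=19):
    """TTP-style check: activity outside working hours (timestamps assumed local)."""
    return [e for e in events if not (start <= int(e["ts"][11:13]) < end)]


def hunt(text, iocs=IOC_DOMAINS, baseline=BASELINE_BYTES):
    """Run all checks and return the hosts each one singles out."""
    events = parse_log(text)
    totals = egress_per_host(events)
    return {
        "ioc_hits": sorted({e["host"] for e in ioc_matches(events, iocs)}),
        "egress_outliers": baseline_deviations(totals, baseline),
        "off_hours_hosts": sorted({e["host"] for e in off_hours_events(events)}),
    }


if __name__ == "__main__":
    for check, result in hunt(PROXY_LOG).items():
        print(check, result)
```

On the constructed data, `ws-finance-07` is flagged by all three checks (an indicator match, roughly 700 MB against a 40 KB baseline, and a transfer at 23:41), which is the kind of convergence that turns a single noisy signal into a hunt lead. `ws-dev-11` is flagged only by the indicator match; its egress is normal for a developer workstation, which is exactly why a per-host baseline beats a single global threshold.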
The Importance of Relevant Information
Succeeding with these techniques requires a threat hunter to have extensive knowledge of expected activity on a network.
As today’s workforce becomes more distributed, the corporate firewall alone is no longer sufficient to safeguard a network. Organizations still need to verify that the people trying to access company resources are the authorized parties, which is why businesses authenticate workers with multiple factors. Those authentication records are themselves valuable hunting data: a valid credential used from an unfamiliar location or at an unusual time is exactly the kind of deviation a hunter looks for.
Threat-hunting teams need large quantities of log data collected over time, from many sources: endpoints, network devices, proxies, and authentication systems. Correlating those sources lets hunters proceed efficiently and spot signs of trouble. Endpoint data is generally the most valuable because it is closest to the unwanted event: process executions, command lines and file changes show what actually ran on a host, where a network log only shows that one machine talked to another.
Threat Hunting Strengthens Your Cybersecurity
Threat hunting is not something to do once and consider the job done. Continual iteration makes detection efforts more fruitful: a hunt that finds something can be turned into an automated detection rule, and a hunt that finds nothing still refines the picture of normal activity. Once threat hunters know what normal looks like, unusual events become more obvious.
The more knowledge gained about an IT environment and network, the stronger an entity will be against attempted cyberattacks.