Key types of threat hunting methodology
When it comes to implementing threat hunting strategies, there are several methodologies you can follow. They all have a few things in common, however, such as a general three-step process for the activity.
This begins with a trigger phase, followed by an investigation, and finally a resolution. The differences between methodologies lie in what happens within each of these phases. Here are some of the most common structures for proactive threat hunting.
Intelligence-based hunting
This is the most reactive form of hunting, as it responds to intelligence from outside sources about potential threats. That intelligence may come in the form of indicators of compromise (IoCs) such as IP addresses, hash values or domain names, and can be fed into security information and event management (SIEM) tools to raise alerts and investigate unusual activity.
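The matching step that intelligence-based hunting relies on, shown as an added example (not code from the original article): an IoC feed is normalized into lookup structures and a batch of log events is checked against it. The feed, the event records and their field names are all constructed for the illustration; IP ranges come from the documentation address space and the hash is a placeholder, not a real indicator.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed IoC feed: documentation/test ranges and a placeholder hash, not real indicators.
IOC_FEED = [
    {"type": "ip", "value": "198.51.100.0/24"},
    {"type": "ip", "value": "203.0.113.7"},
    {"type": "domain", "value": "Update-Check.Example.NET"},
    {"type": "sha256", "value": "AA" * 32},
]


@dataclass
class IocIndex:
    """Normalized lookup structures built from the feed."""
    networks: list = field(default_factory=list)   # ip_network objects (single IPs become /32)
    domains: set = field(default_factory=set)      # lower-cased, no trailing dot
    hashes: set = field(default_factory=set)       # lower-cased hex


def build_index(feed):
    idx = IocIndex()
    for ioc in feed:
        kind, value = ioc["type"], ioc["value"].strip()
        if kind == "ip":
            idx.networks.append(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            idx.domains.add(value.lower().rstrip("."))
        elif kind in ("md5", "sha1", "sha256"):
            idx.hashes.add(value.lower())
    return idx


def ip_matches(idx, text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False            # malformed field in the log: skip it, do not crash the hunt
    return any(addr in net for net in idx.networks)


def domain_matches(idx, name):
    # A hit on "example.net" should also fire on "cdn.example.net".
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in idx.domains for i in range(len(labels)))


def match_event(idx, event):
    hits = []
    if ip_matches(idx, event.get("dst_ip", "")):
        hits.append(("ip", event["dst_ip"]))
    if "domain" in event and domain_matches(idx, event["domain"]):
        hits.append(("domain", event["domain"]))
    if event.get("sha256", "").lower() in idx.hashes:
        hits.append(("sha256", event["sha256"]))
    return hits


# Constructed events standing in for SIEM-normalized log records.
EVENTS = [
    {"id": 1, "dst_ip": "198.51.100.42"},
    {"id": 2, "domain": "cdn.update-check.example.net."},
    {"id": 3, "sha256": "aa" * 32},
    {"id": 4, "dst_ip": "192.0.2.10", "domain": "example.org"},
    {"id": 5, "dst_ip": "not-an-ip"},
]


def hunt(feed=IOC_FEED, events=EVENTS):
    """Return (event id, hits) for every event that touches an indicator."""
    idx = build_index(feed)
    results = []
    for event in events:
        hits = match_event(idx, event)
        if hits:
            results.append((event["id"], hits))
    return results


if __name__ == "__main__":
    for event_id, hits in hunt():
        print(event_id, hits)
```

The normalization is the part that matters in practice: feeds and logs disagree on hash case, trailing dots and subdomains, and a naive string comparison silently misses the first three events above.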
Hypothesis-based hunting
A more forward-looking approach, hypothesis-based hunting typically uses crowdsourced data such as threat libraries to uncover new tactics, techniques and procedures (TTPs) used by attackers. Once these have been identified, threat hunters examine their own environment to see whether they can spot similar behavior within their systems.
Indicators of attack
This type of methodology uses threat intelligence to catalog known IoCs or indicators of attack (IoAs) that can be used as the basis for hunting activities. This requires good situational awareness of both your own network and the wider industry and may use advanced analytics and machine learning techniques to match behavior to potential threats.
Essential techniques that need to be in your armory
Whatever methodology you use to identify potential threats, you'll need the right techniques to examine your network activity and home in on suspicious behavior within your own environment. To do this, there are a few common types of analysis you should employ.
Volumetric and frequency analysis
Volumetric and frequency analysis are related but distinct techniques that look closely at datasets and endpoints to identify anomalies in how data is being handled.
Volumetric analysis considers the volume of transactions, such as how much data is being sent out of a network, abnormal session lengths and which systems have the most antivirus alerts. Frequency analysis, meanwhile, looks at how often certain occurrences take place. Working together, they can provide a detailed picture of what normal and abnormal network traffic looks like.
Historical data analysis
This technique compares live data with historical records to establish the path a threat has taken and what its impact will be. This can be tricky, as it requires businesses to maintain a comprehensive repository of historical data in a format that can be easily accessed and compared with what's currently happening: cold, long-term storage records won't be enough.
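Volumetric and frequency analysis and historical comparison are usually done together: a baseline is built from historical per-host summaries and today's figures are measured against it. The following is an added example covering both of the sections above; it is not code from the original article. The per-host daily summaries (bytes sent out, session count) are constructed, the host names are placeholders, and the median/MAD "robust z-score" is one reasonable choice of outlier measure rather than anything the article prescribes.

```python
from collections import defaultdict
from statistics import median

METRICS = ("bytes_out", "sessions")   # volume and frequency, per host per day


def constructed_history(days=7):
    """Per-host daily summaries for a historical window (constructed, deterministic)."""
    rows = []
    for day in range(1, days + 1):
        jitter = (day % 3) - 1      # -1, 0 or +1: a little day-to-day variation
        rows += [
            {"host": "ws01", "day": day, "bytes_out": 50_000_000 + jitter * 2_000_000, "sessions": 200 + jitter * 10},
            {"host": "ws02", "day": day, "bytes_out": 30_000_000 + jitter * 1_000_000, "sessions": 150 + jitter * 5},
            {"host": "ws03", "day": day, "bytes_out": 80_000_000 + jitter * 5_000_000, "sessions": 400 + jitter * 20},
        ]
    return rows


# Today's summaries (constructed). ws01 sends far more data than usual, ws02 opens far
# more sessions than usual, ws03 is normal, ws99 has never been seen before.
LIVE = [
    {"host": "ws01", "day": 8, "bytes_out": 600_000_000, "sessions": 210},
    {"host": "ws02", "day": 8, "bytes_out": 31_000_000, "sessions": 2_000},
    {"host": "ws03", "day": 8, "bytes_out": 82_000_000, "sessions": 410},
    {"host": "ws99", "day": 8, "bytes_out": 1_000_000, "sessions": 12},
]


def baseline(history):
    """Per host and metric: (median, median absolute deviation) over the history."""
    series = defaultdict(lambda: defaultdict(list))
    for row in history:
        for metric in METRICS:
            series[row["host"]][metric].append(row[metric])
    base = {}
    for host, per_metric in series.items():
        base[host] = {}
        for metric, values in per_metric.items():
            med = median(values)
            mad = median(abs(v - med) for v in values)
            base[host][metric] = (med, mad)
    return base


def robust_z(value, med, mad):
    """Distance from the baseline in MAD units (1.4826 scales MAD to a std-dev equivalent)."""
    scale = 1.4826 * mad
    if scale == 0:
        scale = max(abs(med) * 0.1, 1.0)   # flat baseline: allow 10% wiggle before alerting
    return (value - med) / scale


def hunt(history, live, threshold=5.0):
    """Flag (host, metric, z) where today's value is far above its own history."""
    base = baseline(history)
    findings = []
    for row in live:
        host = row["host"]
        if host not in base:
            findings.append((host, "no_baseline", None))
            continue
        for metric in METRICS:
            med, mad = base[host][metric]
            z = robust_z(row[metric], med, mad)
            if z > threshold:
                findings.append((host, metric, round(z, 1)))
    return findings


if __name__ == "__main__":
    for finding in hunt(constructed_history(), LIVE):
        print(finding)
```

Median and MAD are used rather than mean and standard deviation because a single huge day in the history would otherwise inflate the baseline and hide the next one. The "no_baseline" finding is the historical-data point from the text in practice: a host you cannot compare against is itself worth a look, and a baseline you cannot query quickly is no baseline at all.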
Clustering and grouping analysis
Clustering analysis is a method of statistical analysis that groups data around a particular set of characteristics in aggregate. This technique can help identify potential issues such as behavioral outliers that may require further investigation - for instance, an uncommon number of occurrences of a common action.
It's related to grouping analysis, which is similar but focuses on a smaller number of narrowly specified characteristics, such as outbound network sources.
Stack counting
Stack counting bears some similarities to clustering in that it looks for outliers in given sets of data. In this case, it involves counting the number of occurrences of specific values and analyzing the extremes. Being able to identify and study these statistical outliers in more detail is a relatively straightforward method of threat hunting and works best with data sets that provide a finite number of results, such as port numbers, specific file names and their locations, and installed programs across an organization.
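Stack counting over two of the data sets the text names, as an added example that is not code from the original article. The inventory records (installed program paths and listening ports per workstation) are constructed, the host names are placeholders, and counting distinct hosts per value rather than raw rows is a design choice made here so that duplicate or case-variant entries from one host do not skew the stack.

```python
from collections import Counter, defaultdict


def normalize_path(path):
    """Windows paths are case-insensitive, so collapse case before counting."""
    return path.strip().lower()


def stack_count(records, field, normalize=lambda v: v, entity="host"):
    """Count on how many distinct entities (hosts by default) each value of `field` occurs."""
    seen = defaultdict(set)
    for record in records:
        seen[normalize(record[field])].add(record[entity])
    return Counter({value: len(entities) for value, entities in seen.items()})


def extremes(counts, n=3):
    """Both ends of the stack: the most widespread values and the rarest."""
    ordered = counts.most_common()
    return {"most_common": ordered[:n], "least_common": list(reversed(ordered[-n:]))}


def rare_values(counts, max_count=1):
    """Values present on at most `max_count` entities: the usual starting point for a hunt."""
    return sorted(value for value, count in counts.items() if count <= max_count)


# Constructed inventory: 20 workstations, two programs common to all of them, plus a
# binary with a familiar name in an unusual location on one host and a case-variant
# spelling of a common path on another (which normalization folds into the common entry).
HOSTS = [f"ws{n:02d}" for n in range(1, 21)]
PROGRAMS = [{"host": h, "path": p} for h in HOSTS
            for p in (r"C:\Windows\System32\svchost.exe", r"C:\Program Files\Vendor\agent.exe")]
PROGRAMS.append({"host": "ws07", "path": r"C:\Users\Public\svchost.exe"})
PROGRAMS.append({"host": "ws13", "path": r"c:\windows\system32\SVCHOST.EXE"})

# Constructed listening-port inventory: every host has 445 and 3389, one also has 8443.
PORTS = [{"host": h, "port": p} for h in HOSTS for p in (445, 3389)]
PORTS.append({"host": "ws04", "port": 8443})


if __name__ == "__main__":
    program_stack = stack_count(PROGRAMS, "path", normalize_path)
    print(extremes(program_stack))
    print("rare programs:", rare_values(program_stack))
    print("rare ports:", rare_values(stack_count(PORTS, "port")))
```

The rare end of the stack is where the hunt starts: a program path seen on one host out of twenty, or a port open on one workstation and nowhere else, is exactly the kind of finite-set outlier the text describes, and the normalization step is what keeps a benign case difference from masquerading as one.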