What Threat Hunting Techniques Should You Be Using?


Tech Insights for ProfessionalsThe latest thought leadership for IT pros

Tuesday, November 1, 2022

Threat hunting has a key role in keeping your business safe from threats - but are you using the right techniques to do this?

Article 4 Minutes
What Threat Hunting Techniques Should You Be Using?
  • Home
  • IT
  • Security
  • What Threat Hunting Techniques Should You Be Using?

Threat hunting should be a key part of your cyber security strategy. This involves proactively searching for problems within your network that may have slipped past your perimeter defenses, as opposed to reactive investigations, which are only launched after an issue has been raised.

However, doing this can be tricky. Threat hunting is a specialized discipline within cyber security, so you'll need both the right skills and the right resources to make this work. So what should businesses know in order to increase their chances of success?

The need for active threat hunting

Some of the biggest cyber security breaches occur when hackers are able to slip stealthily onto a firm's network and remain there for weeks or even months evading detection. This enables them to quietly gather and exfiltrate valuable data and move laterally within the system looking for access to more systems.

According to IBM's Cost of a Data Breach report for 2022, the average time to identify and contain a breach in the last 12 months was 277 days. However, the study also noted that firms that took less than 200 days to contain an incident saw savings of more than 26% compared with those over 200 days. In today's environment, that equates to savings of over $1.1 million.

Therefore, the ability to proactively seek out threats that would otherwise remain undetected is an invaluable part of any firm's strategy. But how should you go about this?

Key types of threat hunting methodology

When it comes to implementing threat hunting strategies, there are a few different principles you can turn to. However, they all have a few things in common, such as a general three-step process for the activity.

This begins with a trigger phase, followed by an investigation, and finally a resolution. However, it's what happens within these phases where differences can arise depending on the methodology. Here are some of the most common structures for proactive threat hunting.

  • Intelligence-based hunting

This is the most reactive form of hunting, as it responds to intelligence from outside sources about potential threats. These may come in the form of indicators of compromise (IoCs), IP addresses, hash values or domain names and can be integrated into security information and event management (SIEM) tools to raise alerts and investigate unusual activity.

  • Hypotheses-based hunting

A more forward-looking way of approaching threat hunting, hypotheses-based approaches typically use crowdsourced data such as threat libraries to uncover new tactics, techniques and procedures (TTPs) used by attackers. Once these have been identified, threat hunters will examine their own environment to see if they can spot similar behavior within their systems.

  • Indicators of attack

This type of methodology uses threat intelligence to catalog known IoCs or indicators of attack (IoAs) that can be used as the basis for hunting activities. This requires good situational awareness of both your own network and the wider industry and may use advanced analytics and machine learning techniques to match behavior to potential threats.

Essential techniques that need to be in your armory

Whatever methodology you're using to identify potential threats, you'll need to use the right techniques to examine your network activity and hone in on your own suspicious behavior. To do these, there are a few common types of analysis you should employ.

Volumetric and frequency analysis

Volumetric and frequency analysis are related but distinct techniques that look closely at datasets and endpoints to identify anomalies in how data is being handled.

Volumetric analysis considers the volume of transactions, such as how much data is being sent out of a network, abnormal session lengths and which systems have the most antivirus alerts. Frequency analysis, meanwhile, looks at how often certain occurrences take place. Working together, they can provide a detailed picture of what normal and abnormal network traffic looks like.

Historical data analysis

This technique compares live data with historical records to establish the path of a threat and what the impact will be. This can be tricky as it requires businesses to maintain a comprehensive repository of data in a format that can be easily accessed and compared with what's currently happening - cold long-term storage records won't be enough.

Clustering analysis

Clustering analysis is a method of statistical analysis that groups data around a particular set of characteristics in aggregate. This technique can help identify potential issues such as behavioral outliers that may require further investigation - for instance, an uncommon number of occurrences of a common action.

It's related to grouping analysis, which is similar, but focuses on a smaller number of narrowly-specified characteristics, such as outbound network sources.

Stack counting

Stack counting bears some similarities to clustering in that it is looking for outliers in given sets of data. In this case, it involves counting the number of occurrences of specific values and analyzing the extremes. Being able to identify and study these statistical outliers in more detail is a relatively straightforward method of threat hunting and works best with data sets that provide a finite number of results, such as port numbers, specific file names and their locations and installed programs across an organization.

Tech Insights for Professionals

The latest thought leadership for IT pros

Insights for Professionals provide free access to the latest thought leadership from global brands. We deliver subscriber value by creating and gathering specialist content for senior professionals.


Join the conversation...