Cyber threat hunting: a proactive cyber defence approach
What is proactive threat hunting?
Reactive threat hunts focus on known threats, with hunts typically triggered by a security incident or a set of high-risk alerts. In contrast, proactive threat hunting is a cyclical, hypothesis-driven process that assumes an undiscovered breach of an unknown type has already occurred. It is not undertaken in response to a precipitating incident or a roadmap item, and no high-fidelity detection rules have been triggered.
Key tools for cyber threat hunting
Threat hunters utilise a variety of data sources, tools and techniques to uncover threats, including:
Security data and telemetry – Security Information and Event Management (SIEM) platforms help hunters shortcut data navigation and forensic analysis by collecting and correlating data from endpoint protection platforms, endpoint detection and response platforms, cloud security platforms, intrusion detection and prevention systems (IDS/IPS) and network monitoring tools.
Digital risk monitoring (DRM) – DRM tools crawl the dark web, social media and other digital channels to give hunters an external view of the organisation’s current threat exposure.
Security analytics – These platforms utilise artificial intelligence (AI), machine learning (ML) and behavioural analysis of network data to flag anomalous and potentially malicious activity. Hunters can leverage these detections for clues to an ongoing breach.
Threat models – Mature organisations document detailed cyber risk scenarios and countermeasures to protect their most critical data and business systems. Hunters can draw on these to target and prioritise investigations.
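The following is an added example, not code from the article, showing what the hypothesis-driven process described above looks like when run over the kind of correlated telemetry a SIEM collects. The hypothesis is the one the article assumes: a breach has already happened, so a compromised account should be reaching more distinct hosts than its own baseline, and unusual parent/child process pairs should appear on those hosts. All event lines, hostnames, usernames and the hunt window are constructed for the example; the function names are the example's own.

```python
"""
Hypothesis-driven hunt over constructed SIEM-style telemetry (example code,
not from the article). Two leads are computed and then correlated:
  1. accounts authenticating to more distinct hosts than their baseline, and
  2. parent/child process pairs that are rare across the whole estate.
"""
import json
from collections import Counter, defaultdict

# Constructed telemetry, one JSON event per line. Events before HUNT_START form
# the baseline window; events from HUNT_START onward are the hunt window.
HUNT_START = "2024-05-03T00:00:00Z"
SAMPLE_TELEMETRY = """
{"ts": "2024-05-01T08:00:00Z", "type": "auth", "user": "alice", "host": "ws-01"}
{"ts": "2024-05-02T08:05:00Z", "type": "auth", "user": "alice", "host": "ws-01"}
{"ts": "2024-05-01T08:10:00Z", "type": "auth", "user": "bob", "host": "ws-02"}
{"ts": "2024-05-02T08:12:00Z", "type": "auth", "user": "bob", "host": "ws-02"}
{"ts": "2024-05-01T01:00:00Z", "type": "auth", "user": "svc-backup", "host": "srv-01"}
{"ts": "2024-05-01T01:05:00Z", "type": "auth", "user": "svc-backup", "host": "srv-02"}
{"ts": "2024-05-01T08:01:00Z", "type": "process", "user": "alice", "host": "ws-01", "parent": "explorer.exe", "image": "outlook.exe"}
{"ts": "2024-05-01T08:11:00Z", "type": "process", "user": "bob", "host": "ws-02", "parent": "explorer.exe", "image": "outlook.exe"}
{"ts": "2024-05-02T09:00:00Z", "type": "process", "user": "bob", "host": "ws-02", "parent": "explorer.exe", "image": "mmc.exe"}
{"ts": "2024-05-01T01:01:00Z", "type": "process", "user": "svc-backup", "host": "srv-01", "parent": "services.exe", "image": "backup.exe"}
{"ts": "2024-05-03T08:00:00Z", "type": "auth", "user": "alice", "host": "ws-01"}
{"ts": "2024-05-03T10:00:00Z", "type": "auth", "user": "alice", "host": "ws-05"}
{"ts": "2024-05-03T10:20:00Z", "type": "auth", "user": "alice", "host": "srv-03"}
{"ts": "2024-05-03T10:40:00Z", "type": "auth", "user": "alice", "host": "srv-04"}
{"ts": "2024-05-03T08:10:00Z", "type": "auth", "user": "bob", "host": "ws-02"}
{"ts": "2024-05-03T11:00:00Z", "type": "auth", "user": "bob", "host": "ws-03"}
{"ts": "2024-05-03T01:00:00Z", "type": "auth", "user": "svc-backup", "host": "srv-01"}
{"ts": "2024-05-03T01:05:00Z", "type": "auth", "user": "svc-backup", "host": "srv-02"}
{"ts": "2024-05-03T01:10:00Z", "type": "auth", "user": "svc-backup", "host": "srv-05"}
{"ts": "2024-05-03T08:01:00Z", "type": "process", "user": "alice", "host": "ws-01", "parent": "explorer.exe", "image": "outlook.exe"}
{"ts": "2024-05-03T10:05:00Z", "type": "process", "user": "alice", "host": "ws-05", "parent": "winword.exe", "image": "cmd.exe"}
{"ts": "2024-05-03T01:11:00Z", "type": "process", "user": "svc-backup", "host": "srv-05", "parent": "services.exe", "image": "backup.exe"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def distinct_hosts_per_user(auth_events):
    """Count the distinct hosts each user authenticated to."""
    hosts = defaultdict(set)
    for e in auth_events:
        hosts[e["user"]].add(e["host"])
    return {user: len(h) for user, h in hosts.items()}


def hunt_lateral_movement(events, hunt_start, slack=1):
    """Lead 1: users who reached more distinct hosts in the hunt window than in
    their baseline window plus `slack`. ISO-8601 timestamps compare as strings."""
    auth = [e for e in events if e["type"] == "auth"]
    base = distinct_hosts_per_user([e for e in auth if e["ts"] < hunt_start])
    hunt = distinct_hosts_per_user([e for e in auth if e["ts"] >= hunt_start])
    return sorted(u for u, n in hunt.items() if n > base.get(u, 0) + slack)


def rare_process_lineage(events, max_seen=1):
    """Lead 2: (parent, child) process pairs seen at most `max_seen` times estate-wide."""
    pairs = Counter((e["parent"], e["image"]) for e in events if e["type"] == "process")
    return sorted(p for p, n in pairs.items() if n <= max_seen)


def correlate(events, hunt_start):
    """Join the leads: rare process activity, in the hunt window, by a user whose
    host spread is anomalous. Each finding is a pointer for an analyst, not a verdict."""
    suspect_users = set(hunt_lateral_movement(events, hunt_start))
    rare = set(rare_process_lineage(events))
    return [
        {"user": e["user"], "host": e["host"], "parent": e["parent"], "image": e["image"]}
        for e in events
        if e["type"] == "process" and e["ts"] >= hunt_start
        and e["user"] in suspect_users and (e["parent"], e["image"]) in rare
    ]


EVENTS = parse_events(SAMPLE_TELEMETRY)

if __name__ == "__main__":
    for finding in correlate(EVENTS, HUNT_START):
        print(finding)
```

The two leads are deliberately weak on their own: a rare process pair is common noise, and an account touching an extra host or two is routine. The hunt's value comes from the correlation step and from the baseline being drawn from the organisation's own telemetry, which is why a real hunt re-runs this cycle with a refined hypothesis rather than treating one finding as proof.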