With cyberattacks increasing, organizations must continue to invest in protecting against threats. Cybercriminals have become more intelligent and focused, leaving companies blindsided. As a leading cybersecurity company, Cisco has integrated threat hunting into its offering, which can help to disrupt attacks before they materialize. By engaging Cisco to employ threat hunting, companies can proactively pursue, discover, and stop cyberthreats in their tracks.
Traditional cybersecurity tactics are reactive, waiting for malicious activity to begin.
While Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) are more effective than no cybersecurity at all, once cyberattacks are detected, it can be too late to stop them. That’s why solely relying on protective measures to thwart attacks is no longer a sustainable strategy.
Threat hunting changes the way companies protect themselves by pursuing cybercriminals before they can create harm.
Threat hunters formulate hypotheses from a variety of input variables and apply them to a repeatable process utilizing previously catalogued information to find signs of compromise that have evaded detection.
Developed to enhance, not replace, legacy cybersecurity tactics, threat hunting augments the security measures already in place.
Traditional Cybersecurity vs. Threat Hunting
Legacy security tools fail to stop advanced threats
Sophisticated attackers make detection extremely difficult
Even artificial intelligence and machine learning techniques may fall short in stopping all attacks
Threat hunting analysts use a hypothesis driven methodology.
First, they identify techniques that may come from MITRE, incident response observations, or research. Next, they formulate a plan and scope. Analysts then execute the action plan and obtain data. With that data, they perform automated analysis and analytics. Finally, they adjust or accept the hypothesis, and repeat the process.
Unusual behavior or malicious activity is reported to an internal security team, so they can take measures to stop it.
Advanced analytics and machine learning investigations:
Combining powerful data analysis and machine learning to sift through a massive amount of information, threat hunters can detect irregularities pointing toward possible attacks.
Investigation based on known IOCs or IOAs:
Leveraging tactical threat intelligence to catalog known Indicators of Compromise (IOCs) and Indicators of Attack (IOAs) associated with new threats, threat hunters use these catalogs, such as MITRE ATT&CK™, to uncover malicious attacks or hidden activity.
Hypothesis-driven investigation:
Triggered by a new threat that’s been identified through a large pool of crowdsourced attack data, threat hunters will look to discover if the attacker’s specific behaviors are found in their own environment.
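The hypothesis loop described above (identify a technique, scope, collect data, analyze, accept or reject, repeat) and the three investigation types (IOC/IOA catalog matching, a simple analytic over volumes, and a technique-framed hypothesis) can be put together in a few dozen lines. The following is an added example written for this page; it is not Cisco's or MITRE's code. The telemetry, the IOC catalog values and the four hypotheses are constructed for illustration; the ATT&CK technique IDs referenced in the hypotheses (T1059.001, T1041, T1003.001) are real, but their pairing with these predicates is the editor's choice.

```python
# Added example: a minimal hypothesis-driven hunt loop over constructed telemetry.
# Not Cisco's or MITRE's code. Telemetry, IOC values and hypotheses are constructed.
from dataclasses import dataclass, field
from statistics import median
from typing import Callable

# Constructed endpoint telemetry: one dict per process/network event.
# A real hunt would pull this from EDR or proxy logs.
EVENTS = [
    {"host": "ws-01", "user": "alice", "image": "outlook.exe", "cmdline": "outlook.exe",
     "sha256": "aaaa0001", "dst": "mail.example.internal", "bytes_out": 12_000},
    {"host": "ws-01", "user": "alice", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "sha256": "aaaa0002", "dst": "203.0.113.10", "bytes_out": 900},
    {"host": "ws-02", "user": "bob", "image": "chrome.exe", "cmdline": "chrome.exe",
     "sha256": "aaaa0003", "dst": "www.example.com", "bytes_out": 40_000},
    {"host": "ws-03", "user": "carol", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs",
     "sha256": "deadbeef", "dst": "198.51.100.7", "bytes_out": 2_500_000},
    {"host": "ws-04", "user": "dave", "image": "excel.exe", "cmdline": "excel.exe",
     "sha256": "aaaa0004", "dst": "share.example.internal", "bytes_out": 15_000},
]

# Constructed IOC catalog (placeholder values, not real indicators). In practice this
# is populated from tactical threat intelligence and refreshed continually.
KNOWN_BAD_HASHES = {"deadbeef"}
KNOWN_BAD_DESTS = {"203.0.113.10", "198.51.100.7"}


@dataclass
class Hypothesis:
    """One hunt hypothesis: a name, the technique it is framed around, and a test."""
    name: str
    technique: str                              # ATT&CK ID or the intel source
    predicate: Callable[[dict, dict], bool]     # (event, context) -> supports hypothesis?
    findings: list = field(default_factory=list)

    def status(self) -> str:
        # Step 5 of the loop: accept if evidence was found, otherwise reject/adjust.
        return "accepted" if self.findings else "rejected"


def build_hypotheses() -> list:
    """Step 1-2: pick techniques (from intel, IR observations, research) and scope them."""
    return [
        # Investigation based on known IOCs: catalog lookup on hash or destination.
        Hypothesis("ioc_match", "tactical-intel",
                   lambda e, ctx: e["sha256"] in KNOWN_BAD_HASHES
                   or e["dst"] in KNOWN_BAD_DESTS),
        # Hypothesis-driven: encoded, hidden-window PowerShell (ATT&CK T1059.001).
        Hypothesis("encoded_powershell", "T1059.001",
                   lambda e, ctx: "powershell" in e["image"].lower()
                   and " -enc" in e["cmdline"].lower()),
        # Analytics-driven: outbound volume far above the fleet baseline (T1041).
        Hypothesis("outbound_outlier", "T1041",
                   lambda e, ctx: e["bytes_out"] > ctx["outlier_threshold"]),
        # A hypothesis the data will not support, to show the reject path (T1003.001).
        Hypothesis("lsass_dump", "T1003.001",
                   lambda e, ctx: "lsass" in e["cmdline"].lower()
                   or e["image"].lower() == "procdump.exe"),
    ]


def run_hunt(events: list, hypotheses=None) -> dict:
    """Steps 3-5: collect data, run the analytics, record findings per hypothesis."""
    hypotheses = hypotheses if hypotheses is not None else build_hypotheses()
    # Simple baseline: flag any event sending more than 10x the median outbound bytes.
    ctx = {"outlier_threshold": 10 * median(e["bytes_out"] for e in events)}
    for h in hypotheses:
        h.findings = [e for e in events if h.predicate(e, ctx)]
    return {h.name: h for h in hypotheses}


def hosts_to_escalate(results: dict) -> list:
    """Hosts with at least one finding, handed to the internal security team."""
    return sorted({e["host"] for h in results.values() for e in h.findings})


if __name__ == "__main__":
    results = run_hunt(EVENTS)
    for h in results.values():
        print(f"{h.name:20} {h.technique:15} {h.status():9} {len(h.findings)} event(s)")
    print("escalate:", hosts_to_escalate(results))
```

Rejected hypotheses are as useful as accepted ones: they document what was looked for and not found, which is the catalogued information the next iteration of the loop starts from. The 10x-median threshold is deliberately crude; a production analytic would baseline per host and per hour and use a proper distribution.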
Effective threat hunting doesn’t happen just once or in a vacuum.
It’s continual, proactive, and powered by strong intelligence built through analytic detection capabilities, which can be complex and time-consuming. That’s why MITRE has been gathering information since 2013, to provide threat hunters with actionable information for an organization’s cybersecurity program. MITRE developed ATT&CK™ (Adversarial Tactics, Techniques & Common Knowledge), an empirically-driven framework which facilitates gathering, interpreting and sharing information on cybercriminals.
ATT&CK provides clear, structured ways to understand how attackers work. By accessing this information on groups of adversaries, threat hunters can analyze intelligence to detect and mitigate attacks and create a threat-centric understanding of a company’s vulnerabilities to customize defenses.
Number of breaches based on the number of incidents detected: 54.2% / 28.3%
Attack surface exposure / hardened network and endpoints: 48.3% / 47.5%
Breakout time (initial compromise to lateral movement): 44.2% / 30.8%
Dwell time (infection to detection): 45.0% / 40.0%
Exfiltration detection (data detected leaving your organization): 31.7%
Frequency/number of malware infections: 45.8% / 37.5%
Resources (e.g., staff hours, expenses) spent on remediation: 49.2% / 25.8%
Time to containment (detect/prevent spread or lateral movement): 55.8% / 32.5%
Organizations struggle to source talented threat hunters. They are also constrained by limited capability and by legacy infrastructure and architecture.
Floods of alerts arrive daily, making investigations difficult to prioritize; this is compounded by the difficulty of identifying the source of each threat.
It is difficult to operationalize threat intelligence and many sources are often unreliable and out-of-date.
Organizations struggle with how to identify where attackers stage attacks and how domains, IPs, ASNs, and malware are connected.
When organizations begin a threat hunting practice, they typically start with only low-level IOC hunts and have to advance to higher levels, which takes time.