Threat hunting: Automation & being proactive – Part 2
In our last post in this series, we introduced the concepts of threat hunting. In this blog, we continue with this theme, but we introduce how your organization can be proactive.
Proactive threat hunting differs from one organization to another. What specifically needs to be tracked down and mitigated depends largely on each organization's security environment and its particular requirements. In general terms, there are four major categories of proactive threat hunting:
1. The Hypothesis Driven Investigation:
This applies when a brand-new threat vector appears to be imminent, based on a significant amount of data collected from the various intelligence feeds. Using this data, the threat hunting team probes deeper into the network logs and attempts to find any hidden anomalies or trends that could foretell a cyber-attack.
2. The Indicators of Compromise (IOC) Investigation:
This is when the threat hunting team does a “deep dive investigation” into the IT infrastructure to determine where the malicious activity is specifically taking place, based on the alerts and warnings it has received.
3. The Analytics Driven Investigation:
The threat hunting team conducts targeted exercises based on the information and data collected from Machine Learning (ML) and Artificial Intelligence (AI) tools.
4. The TTP Investigation:
TTP stands for Tactics, Techniques, and Procedures. This kind of threat hunting reveals the mannerisms of a cyber-attacker. It is important to keep in mind that a cyber-attacker will typically not use the same toolset when launching another attack, but will reuse the same operational techniques. This is a hierarchical threat hunting technique, and it is illustrated in the diagram below:
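To make the difference between the IOC investigation (category 2) and the TTP investigation (category 4) concrete, here is an added example that is not part of the original post. It runs two hunts over a handful of constructed process-creation events: one matches a placeholder list of known-bad file hashes, the other matches a behavioural rule (an Office application launching a command interpreter). The event shape, host names, hashes and command lines are all assumptions made up for the illustration, not indicators from any real feed.

```python
# Added example, not code from the original post. It contrasts an IOC-driven
# hunt (category 2) with a TTP-driven hunt (category 4) over constructed
# process-creation telemetry. All hosts, hashes and command lines below are
# made up for illustration.
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, roughly the shape an EDR or Sysmon feed provides."""
    host: str
    parent_image: str
    image: str
    command_line: str
    sha256: str


# Constructed telemetry. ws-02 runs a binary whose hash is on the IOC list;
# ws-03 shows the same behaviour (Office app launching a shell) with a
# different binary whose hash is not known to any feed.
EVENTS = [
    ProcessEvent("ws-01", "explorer.exe", "chrome.exe", "chrome.exe", "a" * 64),
    ProcessEvent("ws-02", "winword.exe", "powershell.exe",
                 "powershell.exe -NoProfile -w hidden", "b" * 64),
    ProcessEvent("ws-03", "winword.exe", "cmd.exe", "cmd.exe /c start", "c" * 64),
    ProcessEvent("srv-01", "services.exe", "svchost.exe", "svchost.exe -k netsvcs", "d" * 64),
]

# Placeholder IOC list: in practice this comes from your intelligence feeds.
KNOWN_BAD_HASHES = {"b" * 64}


def ioc_hunt(events: Iterable[ProcessEvent], known_hashes: set[str]) -> list[str]:
    """Category 2: locate hosts where a known-bad indicator is present."""
    return sorted({e.host for e in events if e.sha256 in known_hashes})


@dataclass(frozen=True)
class TtpRule:
    """A behavioural rule: a name plus a predicate over a single event."""
    name: str
    matches: Callable[[ProcessEvent], bool]


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Technique-level rule: an Office application spawning a command interpreter.
# The rule keys on the parent/child relationship, not on any particular tool.
OFFICE_SPAWNS_INTERPRETER = TtpRule(
    "office app spawns interpreter",
    lambda e: e.parent_image.lower() in OFFICE_APPS and e.image.lower() in INTERPRETERS,
)


def ttp_hunt(events: Iterable[ProcessEvent], rule: TtpRule) -> list[str]:
    """Category 4: locate hosts showing the technique, whatever tool was used."""
    return sorted({e.host for e in events if rule.matches(e)})


def hunt_report(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Run both hunts and show what the behavioural hunt adds over the IOC hunt."""
    ioc_hits = ioc_hunt(events, KNOWN_BAD_HASHES)
    ttp_hits = ttp_hunt(events, OFFICE_SPAWNS_INTERPRETER)
    return {
        "ioc_hits": ioc_hits,
        "ttp_hits": ttp_hits,
        # Hosts only the TTP hunt found: the attacker changed tools, not technique.
        "ttp_only": sorted(set(ttp_hits) - set(ioc_hits)),
    }


if __name__ == "__main__":
    for key, hosts in hunt_report(EVENTS).items():
        print(f"{key}: {hosts}")
```

On this sample data the IOC hunt flags only ws-02, while the TTP rule flags both ws-02 and ws-03; ws-03 is the host the hash list would never have surfaced because the tool changed but the technique did not, which is exactly the point the TTP category makes.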
In our next post for this series, we examine how your company can actually engage in a proactive threat hunting exercise in order to find any malicious activity that could be transpiring.