What is Threat Hunting and how it can benefit your organisation?

Cybersécurité + Malware + CTI + Threat Sébastien Guisnet aujourd'hui07/08/2020 255 4 5

Background
share fermer

What is threat hunting and why we need it now ?

Threat hunting designates all the activities conducted by a threat hunter or a cyberthreat analyst in order to find hidden persistent threats inside an organization’s infrastructure. Abnormal events such as a connection to an unknown server, access to a sensitive process memory or a DLL injection are some examples of what a threat for which a hunter is looking.  

All threat hunting activities are conducted following a simple hypothesis that assumes that the organization has already been breached. Breaching an organization is just the first step of a cyberattack and all the steps from recon to exfiltration are called the killchain. The average execution of all steps of a kill chain is 200 days. So the threat hunter job is to break the killchain by identifying weak signals or artifacts emitted by a hidden threat.

An increasing number of organizations are making the switch from traditional anti-virus to endpoint detection and response products like Nucleon Smart Endpoint. This shift is the major reason why we need threat hunters today. After switching from a traditional antivirus to an EDR, an organization has to be sure that there is no dormant threat that exists in the infrastructure.

Who can hunt ?

Having penetrating testing or red teaming experience will help the security expert for this job. The threat hunting activities require indeed a high level of technical expertise especially on the system and the network security level.

Large organizations can structure an in-house team of hunters. This team has to work closely with the internal or external SOC (Security Operation Center) and aggregate events from various on-premise and cloud sources in order to have a precise look on what is going inside the organization.

How can you hunt threats using Nucleon Smart Endpoint EDR ?

Most EDRs give threat hunters the tools needed to conduct their excavation. However, the most important feature an EDR could give to threat hunters is high granularity events. Nucleon Smart Endpoint collect all important event needed by a threat hunter from files editing to process memory access events.

After finding some interesting leads using the stored events, a threat hunter could need to retrieve the current state of file, a disk or even a process. This feature is quite easy on Nucleon Smart Endpoint and can be conducted on multiple endpoints simultaneously.

The 3 main hunting phases followed by Nucleon Security threat hunters

Proactive actions

Following an intrusion, an attack goes through several phases which constitute the “kill chain” and the execution of the latter from end to end lasts an average of 6 months. By assuming that our client has suffered an intrusion while using their old antivirus or other protection mechanism, the proactive actions of the Nucleon Threat Hunting service make it possible to identify the blind spots generated by each phase of the “kill chain” by comparing them to known TTPs. This breaks the “kill chain” of the attack.

Monitoring actions against new threats

Using the flows of threats identified at our customers as well as private and public flows, the Nucleon Security engineer will systematically test all newly identified TTPs and IOCs. If an attack is possible in the context of the customer, the information is used to modify the zero-trust rules on agents installed at the customer’s premises. Particular attention is paid to TTPs and IOCs specifically targeting our client’s industry.

Internal software analysis actions

Historical or newly used software by the customer can be susceptible open doors to attacks. Thanks to the exhaustive list of software reported by our Nucleon Smart Endpoint agent, the engineer will perform manual and in-depth analyzes (network communications, system communications, data access, etc.) of the programs used in order to identify potential threats.

Written by: Sébastien Guisnet

Rate it

Previous post

Similar posts


Gagnez du terrain sur la menace


Essayez gratuitement

Background