The Threat Hunting Process

Submitted by shevorne.desil… on Thu, 12/28/2023 - 15:47

Various data sources in a cybersecurity environment provide critical information to help monitor and respond to security threats. The specific data collected from these sources can vary based on the make and model of the devices or software in use. However, collecting, analysing, and correlating data from these sources is crucial for identifying and responding to security incidents and threats in a timely manner.

This topic discusses in detail some of the key threat data sources and examples of the types of data collected. Understanding cybersecurity threat data sources is vital for fortifying digital defences. Cybersecurity threats encompass various attack types that pose unique challenges. The analysis and interpretation of this data require adopting a proactive approach with continuous monitoring and threat intelligence integration so that organisations can stay ahead of evolving threats.

In this topic, you will learn about:

  • threat hunting
  • understanding threat data
  • threat data sources
  • threat data recognition software.

Let us begin.

What is Threat Hunting?

The following video explains what is involved in threat hunting.

Threat-Hunting Life Cycle

The threat-hunting loop or cycle is a continuous process used by cybersecurity professionals to proactively search for and identify cyber threats within an organisation's network and systems. It involves a series of steps designed to detect, investigate, and mitigate potential threats.

The steps of the 'Threat Hunting Loop' are as follows:

threat hunting loop diagram
  • Create hypothesis – An educated guess is formed about some type of activity that might be going on in the IT environment. Appropriate attack models and the possible tactics a threat might use are also laid out in this step, based on a number of factors that may include friendly intelligence, threat intelligence and past experience.
  • Investigate via tools and techniques – In this step, a variety of methods are used to discover new malicious patterns in the data by reconstructing complex attack paths. Further examination and follow-up of the attack model or theory are performed using various systems and methods, which may include linked data search and visualisation.
  • Uncover new patterns and TTPs (i.e. tactics, techniques and procedures) – This step involves exposing the specific patterns or anomalies found during the investigation.
  • Inform and enrich analytics – In this step, new findings are recorded and leveraged as they are encountered on each hunt. Analytics can be automated based on successful hunts to improve existing detection mechanisms.

The threat-hunting loop is an ongoing and iterative process, and these steps can be repeated as needed to identify and address cyber threats effectively. It involves a combination of human expertise and automated tools to detect and respond to various types of threats in a timely manner.

The following video explains the stages of the threat-hunting life cycle.

Knowledge Check

Complete the following three (3) activities to check your ability to understand the key concepts discussed in this topic. You may repeat this activity as often as you like. Use the arrows to move between the different activities.


Understanding threat data involves identifying patterns or anomalies in network or system behaviour that may indicate potential security risks. This includes analysing logs, network traffic, and system alerts for unusual activities.

Indicators of compromise

Indicators of compromise (IoCs) are specific artifacts or characteristics associated with security incidents, such as malware signatures or abnormal user behaviour.

Security professionals use advanced tools and methodologies to correlate and analyse these IoCs, aiming to detect and mitigate potential threats. This process involves constant vigilance, threat intelligence integration, and rapid response to safeguard against cyber threats and breaches, ensuring the overall security of digital environments.

The following video explains various indicators of compromise that analysts need to be aware of.

Types of Threat Data

Threat data for cybersecurity analysis encompasses various types, including indicators of compromise (IoCs) like malware signatures, suspicious IP addresses, and anomalous network traffic. Behavioural analytics involves studying deviations from normal user activity. Threat intelligence provides contextual data on emerging threats and attack methodologies. Log files and system metadata offer insights into system events and potential vulnerabilities. Additionally, vulnerability data highlights weaknesses in software or configurations. Combining these types of threat data enables security analysts to create a comprehensive picture, enhancing their ability to proactively identify and counteract cyber threats, ultimately fortifying the resilience of digital infrastructures.

The following video discusses the types of data used in security monitoring.

Firewalls

Firewalls serve as crucial gatekeepers in network security, generating valuable threat data to enhance cyber defence. Leveraging these diverse threat data from firewalls is integral to constructing a comprehensive cybersecurity strategy, enabling organisations to detect, analyse, and respond to potential threats effectively. Continuous monitoring and analysis of firewall-generated data enhance overall network security and resilience.

The following video discusses how firewalls work and the type of data they filter.

Intrusion Detection and Prevention Systems (IDS and IPS)

IDS and IPS systems generate alerts and logs that can help in identifying and responding to security threats.

Upon coming across something suspicious, an IDS will only log the suspicious events. However, an IPS can log, alert and take action if it finds a suspicious event.

The following video explains how IDS and IPS work and what threat data they can collect.

Security Information and Event Management (SIEM)

SIEM systems collect and correlate security event data from various sources, providing a centralised platform for threat analysis.

Examples of SIEM Products

The following video discusses the functions of various SIEM products.

Knowledge Check

Complete the following three (3) activities to check your ability to understand the key concepts discussed in this topic. You may repeat this activity as often as you like. Use the arrows to move between the different activities.

Organisations often use a combination of threat data recognition tools as part of a comprehensive cybersecurity strategy to recognise and respond to security threats.

Let's explore some examples of threat data recognition software tools.

Wireshark

Wireshark is a network protocol analyser that captures and inspects network traffic in real time. It allows you to capture packets traversing the network, whether wired or wireless.

Anomalies in network traffic can be indicative of security threats. Wireshark can help identify various threat data, such as:

  • Suspicious IP addresses: Identify communication with known malicious IPs.
  • Unusual traffic patterns: Detect traffic spikes or unusual protocols that may indicate an attack.
  • Malicious payloads: Find malware or exploits hidden in packet data.
  • Reconnaissance activities: Identify scanning and probing attempts by attackers.

When suspicious traffic is detected, Wireshark allows you to drill down into packet details to understand the nature of the threat. This information is valuable for incident response and forensic analysis.

The following video demonstrates how Wireshark can identify various threat data.

Antivirus and Antimalware Software

Antivirus and anti-malware software is specifically designed to detect and remove malicious software, including viruses, trojans, ransomware, and spyware.

Anti-malware software recognises threat data by:

  • signature scanning: scanning files and executables for known malware signatures
  • behaviour analysis: identifying suspicious activities or system changes that may indicate malware
  • heuristic analysis: detecting previously unknown threats based on behaviour or code analysis.

Some of the features of antivirus and antimalware software are as follows.

  • Real-Time Protection: Many anti-malware tools provide real-time protection by scanning files and network traffic as they are accessed, identifying and blocking threats before they can cause harm.
  • Regular Updates: Anti-malware software relies on regularly updated threat databases to recognise the latest threats. Frequent updates are crucial to keeping the system protected.
  • Quarantine and Remediation: When a threat is recognised, anti-malware software can quarantine or remove the malicious files and initiate remediation actions to restore system integrity.

The following video demonstrates how to use antivirus software to identify threat data.

NetFlow

NetFlow is a network protocol for collecting and recording network traffic flow information. It aggregates data about network conversations and their characteristics.

NetFlow data provides a high-level overview of network traffic, which is useful for identifying potential threats. The following are some categories of threat data that NetFlow can detect.

  • Volume-based anomalies: Includes unusual traffic volume or bandwidth utilisation.
  • Flow duration anomalies: Includes excessively long or short network connections.
  • Communication patterns: Includes suspicious peer-to-peer or lateral movement traffic.
  • DDoS attack patterns: Includes sudden spikes in network traffic that may indicate a Distributed Denial of Service (DDoS) attack.
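As an added illustration that is not part of this course page, the following Python script walks one hunt through the threat-hunting loop described earlier (hypothesis, investigate, uncover, inform and enrich analytics) over a handful of constructed NetFlow-style records, covering the volume, flow-duration and communication-pattern categories listed above. The record layout, the sample flows and the thresholds (four flows, 10% jitter, 10x median bytes, 30 minutes) are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed NetFlow-style records for illustration only (not real traffic):
# (start_seconds, src_ip, dst_ip, dst_port, bytes, duration_seconds)
FLOWS = [
    (0,   "10.0.0.5", "203.0.113.9",  443, 1200, 2),   # same pair every 60 s
    (60,  "10.0.0.5", "203.0.113.9",  443, 1180, 2),
    (120, "10.0.0.5", "203.0.113.9",  443, 1210, 2),
    (180, "10.0.0.5", "203.0.113.9",  443, 1195, 2),
    (5,   "10.0.0.7", "198.51.100.2",  80, 4000, 30),  # ordinary browsing
    (90,  "10.0.0.7", "198.51.100.4", 443, 2500, 12),
    (30,  "10.0.0.9", "198.51.100.8", 443, 950_000_000, 3600),  # huge, hour-long flow
]

def hunt_beacons(flows, min_flows=4, max_jitter=0.1):
    """Hypothesis: a host beacons to one external server at a fixed interval.
    Investigate: group flows per (src, dst) and measure inter-arrival regularity.
    Uncover: pairs with >= min_flows flows and gap jitter (stdev/mean) <= max_jitter."""
    starts_by_pair = defaultdict(list)
    for start, src, dst, *_ in flows:
        starts_by_pair[(src, dst)].append(start)
    hits = []
    for pair, starts in starts_by_pair.items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [later - earlier for earlier, later in zip(starts, starts[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((pair, round(period, 1)))  # (src, dst) and period in seconds
    return hits

def hunt_volume_outliers(flows, factor=10):
    """Volume-based anomaly: sources sending more than factor x the median source's bytes."""
    bytes_by_src = defaultdict(int)
    for _, src, _, _, nbytes, _ in flows:
        bytes_by_src[src] += nbytes
    baseline = median(bytes_by_src.values())
    return sorted(src for src, total in bytes_by_src.items() if total > factor * baseline)

def hunt_long_flows(flows, max_seconds=1800):
    """Flow duration anomaly: connections that stayed open longer than max_seconds."""
    return [(src, dst) for _, src, dst, _, _, dur in flows if dur > max_seconds]

def run_hunt(flows):
    """Inform and enrich analytics: record the findings in one structure a SIEM rule
    or dashboard can consume, so this hunt becomes a repeatable detection."""
    return {"beacon_candidates": hunt_beacons(flows),
            "volume_outliers": hunt_volume_outliers(flows), "long_flows": hunt_long_flows(flows)}
```

Calling `run_hunt(FLOWS)` flags the 60-second beacon from 10.0.0.5, the 950 MB transfer from 10.0.0.9, and the same host's hour-long connection, while the ordinary browsing from 10.0.0.7 stays quiet.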

NetFlow data can be used for real-time monitoring and alerting. Security Information and Event Management (SIEM) systems often integrate NetFlow data to enhance threat detection and correlation. The following video explains the types of data that NetFlow can collect, store and interpret.

Knowledge Check

Complete the following four (4) activities to check your ability to understand the key concepts discussed in this topic. You may repeat this activity as often as you like. Use the arrows to move between the different activities.

How Did You Go?

Congratulations on completing the topic The Threat Hunting Process. You should now understand how to recognise threat data and what is involved in cyber threat hunting.

In this topic, you learnt about:

  • threat hunting
  • understanding threat data
  • threat data sources
  • threat data recognition software.