
Threat Hunting 101 – How to Identify Unseen Threats?

Network administrators spend countless hours improving security hygiene and using antivirus, firewalls, and other automated security tools to stop security threats from getting a foothold. But the human factor means that sometimes, someone clicks on something they shouldn’t. That’s when advanced threats can evade security measures and latch onto a weak point in an organization’s network. 

In a formal environment, threat hunting, or cyber threat hunting, is the proactive practice of searching for cyber threats that are already hidden within a network. Many organizations with mature security programs run ongoing threat-hunting programs. 

Individuals are on their own when defending home networks, so they should take a more proactive approach and take cybersecurity into their own hands. One way to reduce exposure to malware and malicious websites is NordVPN’s Threat Protection feature. But let’s take a deeper look at what steps an interested tech enthusiast can take to identify threats in their home environment. 

What is Threat Hunting? 

Threat hunting is a human-driven process that uses software tools to systematically and iteratively examine networks, endpoints, and datasets for suspicious activity that the existing automated tools missed during routine operations. 

Threat hunters don’t wait for alerts from a Security Operations Center (SOC) team about an active threat on the network. They proactively hunt for threats that may have slipped through. This shortens the time between compromise and discovery (the attacker’s dwell time), which limits the damage and scope of a breach. Threat hunting does not replace traditional security measures; it complements them. 

Why is Threat Hunting necessary? 

Because the cyber threat landscape changes so quickly, no security solution is 100% accurate. Sometimes bad actors slip through defenses, for example via a smart device that is unpatched or exposed directly to the internet. Once inside, they can lie low and wait for certain conditions to be met. Often they conceal their activities well enough to stay under the radar for months or even years, stealing data or spreading through the network. 

This is where threat hunting comes into play. Threat hunters combine data from security analytics tools and threat intelligence feeds to find and remove threats that have made it onto their networks. Threat hunting complements an organization’s established security measures and serves as an additional layer of protection for its network. 

Threat Hunting Tools 

On an organizational level, threat-hunting tools get specialized fast. They include advanced analytics platforms, enterprise-level Security Information and Event Management (SIEM) systems, Security Orchestration, Automation, and Response (SOAR) platforms, and Managed Detection and Response (MDR) services. 

However, for a simple home network, you may only need the Windows Defender Firewall log (off by default; once enabled it is written to %systemroot%\system32\LogFiles\Firewall\pfirewall.log) and Windows 10’s handy built-in packet sniffer, Packet Monitor (pktmon.exe).

What do you need to Start Threat Hunting? 

Formal organizations use large-scale blocking and monitoring tools such as firewalls, antivirus, endpoint management, and network packet capture tools, together with a Security Information and Event Management (SIEM) system. The threat-hunting team needs additional tools on top of these: threat intelligence feeds of Indicators of Compromise (IoCs), lookups for IP addresses, domains, and file hashes, and a way to combine and analyze the massive amount of information coming from all these sources. 

For an interested tech enthusiast, the four essential things for a threat-hunting program are: 

  • Skills: On a large scale, threat hunting involves many specialist areas, and organizations use teams of people with different skills and expertise. In practice, these teams seldom operate full-time; more often they are existing team members who set aside several hours a week from their other duties to analyze the data. Machines can spot patterns in massive volumes of data, but they don’t have the human hunting instinct. Humans with a wide range of technical knowledge can think laterally and look for unprecedented signals or changes. A hunch can set you off on an unusual path to a threat that slipped through automated defenses. 
  • Data: Comprehensive data from multiple sources, gathered from endpoint, network, and cloud sources. You’ll need to know what your network (including mobile devices, IoT gadgets, laptops, gaming consoles, and smart devices) should look like when nothing is wrong, because that baseline is what you hunt against. In an organization, this involves a massive amount of information and computing power. The more diverse the data is, the better. Data sources include endpoint security or AV solution logs, firewall and IDS logs, network traffic, DNS logs, Active Directory/LDAP logs, VPN logs, and more. 
  • Develop a hypothesis, then test it: Random scanning has limited value. Effective threat hunting means defining a hypothesis about what you’re looking for and then testing it against the data. In an organization, teams start with Prioritized Intelligence Requirements (PIRs), the questions your search needs to answer. On a smaller scale, you could investigate whether your home network has been compromised through one of your IoT gadgets, which typically cannot run endpoint protection and often go unpatched. It helps to know what to look for and where to start looking, so begin by describing the threats you are likely to face rather than searching at random. For example, in a home network, a hypothesis could be that a compromised IoT gadget is sending unexpected volumes of traffic, or traffic to destinations it never contacted before. 
  • A solution to process and analyze data: You’ll need to process large amounts of data, filter out what is irrelevant, and see the results in a meaningful format. Tools range from a full-fledged SIEM in organizations to an Excel workbook or a short script for a home enthusiast. The absolute minimum requirement is to keep your data organized, and the tool should provide visualization to help you understand it. Once you’ve found something, fix the issue and document your findings. For instance, if an IoT gadget has been compromised, isolate it from the network and inform the supplier. 
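The four items above form one procedure: collect the data, decide what normal looks like, state a hypothesis, and test it. As an added example (written for this article, not code from the original page or from any product), here is a small Python script that does exactly that for the home-network hypothesis in the third bullet, using the W3C-format log that Windows Defender Firewall writes to pfirewall.log. Everything in it is constructed for illustration: the two log excerpts, the documentation-range addresses, the assumption that 192.168.1.20 is a smart plug and 192.168.1.30 a laptop, and the choice of 3x the baseline’s busiest hour as the threshold. It builds a per-device baseline (known destinations and peak hourly bytes and connections) from a known-good day and then flags any device that exceeds it or contacts a destination it never used before.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs in the W3C format that Windows Defender Firewall writes to
# pfirewall.log once logging is enabled (not real captures; documentation addresses).
# Assumed roles: 192.168.1.20 is a smart plug, 192.168.1.30 is a laptop.
HEADER = (
    "#Version: 1.5\n#Software: Microsoft Windows Firewall\n#Time Format: Local\n"
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path\n"
)
# A known-good day: the plug phones home to one vendor host a couple of times an hour.
BASELINE_LOG = HEADER + """\
2024-03-01 02:00:05 ALLOW TCP 192.168.1.20 203.0.113.10 40001 443 180 - - - - - - - SEND
2024-03-01 02:20:07 ALLOW TCP 192.168.1.20 203.0.113.10 40002 443 190 - - - - - - - SEND
2024-03-01 03:00:09 ALLOW TCP 192.168.1.20 203.0.113.10 40003 443 175 - - - - - - - SEND
2024-03-01 10:15:00 ALLOW TCP 192.168.1.30 198.51.100.5 50001 443 4200 - - - - - - - SEND
2024-03-01 10:16:30 ALLOW TCP 192.168.1.30 198.51.100.6 50002 443 3900 - - - - - - - SEND
"""
# The period being hunted: the plug starts beaconing to a host it never used before.
HUNT_LOG = HEADER + """\
2024-03-02 02:00:05 ALLOW TCP 192.168.1.20 203.0.113.10 40101 443 180 - - - - - - - SEND
2024-03-02 02:01:00 ALLOW TCP 192.168.1.20 198.51.100.99 40102 8443 1400 - - - - - - - SEND
2024-03-02 02:01:05 ALLOW TCP 192.168.1.20 198.51.100.99 40103 8443 1400 - - - - - - - SEND
2024-03-02 02:01:10 ALLOW TCP 192.168.1.20 198.51.100.99 40104 8443 1400 - - - - - - - SEND
2024-03-02 02:01:15 ALLOW TCP 192.168.1.20 198.51.100.99 40105 8443 1400 - - - - - - - SEND
2024-03-02 02:01:20 ALLOW TCP 192.168.1.20 198.51.100.99 40106 8443 1400 - - - - - - - SEND
2024-03-02 02:01:25 ALLOW TCP 192.168.1.20 198.51.100.99 40107 8443 1400 - - - - - - - SEND
2024-03-02 10:15:00 ALLOW TCP 192.168.1.30 198.51.100.5 50101 443 4100 - - - - - - - SEND
"""

def parse_firewall_log(text):
    """Parse pfirewall.log text into dicts keyed by the names in its #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        values = line.split()
        if not values or line.startswith("#") or fields is None or len(values) != len(fields):
            continue  # comment, blank or malformed line: skip rather than crash mid-hunt
        rec = dict(zip(fields, values))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0
        records.append(rec)
    return records

def hourly_profile(records, direction="SEND"):
    """Bytes, connection count and destination set per (source host, hour), outbound ALLOWs only."""
    prof = defaultdict(lambda: {"bytes": 0, "conns": 0, "dsts": set()})
    for r in records:
        if r["action"] != "ALLOW" or r["path"] != direction:
            continue
        slot = prof[(r["src-ip"], r["when"].replace(minute=0, second=0))]
        slot["bytes"] += r["size"]
        slot["conns"] += 1
        slot["dsts"].add(r["dst-ip"])
    return prof

def build_baseline(records):
    """What 'normal' looks like per host: destinations ever seen and the busiest hour's totals."""
    base = defaultdict(lambda: {"dsts": set(), "max_bytes": 0, "max_conns": 0})
    for (src, _hour), slot in hourly_profile(records).items():
        b = base[src]
        b["dsts"] |= slot["dsts"]
        b["max_bytes"] = max(b["max_bytes"], slot["bytes"])
        b["max_conns"] = max(b["max_conns"], slot["conns"])
    return base

def hunt(records, baseline, factor=3.0):
    """Test the hypothesis: return (host, hour, reason) for every hour in which a host
    exceeds `factor` times its baseline peak or contacts a destination the baseline
    never saw. A host absent from the baseline is itself a finding."""
    findings = []
    for (src, hour), slot in sorted(hourly_profile(records).items()):
        base = baseline.get(src)
        if base is None:
            findings.append((src, hour, "host not present in baseline"))
            continue
        new = slot["dsts"] - base["dsts"]
        if new:
            findings.append((src, hour, "new destination(s): " + ", ".join(sorted(new))))
        if slot["bytes"] > factor * base["max_bytes"]:
            findings.append((src, hour, f"{slot['bytes']} bytes > {factor}x baseline peak {base['max_bytes']}"))
        if slot["conns"] > factor * base["max_conns"]:
            findings.append((src, hour, f"{slot['conns']} connections > {factor}x baseline peak {base['max_conns']}"))
    return findings

if __name__ == "__main__":
    known_good = build_baseline(parse_firewall_log(BASELINE_LOG))
    for host, hour, reason in hunt(parse_firewall_log(HUNT_LOG), known_good):
        print(f"{hour:%Y-%m-%d %H:00} {host}: {reason}")
```

Run it as a script to print the findings; against the constructed logs it flags only the smart plug, for a new destination and for both rate thresholds. Two caveats from practice: in a real pfirewall.log many ALLOW entries carry a size of 0, so the connection count is often the more reliable signal than the byte total, which is why the script tracks both; and a firmware update or a new vendor cloud endpoint will also trip the "new destination" rule, which is exactly where the human judgment from the first bullet comes in.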

What can an Amateur Threat Hunter look out for? 

Focus your efforts and increase your success rate by setting PIRs to help you narrow down the signals that you should look for. Large or small, any threat-hunting operation needs to look for a few common things: 

● Unusual network traffic: Spikes in network traffic or data transfers, or a device contacting destinations it has never used before.

● Suspicious user behavior: Logging in at strange hours or accessing sensitive data without authorization. 

● Anomalous system behavior: Unexpected changes to system configurations or files. 

● Indicators of compromise (IoCs): Known IoCs, e.g., malware signatures, malicious domains and IP addresses, or specific network traffic patterns, could indicate something amiss. 
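Matching known IoCs against your own logs is the mechanical part of the last item, and it is where a naive check goes wrong. Below is an added example (written for this article, not taken from it or from any vendor tool) that scans a dnsmasq-style resolver log, the format Pi-hole and many home routers write, for queries to IoC domains and for answers that resolve to IoC addresses. The log lines, the names, the addresses and the IoC list are all constructed; treating 192.168.1.20 as a smart plug and 192.168.1.30 as a laptop is an assumption. It matches domains by exact name or subdomain only, so "notc2.example" does not trip an IoC for "c2.example", and it attributes a reply to the client that last asked for that name, because dnsmasq reply lines do not carry the client address.

```python
import re

# Constructed dnsmasq-style resolver log, the format Pi-hole and many home routers write
# (not a real capture; names and addresses are documentation values). 192.168.1.20 is
# assumed to be a smart plug and 192.168.1.30 a laptop.
SAMPLE_DNS_LOG = """\
Mar  2 02:00:05 dnsmasq[812]: query[A] api.vendor.example from 192.168.1.20
Mar  2 02:00:05 dnsmasq[812]: reply api.vendor.example is 203.0.113.10
Mar  2 02:01:00 dnsmasq[812]: query[A] cdn.c2.example from 192.168.1.20
Mar  2 02:01:00 dnsmasq[812]: reply cdn.c2.example is 198.51.100.99
Mar  2 02:01:30 dnsmasq[812]: query[A] notc2.example from 192.168.1.30
Mar  2 02:01:30 dnsmasq[812]: reply notc2.example is 198.51.100.7
Mar  2 02:02:00 dnsmasq[812]: query[A] innocent.example from 192.168.1.30
Mar  2 02:02:00 dnsmasq[812]: reply innocent.example is 198.51.100.42
"""

# Constructed IoC list standing in for a threat-intelligence feed.
IOC_DOMAINS = {"c2.example"}
IOC_IPS = {"198.51.100.42"}

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
QUERY = re.compile(TS + r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)$")
REPLY = re.compile(TS + r"(?:reply|cached) (?P<name>\S+) is (?P<answer>\S+)$")

def domain_matches(name, ioc_domain):
    """Exact or subdomain match only. A bare endswith() would let 'notc2.example'
    match the IoC 'c2.example' and flood the hunt with false positives."""
    name, ioc_domain = name.lower().rstrip("."), ioc_domain.lower().rstrip(".")
    return name == ioc_domain or name.endswith("." + ioc_domain)

def match_iocs(log_text, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return one hit per query of an IoC domain and per answer that is an IoC address.
    Answers are checked too: a name on no list can still resolve to a known-bad IP."""
    hits = []
    last_client = {}  # reply lines carry no client, so remember who last asked for each name
    for line in log_text.splitlines():
        m = QUERY.match(line)
        if m:
            last_client[m["name"]] = m["client"]
            for d in ioc_domains:
                if domain_matches(m["name"], d):
                    hits.append({"ts": m["ts"], "client": m["client"], "name": m["name"],
                                 "ioc": d, "kind": "domain"})
            continue
        m = REPLY.match(line)
        if m and m["answer"] in ioc_ips:
            hits.append({"ts": m["ts"], "client": last_client.get(m["name"], "unknown"),
                         "name": m["name"], "ioc": m["answer"], "kind": "ip"})
    return hits

if __name__ == "__main__":
    for h in match_iocs(SAMPLE_DNS_LOG):
        print(f"{h['ts']} {h['client']} -> {h['name']} matched {h['kind']} IoC {h['ioc']}")
```

On the constructed log this yields two hits: the plug querying a subdomain of the IoC domain, and the laptop receiving an IoC address for a name that is on no list at all. The second kind is easy to miss if you only grep for domains, and the third line of the sample shows why suffix matching must include the leading dot.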

Conclusion 

For organizations, threat hunting is a critical part of a cybersecurity program. It strengthens traditional security measures and is important to a company’s cybersecurity posture. However, many tech-savvy users enjoy proactively searching for threats in their home environments. It’s a buzz to try new things, and catching threat actors on your home network is more fun than you should be able to have with a machine!