
What is Threat Hunting and how it can protect your business

By Content Team on October 21, 2024

Threat hunting, or cyber threat hunting, is the process of proactively searching through networks for threats that evade the security solutions already implemented by an organization.


Because this work complements the automated tools already present in the environment, it should be carried out by human threat hunters who can think as an attacker would.


Nevertheless, the success of a threat-hunting effort hinges on the quality of the available data. Ideally, a business should already employ endpoint security solutions (EDR or XDR) and network sensors that monitor everything that happens inside the network. All this data should be available in a management system to facilitate access, but a hunter will go beyond what is easily available in these systems if needed.


Why is threat hunting needed?

Threat hunting is often associated with the challenges posed by Advanced Persistent Threats (APTs). This term describes sophisticated attackers that carry out targeted attacks – in other words, they choose their targets and tweak their strategies accordingly. This is in contrast to opportunistic attacks, which don't seek a particular target and aren't unique.


APT adversaries can use custom tools and deploy malware code tailored to defeat or evade the security solutions present in the environment (they can also slip by when security teams don't have time to review all security alerts). In this way, they gain a foothold inside a corporate network without being detected.


While such advanced threats were seen as rare in the past, and were often linked exclusively to intelligence agencies and other nation-state actors, this is no longer the case.


The rise of ransomware and fraud carried out with corporate data led to a shift in the behavior of ordinary criminals. Instead of defrauding individuals directly, criminals developed schemes with identity theft, extortion, Business Email Compromise, and other types of fraud, making corporate data more valuable than before.


With this new approach, these adversaries now also see a reason to choose and study their targets, which are usually businesses. They want to make sure they can stay inside the network for as long as possible, and exfiltrate data for as long as they can or move laterally to deploy ransomware in the most destructive way possible.


In other words, attackers could be specifically looking to avoid automated tools and even threat intelligence efforts based on data sharing by doing something unique in each of their targets. By introducing a human element to the network defenses, the threat hunter can detect, isolate, and neutralize these threats before they cause any serious damage.


The relevance of data for threat hunting

As threat hunting aims to uncover the presence of an adversary that has yet to be detected, there's no definitive answer as to when a line of investigation should be discarded.


Threat hunting can be an ongoing, continuous effort, and not finding threats is expected when there are no threats to be found. When data is unavailable or cannot be trusted, the search could take longer or produce inaccurate results that lead to wrong conclusions.


To make sure the hunting process is robust and thorough, analysts should seek high-quality data sources, both inside and outside the organization.


External Cybersecurity and threat hunting

The Axur Platform is introducing a Threat Hunting solution that lets threat hunters query the external-source data collected by our platform using the search criteria they need most.


Many corporate credentials are sold on the Dark Web. These user/password combinations can be used to infiltrate a network (including VPNs and web platforms used by remote workers).


A threat hunter can use this information to search the network for malicious activity and find any threats that may have slipped by – including the malware that may have stolen this information in the first place.


For this reason, usernames, domain names, and login URLs are all searchable in our dashboard.


Our Threat Hunting solution can also be used in incident response or forensic scenarios. A search query on our platform can help pinpoint which credential was used by an attacker, or establish that a stolen credit card was in use and when that card was seen.


Data sources in the Deep & Dark Web can be reliable enough to determine how a piece of information was obtained (a data leak or a credential stealer, for example).


Credential stealers often report the IP address and the operating system of the computer they stole data from. This information is useful when threat hunters need to know if a system was present in the attack chain and where it was connected, so our dashboard includes a search operator for both fields.
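As an added illustration (not Axur's code or API), the hunt described in the last few paragraphs sketched in Python: a leaked-credential record carrying the username, source IP and OS fields mentioned above is correlated with VPN authentication logs, and successful logins after the leak was seen, especially from an IP other than the one the stealer reported, are surfaced for review. All usernames, dates and addresses are constructed.

```python
"""Hunt for use of credentials that appeared in an external leak feed.

Constructed example: stealer-log style records are correlated with
constructed VPN auth logs. A successful login for a leaked username
after the leak was seen is flagged; a login from an IP other than the
victim machine reported by the stealer is marked as a new IP.
"""
from datetime import datetime

# Constructed leak records with the fields the article says a dashboard
# can expose (username, source IP, OS, origin). Not real data.
LEAKED = [
    {"user": "alice@example.com", "ip": "203.0.113.7", "os": "Windows 10",
     "seen": "2024-10-01", "origin": "credential stealer"},
    {"user": "bob@example.com", "ip": None, "os": None,
     "seen": "2024-09-15", "origin": "data leak"},
]

# Constructed VPN auth log lines: timestamp user src_ip result
VPN_LOG = """\
2024-09-30T08:01:00 alice@example.com 203.0.113.7 success
2024-10-02T23:14:00 alice@example.com 198.51.100.9 success
2024-10-03T01:02:00 bob@example.com 192.0.2.44 failure
2024-10-04T02:30:00 bob@example.com 192.0.2.44 success
2024-10-04T09:00:00 carol@example.com 192.0.2.10 success
"""


def parse_log(text):
    """Parse the whitespace-separated log format used above."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events


def hunt(leaked, events):
    """Return successful logins that warrant a hunter's attention."""
    by_user = {r["user"]: r for r in leaked}
    hits = []
    for ev in events:
        rec = by_user.get(ev["user"])
        if rec is None or ev["result"] != "success":
            continue
        # Activity before the leak was seen is ordinary use; anything
        # after that date, from any IP, deserves a look.
        if ev["ts"] < datetime.fromisoformat(rec["seen"]):
            continue
        hits.append({"user": ev["user"], "ip": ev["ip"],
                     "ts": ev["ts"].isoformat(), "origin": rec["origin"],
                     "new_ip": rec["ip"] is None or ev["ip"] != rec["ip"]})
    return hits
```

Running `hunt(LEAKED, parse_log(VPN_LOG))` returns two hits: alice's post-leak login from an IP the stealer never reported, and bob's post-leak login preceded by a failed attempt from the same address.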


While the Axur Platform is an external cybersecurity solution, it can and should support your internal cybersecurity, including the valuable threat hunting efforts that are necessary to fight the most challenging threats of today.