What is threat hunting?
Threat hunting is the process of actively seeking out threats on your network and identifying malicious actors lurking there. Our SOC team gathers a baseline of activity on your network to determine what normal network activity looks like. Our SOC analysts then kick off the hunt to find, track and root out a malicious actor. With real-time threat intelligence powered by AlienVault OTX, our SOC analysts sift through your network traffic and host activity and compare it against the latest emerging threats. Throughout the hunting process our analysts use various procedures, including Lockheed Martin's Cyber Kill Chain, the OODA Loop and the Pyramid of Pain.
Why threat hunt?
There are numerous benefits to threat hunting, which takes a proactive approach to seeking out your threats. Threat hunting enriches SIEM alarming: new correlation rules can be created from the findings of a hunt. Underlying performance issues can also be discovered during the threat hunting process. Once threat hunting has been applied to your network, new emerging threats can be thwarted quickly, whether the threat is an insider or an outsider.
Keeping on top of identifying new threats drastically improves the security posture of your network.
How do we conduct threat hunting?
Our SOC analysts actively seek out threats by forming a hypothesis around the questions of what, why, where, when and how. By mining security data, applying hunting procedures and using the latest threat intelligence, new threats to your network can be stopped.
We apply threat hunting methods such as honeytokens, baselining, IOC-based hunting, and malware and ransomware remnants hunting. We specifically hunt for threats that target your industry, to help accurately locate and stop them before a compromise or breach happens.
After onboarding is completed and a network activity baseline is established, our analysts set out to hunt for and detect any malicious activity that deviates from normal activity.
Establishing a baseline is important before conducting any threat hunting, as activity that appears to be a threat on one network may not be classified as a threat on another.
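The baselining step above can be illustrated with a small, self-contained script. This is an added example, not code from the page or from the SOC service it describes: it learns, per host, which destination ports are normal and how much data a flow usually carries, then flags hunt-window flows that use an unseen port or carry an outlying volume. All flow records, host names and ports are constructed sample data, and the z-score threshold of 3.0 is an assumed tuning value.

```python
"""Baseline-and-deviation hunt over constructed host activity records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline period: (host, dst_port, bytes_out) per flow.
BASELINE_FLOWS = [
    ("ws-01", 443, 12000), ("ws-01", 443, 9800), ("ws-01", 53, 300),
    ("ws-01", 443, 11000), ("ws-01", 53, 280),
    ("ws-02", 443, 15000), ("ws-02", 445, 4000), ("ws-02", 443, 14000),
    ("ws-02", 445, 4200),
]

# Constructed hunt window: one host uses a port never seen in its baseline,
# another moves far more data in a single flow than its baseline suggests.
HUNT_FLOWS = [
    ("ws-01", 443, 10500),
    ("ws-01", 4444, 500),       # port never seen for ws-01 in the baseline
    ("ws-02", 443, 900000),     # volume far above ws-02's baseline
    ("ws-02", 445, 4100),
]


def build_baseline(flows):
    """Per host: set of normal destination ports plus mean/stdev of bytes per flow."""
    ports = defaultdict(set)
    sizes = defaultdict(list)
    for host, port, nbytes in flows:
        ports[host].add(port)
        sizes[host].append(nbytes)
    return {
        host: {
            "ports": ports[host],
            "mean": mean(sizes[host]),
            "stdev": pstdev(sizes[host]),
        }
        for host in ports
    }


def find_deviations(baseline, flows, z_threshold=3.0):
    """Return (host, reason, flow) tuples for flows that depart from the baseline."""
    findings = []
    for host, port, nbytes in flows:
        profile = baseline.get(host)
        if profile is None:
            findings.append((host, "host not in baseline", (host, port, nbytes)))
            continue
        if port not in profile["ports"]:
            findings.append((host, f"new destination port {port}", (host, port, nbytes)))
        stdev = profile["stdev"] or 1.0  # avoid division by zero on constant baselines
        z = (nbytes - profile["mean"]) / stdev
        if z > z_threshold:
            findings.append((host, f"outbound volume z-score {z:.1f}", (host, port, nbytes)))
    return findings


def hunt():
    """Run the hunt window against the learned baseline."""
    return find_deviations(build_baseline(BASELINE_FLOWS), HUNT_FLOWS)


if __name__ == "__main__":
    for host, reason, flow in hunt():
        print(f"{host}: {reason} {flow}")
```

Two findings come out of the constructed data: ws-01 contacting port 4444 and ws-02's 900000-byte flow. Per-host profiles matter here: 900000 bytes would be unremarkable for a file server but is an outlier for this workstation, which is the point the paragraph makes about baselines not transferring between networks.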
Indicator of Compromise (IOC) Based Hunting
We receive the latest threat intelligence through our sources. As this intel comes into our SOC we compile the indicators of compromise (IOCs) and scan your network for them. We report back to our customers with this information and initiate incident response to contain and eradicate these threats.
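As an added illustration of the IOC sweep described above (not the page's or the SOC's own tooling), the script below loads a small indicator set and matches it against DNS, proxy and endpoint log lines. Domains match as exact names or subdomains, hashes match case-insensitively, and IPs are compared after stripping the port. Every indicator value and log line is a constructed placeholder; the log format (`source key=value ...`) and the three indicator types are assumptions for the example.

```python
"""IOC-based hunt over constructed log lines."""
import re

# Constructed indicator set: placeholder values, not real threat intel.
IOCS = {
    "ip": {"198.51.100.23", "203.0.113.77"},
    "domain": {"update-check.example.net"},
    "sha256": {"0123456789abcdef" * 4},  # placeholder 64-hex-char hash
}

# Constructed log lines in three formats: dns, proxy, edr.
LOG_LINES = [
    "dns host=ws-01 query=cdn.update-check.example.net type=A",
    "dns host=ws-03 query=www.example.org type=A",
    "proxy host=ws-02 dst=203.0.113.77:443 method=CONNECT",
    "proxy host=ws-02 dst=192.0.2.10:443 method=GET",
    "edr host=ws-01 proc=C:\\Temp\\svc.exe sha256=" + "0123456789ABCDEF" * 4,
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split 'source k=v k=v ...' into a dict; the source name goes under 'source'."""
    src, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["source"] = src
    return fields


def domain_matches(name, indicators):
    """True if name equals an indicator or is a subdomain of one (a.b.c matches b.c)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in indicators)


def hunt(lines, iocs):
    """Return (host, ioc_type, matched_value) for every line that hits an indicator."""
    hits = []
    for line in lines:
        f = parse(line)
        host = f.get("host", "?")
        if f["source"] == "dns" and domain_matches(f.get("query", ""), iocs["domain"]):
            hits.append((host, "domain", f["query"]))
        elif f["source"] == "proxy":
            ip = f.get("dst", "").rsplit(":", 1)[0]  # drop the port
            if ip in iocs["ip"]:
                hits.append((host, "ip", ip))
        elif f["source"] == "edr":
            digest = f.get("sha256", "").lower()
            if digest in iocs["sha256"]:
                hits.append((host, "sha256", digest))
    return hits


if __name__ == "__main__":
    for host, kind, value in hunt(LOG_LINES, IOCS):
        print(f"{host}: {kind} indicator matched {value}")
```

Normalisation is where these sweeps usually fail silently: a hash logged in upper case or a DNS query that carries a subdomain prefix would be missed by a naive exact comparison, so both are handled explicitly before matching.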
Malware & Ransomware Remnants Hunting
Any remnants left over from previous malware or ransomware cases are also relevant to IOC hunting; older artefacts can be gathered from endpoints. This may lead to the root cause of how and why a compromise happened in the past.