Threat hunting is a proactive complement to conventional network defenses such as firewalls, intrusion detection systems and similar appliances that inspect traffic as it crosses the network. Those controls are largely reactive: they raise an alert once a signature or rule matches, and investigation starts after the fact. Threat hunting instead begins from the assumption that an adversary may already be inside, searches network and endpoint data for evidence of that presence, isolates what it finds and eradicates it before the traditional warning systems have sounded an alert.
This can be done manually by security analysts, who search through a system’s logs and telemetry to identify potential weaknesses in the network and build “what-if” scenarios they use to counter those weaknesses proactively. Increasingly, though, threat hunting is partly automated: user and entity behavior analytics (UEBA) establish a baseline of normal activity for each user and host and surface deviations from it to the analyst as potential risks.
There are three types of hypotheses that drive a hunt:
Analytics-Driven: uses user and entity behavior analytics (UEBA) and machine learning to build baselines, accumulate risk scores per user or entity, and generate further hypotheses from the outliers.
Intelligence-Driven: fueled by threat intelligence reports and feeds, malware analysis and vulnerability scans; the hunt looks for known indicators and tradecraft in the environment.
Situational-Awareness Driven: uses enterprise risk assessments or Crown Jewel analysis (identifying the assets whose compromise would hurt the organization most) and evaluates trends in a company’s or individual’s activity around those assets.
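The following is an added example, not code from the original page or from any vendor it describes, showing what the analytics-driven and intelligence-driven hypotheses look like when run over data. It builds a per-user baseline of normal hosts and source IPs from a constructed authentication log, accumulates a risk score for each post-baseline event that deviates from that baseline (new host, new source IP, off-hours login, failed authentication), and folds in an intelligence-driven check against a constructed indicator list. The log lines, user names, hosts, IP addresses, point values and the alert threshold are all assumptions made for the example.

```python
"""Hypothesis-driven hunt over a constructed authentication log.

Two of the hypothesis types above are exercised:
  * analytics-driven: build a per-user behavioral baseline (usual hosts,
    usual source IPs, business hours) and accumulate a risk score for
    deviations from it;
  * intelligence-driven: match source IPs against a small indicator list.
All log lines, hosts, IPs, point values and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line: "timestamp user src_ip host result"
SAMPLE_LOG = """\
2024-03-01T09:02:11 alice 10.0.0.5 ws-alice success
2024-03-01T09:40:03 alice 10.0.0.5 ws-alice success
2024-03-02T08:55:41 alice 10.0.0.5 ws-alice success
2024-03-02T10:12:09 bob 10.0.0.7 ws-bob success
2024-03-03T09:15:30 bob 10.0.0.7 ws-bob success
2024-03-03T09:17:02 bob 10.0.0.7 fileserver success
2024-03-04T03:21:55 alice 203.0.113.9 fileserver success
2024-03-04T03:22:40 alice 203.0.113.9 dc01 failure
2024-03-04T03:22:47 alice 203.0.113.9 dc01 failure
2024-03-04T03:23:01 alice 203.0.113.9 dc01 success
2024-03-04T09:05:12 bob 10.0.0.7 ws-bob success
"""

# Constructed threat-intelligence feed: indicator -> tag.
IOC_IPS = {"203.0.113.9": "known-c2"}

# Events up to this timestamp form the baseline; later ones are hunted.
BASELINE_END = datetime.fromisoformat("2024-03-03T23:59:59")
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 is treated as normal
ALERT_THRESHOLD = 60            # accumulated points that trigger an alert


def parse_line(line):
    ts, user, ip, host, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ip, "host": host, "result": result}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def build_baseline(events):
    """Per-user set of hosts and source IPs seen during the baseline window."""
    baseline = defaultdict(lambda: {"hosts": set(), "ips": set()})
    for e in events:
        if e["ts"] <= BASELINE_END:
            baseline[e["user"]]["hosts"].add(e["host"])
            baseline[e["user"]]["ips"].add(e["ip"])
    return baseline


def score_event(e, baseline):
    """Return (points, reasons) for one post-baseline event."""
    points, reasons = 0, []
    b = baseline.get(e["user"], {"hosts": set(), "ips": set()})
    if e["ip"] in IOC_IPS:                     # intelligence-driven check
        points += 50
        reasons.append("ioc:" + IOC_IPS[e["ip"]])
    if e["host"] not in b["hosts"]:            # analytics-driven checks
        points += 15
        reasons.append("new-host")
    if e["ip"] not in b["ips"]:
        points += 10
        reasons.append("new-source-ip")
    if e["ts"].hour not in BUSINESS_HOURS:
        points += 10
        reasons.append("off-hours")
    if e["result"] == "failure":
        points += 5
        reasons.append("auth-failure")
    return points, reasons


def hunt(log_text):
    """Accumulate risk per user over the hunt window and return the findings."""
    events = parse_log(log_text)
    baseline = build_baseline(events)
    risk = defaultdict(int)
    reasons = defaultdict(set)
    for e in events:
        if e["ts"] <= BASELINE_END:
            continue
        pts, why = score_event(e, baseline)
        risk[e["user"]] += pts
        reasons[e["user"]].update(why)
    return {u: {"risk": r, "reasons": sorted(reasons[u]),
                "alert": r >= ALERT_THRESHOLD}
            for u, r in risk.items()}


if __name__ == "__main__":
    for user, finding in hunt(SAMPLE_LOG).items():
        print(user, finding)
```

In this constructed data, alice's four off-hours logins from an indicator-listed address to hosts she has never used accumulate well past the threshold, while bob's business-hours login to his usual workstation scores zero. The point values are deliberately crude; in practice the weights come from the environment's own baseline and the hunter tunes them against known-good activity before trusting the scores.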
There are a variety of trustworthy vendors that