Threat Hunting – what’s that then?

Threat Hunting – what’s that then?

The range of cyber related services and areas of IT service provision can be truly mystifying. It is full of technical jargon, seems to have overlapping elements and it is neither intuitive nor clear to those who are not immersed in the technical world what each service actually does or why it might be something your organisation may need to consider. 

By John Higginson

Principal Consultant, Response

28 Feb 2018

One example of a service that is still often misunderstood is the process of “threat hunting” or “cyber threat hunting”, which has increasingly been used among many organisations over the last few years. 
This blog will try to demystify this approach along with some other cyber services and aims to clarify the relevance and need for the different products available.

In one of my previous blogs, I talked about the SOC staff being the ‘virtual security guards’, whilst your IT staff are the builders and maintenance team. Taking this analogy a little further and developing this train of thought should help to provide some clarity and enlightenment…

Getting your house in order

Thinking holistically, we have the ‘trio’ of the physical, virtual and sociological elements that should make up your comprehensive security solution:

The physical elements limit and control access to your network, which is maintained by your IT team, with known access points and vulnerabilities monitored by your ‘virtual security guards’ – the SOC. Your workforce are those privileged and trusted individuals with access to your physical premises. They are able to bypass most of your physical security measures and it is therefore imperative that they are not allowed to bring in any uninvited guests. It should be standard practice that any visitors to your offices are required to be booked in and escorted at all times. In the virtual space, ensuring that your employees don’t inadvertently open a back door to your information through poor training, procedures and culture is critical – the sociological element.

If your house is in order, with the ‘trio’ of security managed in line with your organisational risk appetite, you’re in a good place, right?

The case for threat hunting

Building on my previous analogy, your virtual house (network) is being guarded by the SOC with the known entry points and vulnerabilities being monitored (think of these as the doors and windows). You clearly wouldn’t want to leave your physical premises unguarded with the doors unlocked, so the case for a SOC is clear. 

However, what about those really persistent or sneaky criminals who are able to tunnel under your house, or climb onto your roof and gain a new access route by removing some of the tiles?
Perhaps worse still, what about if someone was already inside your house hiding in a corner with a hidden trap door, after you installed your SOC? 

You may well have a false sense of security. This is where threat hunting comes in.

Threat hunting – the virtual detectives

In order to make sure your physical house has no unwanted guests, you may want to employ another specialist security team (or detectives) to do routine searches around the house, checking each room to see if anyone has snuck in undetected, either through a poorly locked door, or through a new hole in the wall. 

Your ‘virtual’ house is no different - and this is what a threat hunting team can do. 
This can either be done as one-off, known as a compromise assessment, as a single engagement to have a really good look around. It can also be done on a routine basis as an ongoing service; akin to sending your virtual detectives out regularly.

A threat hunting team can use a range of tools to conduct their search with differing levels of granularity, akin to giving your detectives a really good torch to look in the darkest corners or a magnifying glass to thoroughly examine the floor boards, to see if they have been prised up.

Depending on the nature of your business and the value you assign to keeping your information and that of your clients confidential, this may well be a service worth considering. 

Context has a team of experienced investigative consultants and response analysts who can act as the intelligent hunter that will look for threats and evidence of a compromise and investigate anything that is of concern - get in touch if you would like to find out how we can help your organisation utilise threat hunting to build cyber resilience. 

If you have a question for us or require any further information, please get in touch.

Contact Us

About John Higginson

Principal Consultant, Response

John is a member of our Response team, see our Contact page for ways to get in touch.

CHECK IT Health Check Service
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor