Threat hunting is another layer of defense to proactively or retroactively identify malicious activity where preventative security controls and detections may fall short. In response to breaches, organizations are turning to threat hunting as an important security function to feed into incident response and threat detection processes.
Big data technologies, including the modern data platform, advanced analytics and machine learning, improve the effectiveness of threat-hunting efforts, helping organizations avoid significant fallout from security incidents. In this article, we’ll explain what threat hunting is, how it strengthens an organization’s cybersecurity posture and the role a modern data platform plays in supporting and powering a robust threat-hunting program.
What is Threat Hunting?
Threat hunting is the practice of detecting and mitigating threats that may have slipped past an organization’s standard security measures. Threat hunters are highly skilled cybersecurity professionals who leverage advanced analytics, an adversarial mindset, and vast amounts of security data to track down and neutralize potential threats as quickly as possible. Telemetry is at the center of this approach.
Security data is made up of activity logs, network traffic data, endpoint data, user and entity behavior analytics (UEBA) data, third-party threat intelligence data and much more. Threat intelligence provides security teams with the context they need to identify anomalies, patterns and other indicators that signal the presence of threat actors.
How Threat Hunting Strengthens Cybersecurity
As hackers grow more persistent and innovative, organizations must continuously seek new strategies to strengthen their cybersecurity posture. Threat hunting is a powerful capability in a defense-in-depth strategy. Here’s how threat hunting is being used to uncover and neutralize potential threats before they can impact an organization.
Proactively detecting threats—Threat hunting brings the fight to the attackers, playing an essential role in minimizing the impact of an attack. By actively searching for potential threats, organizations can identify threats that may have evaded standard security measures.
Improving incident response—Threat hunting enables incident response teams to identify potential attack scenarios and formulate effective strategies to counter them in the future. As a result, organizations can mount a faster, more comprehensive response to minimize subsequent fallout.
Mitigating vulnerabilities—Threat hunting can help identify vulnerabilities in a company's network and infrastructure before they’re exploited by attackers. By proactively addressing vulnerabilities before they become a pathway to attack, companies can shrink their attack surface.
Demonstrating regulatory compliance—Many organizations are governed by either industry or government regulatory requirements related to cybersecurity. Having an active threat-hunting program in place can help these companies demonstrate compliance with regulations, providing evidence that proactive security measures are in place.
Threat Hunting Models
Threat hunting comes in many different shapes and sizes. Although numerous approaches are used to detect and mitigate threats, three primary models guide and structure the hunting process.
Intelligence-based (Indicators)
This threat-hunting method is a reactive rather than a proactive approach. Using indicators of compromise (IOC) or indicators of attack (IOA) gathered from commercial or open-source threat intelligence sources as a starting point, threat hunters launch their investigation to track down potential undetected attacks or other malicious activity.
Hypothesis-based
Using this method, threat hunters form a hypothesis based on a combination of their own experience and data from threat-hunting intelligence, such as crowdsourced attack data or a threat-hunting library. This method is commonly used when a new threat has been detected by the cybersecurity community. Using IOA and knowledge of the suspected attackers' tactics, techniques and procedures (TTP), threat hunters actively scan their own environment for signs the attacker is active in their network.
Analytics and ML-based
Advanced analytics and machine learning can churn through much larger amounts of data more quickly and efficiently than traditional cybersecurity tools. Using sophisticated algorithms, these technologies can swiftly identify security anomalies that would be difficult to detect otherwise. Threat hunters use these red flags as starting points for tracking down and neutralizing latent threats that have evaded detection.
The Role of a Modern Data Platform in Threat Hunting
Data forms the foundation of all effective threat-hunting activities. Today, organizations have access to massive amounts of security-relevant data, but without the right tools, using that data effectively can be a challenge. The modern data platform plays an essential role in supporting threat hunters, providing them with the infrastructure and capabilities needed to collect, process and analyze vast amounts of security data.
Consolidate All Security-Relevant Data in One Place
When security data is siloed and spread across disparate systems, threat hunters can miss vital red flags that indicate the presence of a malicious actor. The modern data platform solves this, providing a single source of truth for all security-relevant data and giving threat hunters a unified view across the full breadth of high-volume log sources.
Benefit from Elastic, Scalable Compute
The best modern data platforms separate compute and storage, allowing investigations to progress rapidly. With near-limitless, elastic compute, teams can run multiple threat hunts without worrying about concurrency, resource contention, or scalability.
See how Comcast uses Snowflake to run multiple threat hunts without concurrency issues.
Enable Advanced Security Analytics
The modern data platform unlocks opportunities for integrating advanced analytics and machine learning into the threat hunter’s arsenal. Organizations can join business and contextual data sets, not normally sent to a SIEM, with security data to achieve better fidelity and automation. Threat hunters analyze data with SQL or a variety of programming languages to build dynamic dashboards with security metrics and key risk indicators directly on the data platform or the enterprise’s business intelligence tools.
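As an added example (not Snowflake's code or the article's), the two hunts described above, the indicators-based model and a join of security logs with business context, written as standard SQL and run over constructed sample tables in SQLite so it executes offline; the table names, the placeholder IOC feed and the HR roster are assumptions, and on a data platform the same joins would run over the consolidated log and business tables.

```python
import sqlite3
# Constructed sample data (not from the page): a small proxy log, a threat-intel
# IOC feed with placeholder indicators, and an HR roster standing in for the
# "business and contextual data sets not normally sent to a SIEM".
PROXY_LOGS = [  # (ts, username, dest_domain, bytes_out)
    ("2024-05-01T08:02:11Z", "alice", "intranet.example.internal", 1200),
    ("2024-05-01T08:15:42Z", "bob", "updates.vendor.example", 48000),
    ("2024-05-01T23:41:05Z", "bob", "c2-sample.invalid", 910000),
    ("2024-05-02T03:10:19Z", "carol", "intranet.example.internal", 700),
    ("2024-05-02T03:12:44Z", "carol", "files.example.org", 56000),
]
IOC_FEED = [  # (indicator, ioc_type, source): placeholder values, not real IOCs
    ("c2-sample.invalid", "domain", "constructed-feed"),
    ("bad.example.test", "domain", "constructed-feed"),
]
HR_ROSTER = [  # (username, status, termination_date)
    ("alice", "active", None),
    ("bob", "active", None),
    ("carol", "terminated", "2024-04-30"),
]

def build_db():
    """Load the constructed tables into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE proxy_logs(ts TEXT, username TEXT, dest_domain TEXT, bytes_out INTEGER);
        CREATE TABLE ioc_feed(indicator TEXT, ioc_type TEXT, source TEXT);
        CREATE TABLE hr_roster(username TEXT, status TEXT, termination_date TEXT);
    """)
    db.executemany("INSERT INTO proxy_logs VALUES (?,?,?,?)", PROXY_LOGS)
    db.executemany("INSERT INTO ioc_feed VALUES (?,?,?)", IOC_FEED)
    db.executemany("INSERT INTO hr_roster VALUES (?,?,?)", HR_ROSTER)
    return db

def hunt_ioc_matches(db):
    """Intelligence-based hunt: proxy events whose destination is on the IOC feed."""
    return db.execute("""
        SELECT p.ts, p.username, p.dest_domain, i.source
        FROM proxy_logs p
        JOIN ioc_feed i ON i.ioc_type = 'domain' AND i.indicator = p.dest_domain
        ORDER BY p.ts""").fetchall()

def hunt_terminated_user_activity(db):
    """Contextual hunt: activity from accounts HR marks terminated, after the
    termination date (a join a log-only SIEM cannot make without the HR data)."""
    return db.execute("""
        SELECT p.username, COUNT(*) AS events, SUM(p.bytes_out) AS bytes_out
        FROM proxy_logs p
        JOIN hr_roster h ON h.username = p.username
        WHERE h.status = 'terminated' AND substr(p.ts, 1, 10) > h.termination_date
        GROUP BY p.username""").fetchall()
```

Each hit is a starting point for an investigation, not a verdict: the IOC join surfaces one event for bob, and the roster join surfaces post-termination activity for carol that no log source alone would flag.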
Incorporate Third-Party Security Data
Third-party data helps threat hunters augment the data sourced from within the enterprise. When threat hunters have access to continuously updated threat intelligence from commercial providers, they can more easily spot threats within their environment.
Hone Your Threat Hunting with Snowflake
Snowflake enables organizations to level up their threat-hunting programs. With Snowflake, security teams can eliminate the data silos perpetuated by legacy SIEM solutions, replacing their limited storage capability and high costs with virtually limitless, affordable storage. Logs and enterprise data can be unified into a single platform, joining business and contextual data sets with security data. Popular cloud object storage platforms such as AWS S3 typically require additional tools to support ML model training and deployment, which adds complexity. Snowflake’s single platform stores data and provides threat intel and data science capabilities that enable threat hunters to perform their duties on one platform, without creating unnecessary data silos and data movement.
Additionally, third-party security intelligence data that can accelerate threat-hunting activities and investigations is available via the Snowflake Marketplace and doesn’t require API integrations to connect, so intel is available in seconds. Accelerate threat-hunting initiatives by using SQL or a variety of programming languages to build dynamic dashboards with security metrics and key risk indicators on Snowflake or with your enterprise’s own business intelligence tools, all in a single platform with no data movement.