
Threat hunting: proactively strengthen your security stance

Devastating data breaches are often weeks in the planning, with bad actors steadily gathering credentials and other information they need to unlock access to large portions of a network or digital assets. They then move suddenly and quickly, causing significant damage. In response to these breaches, organizations are turning to threat hunting to proactively search for intrusions that are as yet undetected. This capability allows them to root out suspicious activity and mitigate vulnerabilities before they’re fully exploited. 

Big data technologies, including the modern data platform, advanced analytics and machine learning, improve the effectiveness of threat-hunting efforts, helping organizations avoid significant fallout from security incidents. In this article, we’ll explain what threat hunting is, how it strengthens an organization’s cybersecurity posture and the role a modern data platform plays in supporting and powering a robust threat-hunting program. 

What is threat hunting?

Threat hunting is the practice of detecting and mitigating threats that may have slipped past an organization’s standard security measures. Threat hunters are highly skilled cybersecurity professionals who leverage advanced analytics, machine learning algorithms and the vast amounts of security data available to track down and neutralize potential threats as quickly as possible. Big data is at the center of this approach. 

Security data is made up of activity logs, network traffic data, endpoint data, user and entity behavior analytics (UEBA) data, third-party threat intelligence data and more. Threat intelligence provides security teams with the context they need to identify anomalies, patterns and other indicators that signal the presence of malicious activities.

How threat hunting strengthens cybersecurity

As hackers grow more persistent and innovative, organizations must continuously seek new strategies to strengthen their cybersecurity posture. Threat hunting is a powerful weapon useful for both offensive and defensive action. Here’s how this practice is being used to uncover and neutralize potential threats before they can wreak havoc on an organization's systems and data. 

  • Proactively detecting threats—Threat hunting brings the fight to the attackers, playing an essential role in minimizing the damage of an attack. By actively searching for potential threats, organizations can identify threats that may have evaded standard security measures, including firewalls and antivirus software.

  • Improving incident response—Threat hunting enables security teams to quickly identify potential attack scenarios and formulate effective strategies to counter them. As a result, organizations can mount a faster, more comprehensive response to minimize subsequent fallout.

  • Mitigating vulnerabilities—Threat hunting can help identify vulnerabilities in a company's network and infrastructure before they’re exploited by attackers. By proactively addressing vulnerabilities before they become a pathway to attack, companies can shrink the size of their attack surface.

  • Demonstrating regulatory compliance—Many organizations are governed by either industry or government regulatory requirements related to cybersecurity. Having an active threat-hunting program in place can help these companies demonstrate compliance with regulations, providing evidence that proactive security measures are in place.

Threat hunting models

Threat hunting comes in many different shapes and sizes. Although numerous approaches are used to detect and mitigate threats, three primary models guide and structure the hunting process. 

Intelligence-based

This threat-hunting method is a reactive rather than a proactive approach. Using indicators of compromise (IOCs) or indicators of attack (IOAs) gathered from commercial or open-source threat intelligence sources as a starting point, threat hunters launch their investigation to track down potential undetected attacks or other malicious activity.

Hypothesis-based

Using this method, threat hunters form a hypothesis based on a combination of their own experience and data from threat-hunting intelligence, such as crowdsourced attack data or a threat-hunting library. This method is commonly used when a new threat has been detected by the cybersecurity community. Using IOAs and knowledge of the suspected attackers' tactics, techniques and procedures (TTPs), threat hunters actively scan their own environment for signs that the attacker is active in their network.

Analytics- and ML-based

Advanced analytics and machine learning can churn through much larger amounts of data more quickly and efficiently than traditional cybersecurity tools. Using sophisticated algorithms, these technologies can swiftly identify security anomalies that would be difficult to detect otherwise. Threat hunters use these red flags as starting points for tracking down and neutralizing latent threats that have evaded detection. 

The role of a modern data platform in threat hunting

Data forms the foundation of all effective threat-hunting activities. Today, organizations have access to massive amounts of security-relevant data, but without the right tools, using that data effectively can be a challenge. The modern data platform plays an essential role in supporting threat hunters, providing them with the infrastructure and capabilities needed to collect, process and analyze vast amounts of security data.

Consolidate all security-relevant data in one place

When security data is siloed and spread across disparate systems, threat hunters can miss vital red flags that indicate the presence of a malicious actor. The modern data platform solves this, providing a single source of truth for all security-relevant data and giving threat hunters a unified view across the full breadth of high-volume log sources.

Benefit from elastic, scalable compute power

The best modern data platforms separate compute and storage, allowing investigations to progress rapidly. With near-limitless, elastic compute power, teams can run multiple threat hunts without worrying about concurrency, resource contention, compute power or scalability.

See how Comcast uses Snowflake to run multiple threat hunts without concurrency issues.

Enable advanced security analytics

The modern data platform unlocks opportunities for integrating advanced analytics and machine learning into the threat hunter’s arsenal. Organizations can join business and contextual data sets, not normally sent to a SIEM, with security data to achieve better fidelity and automation. Threat hunters analyze data with SQL/Python to build dynamic dashboards with security metrics and key risk indicators, either directly on the data platform or in the enterprise’s business intelligence tools.
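As an added example (not from the article or from Snowflake), the three hunting models described earlier and the contextual join described here, run in Python over constructed data: a small authentication log, a constructed IP indicator feed standing in for a commercial threat-intel source, and a constructed HR table standing in for the business data set that is not normally sent to a SIEM. The event rows, IOC values and HR records are all assumptions made for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample data (not from the article): authentication events as
# (user, src_ip, country, result), the kind of rows a security log table holds.
AUTH_EVENTS = [
    ("alice", "10.0.0.5", "US", "success"),
    ("alice", "10.0.0.5", "US", "failure"),
    ("bob", "203.0.113.77", "GB", "success"),    # bob's HR status is terminated
    ("carol", "192.0.2.10", "DE", "success"),
    ("dave", "10.0.0.9", "US", "success"),
    ("dave", "198.51.100.9", "BR", "success"),   # dave's HR record says US
    ("frank", "10.0.0.12", "US", "failure"),
] + [("eve", "192.0.2.44", "US", "failure")] * 11 + [("eve", "192.0.2.44", "US", "success")]

# Constructed threat-intel feed: IP indicators of compromise from a provider.
IOC_IPS = {"203.0.113.77", "198.51.100.9"}

# Constructed HR context table (user -> (employment status, home country)),
# the business data set the article says is not normally sent to a SIEM.
HR_CONTEXT = {
    "alice": ("active", "US"), "bob": ("terminated", "GB"),
    "carol": ("active", "DE"), "dave": ("active", "US"),
    "eve": ("active", "US"), "frank": ("active", "US"),
}

def ioc_hits(events, iocs):
    """Intelligence-based hunt: events whose source IP appears in the feed."""
    return [e for e in events if e[1] in iocs]

def context_anomalies(events, hr):
    """Hypothesis-based hunt for 'a valid account is being used by someone else':
    join the log with HR data and flag successful logins by non-active or unknown
    accounts, or from a country other than the one HR records for the user."""
    flagged = []
    for user, _ip, country, result in events:
        if result != "success":
            continue
        status, home = hr.get(user, ("unknown", None))
        if status != "active":
            flagged.append((user, "account-not-active"))
        elif country != home:
            flagged.append((user, "country-mismatch"))
    return flagged

def failure_outliers(events, z=2.0):
    """Analytics-based hunt: users whose failed-login count is more than z standard
    deviations above the population mean (a simple statistical stand-in for ML scoring)."""
    users = {e[0] for e in events}
    fails = Counter(e[0] for e in events if e[3] == "failure")
    counts = {u: fails.get(u, 0) for u in users}
    mu, sigma = mean(counts.values()), pstdev(counts.values())
    if sigma == 0:          # every user has the same count: nothing stands out
        return []
    return sorted(u for u, c in counts.items() if (c - mu) / sigma > z)
```

Each function returns the rows a hunter would pivot on next; on a data platform the same three checks are a filter against the intel table, a join against the HR table, and an aggregate with a threshold.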

Incorporate third-party security data

Third-party data helps threat hunters augment the data sourced from within the enterprise. When threat hunters have access to continuously updated threat intelligence from commercial providers, they can more easily spot threats within their environment. 

Hone your threat hunting with Snowflake

Snowflake enables organizations to level up their threat-hunting programs. With Snowflake, security teams can eliminate the data silos perpetuated by legacy SIEM solutions, replacing their limited storage capability and high costs with virtually limitless, affordable storage. Logs and enterprise data can be unified into a single platform, joining business and contextual data sets with security data. Popular cloud object storage platforms such as AWS S3 typically require additional tools to support ML model training and deployment, making the workflow more cumbersome. Snowflake’s single platform stores data and provides threat intel and data science capabilities that enable threat hunters to perform their duties on one platform, without creating unnecessary data silos and data movement.

Additionally, third-party security intelligence data that can accelerate threat-hunting activities and investigations is available via the Snowflake Marketplace and doesn’t require APIs to connect, so you can get intel in seconds. Accelerate threat-hunting initiatives by using SQL/Python to build dynamic dashboards with security metrics and key risk indicators on Snowflake or with your enterprise’s own business intelligence tools, all in a single platform with no data movement.