What is threat hunting?
I am a Hunter. Different kind one.
When we examine this term we can see that it is hunting to uncover the threats in the information system. But we need to add something to describe it properly. We can describe it as we hunt for threats by imagining a hypothesis that there is a threat to our information system and based on that we conduct the hunting by using numerous techniques and tools.
Why threat hunting?
We need to conduct these threat hunting activities regularly to uncover the possible security threats to our information system. Because there can be zero-day vulnerabilities also. After we have discovered any kind of threat, we need to inform them to the liable authorities who can take action and mitigate them. By following this procedure we can secure our information system and it is an important step for information security.
What is the threat hunting cycle?
This threat hunting is never ended and we need to conduct it regularly as this is a cyclic process. It begins with the hypothesis which describes there is a possible threat in our information system which we need to uncover. So, creating a hypothesis is the first step.
After having a hypothesis we need to discover and uncover what are these possible threats using different tools and techniques. We need to search for these threats by taking time and we have to continue until we get any clue about a threat. sometimes it can take more than one month to uncover a threat.
As a third step, we need to uncover new patterns and TTPs. It means we need to uncover new possible threats to our systems. Here we should be able to uncover the new threats as day by day they and their patterns will change. Here the TTP term describes as Terrorist, Tactics, Techniques, and procedures. The terrorists are the attackers or the person who can carry out the threats to our system. Tactics mean the behavior mechanisms the people use to carry out the threats to our information systems. Techniques and procedures can describe as the tools, procedures, and mechanisms use to make a possible threat to our information system.
After those previous phases, we need to create proper analytics and reports and analyze what are the weaknesses in our systems and what are the possible threats and what are patterns attacker use to carryout these threats.
Written by Sankalpa Rajapakse — 3rd Year 1st Semester -Cyber Security Student-SLIIT