Finding threat actors before they find you is key to beefing up your cyber defenses. How to do that efficiently and effectively is no small task – but with a small investment of time, you can master threat hunting and save your organization millions of dollars.

Consider this staggering statistic. Cybersecurity Ventures estimates that cybercrime will take a $10.5 trillion toll on the global economy by 2025. Measured as if it were a country, the cost of cybercrime equals the world’s third-largest economy after the U.S. and China. But with effective threat hunting, you can keep bad actors from wreaking havoc on your organization.

This article offers a detailed explanation of threat hunting – what it is, how to do it thoroughly and effectively, and how cyber threat intelligence (CTI) can bolster your threat-hunting efforts.
What is threat hunting?

Cyber threat hunting is gathering evidence that a threat is materializing. It’s a continuous process that helps you find the threats that pose the most significant risk to your organization and empowers your team to stop them before an attack launches.
Threat hunting in six parts

Throughout the hunt, careful planning and attention to detail are essential, as is ensuring that all team members follow the same plan. To maintain efficiency, document every step so others on your team can easily repeat the same process.
1 — Organize the hunt.

Ensure your team is prepared and organized by inventorying your critical assets, including endpoints, servers, applications, and services. This step helps you understand what you’re trying to protect and the threats those assets are most prone to. Next, determine each asset’s location, who has access, and how provisioning of access takes place. Finally, define your priority intelligence requirements (PIRs) by asking questions about potential threats based on your organization’s environment and infrastructure. For example, if you have a remote or hybrid workforce, such questions might include:

- To which threats are remote devices most vulnerable?
- What sort of evidence would those threats leave behind?
- How will we determine if an employee is compromised?
2 — Plan the hunt.

In this phase, you will set the necessary parameters through the following:

- State your purpose – including why the hunt is necessary and which threat(s) you should focus on, as determined by your PIRs. (For example, a remote workforce may be more prone to phishing attacks under a BYOD model.)
- Define the scope – identify your assumptions and state your hypothesis based on what you know. You can narrow your scope by understanding what evidence will surface if the threat you’re looking for launches.
- Understand your limitations, such as what data sets you can access, what resources you must analyze, and how much time you have.
- Set the time frame with a realistic deadline.
- Determine which environments to exclude, and look for contractual relationships that may prevent you from carrying out the hunt in specific settings.
- Understand the legal and regulatory constraints you must follow. (You can’t break the law, even when hunting for bad guys.)
3 — Use the right tools for the job.

There are plenty of tools for threat hunting, depending on your asset inventory and hypothesis. For example, if you’re looking for a potential compromise, SIEM and investigative tools can help you review logs and determine if there are any leaks. Following is a sample list of options that can significantly improve threat-hunting efficiency:

- Threat intelligence – specifically, automated feeds and investigative portals that fetch threat intelligence from the deep and dark web
- Search engines and web spiders
- Information from cybersecurity and antivirus vendors
- Government resources
- Public media – cybersecurity blogs, online news sites, and magazines
- SIEM, SOAR, investigative tools, and OSINT tools
4 — Execute the hunt.

When executing the hunt, it’s best to keep it simple. Follow your plan point by point to stay on track and avoid diversions and distractions. Execution takes place in four phases:

- Collect: this is the most labor-intensive part of a threat hunt, especially if you use manual methods to gather threat information.
- Process: compile the data and put it into an organized, readable format that other threat analysts can understand.
- Analyze: determine what your findings reveal.
- Conclude: if you find a threat, do you have data to support its severity?
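The four execution phases, carried through on one concrete hypothesis, as an added example that is not part of the original article or of Cybersixgill’s tooling. It takes the PIR from step 1 ("How will we determine if an employee is compromised?") and the BYOD phishing scenario from step 2, and states the hypothesis as: a phished remote user shows up as a successful SSO login from a source the account has never succeeded from before, preceded within a short window by failed attempts from that same source. The log format, the field names, the 15-minute window and the severity rules are all assumptions chosen for the example; the log lines are constructed, not real data.

```python
"""Hypothesis-driven hunt over constructed SSO authentication logs.

Each of the article's four execution phases is its own function so that the
hunt is documented and repeatable: collect -> process -> analyze -> conclude.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format; not real data). The last line
# is deliberately malformed to show that unparseable records are counted.
SAMPLE_LOGS = """\
2024-03-04T08:01:12Z sso user=alice result=success src=10.20.0.15 geo=US
2024-03-04T08:03:40Z sso user=bob result=success src=10.20.0.22 geo=US
2024-03-04T09:15:02Z sso user=alice result=success src=10.20.0.15 geo=US
2024-03-05T02:11:09Z sso user=alice result=failure src=203.0.113.77 geo=RO
2024-03-05T02:11:31Z sso user=alice result=failure src=203.0.113.77 geo=RO
2024-03-05T02:12:05Z sso user=alice result=success src=203.0.113.77 geo=RO
2024-03-05T07:58:44Z sso user=bob result=failure src=10.20.0.22 geo=US
2024-03-05T07:59:10Z sso user=bob result=success src=10.20.0.22 geo=US
2024-03-05T10:30:00Z sso user=carol result=success src=198.51.100.9 geo=DE
2024-03-05T10:31:00Z sso user=carol result=timeout src=198.51.100.9 geo=DE
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sso user=(?P<user>\S+) result=(?P<result>success|failure) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    result: str
    src: str
    geo: str


def collect(raw: str) -> list[str]:
    """Phase 1 (Collect): gather the raw records in scope, here log lines."""
    return [line for line in raw.splitlines() if line.strip()]


def process(lines: list[str]) -> tuple[list[AuthEvent], int]:
    """Phase 2 (Process): normalize into structured, time-ordered events.
    Returns the events and the number of lines that could not be parsed,
    so a gap in the data is visible rather than silently dropped."""
    events, skipped = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        events.append(AuthEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            user=m["user"], result=m["result"], src=m["src"], geo=m["geo"]))
    events.sort(key=lambda e: e.ts)
    return events, skipped


def analyze(events: list[AuthEvent],
            window: timedelta = timedelta(minutes=15)) -> list[dict]:
    """Phase 3 (Analyze): test the hypothesis. A success from a source the
    account has never succeeded from is flagged only when failures from that
    same source precede it within `window`; a first-ever login with no
    failures is new but not evidence for this hypothesis."""
    known_src: dict[str, set[str]] = defaultdict(set)
    known_geo: dict[str, set[str]] = defaultdict(set)
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    findings = []
    for e in events:
        key = (e.user, e.src)
        if e.result == "failure":
            failures[key].append(e.ts)
            continue
        if e.src not in known_src[e.user]:
            prior = [t for t in failures[key] if e.ts - t <= window]
            if prior:
                findings.append({
                    "user": e.user, "src": e.src, "geo": e.geo, "ts": e.ts,
                    "failures_before": len(prior),
                    "geo_new": e.geo not in known_geo[e.user],
                })
        # A success establishes the source as part of the account's baseline.
        known_src[e.user].add(e.src)
        known_geo[e.user].add(e.geo)
        failures[key].clear()
    return findings


def conclude(findings: list[dict]) -> list[dict]:
    """Phase 4 (Conclude): attach a severity that the collected data supports.
    The thresholds are an assumption for the example."""
    out = []
    for f in findings:
        strong = f["failures_before"] >= 2
        if strong and f["geo_new"]:
            sev = "high"
        elif strong or f["geo_new"]:
            sev = "medium"
        else:
            sev = "low"
        out.append({**f, "severity": sev})
    return out


def run_hunt(raw: str = SAMPLE_LOGS) -> dict:
    """Run all four phases and return a report dictionary."""
    events, skipped = process(collect(raw))
    return {"events": len(events), "skipped": skipped,
            "findings": conclude(analyze(events))}


if __name__ == "__main__":
    for finding in run_hunt()["findings"]:
        print(finding)
```

On the constructed sample, only alice is flagged: two failures from 203.0.113.77 in Romania followed by a success there, against a baseline of successes from 10.20.0.15 in the U.S. Bob’s failure-then-success comes from a source already in his baseline, and carol’s first login has no preceding failures, so neither becomes a finding. The `skipped` count is what step 6 asks for when checking for gaps in the data analysis.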
5 — Conclude and evaluate the hunt.

Evaluating your work before you begin the next hunt is imperative to help you improve as you go. Below are some questions to consider in this phase:

- Was the chosen hypothesis appropriate to the hunt?
- Was the scope narrow enough?
- Did you collect helpful intelligence, or could some processes be done differently?
- Did you have the right tools?
- Did everyone follow the plan and process?
- Did leadership feel empowered to address questions along the way, and did they have access to all the needed information?
6 — Report and act on your findings.

In concluding the hunt, you can see if your data supports your hypothesis – and if it does, you’ll alert the cybersecurity and incident response teams. If there is no evidence of the specific issue, you’ll need to evaluate resources and ensure there were no gaps in the data analysis. For example, you may realize that you reviewed your logs for a compromise but did not check for leaked data on the dark web.
Take threat hunting to the next level with CTI

CTI can be an effective component of your threat-hunting program, particularly when the threat intelligence data is comprehensive and includes business context and relevance to your organization.

Cybersixgill removes the access barrier to the most valuable sources of CTI and provides deep-dive investigative capabilities to help your team seek the highest-priority potential cyberthreats. Our investigative portal enables you to compile, manage and monitor your complete asset inventory across the deep, dark and clear web. This intelligence helps you identify potential risks and exposure, and understand potential attack paths and threat actor TTPs, so you can proactively expose and prevent emerging cyber attacks before they are weaponized.

For more information, please download my latest report, Threat Hunting for Effective Cybersecurity. To schedule a demo, visit https://cybersixgill.com/book-a-demo.

Note: This article was expertly written and contributed by Michael-Angelo Zummo, Senior Cyber Threat Intelligence Analyst at Cybersixgill.