A Wednesday in the Life of a Threat Hunter

Written by Chandra Rajagopalan, Principal Software Engineer, Netskope.

Imagine you have a role in making sure your enterprise is secure and on a typical Wednesday, you suddenly suspect that something is amiss or you come to know of a new threat intelligence about a specific technique or tool or in the worst case, your organization just had a security breach or an attempted breach.

You wake up from your slouch posture and end up sitting on the edge of your chair and you mentally prepare yourself to hunt for a potential threat in your environment.

Image generated by ChatGPT’s image generator

You know that a good approach is to think like a detective who starts with a hypothesis and then tests it. You won’t have all the answers upfront, so you must use logical steps to arrive at the truth. You ask basic questions, “Is an attacker moving laterally across the network?” or “Has there been any unauthorized data access?” You look at the common attack vectors, recent threat intelligence, or behavioral anomalies. You use data sources such as logs, network traffic, and system metrics to validate or refute your hypothesis.

Wait - do you have all the data sources centralized and easily accessible? Unlike a detective who has no knowledge of the entire environment where a crime occurred, you could have prepared your environment by getting the right tools and processes for visibility, analytics, automation and orchestration.

Nevertheless, you start thinking like an attacker to detect threats that may have slipped past automated defenses. You know the Tactics, Techniques, and Procedures (TTPs) that attackers use and anticipate where they might try to hide. You know their stealthy techniques like encryption, fileless malware, or abusing legitimate credentials. You look at the weak points in your environment - like unpatched vulnerabilities, misconfigured systems, or spear-phishing emails.

Wait - did we make sure we have alerts setup to identify potential vulnerabilities? Did we update our security dashboards to look at the new applications and the databases added for those teams that requested? Oh, what happened to those new unexpected network flows that we still have not mapped or questioned?

It’s already several hours and the work day is coming to an end.

There is definitely a need for optimal zero trust maturity in the environment, you and your team realizes.

Anyways, being aware that threat hunting requires a systematic, data-driven approach, you follow a step-by-step process and remain detail-oriented in your analysis. Narrowing down the scope, you focus on a specific subnet, user account, and / or a timeframe. Starting to correlate logs, traces, network traffic, and user behavior to identify patterns, that specific anomalous behavior in isolation that seemed benign, when linked with other suspicious activities, revealed a hidden threat.

It’s late evening already.

Now that you have identified a specific anomaly, you disable the specific entities that were affected and compromised manually. How you wish you had automation built!

You build a timeline of events to reconstruct the path an attacker might have taken and identify when, how, and where the compromise occurred. Those SIEM systems, endpoint detection and response (EDR) tools, and network traffic analysis tools did provide the necessary data.

Automation and orchestration could have helped surface anomalies faster. Your human reasoning to correlate, analyze, and investigate deeply came in handy but the intuition and suspicion, if can be verified easily with data, would have prevented or at the minimum, reduced the scope of lost data.

That was a long day, but a lot of lessons were learnt!

To avoid another mishap, you go to Cloud Security Alliance Zero Trust Resource Hub and start working on understanding Zero Trust better and make your environment achieve optimal Zero Trust maturity.