
Threat hunting is a proactive cybersecurity approach where analysts actively search for hidden threats that may have bypassed traditional security measures. Since most Security Operations Centers (SOCs) rely on a SIEM (Security Information and Event Management) for threat hunting, it is also a fundamental component of our approach. SIEM systems enable collection and analysis of security logs to detect anomalies, but they rely on predefined rules and alerts, which may not always identify advanced and hidden attacks.
At SofectaLabs, threat hunting is supported by our SIEM system, which plays a central role in our investigations. The SIEM collects and consolidates vast amounts of data from various sources, enabling us to aggregate and correlate critical information needed for a successful threat hunt.
Threat hunting is used to uncover threats and ongoing attacks that conventional SIEM alerting or SIEM use cases would miss: because of the more advanced nature of some attacks, it may not be possible to enable certain alerts, or an alert would generate too many false positives and cause alert fatigue.
Since the volume of data is typically too large for human analysts alone, various tools and artificial intelligence (AI) play a crucial role in the process. At SofectaLabs, we utilize not only our SIEM but also a range of security and analytics tools, such as EDR (Endpoint Detection and Response) and OSquery, to collect and correlate information.
At SofectaLabs, we employ a hypothesis-driven investigation model, which allows us to systematically uncover hidden and advanced threats, or to examine alerts that generate so many false positives that they would overwhelm a SOC analyst, akin to finding a needle in a haystack. This method is often applied when a new threat or attack pattern is identified through threat intelligence, which provides insight into the latest tactics, techniques, and procedures (TTPs) used by attackers. Once a new TTP is identified, threat hunters investigate whether the attacker’s specific behaviors are present in the customer’s environment.
Hypothesis-driven hunting is based on three key types of analysis:
The first step in our hypothesis-driven threat hunting process is to develop a hypothesis based on the capabilities of our available log data. At SofectaLabs, we first determine what types of information we can collect from our customers' environments, such as endpoint events, network traffic, and security logs before formulating a hypothesis. This ensures that our investigations are grounded in actionable data.
Once a hypothesis is formed, we gather the necessary data to validate or disprove it. For example, if we suspect potential communication with a Command & Control (C2C) server for a newly identified AsyncRAT variant like Gh0st RAT, we could focus on network-related data sources. By querying our Elasticsearch for firewall logs, endpoint telemetry, and other relevant security data, we look for traces of communication with known malicious IP addresses or domains. If no such traffic is detected, we can determine that the hypothesis is false and move on to investigate other potential threats or indicators of compromise.
To enhance detection capabilities, additional security tools such as EDR and OSquery may be used for deeper insights. Automation and AI also play a role in identifying unusual activity efficiently, helping to highlight anomalies that might indicate a security threat. By structuring our investigations in this way, we ensure that time and resources are focused on detecting real threats while minimizing false positives.
Once a potential threat is identified, further investigation is conducted using Tactics, Techniques, and Procedures analysis, often leveraging the MITRE ATT&CK framework. This framework provides a structured approach to mapping adversary behavior, allowing us to correlate detected activity with known attack techniques. By aligning our findings with MITRE ATT&CK, we can better understand the tactics used by attackers, assess the severity of threats, and enhance our detection and response strategies. Analysts assess how the detected activity compares to known attack techniques and determine the attacker's possible methods and objectives. Additional data may be collected by analyzing real-time network traffic, endpoint behavior, and user activity. At the end of this phase, a decision is made on whether the detected activity is a real threat requiring action.
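The hypothesis check described above (searching collected logs for traffic to known-bad IP addresses or domains and treating an empty result as a disproved hypothesis) together with the ATT&CK tagging of a confirmed match, as one added Python example that is not SofectaLabs' own tooling. It assumes the relevant logs have already been exported from the SIEM as key=value lines in a constructed format; the indicator values, hostnames and protocol-to-technique mapping are constructed assumptions, and the ATT&CK technique IDs are real identifiers chosen here for illustration only:

```python
"""Hypothesis check over exported log lines: is any host talking to known C2 infrastructure?

Added example, not SofectaLabs' tooling. The log format, indicator values and the
protocol-to-ATT&CK mapping are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed indicator list. Addresses come from the RFC 5737 documentation
# ranges and the domain from a reserved name, so none of these are real IoCs.
IOC_IPS: Set[str] = {"203.0.113.45", "198.51.100.7"}
IOC_DOMAINS: Set[str] = {"update-check.example.net"}

# ATT&CK technique attached to a confirmed match. The technique IDs are real
# ATT&CK identifiers; choosing them by protocol is this example's assumption.
TECHNIQUE_FOR_PROTOCOL = {
    "https": ("T1071.001", "Application Layer Protocol: Web Protocols"),
    "http": ("T1071.001", "Application Layer Protocol: Web Protocols"),
    "dns": ("T1071.004", "Application Layer Protocol: DNS"),
}
DEFAULT_TECHNIQUE = ("T1071", "Application Layer Protocol")

# Constructed key=value firewall/DNS export format: "<ISO timestamp> k=v k=v ...".
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")


@dataclass
class Finding:
    ts: str
    host: str
    src: str
    indicator: str
    technique_id: str
    technique_name: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one export line into a field dict; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def match_indicator(fields: Dict[str, str], ioc_ips: Set[str], ioc_domains: Set[str]) -> Optional[str]:
    """Return the indicator this record touches (destination IP or queried domain), else None."""
    dst = fields.get("dst")
    if dst in ioc_ips:
        return dst
    # Normalise the DNS query: lower-case and drop a trailing root dot; subdomains of an IoC domain count.
    query = fields.get("query", "").lower().rstrip(".")
    if query and (query in ioc_domains or any(query.endswith("." + d) for d in ioc_domains)):
        return query
    return None


def hunt(lines: List[str], ioc_ips: Set[str] = IOC_IPS, ioc_domains: Set[str] = IOC_DOMAINS) -> List[Finding]:
    """Run the hypothesis over the exported lines and collect every indicator match as a Finding."""
    findings: List[Finding] = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # unparseable line: skip it rather than abort the whole hunt
        hit = match_indicator(fields, ioc_ips, ioc_domains)
        if hit is None:
            continue
        technique_id, technique_name = TECHNIQUE_FOR_PROTOCOL.get(
            fields.get("proto", "").lower(), DEFAULT_TECHNIQUE)
        findings.append(Finding(
            ts=fields["ts"], host=fields.get("host", "?"), src=fields.get("src", "?"),
            indicator=hit, technique_id=technique_id, technique_name=technique_name))
    return findings


def hypothesis_holds(findings: List[Finding]) -> bool:
    """True when the data supports the hypothesis; False means it is disproved and the hunt moves on."""
    return bool(findings)


# Constructed sample export: private source addresses, documentation-range destinations.
SAMPLE_LOGS = [
    "2024-03-01T10:15:02Z src=10.0.0.5 dst=192.0.2.10 dport=443 proto=https action=allow host=WS-042",
    "2024-03-01T10:15:09Z src=10.0.0.5 dst=203.0.113.45 dport=443 proto=https action=allow host=WS-042",
    "2024-03-01T10:16:30Z src=10.0.0.8 query=update-check.example.net. proto=dns action=allow host=WS-017",
    "2024-03-01T10:17:00Z src=10.0.0.9 query=intranet.corp.local proto=dns action=allow host=WS-003",
    "malformed line without a timestamp",
]

if __name__ == "__main__":
    results = hunt(SAMPLE_LOGS)
    if hypothesis_holds(results):
        for f in results:
            print(f"{f.ts} {f.host} ({f.src}) -> {f.indicator}  [{f.technique_id} {f.technique_name}]")
    else:
        print("No traffic to the listed indicators: hypothesis disproved, move on.")
```

Each Finding carries the host, the matched indicator and the technique it maps to, which is the minimum an analyst needs to carry a confirmed hit into the TTP analysis phase; an empty result is the documented outcome of a disproved hypothesis, not an error.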
If the threat is confirmed, SofectaLabs experts take the necessary steps to contain and mitigate it, following incident response procedures. Automated tools and predefined security measures help accelerate the response and prevent similar threats in the future. Lessons learned from the incident are used to refine detection rules and improve security policies, ensuring that the organization’s defenses continuously evolve.
Finally, all findings and actions are carefully documented for escalation purposes to inform customers of any malicious activities in their environments and for future reference. This not only strengthens the threat-hunting process but also enhances the organization’s ability to proactively detect and respond to emerging threats.
Cyber threats are constantly evolving, and attackers continue to find new ways to evade detection and circumvent SIEM alerts. While SIEM alerts are a crucial part of automated security monitoring, they may not always be updated as frequently as threat hunts are performed. Writing, testing, and validating new SIEM rules takes time, and a SOC analyst must stay up to date with the latest cybersecurity developments to ensure alert accuracy. Threat hunting, on the other hand, is more flexible: it allows analysts to proactively search for emerging threats without being constrained by predefined detection rules, enabling faster adaptation to evolving attack techniques.
A proactive approach like threat hunting helps detect and neutralize threats before they can cause real damage. By combining AI, automation, and human expertise, we can stay ahead of cybercriminals and ensure a safer digital environment for our customers.
Threat hunting is not just about technology; it is also about curiosity, analysis, and problem-solving. It requires sharp minds who can think like attackers and recognize patterns that might be overlooked by technical solutions. In the end, the best defense is a strong combination of intelligent tools and skilled professionals, working together to keep digital systems safe.