Did you know that the average detection time of an incident or security breach is 200 days? Did you know that once it is detected it takes an average of 66 days to contain the incident? This shows that current detection and response mechanisms are not sufficient.
Although most of the field talks about Threat Hunting when explaining detection mechanisms, the reality is that very few have developed an accurate hunting approach.
Why Proactive Threat Hunting?
We are all aware of organizations that invest considerable resources in detecting advanced threats with no success. Some of them are even targeted by ransomware gangs because they lack good detection and response capabilities.
This scenario is becoming more and more relevant as we learn that classic Threat Detection capabilities are not enough. We need to evolve from a traditional SOC to proactive Threat Hunting. This is achieved by focusing on the analysis of TTPs instead of IOCs, by working from a Compromise Hypothesis instead of reacting only once a security event has been detected, and more.
Traditional SOC
- Protects against a well-known attack.
- Work starts at the investigation stage of an alert or event.
- SIEM, IDS, FWs, Proxy technologies, among others.
- Signature and IOC based detection.
- Deployment of technology, creation of use cases, source diversity, blind spots, configuration faults, alerts and false positives.
Proactive Threat Hunting
- New forms of attack are being investigated.
- We are constantly investigating under an undetected breach scenario, assuming that a sophisticated attack has taken place and no security event has been triggered.
- Telemetry & Deception: we collect and analyze activity from endpoints, servers and deception campaigns.
- Targeted and Unknown Attacks: TTP, intelligence, tracking and hypothesis-based detection.
- Detection based on telemetry provided by EDR/XDR technology.
What Makes our Threat Hunting Approach so Unique?
Our 24x7 Proactive Threat Hunting service understands Malicious Adversaries better than a regular SOC, making it possible to detect and respond to Malicious Operations even before a single security event has been raised. That can be accomplished because our Proactive Threat Hunting service relies on the following fundamentals:
Hunting over approved EDR/XDR
- We are continuously analyzing new technologies that allow us to perform a high-quality Threat Hunting service
- To maintain our quality standards, only technologies that pass our internal evaluation are used
- Even when there is not a proper detection from the technology, our experts can identify Malicious Operations from the telemetry
- We use our Red Team as a Threat Hunting accelerator
- We deploy our own Threat Hunting Intelligence™ on top of the EDR/XDR detection capabilities
- Our service is a never-ending effort to maintain a proactive hunting position while working from compromise hypotheses
- Using compromise hypotheses allows us to detect unknown Malicious Actors
- We run thousands of custom queries against the available telemetry every month to find unknown threats
World Class Team
- Our hunters are real researchers thinking like real adversaries
- We provide a cutting-edge service using the most innovative attacking techniques and detection bypass possibilities
- We consult the most innovative technology to analyze emerging threats
Threat Hunting Intelligence™ as a distinctive Threat Hunting accelerator
Our MDR Threat Hunting service is improved not only by continuous research on Malicious Operations, Threat Actor profiling and public advisory analysis, but also by improving detection capabilities for the case in which the threat is able to perform detection bypass techniques.
All those improvements are centralized in our Threat Hunting Intelligence™ and included in our unique Threat Hunting service.
In this context, it is particularly relevant that our Red Team is an excellent accelerator for improving our Threat Hunting service, and vice versa. In fact, having both services at the same time is an option that more and more clients are requesting. They request the following combined approach:
Red Team Service
Our Red Team simulates threat actors, adversaries or cyber exercises to bypass defensive layers
We are continuously reporting improvement possibilities to the Threat Hunting team
Threat Hunting Service
Our researchers are continuously learning from new tactics, techniques and procedures (TTPs) used by malicious actors, and the learning process is accelerated by Red Team exercises
Overcoming the EDR/XDR detection capabilities
With the aim of delivering an extraordinary Proactive Threat Hunting service, only extraordinary EDR/XDR solutions are accepted, after intensive testing and evasion techniques performed in our lab.
In addition to the detection capabilities offered by EDR/XDR technology, our Threat Hunting service deploys additional detection capabilities by performing thousands of additional detection checks tailored to every client environment.
*The technology approval process is a continuous evaluation of the most relevant EDR/XDR solutions, so if you are using a technology not shown above, please contact us for further information.
Threat hunting FAQs
What is threat hunting?
Threat Hunting is a service aimed at proactively detecting advanced threats in corporate endpoints and networks by using compromise hypothesis approaches, as well as responding to the compromise.
What are the benefits of threat hunting?
Threat Hunting is strongly recommended for detecting and responding to unknown threats. That can be accomplished because, instead of focusing on Indicators of Compromise (IOC), Threat Hunting focuses on MITRE ATT&CK Tactics, Techniques and Procedures (TTP) to detect the Malicious Operations an APT may perform when no IOCs are available in advance.
What does a threat hunter do?
A Threat Hunter's work needs to cover the following activities:
- Analyzing suspicious detections raised by the EDR or XDR technology, including investigations to confirm a malicious operation or discard false positives.
- Threat research, which includes maintaining up-to-date, low-level knowledge of emerging critical vulnerabilities, exploits, APTs, attack campaigns, and the tactics, techniques and procedures that a malicious actor could use to compromise an organization and its resources.
- Transforming the results of the research activities into proactive hunting by exploiting the available data or telemetry.
What are the types of threat hunting?
Even when the objective is the same, Threat Hunting activities differ from traditional Threat Detection in the way they achieve that objective. Some of the main differences can be summarized as:
- Threat Hunting requires searching proactively for unknown threats, while Threat Detection is a reactive process initiated once an alert arises.
- Threat Hunting analyzes TTPs, while Threat Detection is focused on IOCs or well-known patterns.
- Threat Hunting is focused on analyzing data and telemetry provided by EDR or XDR technologies, while Threat Detection analyzes events and logs centralized in a SIEM.
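The IOC-versus-TTP difference above, as an added example that is not part of the original page or the service it describes: the same constructed process-creation telemetry is run through a reactive hash-based IOC match and through one hypothesis-driven hunt. The events, the placeholder hashes and the hypothesis ("office applications on this estate never spawn a script host") are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, as an EDR/XDR would export it."""
    host: str
    parent_image: str
    image: str
    sha256: str


# Constructed sample telemetry (not real data); the hashes are placeholders.
EVENTS = [
    # Benign activity: a user opens a text editor from the desktop shell.
    ProcEvent("ws01", "explorer.exe", "notepad.exe", "aaaa" * 16),
    # A sample seen before: its hash is already on the IOC list.
    ProcEvent("ws02", "winword.exe", "powershell.exe", "bbbb" * 16),
    # Same behaviour from an unknown binary: the hash matches nothing.
    ProcEvent("ws03", "excel.exe", "pwsh.exe", "cccc" * 16),
]

# Reactive, IOC-based detection: only previously catalogued hashes fire.
KNOWN_BAD_SHA256 = {"bbbb" * 16}


def ioc_detect(events, bad_hashes=KNOWN_BAD_SHA256):
    return [e for e in events if e.sha256 in bad_hashes]


# Compromise hypothesis (an assumption of this example): an office
# application has no legitimate reason to launch a script interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def ttp_hunt(events, parents=OFFICE_APPS, children=SCRIPT_HOSTS):
    """Flag by parent/child behaviour, independent of any file hash."""
    return [e for e in events
            if e.parent_image.lower() in parents
            and e.image.lower() in children]


def compare(events):
    """Which hosts each approach surfaces, to show where they diverge."""
    ioc = {e.host for e in ioc_detect(events)}
    ttp = {e.host for e in ttp_hunt(events)}
    return {"ioc_only": ioc - ttp, "ttp_only": ttp - ioc, "both": ioc & ttp}


if __name__ == "__main__":
    print(compare(EVENTS))
```

The hypothesis catches ws03, whose binary has never been seen, while the IOC list only ever finds ws02; the benign ws01 event trips neither, which is the false-positive check a hunter would run before turning a hypothesis into a scheduled query.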
What is a cyber hunt team?
Unlike a regular Threat Detection service, the team performing Threat Hunting activities is not organized in tiers. Instead, Threat Hunters are always highly skilled professionals who know how an attack works under the hood, so they can identify a malicious operation just by looking at the available resources, such as data and telemetry, even when there is no alert associated with it.
The skills of a Threat Hunting team include, among others:
- Vast experience in offensive techniques
- An excellent understanding of Windows and Linux internals, as well as networking skills
- Malware reverse engineering
- Continuous research on emerging offensive techniques
- Supporting other teams involved in an Incident Response