CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Trustwave Blog

3 Ways Your Threat Hunting Program Could Be Failing You

As a concept, threat hunting has a somewhat glitzy name and, on the surface, may appear to be a project that an organization can pull off by simply adding a couple of automatic detection tools and then tasking a few security staffers to keep an eye on the results that pour in.

Nothing could be further from the truth. In fact, to be conducted properly, threat hunting requires an integrated team of security specialists using a platform specifically designed for threat hunting.

Gartner defines threat hunting as searching for security threats by looking for traces of attackers, past and present, in an IT environment. Organizations that employ threat hunting use an analyst-centric process to uncover hidden, advanced threats missed by automated, preventative and detective controls.

However, if an organization does not handle threat hunting correctly, the information gathered will be of little use, and the defense put in place will likely be ineffective.

Here are three common ways a threat hunting program goes off track.

1. A Lack of Human Involvement

As Gartner’s definition states, threat hunting is an analyst or human-driven endeavor. The concept of threat hunting is often incorrectly defined as being centered on security teams simply detecting threats using automated tools. However, a human element must be involved when creating a successful threat hunting team.

Specifically, it’s critically important that an organization have a security staff with the experience and training to conduct threat hunting properly. The task is not something that just anyone can handle. It requires a certain mindset and level of training to do so correctly.

2. Being Passive

Threat hunting is a proactive activity conducted by security teams that combines automated tools, such as Endpoint Detection and Response (EDR), with analysts using a hands-on approach to parse through the data for adversaries and infiltration vectors they can exploit. The people in the chain must actively search through the data being gathered, looking for anomalous behavior that tools alone won’t detect. 

3. No Preparation

A team cannot simply start “threat hunting.” There are a number of preparatory actions a team must implement before the project commences. First, the team charged with protecting an organization must answer a list of questions that will help create a profile that will guide the defenders during their task.

A good threat hunting team will begin this process when it takes on a project to gather up information on the environments involved, discover what threat actors have been actively attacking such environments, determine what the attackers are looking to accomplish, and where similar organizations have been shown to be vulnerable.

The intelligence gathered through this process is used to generate a custom hunt for that customer, relying on field experience to help find where the attackers typically are and what tactics they tend to use.

Interested in learning what other attributes a good threat hunting program should have? Download our Proactive Threat Hunting Data Sheet below.

 


17135_proactive-threat-hunting_cover
DATA SHEET

Trustwave Proactive Threat Hunting

People are at the core of threat hunting and central to the practice. Trustwave Proactive Threat Hunting combines human-driven and automated process with supported technologies in your existing environment and our purpose-built threat hunting capabilities to help you get ahead of your adversaries.

 


Latest Trustwave Blogs

Law Enforcement Must Keep up the Pressure on Cybergangs

The (apparent) takedown of major ransomware players like Blackcat/ALPHV and LockBit and the threat groups’ (apparent) revival is a prime example of the Whack-a-Mole nature of combating ransomware...

Read More

Effective Cybersecurity Incident Response: What to Expect from Your MDR Provider

Companies engage with a managed detection and response (MDR) provider to help ensure they detect cyber threats before they do any damage. The "response" part of the MDR moniker is key to that effort,...

Read More

The Power of Red and Purple Team Drills in Enhancing Offensive Security Programs

Despite investing in costly security solutions, keeping up with patches, and educating employees about suspicious emails, breaches still occur, leaving many organizations to wonder why they are...

Read More