Threat hunting: the proactive search for threats that have evaded detection by traditional security measures. It’s the critical but often unseen layer of cybersecurity, the last line of defense against sophisticated adversaries.
Nick Pettini, a seasoned threat hunting specialist at SOSi currently working in Sierra Vista, AZ supporting our work with the U.S. Army’s Global Cyber Center (GCC), likens it to finding a needle in a stack of needles.
Pettini, who spends his days sifting through vast amounts of network data to identify potential threats to the U.S. Army’s critical networks, shares his insights into this complex and evolving field.
In an era where cyber threats are becoming increasingly sophisticated and stealthy, traditional security measures like firewalls and antivirus software are no longer sufficient. Adversaries are adept at evading detection, lurking in networks for months or even years before striking.
This is where threat hunting comes in — it’s a proactive approach to cybersecurity that assumes breach and actively seeks out these hidden threats.
But why go to the trouble of finding a needle in a stack of needles? The stakes couldn’t be higher. For organizations like the U.S. Army, a successful cyberattack could mean compromised sensitive data, disrupted operations, or even loss of life. Threat hunting is a critical investment in risk reduction, allowing organizations to identify and neutralize threats before they can cause harm. In the hands of skilled professionals like Pettini, it’s a powerful tool in the cybersecurity arsenal.
Understanding the Adversary
The first step in effective threat hunting is understanding the potential adversary.
“We look at what the likely target might be,” Pettini said. “Where are they going? Are they financially motivated? Politically motivated? Reaching for nation-state level objectives?”
By assessing the capability and tactics of the malicious actor, threat hunters can narrow down the most likely paths of attack.
The Tools of the Trade
Threat hunters employ a variety of tools to sift through vast amounts of network data. Two key tools are PCAP (packet capture) and NetFlow. PCAP preserves the full contents of individual packets for granular examination, while NetFlow records a summary of each connection (endpoints, ports, protocol, byte and packet counts) without the payload, which makes it the lighter-weight place to start.
“When chaining the two together, usually an investigation starts with NetFlow and is further investigated with a PCAP tool,” Pettini said.
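The NetFlow-to-PCAP chaining described above, as an added Python example that is not part of the article or of SOSi's tooling: flow records are aggregated to surface a lead, and the lead becomes a capture filter used to pull the matching packets. The flow records, packet summaries, the 10.0.0.0/8 enclave and the 100 MB threshold are constructed assumptions.

```python
"""Flow-first triage, then the packet-level pivot: aggregate NetFlow-style
records, flag a hypothesis, and build the capture filter to drill into it."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8")]  # assumption: the monitored enclave

# Constructed NetFlow-style records (a long session exports as several records).
FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20",    "proto": "tcp", "dport": 445, "bytes": 12_000},
    {"src": "10.0.0.5", "dst": "203.0.113.9",  "proto": "tcp", "dport": 443, "bytes": 450_000_000},
    {"src": "10.0.0.5", "dst": "203.0.113.9",  "proto": "tcp", "dport": 443, "bytes": 400_000_000},
    {"src": "10.0.0.7", "dst": "198.51.100.4", "proto": "tcp", "dport": 443, "bytes": 300_000},
]

# Constructed packet summaries standing in for the PCAP (the drill-down source).
PACKETS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "proto": "tcp", "sport": 51000, "dport": 443, "len": 1460},
    {"src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp", "sport": 443, "dport": 51000, "len": 66},
    {"src": "10.0.0.7", "dst": "198.51.100.4", "proto": "tcp", "sport": 52000, "dport": 443, "len": 800},
]

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def outbound_totals(flows):
    """Sum bytes per (src, dst, proto, dport) across internal-to-external records."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"], f["proto"], f["dport"])] += f["bytes"]
    return dict(totals)

def hypotheses(flows, threshold=100_000_000):
    """Flow tuples whose aggregate outbound volume exceeds the threshold:
    a lead to prove or disprove with packet data, not a verdict."""
    return [k for k, v in outbound_totals(flows).items() if v > threshold]

def bpf_filter(src, dst, proto, dport):
    """Capture filter (tcpdump/Wireshark syntax) that isolates one flow."""
    return f"host {src} and host {dst} and {proto} port {dport}"

def pivot(packets, src, dst, proto, dport):
    """Both directions of the flagged conversation, pulled from the packet data."""
    return [p for p in packets if p["proto"] == proto
            and {p["src"], p["dst"]} == {src, dst} and dport in (p["sport"], p["dport"])]

if __name__ == "__main__":
    for key in hypotheses(FLOWS):
        print("lead:", key, "| filter:", bpf_filter(*key), "| packets:", len(pivot(PACKETS, *key)))
```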
Developing a Hypothesis
When a potential threat is identified, threat hunters develop a hypothesis and systematically investigate.
“I’ll start with either a report or tactic utilized by an adversary,” Pettini said. “I then develop a likely avenue of approach based on my findings and determine where the entry point would be. From there, I use my tools to prove or disprove my hypothesis.”
Assessing the Threat
Assessing the severity of a potential threat involves considering several key factors:
- Capability: Does the attacker have the means to perform the attack?
- Complexity: Does the attacker have the technical capability and knowledge to exploit a vulnerability?
- Intent: Is the attacker specifically targeting the organization, or are they opportunistic?
- Vulnerability: Is the organization actually vulnerable to this specific attack?
Pettini underscored the importance of context in threat assessment. “You can brief a Common Vulnerability and Exposure (CVE), but if you don’t have any of the affected devices, then it’s irrelevant,” he said.
The Evolving Landscape
Threat hunting has evolved significantly over the years, particularly from the perspective of large-scale networks like those used by the U.S. Army.
“Everything has changed, from techniques used, tools, and scope of our threat hunting,” Pettini said. “We now have to be experts in every tool we touch and pass that knowledge where possible.”
Looking ahead, Pettini said he anticipates that the shift towards Zero Trust security models will significantly impact the field of threat hunting.
“As communities catch up and start implementation, the focus will shift from perimeter-based focus to the endpoint. This adjustment will certainly impact how organizations function and look at threat hunting.”
At SOSi, our team of dedicated threat hunting specialists, like Nick Pettini, is at the forefront of these developments. With their deep expertise and commitment to staying ahead of emerging trends, they are uniquely positioned to defend the critical networks that keep our nation safe.