Threat hunting. The process of actively looking for traces that may mean that systems in the environment have been compromised. It can help you identify where existing detective controls have failed to alert you to a compromise. Or, in some cases, identify where a known compromise may have been incompletely addressed. Bottom line? Threat hunting reveals issues before they impact your business—quickly.
The challenge with threat hunting can be summed up in one word. Data. Specifically, collecting and analyzing the large amounts of data required to detect malware incidents, and then analyzing the results against the latest known threat types. Complicating factors? The continuously shifting landscape of malware, threat actors, and known indicators of compromise (IOCs). In fact, Verizon’s Data Breach Investigations Report found that 56% of recent breaches took one or more months to discover.
We can help you actively look for indicators of compromise and attack. Fast.
Our proprietary platform enables collection of both historical and contemporaneous data from endpoints across your enterprise, with ingestion and analysis of that data in our cloud environment. The learnings can help you with incident response and proactive threat hunting, incorporating the latest tools and frameworks, such as MITRE ATT&CK, the National Vulnerability Database, threat intelligence feeds, open source datasets and tools, and others.
Success in threat hunting comes in many forms, but generally, we’re hoping to identify a previously unknown threat lurking in the environment. It might be a machine that was compromised by malware and no one realized, or a compromised device that was left over from a previous incident response event, and was not identified and sanitized as part of the original response effort. Such a system may be dormant but could be used as a launching point for additional malicious activity in the future. We want to find them.
In our hunting, our team often identifies historical events or systems that, unlike a ransomware outbreak, did not result in any business interruption, and therefore escaped notice but warrant additional investigation now. This may include legacy systems with insecure configurations, or systems unintentionally exposed to the internet, and in some cases may present evidence of data being accessed by unauthorized parties (data exfiltration), business email compromise that results in emails being forwarded to external parties, or cryptomining malware.
And if we reveal no threats, we count that as a success too—you can be confident that your controls appear to be functioning as expected.
We use a proprietary dissolvable agent tool to collect diagnostic data from your endpoints, which is then encrypted and uploaded to our secure cloud analysis environment. Our analysts review that data and deliver rapid results. We work with your IT staff, legal representatives, and other designated parties to communicate and escalate results as needed.
Find out how we can help you: