Insider threat hunting is essential – here’s how to get started.

In 2022, Singapore’s Cyber Security Agency launched new requirements for critical information infrastructure (CII) owners, mandating biennial threat hunts to search for and identify potential cybersecurity threats lurking within their systems. 

Who are CII owners? These refer to government agencies and companies operating within eleven key industry sectors such as financial services, utilities such as energy and water, transportation, communications, and emergency services. These are prime targets for malicious actors.

But what is threat hunting, and how can large public sector organisations put this concept into practice? GovInsider speaks to Daniel Chu, VP of Systems Engineering at cybersecurity company ExtraHop, to find out more.

1. Assume a breach has already occurred

Central to insider threat hunting is adopting a mentality that a breach has already occurred, or what the industry calls “assumed breach”, says Chu.

Unlike a typical Security Operations Centre (SOC) that is tasked to reactively respond to new alerts, threat hunting is a proactive approach that requires CII owners to actively look for suspicious activity that have evaded detection, rather than just defend against cyber risks, he explains. Remaining proactive is the best defence against evolving threats.

Such threats may be lying dormant to launch an attack and may have already compromised the environment.

2. Treat it as an operational task, not a checkbox

Next, organisations should treat insider threat hunting as an operational task, rather than a checkbox to be ticked off, he says.

“When we interact with CII owners, a lot of security operations are flooded with alerts and cybersecurity teams are trying to stay afloat with the workload they already have. When new regulations come in, it’s easy to view that as just more work and processes to deal with, especially when there’s a talent shortage,” says Chu.

But if organisations view insider threat hunting as a regular operational task, they will be motivated to put in place the appropriate structures and discipline to keep the practice going as smoothly as possible, he explains.

When you think of it as an operational task, you are more inclined to take a step back, formulate a clear strategy, and answer foundational questions.

“How long does it take to perform these hunts? What are the goals you want to achieve as an output? What does your methodology entail?” he asks.

3. Examine your terrain

This starts with knowing your terrain well, he shares. 

“When you go hunting, you have to know the forests, ponds and mountains well. Similarly, you need to know where your assets are in your infrastructure, where your potential weaknesses lie, and what data you need to collect when hunting,” he explains.

When it comes to data, organisations can use endpoint detection and response (EDR) solutions to collect activity on individual devices, network detection and response (NDR) solutions to understand and review network traffic, as well as security information and event management tools (SIEM) to oversee security logs.

“These are the building blocks to ensure you have the right data to start your threat hunt, but organisations need to properly leverage that data for meaningful analysis,” he says.

4. Formulate and test a hypothesis

This is when organisations have to formulate a clear hypothesis to test, he shares.

“It’s very tempting to just dive into the data, but the more you plan ahead, the better findings you will have as a result of the threat hunt. How might potential attackers have penetrated the defences? Which systems might have been targeted and compromised? What data may have been accessed?” 

Once organisations formulate a hypothesis in terms of how a breach may have happened, along with which systems and what data may have been compromised, they will be in a better position to understand what to look for and how they can proactively test their hypothesis. 

“The main challenge is, do we have the right toolsets to perform advanced analysis to test your hypothesis? If there’s a new breach that emerges, is there a tool that can quickly analyse all the historical data to find a match?” he says.

In the wake of the infamous Solarwinds supply chain attack in 2021, ExtraHop worked with a large bank in Southeast Asia to identify devices that had previously connected with suspicious servers that were used during the supply chain breach.

“Once we had new information to work with, doing that threat hunt allowed us to find specific indicators of compromise in the past by analysing the rich historical network data we had collected,” says Chu. Through their investigations, they were able to find two such insider devices.

5. Automate regular hunts

Finally, as organisations become accustomed to threat hunting, they can increase the frequency of such hunts and automate some of the processes.

ExtraHop provides guided threat hunt workflows that can automate tasks such as auditing insecure or uncommon protocols and investigating trusted devices that have established internal connections in suspicious manners or or communicated with external services in countries that business is not typically conducted in.

As organisations get accustomed to biennial threat hunts, they can implement more regular threat hunts – even up to once every two weeks. More regular threat hunts will also help organisations improve their hypotheses over time.

The results from each threat hunt offer opportunities for organisations to improve their cybersecurity processes, he says.