A Threat-Hunting Guide for Small Businesses

Protecting your computer network against cyberattacks requires threat hunting. This proactive approach catches security breaches that have eluded detection. Read on to learn more about threat hunting.

We may receive compensation from partners and advertisers whose products appear here. Compensation may impact where products are placed on our site, but editorial opinions, scores, and reviews are independent from, and never influenced by, any advertiser or partner.

Cyberattacks cost companies an average of $200,000 in damages, and over half of small businesses suffered a security breach last year. Installing endpoint security software is a must as your first line of defense.

An endpoint is the IT (information technology) industry’s term for computing devices used at your company such as laptops, mobile phones, and servers. Businesses can possess scores or even thousands of endpoints, making endpoint protection a key aspect of IT security.

Despite this protection, stopping all attacks isn’t feasible. Some will penetrate your defenses and stealthily collect data, obtaining passwords and stealing confidential information.

Unlike simplistic threats in the past, today’s cybercriminals move from the initial endpoint to infect other machines, a technique called lateral movement. Catching the initial infection won’t ensure your IT network is safe. What can a small business do?

The answer lies in a security technique called threat hunting. This is one of the key means of finding and eliminating attacks that have already penetrated your defenses.


Overview: What is threat hunting?

Traditionally, cybersecurity centers on prevention. Prevent cyberattacks from entering your IT network, and you have nothing to worry about.

This method is unrealistic. It’s impossible to stop all types of malware, phishing, and the myriad other attack forms. Just one employee opening an infected file emailed to them is all it takes for a criminal to breach company defenses. I’ve seen co-workers routinely tricked into doing this.

The modern IT security approach assumes a breach will happen, and that’s where threat hunting comes into play.

Threat hunting involves proactively seeking cyber threats lurking undetected in your IT network. For example, abnormal endpoint activity is a sign of a cyberattack in progress.

This cyber hunting approach involves a human IT analyst, the threat hunter, using software tools and analytics to zero in on where the attack is taking place in your network.

Rather than wait for your automated security systems to alert you to an issue, threat hunting is about finding the issues as soon as possible to minimize any damage and associated costs.


The 3 traditional threat-hunting methodologies

According to an IBM-sponsored study, the average time to discover a data breach is over six months. This underscores the need to seek out cyberattacks proactively.

How can a small business perform effective threat hunting? Three primary techniques apply.

1. Look for indicators of compromise and attack

A common threat-hunting approach involves looking for indicators of compromise (IOCs). An IOC is a sign of suspicious activity on your computer network that may signal a security breach.

The threat hunter examines these activities to evaluate if an attack is occurring. Examples include network traffic anomalies, unusual system setting changes, and logins indicative of non-human behavior.

An indicator of attack (IOA) is an advanced security approach used to identify the steps cybercriminals take before stealing your data. Like a bank robber who cases the bank before the actual robbery takes place, cybercriminals perform procedures that allow them to dig deep into your systems and avoid detection to carry out their objectives.

IOA examples include remote execution of software code and cleaning up logs to leave no trace of the activities performed. With IOA techniques, the threat hunter can reduce the time to find and stop cyberattacks.

A diagram contrasts the indicators of compromise with the indicators of attack.

The use of IOCs to identify security threats differs from IOAs. Source: crowdstrike.com.

2. Use crowdsourced attack insights

As new forms of attacks are discovered, security firms document cybercriminal tactics, techniques, and procedures (TTPs) and share them publicly to help companies beef up their IT security. A TTP details cyberattack behavior such as phishing tactics to trick an employee into providing information to gain entry into your systems.

Understanding how specific attacks are orchestrated prepares organizations to mitigate these threats. This crowdsourced information also enables threat hunters to look for these TTPs in their own networks to catch an attack in progress.

3. Employ analytics and tools

Threat hunters cannot manually comb through the massive amounts of system processes and data across an IT network to uncover attacks promptly. The task requires more advanced threat-hunting tools and sophisticated data analysis.

Threat hunters examine historical data against current processes performed on your network to identify malicious actions. Data from firewalls, endpoint security software, and other protections paint a picture of an attacker’s activities when contrasted with historical norms.

This data is combined with threat intelligence, a repository of information maintained to flag known threats such as malicious IP addresses.

Software providing security information and event management (SIEM) insights help in this approach. SIEM data, such as log files aggregated from across your network, enable real-time analysis and lead to developing security alerts for your IT team.

Threat hunters use machine learning techniques to efficiently sift through data to identify signs of attack. Machine learning’s ability to evolve over time also allows your company to keep pace with the changing TTPs employed by cybercriminals.


What do you need to begin the threat-hunting process?

Threat hunting is a continuous process broken into individual missions called hunts. To set up a threat-hunting process at your organization, follow these steps.

1. Define objectives

Begin the threat-hunting process by defining the objectives for each hunt. Doing so creates a clear path to resolution and guides tasks such as identifying the data needed to detect threats.

Example objectives include searching for signs of a newly-discovered TTP infecting your systems, or responding to notification of an employee who clicked on a suspicious email attachment.

2. Identify legitimate activity

The hunter must be able to identify legitimate activities from malicious ones to avoid false positives and any adverse impact to your IT network. This requires a few weeks of observation and analysis when a threat hunter begins monitoring your IT systems to build familiarity.

The threat hunter collects historical data and contrasts this with the current state to identify anomalies. Observing network behaviour over time also helps to catch anomalies.

Understanding how various software applications behave and are used by your company allows threat hunters to document legitimate use cases and filter these out when seeking threats. Any uses outside what’s documented become the target for deeper investigation to ensure your network is clean.

For example, Microsoft’s PowerShell, a computer scripting language used by IT teams and cybercriminals alike, shouldn’t show up outside IT uses. If a salesperson is running PowerShell on their computer, it’s a likely sign of malicious activity.

3. Start investigating

A hunt involves the hunter employing solutions to achieve the hunt objectives. A popular approach is the use of endpoint detection and response (EDR) to create visibility into suspicious activity. EDR incorporates forensic tools and techniques such as data analysis to identify threat patterns.

The investigation continues until the hunt objectives are achieved. If a threat is identified, a hunter builds a complete picture of the malicious activity to ensure the attack is stopped in its totality (since sophisticated attacks infect multiple endpoints).

Signs to look for include computer processes changing registry keys, network activity involving unfamiliar geographies, and attempts to access certain software libraries.

4. Define resolution steps and a feedback loop

Determine the processes for resolving issues discovered during a threat hunt. A cyber hunt team typically takes these steps.

  • Notify the IT team of the breach, including the security operations center (SOC) if they’re not conducting the hunt.
  • Try to shut down the attack and undo the damage, such as restoring or removing altered files.
  • Update company defenses to prevent similar future attacks. This can involve changing permissions, updating system configurations, and applying security patches.
  • Document the specific TTPs of the attack and add them to the company’s threat intelligence database.

A feedback loop is a key piece of establishing a threat-hunting process. Every threat discovered allows fixes for new vulnerabilities and strengthens company defenses.

Lessons learned can include actions beyond changes to the IT network. One important area is employee education. Teach staff how to spot and avoid attacks.

A diagram outlines the steps in the threat-hunting process.

The threat-hunting process is a key part of your IT security. Source: carbonblack.com.


Threat hunting frequently asked questions

What if my company is inexperienced at threat hunting?

If your IT team has little experience with threat hunting, or your business is without an IT department, hire an outside security firm specialized in threat hunting.

If your business lacks the budget to hire an external company, turn to software tools specialized in threat-hunting techniques. Some security software can automate the process to a degree.

Another area to focus on is educating your staff on how to prevent attacks. Criminals send email made to look like a legitimate source to trick employees. Educate the team on the signs of phishing and other security best practices.

What tools are needed?

Technology employed in threat hunting includes a range of tools. SIEM software is common to gather and analyze log data. Another is a threat intelligence database to create the feedback loop to identify hunt opportunities and improve company defenses.

Virtual machines are also a key tool. Threat hunters need a virtual environment to analyze and simulate attacks, and to control all device activities to zero in on threats.

Others include debugging capabilities and memory dump tools to inspect a processor’s memory, restore deleted files, and other tasks.

Is threat hunting limited to finding cyberattacks?

While chiefly concerned with catching attacks, threat hunting is also useful to assess the health of your IT security. During the threat-hunting process, any discovered vulnerabilities, such as outdated software versions, should be noted and resolved regardless of the hunt’s objectives.


Final advice about threat hunting

For small businesses with limited resources, enlisting a threat-hunting service managed by an external security firm is an ideal approach. Before going that route, ensure your small business has taken the steps to solidify your IT security.

  • Ensure company data is encrypted and backed up. Have one backup stored in the cloud.
  • Adopt a password management service to make a strong password and to avoid using the same passwords across accounts.
  • Go beyond traditional security software such as antivirus and firewalls. The best endpoint security software encompasses holistic protection features including checks to determine if websites visited by your staff are safe.

Up-to-date IT defenses layered with threat hunting is a powerful combination. It puts your company in a position to stop cyberattacks and keeps your business safe.

The Ultimate Guide to Building Virtual Teams

Knowing how to build a strong virtual team is more important today than ever -- and there are six critical things you must do to succeed. That's why we've created this ultra-timely 19-page report on what you should be doing now to set your virtual team up to win.

Enter your email below to access our (no-strings-attached) free report, "The Ultimate SMB Guide to Building High-Performing Virtual Teams."

The Motley Fool has a Disclosure Policy. The Author and/or The Motley Fool may have an interest in companies mentioned.