Cyber Threat Hunting
What is Cyber Threat Hunting?
Cyber threat hunting is the practice of systematically and proactively looking for malicious cyber activity inside your organization’s network – it is a critical element in defending against cyber attacks, mitigating the impact of cyber incursions already inside your network and establishing a complete approach to cyber resilience.
Importantly, effective cyber threat hunting cannot be achieved solely by deploying software and hardware technologies to scan for malicious code. We know this because cyber threat actors regularly penetrate and lurk within corporate networks for over 200 days on average before being detected.
In today’s fast-moving cyber environment, organizations need skilled and experienced cyber incident response professionals to serve as threat hunters who can leverage sophisticated tools and situation-specific methodologies to anticipate known and unknown cyber threats.
When Should You Conduct a Threat Hunt?
It is always best practice to perform cyber threat hunts annually as part of your cyber resilience strategy. However, it is also important to perform targeted threat hunts when major changes occur in your environment or uncertainty is identified. Examples of situations that may necessitate a threat hunt include:
- Identification of a major vulnerability (such as Log4j) or breach (such as SolarWinds) on a critical asset or software your organization uses
- M&A activity to ensure you are protected against buying a breach
- Periods of major system change to ensure attackers don’t take advantage of disruption
- After a cyber event to provide confidence to third parties that your organization hasn’t remained actively compromised
- Annual cyber resilience assessments to check if your cyber strategy, controls and cyber risk mitigation processes are working as planned
What are Common Cyber Threat Hunting Techniques?
- Situation- or Event-Based Hunting
There are multiple ways an organization can learn about actual or potential threats inside their network, including finding a ransomware note on a computer, a notification from law enforcement or intelligence, receiving an antivirus alert, or hearing from the finance department that a fraudulent wire transfer just occurred.
In all cases, whether the incident has a clear starting point or a dubious origin, you must act immediately to answer several key questions. A situation- or event-based threat hunt seeks to answer these questions, including:
- Who is the threat actor, and are they credible? It is important to know who you are dealing with and whether they are a known or unknown actor. Are they opportunistic hackers, a well-known criminal group or a nation state?
- How did the threat actor initially access your network? Once identified, these vulnerabilities need to be addressed as quickly as possible.
- Where did the threat actor go in your network, and what did they do? Did they read emails, access specific datasets and systems, or take and sell information, among other things?
- How long was the threat actor in your network? The answer to this question will help you assess potential damage and will help to better inform potential customer outreach.
Answering some or all of these questions will be important to your recovery and rebuilding a formidable cyber security posture.
- Hypothesis-Based Hunting
Imagine a scenario where your company receives information that a specific dataset you own is the target of a known and capable threat actor. What should you do next?
In these cases, our team will launch a hypothesis-driven threat hunt, which starts by asking: “If I were a hacker, how would I try to steal this data?” From there, we ask: “If I undertook an attack of this nature, what evidence would I leave behind, and what could someone do to find this evidence?”
Working backward from the outcome your organization tries to avoid, our cyber threat hunters can help identify evidence of past attacks, successful or failed, and sometimes even detect and interrupt cyber attacks in progress.
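As an added illustration of the hypothesis-driven approach described above (example code written for this page, not Aon's tooling or method), the Python below takes one hypothesis, "an intruder who wants the dataset on file server FS01 will reuse a stolen account across several hosts and then log on to FS01 from a host that account never used before", derives the evidence that hypothesis predicts, and hunts for it in a small set of constructed authentication log lines. The log format, host and account names, the baseline of expected access and the thresholds are all assumptions made for the example.

```python
"""Hypothesis-driven hunt over constructed authentication logs.

Hypothesis: to steal the dataset served by FS01 an intruder must log on to
FS01, and will usually reuse one stolen account across other hosts first.
Predicted evidence:
  1. an account successfully reaching an unusual number of distinct hosts
     within a short window (lateral movement)
  2. a logon to FS01 by an (account, source host) pair absent from the
     baseline of who normally reaches it
The span of the evidence found gives a first, lower-bound answer to
"how long were they in the network?".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry).
# Fields: timestamp, account, source host, target host, outcome
SAMPLE_LOGS = """\
2024-03-04T08:01:10Z alice WS-ALICE FS01 success
2024-03-04T08:03:42Z bob WS-BOB MAIL01 success
2024-03-04T09:15:00Z svc-backup WS-OPS FS01 success
2024-03-05T22:10:05Z bob WS-BOB WS-ALICE success
2024-03-05T22:11:30Z bob WS-ALICE WS-CARL success
2024-03-05T22:12:51Z bob WS-CARL DC01 failure
2024-03-05T22:13:20Z bob WS-CARL DC01 success
2024-03-05T22:14:02Z bob WS-CARL FS01 success
2024-03-06T08:00:00Z alice WS-ALICE FS01 success
"""

# Constructed baseline: (account, source host) pairs that normally reach FS01
BASELINE_FS01 = {("alice", "WS-ALICE"), ("svc-backup", "WS-OPS")}
SENSITIVE_HOST = "FS01"


def parse_logs(text):
    """Parse the constructed line format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "src": src, "dst": dst, "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_lateral_movement(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {account: burst} where a burst is the run of successful logons in
    which the account reached at least `min_hosts` distinct targets within `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["outcome"] == "success":
            by_account[e["account"]].append(e)
    findings = {}
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            burst = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            if len({x["dst"] for x in burst}) >= min_hosts:
                findings[account] = burst
                break
    return findings


def find_unexpected_sensitive_access(events, baseline, host=SENSITIVE_HOST):
    """Successful logons to the sensitive host by pairs missing from the baseline."""
    return [e for e in events
            if e["dst"] == host and e["outcome"] == "success"
            and (e["account"], e["src"]) not in baseline]


def estimate_dwell(flagged):
    """Time between the earliest and latest piece of evidence found (a lower bound)."""
    if not flagged:
        return timedelta(0)
    stamps = [e["ts"] for e in flagged]
    return max(stamps) - min(stamps)


def run_hunt(text=SAMPLE_LOGS, baseline=BASELINE_FS01):
    events = parse_logs(text)
    lateral = find_lateral_movement(events)
    unexpected = find_unexpected_sensitive_access(events, baseline)
    flagged = [e for burst in lateral.values() for e in burst] + unexpected
    return {
        "lateral_movement": {a: sorted({e["dst"] for e in b}) for a, b in lateral.items()},
        "unexpected_access": [(e["ts"].isoformat(), e["account"], e["src"]) for e in unexpected],
        "dwell": estimate_dwell(flagged),
    }


if __name__ == "__main__":
    for key, value in run_hunt().items():
        print(f"{key}: {value}")
```

In the constructed data the account `bob` reaches four hosts in four minutes and ends on FS01 from a workstation it has never used, so both predictions of the hypothesis hold; the dwell figure covers only the evidence found so far and is refined as the hunt widens to earlier logs and other sources.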
Our Aon team relies on proven cyber threat hunting techniques to guide our work, which we calibrate to align with the needs of your operation and cyber risk tolerance. Importantly, our mission goes far beyond finding malicious code in your network. We seek to identify any threat actor operating in, or with persistent access to, your network, so you can kick them out and prevent similar attacks from happening in the future.
Cyber threats are evolving rapidly, and risk mitigation is an ongoing challenge. The decisions an organization makes will prove critical to its cyber resilience. Given the current threat landscape, we recommend a regular proactive cyber threat hunt with Aon to build cyber resilience.
How Aon Can Help
- Endpoint Detection and Response Deployment and Monitoring
Does your company need an advanced endpoint security tool? If so, we can deploy market-leading EDR tooling during our engagement to help identify threats. Or, if you already have a tool in place, our experienced threat hunters can utilize any major EDR platform to search for threat actor activity.
- Device Forensic Review
Do you have computers, network appliances, servers or mobile devices that are currently unprotected or show indicators of compromise? Our team is well-versed in performing fast and thorough forensic analysis to establish whether a device has been accessed by a malicious actor.
- Cloud Threat Hunting
Does your infrastructure reside in Azure, Google Cloud, AWS or a similar cloud service? Moving data to the cloud does not automatically ensure its security. Our team can analyze your cloud instance(s) and/or infrastructure to identify whether cyber criminals are currently accessing your systems.
- Network Log Review
Network logs can often show how an attacker got into a computer network and moved laterally through it. Our team can review the logging already in place and, where necessary, deploy sensors or collectors to capture network traffic.
- Deep/Dark Web Scan
What activity references your company on the deep and dark web? Our team regularly performs dark web intelligence gathering and analysis to assess online targeting and the external-facing risk exposure of your external assets, breached data, compromised credentials or other online security vulnerabilities.
- Customized Client Approach
We’ve responded to thousands of cyber incidents over many years and know every business has a unique cyber footprint. Therefore, every client deserves a cyber threat hunt designed to align with the specific needs of their network setup and layout.