Getting Started With Threat Hunting
Practical guidance on preparing to search for and neutralize elusive cyber threats
The practice of threat hunting has become critical in stopping today’s elusive human-led cyber threats – but it isn’t easy.
In this new report, we provide guidance on getting you started with threat hunting. Drawing on the insights from Sophos’ team of expert incident responders and security analysts, the report covers:
- What threat hunting is and why it has become so important
- A summary of the tools and frameworks security teams are leveraging to support their threat hunting objectives
- The five steps IT professionals should follow to prepare for threat hunting
The report also looks at how Sophos’ best-in-class solutions are enabling security teams to hunt down and eliminate elusive security threats.
The state of cyber threats in 2022
Attacks have increased in volume, complexity, and impact
The cybersecurity challenge facing organizations continues to grow. Over the last year, 57% of organizations experienced an increase in the volume of cyberattacks, 59% saw the complexity of attacks increase, and 53% said the impact of attacks had increased. Almost three in four (72%) saw an increase in at least one of these areas.
A growing trend is an increase in supply chain attacks, such as the SolarWinds incident revealed in March 2021. Attackers had inserted modified instructions into the source code of SolarWinds’ Orion solution, which is used to manage complex networks remotely. This backdoor enabled the adversaries to access the networks of SolarWinds’ customers, including several government agencies.
Ransomware is a real threat to all organizations
66% of organizations were hit by ransomware in the last year, up from 37% in 2020. This is a 78% increase over the course of a year, demonstrating that adversaries have become considerably more capable of executing attacks at scale.
The growing use of legitimate tools in cyber attacks
Adversaries are increasingly taking advantage of bootleg or pirated copies of legitimate, off-the-shelf software and of free, open-source tools. Typically, these tools are designed to simulate cyberattacks in order to improve security, but they can be exploited by criminals to do the opposite. Tools like Mimikatz (used by penetration testers and malware authors alike), while not strictly commercial offerings, were used widely, appearing in nearly every hands-on-keyboard incident Sophos investigated over the past year.
Also, notably dominant (thanks to its source code being leaked in 2020) were pirated copies of Cobalt Strike (an adversary simulation software), which were not only used in ransomware attacks but also dropped as an initial payload of other malware.
How Sophos can help
As we’ve already mentioned, effective threat hunting is incredibly complex, requiring next-generation technologies coupled with extensive human expertise. Fortunately, Sophos can support your threat hunting objectives irrespective of your cybersecurity maturity.
Preventing threats from breaching your network – Sophos Intercept X Endpoint
Threat hunters can only conduct their roles efficiently if they aren’t inundated with security alerts. One way to achieve this is to introduce best-in-class prevention technologies so that defenders can focus on fewer, more accurate detections and streamline the subsequent investigation and response process. Enter Sophos Intercept X Endpoint.
Sophos Intercept X is the industry-leading endpoint security solution that reduces the attack surface and prevents attacks from running. Combining anti-exploit, anti-ransomware, deep learning AI, and control technology, it stops threats before they impact your systems. Intercept X uses a comprehensive, defense-in-depth approach to endpoint protection rather than relying on one primary security technique.
The prevention capabilities in Sophos Intercept X endpoint protection block 99.98% of threats (AV-TEST average score Jan-November 2021). Defenders can then better focus on the suspicious signals that require human intervention.
You can learn more about Intercept X Endpoint here.
Conducting threat hunts yourself – Sophos XDR
Designed for security analysts working in dedicated SOC teams and IT administrators covering security and other IT responsibilities, Sophos XDR enables your team to detect, investigate, and respond to incidents across endpoint, servers, firewall, cloud workloads, email, mobile, and more.
Immediately get to the information that matters to you by choosing from a library of pre-written, customizable templates covering many different threat hunting and IT operations scenarios – or write your own. You have access to live device data, up to 90 days of on-disk data, 30 days of data stored in the Sophos Data Lake cloud repository, and an automatically generated list of suspicious items, so you know exactly where to start.
If you would like to try out Sophos XDR to conduct your own threat hunts, Sophos gives you the tools you need for advanced threat hunting and security operations hygiene. You can either start an in-product trial (if you have a Sophos Central account) or take a trial of Sophos Intercept X, which includes XDR.