Threat hunting—a method for proactive security work

Interview with Emil Johansson, security analyst

By working preventively and methodically, a company can identify risks and threats at an early stage. Proactive security work is therefore an important part of achieving balanced security across all operations and thereby reducing the risk of intrusion in critical systems. We interviewed Sectra’s security analyst Emil Johansson about one of these methods for proactive security—threat hunting.

What is threat hunting?

Threat hunting is a method used in proactive security that entails investigating saved log data, based on the hypothesis that deviations from normal behavior have taken place. This way, signs that someone has tried to break into an operation’s critical systems and networks can be identified. By building searches (hunt queries) in the log system and examining their hits, analysts gather the information needed to write detection rules that the monitoring system will use to react automatically in the future.

“Thanks to these investigations, we gain information that helps strengthen the security system’s detection ability, regardless of whether we find a potential risk or indications of a cyberattack,” explains Emil.

This method is intended to survey risky or damaging behavior from an actor in the system, making it possible to apply rules in all operations that use this type of proactive security.

If we perform a threat hunt for one customer, it benefits all of our customers.

Emil Johansson, security analyst

The rules created in the monitoring system are generic and pertain only to the security system’s design. They don’t reveal anything about a specific customer’s data. This method also provides a clear overview of which systems are used by whom in the organization, and how clients use the systems every day. This allows for specific adaptations and configurations for each customer’s system based on security, needs and demands. In this method, each threat hunt carried out builds better protection.

What are the advantages of using threat hunting as a supplemental method in proactive security?

The first step in threat hunting for a new customer is to go through the operating system logs as well as network traffic, which have hopefully been saved. The more logs a customer has saved, the more data there is to work with.

The biggest advantage of using threat hunting is obtaining an understanding and overview of the activity in the critical networks of an operation. Working methodically with threat hunting offers customers the opportunity to identify risks and threats. It also provides them with a good overview of what has already happened in the network and what is happening right now, so they can better prepare themselves for what might happen in the future.

“Going back to saved logs is a huge advantage, since it allows us to detect whether anyone has previously attempted or succeeded in accessing the network. When we work with threat hunting in a network, we always look for signs or deviations from normal behavior. If we see something unusual, we can compare the behavior with the MITRE framework to see if it follows a previously observed attack pattern.”
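The method described above (learn what normal looks like from saved logs, search recent logs for deviations, then turn the hits into generic detection rules that contain no customer data) can be shown end to end on a tiny scale. The following script is an added example written for this article; it is not Sectra's tooling. The authentication log lines are constructed, the three hunts (off-hours logon, logon to an unseen host or from an unseen source, a burst of failures followed by success) are chosen for illustration, and the MITRE ATT&CK technique tags attached to the generated rules are this example's own assumption about a reasonable mapping.

```python
"""Toy threat hunt: baseline from saved logs, hunt recent logs, emit generic rules."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (made up for this example, not customer data).
# Fields: ISO timestamp, account, target host, source IP, logon result.
BASELINE_LOGS = """\
2024-03-01T08:12:03 alice ws-01 10.0.1.5 success
2024-03-01T08:40:11 bob ws-02 10.0.1.6 success
2024-03-02T09:02:45 alice ws-01 10.0.1.5 success
2024-03-02T13:15:20 alice fileserver 10.0.1.5 success
2024-03-03T08:05:59 bob ws-02 10.0.1.6 success
2024-03-03T17:30:00 bob fileserver 10.0.1.6 success
""".splitlines()

RECENT_LOGS = """\
2024-03-10T08:10:00 alice ws-01 10.0.1.5 success
2024-03-10T02:41:10 bob ws-02 10.0.1.6 success
2024-03-10T02:43:00 bob dc-01 10.0.1.6 failure
2024-03-10T02:43:05 bob dc-01 10.0.1.6 failure
2024-03-10T02:43:11 bob dc-01 10.0.1.6 failure
2024-03-10T02:43:20 bob dc-01 10.0.1.6 success
2024-03-10T10:00:00 alice fileserver 10.0.1.5 success
""".splitlines()

# Illustrative rule templates; the ATT&CK technique mapping is an assumption of this example.
RULE_TEMPLATES = {
    "failures_then_success": ("Successful logon preceded by >= {n} failures for the same account, host and source", "T1110"),
    "new_user_host_or_source": ("Account logs on to a host, or from a source, not present in its baseline", "T1078"),
    "off_hours_logon": ("Successful logon outside the account's usual hours", "T1078"),
}


def parse(line):
    """Split one constructed log line into a dict with a real datetime."""
    ts, user, host, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host, "src": src, "result": result}


def build_baseline(lines):
    """Learn 'normal' per account: hosts, source IPs and logon hours seen in saved logs."""
    baseline = defaultdict(lambda: {"hosts": set(), "srcs": set(), "hours": set()})
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue
        b = baseline[ev["user"]]
        b["hosts"].add(ev["host"])
        b["srcs"].add(ev["src"])
        b["hours"].add(ev["ts"].hour)
    return baseline


def hunt(lines, baseline, fail_threshold=3):
    """Run the hunts over recent logs and return every deviation as a finding dict."""
    findings = []
    fail_streak = defaultdict(int)  # consecutive failures per (user, host, src)
    for ev in map(parse, lines):
        key = (ev["user"], ev["host"], ev["src"])
        if ev["result"] == "failure":
            fail_streak[key] += 1
            continue
        # Hunt 1: a burst of failures that ends in a success for the same triple.
        if fail_streak[key] >= fail_threshold:
            findings.append({"hunt": "failures_then_success", "count": fail_streak[key], **ev})
        fail_streak[key] = 0
        b = baseline.get(ev["user"])
        # Hunt 2: unknown account, or known account on an unseen host / from an unseen source.
        if b is None or ev["host"] not in b["hosts"] or ev["src"] not in b["srcs"]:
            findings.append({"hunt": "new_user_host_or_source", **ev})
        # Hunt 3: logon outside the account's usual hours (one hour of tolerance either side).
        if b is not None and not (min(b["hours"]) - 1 <= ev["ts"].hour <= max(b["hours"]) + 1):
            findings.append({"hunt": "off_hours_logon", **ev})
    return findings


def to_detection_rules(findings, fail_threshold=3):
    """Turn hits into generic rules: one per hunt type, no account names, hosts or IPs."""
    rules = []
    for hunt_name in sorted({f["hunt"] for f in findings}):
        desc, technique = RULE_TEMPLATES[hunt_name]
        rules.append({"name": f"auth.{hunt_name}", "logic": desc.format(n=fail_threshold), "mitre_technique": technique})
    return rules


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for f in hunt(RECENT_LOGS, base):
        print(f["hunt"], f["ts"].isoformat(), f["user"], f["host"], f["src"])
    for r in to_detection_rules(hunt(RECENT_LOGS, base)):
        print(r)
```

On the constructed data the hunt surfaces four findings for the `bob` account (an off-hours logon, three failed logons to `dc-01` followed by a success, and that `dc-01` not being in the account's baseline), while the generated rules describe only the pattern, which is what lets a rule derived from one customer's hunt be applied for all of them.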

Why is proactive security important?

Proactive security is important from several perspectives, but most of all this approach helps a client establish continuous operations by working preventively to manage threats and risks to their critical networks. An interruption in their critical production can have serious consequences for society and result in large expenses for the operations. Working proactively with security means that operations can stay one step ahead of attackers and reduce the risk of production stoppages.

Three tips for proactive security

There is never any guarantee that an incident won’t occur, but there is a lot a customer can do to reduce the consequences of a potential attack. The most important thing is to work proactively with security and to always try to anticipate which threats and risks are present in order to detect abnormal network activity. Here are three tips from Emil for how a company can work proactively with security:

  1. One of the most important things a company can do is to train its employees and give them the tools they need to avoid human error, such as clicking on a suspicious link. If employees are well prepared and have the necessary expertise, this reduces the risk of a mistake that will affect production.
  2. Make regular backups of all critical systems, as well as log data, which can be easily restored. If the worst happens and a company suffers an attack, or systems are locked due to something like ransomware, operations can rebuild their systems with the backups that have been made. However, this requires backups that have been kept updated and separate from the system.
  3. The last tip is to implement central monitoring of network traffic and logs connected to security. Start by logging a central server with a lot of traffic that has good network coverage to get access to as much data as possible. This is a very powerful tool for working proactively with security and for identifying risks and threats in critical systems. It helps a company detect suspicious activity early on, which allows it to avoid an attack and thereby reduces the risk of a production stoppage.
