
Getting started with threat hunting

By the time you realise a vulnerability has been exploited, hackers may have already caused enormous damage. Threat hunting allows you to introduce proactive processes into your defences, identifying – and remediating – previously unidentified weaknesses as early as possible to reduce the dwell time.

So how do you get started with threat hunting?

  1. Subscribe to reputable threat intelligence providers

The modern IT environment can be incredibly complex, especially where it’s a mixture of on-premises and cloud. Software, hardware, and hosted services all present their own threat vectors and attack surfaces, with new ones being discovered and developed every day. Trying to stay on top of emerging threats is a full-time job in itself, diverting important resources from other strategic projects.

One proactive approach to mitigating threats is to subscribe to updates from reputable threat intelligence providers; choosing ones specific to your industry will give you more actionable intelligence. This gives you a constantly updated list of the latest threats directed at your industry sector and affecting the various components that make up your infrastructure.

You can use the Microsoft Sentinel SIEM platform to hunt your infrastructure logs for the malicious indicators detailed by your threat intelligence provider. You should only need to do this manually once: Microsoft Sentinel can ingest the provider's indicators into its threat intelligence feeds, so you will be alerted should they appear on your IT estate without any additional hunting.

New to Microsoft Sentinel? Check out our new eBook ‘The Operational and Commercial Benefits of Azure Sentinel’.

  2. Know what you are looking for

Conducting a threat hunt takes a little planning. Before beginning, you need to define your Prioritised Intelligence Requirements (PIRs). PIRs are the types of threat you are going to look for, such as:

  • Data being exfiltrated from the company network
  • Unusual network activity, indicating malware is potentially present
  • Application usage from outside the company firewall that may be unauthorised

Without defining PIRs in advance, your threat hunting activities will lack focus – and yield less useful results.

Knowing what to look for is also important to ensure you can maximise time spent hunting threats. Your team may only be able to dedicate a few hours per month to the task – so you need to be sure that time is being spent effectively.

  3. How to look for threats

The Microsoft Sentinel console offers built-in threat hunting tools that automate much of the processing. Threat hunting is conducted by running queries against the data collected and processed by the security information and event management (SIEM) platform.

Microsoft Sentinel queries are written in the Kusto Query Language (KQL), enabling you to build powerful filters that can reveal issues that have not been identified by your other security systems. Microsoft Sentinel includes a substantial number of pre-built queries to help you get started and to familiarise yourself with the language.

Using your PIRs for guidance, you can build out and execute queries that can comb event logs to answer those questions.
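A hunting query of the kind this step describes, written as an added example for the first PIR above (data being exfiltrated); it is not a query from the original post or one of Sentinel's built-in ones. It assumes firewall logs land in the standard CommonSecurityLog table and indicators in ThreatIntelligenceIndicator, and the 500 MB daily threshold is an assumed starting point to tune against your own baseline.

```kql
// PIR: data being exfiltrated from the company network.
// Per internal host: outbound volume to external destinations over the last 24h,
// enriched with any active threat-intelligence indicators for those destinations.
// Table and column names follow the standard Microsoft Sentinel schema.
let lookback = 24h;
let volume_threshold = 500 * 1024 * 1024;   // bytes per day; assumed value, tune to your baseline
// Latest copy of each indicator, keeping only those that are still active and unexpired
let active_ti =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(90d)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | extend IndicatorIP = coalesce(NetworkDestinationIP, NetworkIP)
    | where isnotempty(IndicatorIP)
    | project IndicatorIP, ConfidenceScore, ThreatType, Description;
// Outbound flows only: private source, non-private destination, bytes actually sent
let outbound =
    CommonSecurityLog
    | where TimeGenerated >= ago(lookback)
    | where isnotempty(SourceIP) and isnotempty(DestinationIP) and SentBytes > 0
    | where ipv4_is_private(SourceIP) and not(ipv4_is_private(DestinationIP))
    | project TimeGenerated, SourceIP, DestinationIP, SentBytes;
// Volume profile per host
let by_host =
    outbound
    | summarize TotalSentBytes = sum(SentBytes),
                Connections = count(),
                DistinctDestinations = dcount(DestinationIP)
              by SourceIP;
// Hosts that talked to a destination matching an active indicator
let ti_hits =
    outbound
    | join kind=inner active_ti on $left.DestinationIP == $right.IndicatorIP
    | summarize TiHits = count(),
                TiThreatTypes = make_set(ThreatType),
                TiDestinations = make_set(DestinationIP)
              by SourceIP;
by_host
| join kind=leftouter ti_hits on SourceIP
| extend TiHitCount = coalesce(TiHits, 0)
// Surface a host if it exceeds the volume threshold OR touched a known-bad destination
| where TotalSentBytes > volume_threshold or TiHitCount > 0
| extend TotalSentMB = round(TotalSentBytes / 1048576.0, 1)
| project SourceIP, TotalSentMB, Connections, DistinctDestinations,
          TiHitCount, TiThreatTypes, TiDestinations
| order by TiHitCount desc, TotalSentMB desc
```

Hosts returned are hunting leads to triage, not confirmed incidents; once the logic is tuned, the same query can be saved as a scheduled analytics rule so the check runs without a human driving it.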

  4. Get some expert guidance

Threat hunting is extremely powerful – and quite complex. Your team needs time, resources and expertise to craft threat hunting queries that really work.

There is a steep learning curve when using Microsoft Sentinel threat hunting features. Your team may lose many productive hours learning even the basics of threat hunting queries – time that may be better spent on other activities.

The fastest and most effective way to take your proactive security measures to the next level is by working with a partner who has Microsoft Sentinel expertise. A good partner will also already have access to a variety of threat intelligence subscriptions that you could take advantage of. They will be able to configure the threat intelligence signatures, and to help you identify the most relevant PIRs for investigation. They can even build out the necessary queries and analyse and action the results.

Speak to our threat hunting team about how our service could support you