SEARCH for Hidden Cyber Threats: 6 Steps to Unleash a Hyper-effective Threat Hunting Team

SEARCH is a carefully-tuned methodology that balances people, process and technology for threat hunters actively searching for, and disrupting, distinctly human threats.

Scott Taschler, Director of Product Marketing for CrowdStrike

December 6, 2021

4 Min Read
Macro shot of Needle hidden in a haystack.
Source: Stuart Burford via Alamy Stock Photo

Your cybersecurity defenses might be chock-full with every established threat-blocking mechanism there is — firewalls, secure web and email gateways, antivirus protection and more — but with today’s threat landscape, it is likely only a matter of time before sophisticated adversaries evade all of those well-established defenses and gain a foothold in your systems.

On average, cybercriminals are able to take this initial access and move laterally toward their ultimate goal within 92 minutes, according to CrowdStrike’s 2021 Threat Hunting Report. Even more concerning, in more than 1/3 of the incidents (36%), it took attackers less than 30 minutes to carry out their objectives. Old attack methods — and current defenses — are mostly centered on malware strategies. But, attackers are increasingly relying on malware-free techniques. The research shows that 68% of incidents over a three-month period were not malware-based and therefore flew under the radar. Defenders need to adapt to this new reality if they want to avoid a costly breach.

Today's autonomous detection technology can be very effective at thwarting the vast majority of attack activity but cannot guarantee foolproof defenses. This is why threat hunters — human analysts who actively search for and disrupt distinctly human threats — are a last line of defense. Technology gives us a strong first pass at detection, but human threat hunters can take efforts the last mile and identify the wolves who might have slipped past the gates.

Threat Hunting Anchored in SEARCH

Optimal threat-hunting processes dictate that threat hunters carry out the following six steps in an iterative “SEARCH” cycle.

  • Sense

  • Enrich

  • Analyze

  • Reconstruct

  • Communicate

  • Hone

Sense: To hunt for threats, you need hunting grounds. Collecting deep and broad telemetry data that comprehensively captures behaviors and activity across the entire organization's network lays a strong foundation. It establishes the boundaries for the hunt, allowing hunters to focus and target their efforts.

Enrich: To understand what the telemetry data is telling you, you need to enrich it with context and threat intelligence. Without enrichment, it can be difficult to make sense of raw telemetry data, making it much more likely to miss an attack. Questions to ask: What does “normal” look like in our enterprise environment? What do we know about attacker activity? Which systems tend to connect to each other? Sifting data through this context sieve allows for a more targeted hunt for possible non-malware attacks.

Analyze: Threat hunters analyze the data points to decide whether to validate the suspicious activity they might be seeing. It involves working with complex statistical methods, examining outliers and carrying out frequency analysis. Threat hunters make educated guesses and test those hypotheses to figure out where and how a determined attacker might operate in attempts to remain unseen. To be effective, this process requires the ability and expertise to think like a seasoned attacker — a skill that can only be honed by thousands of hours of advanced, highly focused and meticulous threat hunting experience. The human element is most important in this stage of the SEARCH process because hunters’ knowledge can be applied across multiple threat behaviors and possible intrusions.

Reconstruct: Once the threat hunter has decided that a particular intrusion warrants closer inspection, it’s time to dig in and paint a picture of events that might have led to the breach. How far has it spread, and has it inflicted any damage yet? Does it make sense that this threat surfaced the way it did? Fleshing out a more thorough picture ensures that defenders have all of the information they need to respond to the threat quickly and decisively.

Communicate: When an intrusion has been validated and the current scope has been captured, the threat hunter will relay the information to your security operations center (SOC) so they can respond and thwart attacks effectively.

Hone: The insights derived from a successful threat hunt can be used to inform the technical security controls so that future intrusions of a similar nature can be spotted and disrupted more quickly and autonomously. This helps threat hunters focus their skills on uncovering new and novel methods of cyberattacks. Technology and threat hunters work hand in hand, augmenting each other’s strengths.

Continuous SEARCH for Threats

At the end of the day, the best way to stop a smart, creative and determined intruder is with a smart, creative and determined defender who is armed with the right technology and the right processes — around the clock.

The SEARCH methodology provides a solid framework for threat hunting, but for it to truly be effective, putting SEARCH into practice 24/7 is crucial. Remember, it only takes 92 minutes for an attack to move deep into your system — whether that’s at 2 p.m. or 2 a.m. Making your SEARCH operation continuous is the simplest way to ensure this methodology works best to keep your data safe.

About the Author(s)

Scott Taschler

Director of Product Marketing for CrowdStrike

Scott Taschler is a 20+ year veteran of the cybersecurity industry, with a strong focus on security operations, threat hunting, and incident response. In his current role as Director of Product Marketing for CrowdStrike, Scott works with organizations all around the globe to understand the biggest barriers to productivity in their security operation center (SOC) and how the most successful organizations are driving dramatic improvements in speed and efficacy. Prior to CrowdStrike, Scott served as a technical leader and Principal Engineer for McAfee, gaining deep expertise in IR, SIEM engineering, threat intelligence, and other building blocks to a successful SOC. Scott is based in Minneapolis, Minn.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights