
Cyber Threat Hunting

Delivered by Stroz Friedberg Incident Response

What is Cyber Threat Hunting?

Threat hunting is the practice of systematically and proactively looking for malicious cyber activity inside your organization’s network. It is a critical element in defending against cyber attacks, mitigating the impact of intrusions already inside your network, and establishing a complete approach to cyber resilience.

Importantly, effective cyber threat hunting cannot be achieved solely by deploying software and hardware technologies to scan for malicious code. We know this because cyber threat actors regularly penetrate and lurk within corporate networks for prolonged periods of time—over 200 days on average—before being detected.

In today’s fast-moving cyber environment, organizations need skilled and experienced cyber incident response professionals to serve as threat hunters who can leverage sophisticated tools and situation-specific methodologies to anticipate both known and unknown cyber threats. 

When Should You Conduct a Threat Hunt?

It is always best practice to perform cyber threat hunts on an annual basis as part of your cyber resilience strategy. However, it is also important to perform targeted threat hunts when major changes take place in your environment or uncertainty is identified. Examples of situations that may necessitate a threat hunt include:

  • Identification of a major vulnerability (such as Log4j) or breach (such as SolarWinds) on a critical asset or software your organization uses.
  • M&A activity, to ensure you are protected against “buying a breach.”
  • Periods of major system change, to ensure attackers don’t take advantage of disruption.
  • After a cyber event, to provide confidence to third parties that your organization hasn’t remained actively compromised.
  • Annual cyber resilience assessments, to check whether your cyber strategy, controls and cyber risk mitigation processes are working as planned.

To learn more about launching a cyber threat hunt for your business, either on an ongoing basis or to address a recent event, contact our team. 

What are Common Cyber Threat Hunting Techniques?

Our Stroz Friedberg team relies on proven cyber threat hunting techniques to guide our work, which we calibrate to align with the needs of your operation and cyber risk tolerance. Importantly, our mission goes far beyond finding malicious code in your network. We seek to identify any threat actor operating in, or with persistent access to, your network, so you can kick them out and prevent similar attacks from happening in the future. Our methods include:

Intelligence-Based Hunting

Regardless of the tactics, techniques and procedures (TTPs) a threat actor uses to compromise a computer network, they will leave footprints behind. These clues, or patterns, provide valuable intelligence to experienced cyber threat hunters, who can then quickly zero in on root causes and potential remedies.

Cyber threat actors can use sophisticated approaches to compromise a network. For example, the use of tools built into Microsoft Windows, macOS, and Linux/Unix to blend in with normal activity is on the rise. This behavior is often overlooked by security software because the tools themselves are expected network and computer activity.

Leveraging our deep knowledge of threat actor tactics and behaviors, coupled with active monitoring of cyber threat intelligence, our team can help to identify even the most careful attackers who would otherwise go unnoticed.

Situation- or Event-Based Hunting

There are multiple ways an organization can learn about actual or potential threats inside its network, including finding a ransomware note on a computer, receiving a notification from law enforcement or an intelligence agency, receiving an antivirus alert, or hearing from the finance department that a fraudulent wire transfer just occurred.

In all cases, whether the incident has a clear starting point or an uncertain origin, you must act immediately to answer several key questions. A situation- or event-based threat hunt seeks to answer these questions, including:

  • Who is the threat actor and are they credible? It is important to know who you are dealing with and whether they are a known or unknown actor. Are they an opportunistic hacker, a well-known criminal group, or a nation state?
  • How did the threat actor initially access your network? Once identified, these vulnerabilities need to be addressed as quickly as possible.
  • Where did the threat actor go in your network and what did they do? Did they read emails, access specific datasets and systems, or take and sell information, among other things?
  • How long was the threat actor in your network? The answer to this question will help you assess potential damage and will help to better inform potential customer outreach.

Answering some or all of these questions will be important to your recovery and rebuilding a formidable cyber security posture.

Hypothesis-Based Hunting

Imagine a scenario where your company receives information that a specific dataset you own is the target of a known and capable threat actor. What should you do next?

In these cases, our team will launch a hypothesis-driven threat hunt, which starts by asking the question: “If I were a hacker, how would I try to steal this data?” From there, we ask: “If I undertook an attack of this nature, what evidence would I leave behind, and what could someone do to find this evidence?”

Working backwards from the outcome your organization is trying to avoid, our cyber threat hunters can help identify evidence of past attacks, successful or failed, and sometimes even detect and interrupt cyber attacks in progress. 

How Aon Can Help

We’ve responded to thousands of cyber incidents over many years and know every business has a unique cyber footprint. Therefore, every client deserves a cyber threat hunt designed to align with the specific needs of their network setup and layout.

With this in mind, our diverse threat hunting teams bring Stroz Friedberg’s unique experience in digital forensics, law enforcement, and technical and risk management to bear, allowing us to build programs around the needs and capabilities of your business. Some examples include:

Endpoint Detection and Response Deployment and Monitoring

Does your company need an advanced endpoint security tool? If so, we can deploy market-leading EDR tooling during our engagement to help identify threats. Or, if you already have a tool in place, our experienced threat hunters can utilize any major EDR platform to search for threat actor activity.

Device Forensic Review

Do you have computers, network appliances, servers or mobile devices that are currently unprotected or show indicators of compromise? Our team is well-versed in performing fast and thorough forensic analysis to establish whether a device has been accessed by a malicious actor.

Cloud Threat Hunting

Does your infrastructure reside in Azure, Google Cloud, AWS or a similar cloud service? What about your email? Moving data to the cloud does not automatically ensure its security. Our threat hunting team can analyze your cloud instance(s) and/or infrastructure to identify whether malicious actors are currently accessing your systems.

Network Log Review

Network logs can often show how an attacker got into a computer network and moved laterally through it. Our team can review the logging already in place and, where necessary, deploy sensors or collectors to capture network traffic.

Deep/Dark Web Scan

What activity references your company on the deep and dark web? Our experienced team regularly performs dark web intelligence gathering and analysis to assess whether your organization is being targeted and to identify exposed external assets, breached data, compromised credentials, or other online security weaknesses. Understanding that information can be critical to a successful threat hunt.

Cyber attacks continue to become more frequent, targeted, sophisticated and costly. This means companies shouldn't wait for a visible or disruptive cyber event to occur, such as ransomware or a large fraudulent financial loss, to realize they have been compromised. Given the current threat landscape, we recommend a regular proactive cyber threat hunt with Stroz Friedberg to build cyber resilience.



About Us
Cyber security services are offered by Stroz Friedberg Inc., its subsidiaries and affiliates. Stroz Friedberg is part of Aon’s Cyber Solutions, which offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.