Symantec’s Threat Hunters

When it comes to investigating attacks and advanced threat actors, the capabilities of Symantec, by Broadcom Software, are robust. The Symantec Threat Hunter Team follows a detailed and highly successful process of shining a light on attacks and the groups behind them, whether they be espionage groups or high-level cybercrime operations capable of extorting millions of dollars from their victims.

Our investigations allow us to build a broad picture of the attack, including a profile of the attackers, and the tools, targets, and motivations behind it. The goal is to develop actionable intelligence. These insights are used to improve our products’ ability to protect against critical threats. We often share this information with customers as well in order to keep them up-to-date on the adversaries they face.

Our Threat Hunter organization behind this process is a multidisciplinary group split into three teams who collaborate closely, and the work of each team often feeds into that of the others.

The analysts on the front line who investigate incidents on customer networks and hunt for new threats are our Threat Hunting and Threat Research Team.

Their work feeds into the Security Intelligence and Analytics Team, which uses these initial findings to continually train our machine learning analytics technology to automatically find similar patterns of potentially suspicious activity. The resulting analytics give the Threat Hunting and Research team new leads for further investigations. They also trigger the creation of alerts in the EDR console, informing customers of potentially malicious activity.

Once the findings are documented, our Threat Intelligence Content team creates a range of materials for customers. They produce documents with actionable information about new tools or tactics associated with a known threat actor via “Threat Alerts”. These short reports list all available indicators of compromise (IOCs) linked to the threat, in addition to additional contextual information. In cases where they know a potentially critical breach is underway on a customer’s network, they also will reach out to the contact directly.

This is one reason why Threat Alerts have received high marks from our customers and partners.  Ultimately, they have helped stop many ransomware attacks before the attackers had a chance to steal or encrypt data.  

The Threat Intelligence Content Team also produces the Threat Landscape Bulletin, a daily digest of the big cybersecurity news stories, and two white papers per quarter. These are longform research pieces discussing a major threat or trend that’s active on the cybercrime landscape, such as ransomware or Living-off-the-Land tactics. Other papers focus on particular threat actors, such as our upcoming paper on Russian espionage groups. All of this valuable intelligence is available to customers.

Our Threat Hunter team is continually on top of the threat landscape and has taken the lead in uncovering significant new threats. In March of this year, we lifted the lid on Daxin, which is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-sponsored espionage group. Going by its capabilities, Daxin is certainly a key tool in China’s cyber arsenal. It is optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions.

The Symantec Threat Hunter team also has been highly active in responding to threats linked to the Russian invasion of Ukraine. Because of this we were able to share IOCs relating to Russian attacks against Ukraine in the hours preceding the launch of the invasion, and, since then, we regularly publish updates with new information on recent attacks.

Find out more about how our Symantec Threat Hunter group remains vigilant against cyberattacks large and small with the information below.