Where Are All the Threat Hunters?

Threat hunting likely ranks second after artificial intelligence as a leading cybersecurity marketing buzzword and top airport advertising theme. Why not hunt for threats when dwell time between attack infections and detections can take months? Hiring threat hunters could change the playing field dynamics so if attackers make a mistake, they risk being detected. Sounds good, however, the real answer is more complex.

Know the Differences Between Threat Detection, Threat Modeling and Threat Hunting  

Threat detection leverages multiple detection techniques from signatures, rules and patterns to anomaly detection, machine learning and behavioral analysis to find known threats, query or model. Matching indicators of compromise to various data sources is a form of threat detection and so is searching a security data lake. It is all too common for security and service vendors to incorrectly market threat detection as threat hunting.

Threat modeling is a proactive process to improve applications, systems and network security by assessing potential risks, threats and vulnerabilities often from an attacker’s perspective, and then prioritize countermeasures to address the effects. This practice is maturing and will be increasingly important for cloud, internet of things, and autonomous solutions for converged information technology/operation technology networks.

Threat hunting is a proactive, analyst-centric, iterative and interactive ad hoc process driven by expert intuitive hypotheses assuming a breach. The practice combines security expertise, data analyst skills and creative thinking upon a knowledgebase across applications, systems and networks. This is usually implemented by only the most mature security organizations.

Why Is Threat Hunting So Hard to Do?

The traditional security approach has been signature-based and identifying malware and threats that are known to be bad. Adversaries know this model and work to bypass it with a wide range of techniques. In order to find attackers, you need to look as deep into your network as they’re hiding. Unfortunately, most “advanced” threat solutions don’t go that deep and are narrowly focused on finding malware coming in and command and control traffic beaconing out. If you’re only looking for malware and the attacker isn’t using it, you won’t find them. This is where advanced detection and the ability to hunt for threats come into play.

We sponsored research this year which found fewer than a fifth of organizations have a dedicated threat hunting team. Most threat hunters are senior-level security professionals with years of operational or threat-related experience—think of them as the Navy Seals of the security team. These folks have unique expertise and capabilities in the hunt for “unknown” threats. While an incident responder goes into action when they are notified of a potential attack, a threat hunter flips that model on its head to proactively looks for trouble and indicators of compromise before an attack occurs. Like the best criminal investigators, a threat hunter must have techniques, tactics and procedures, known as TTPs, on the adversary to start the hunting process.

Additionally, organizations need to support threat hunting with the right tools and data. Rich metadata collected from networks, endpoints and cloud environments allows for cross-session analysis, multifaceted and behavior analysis, and is critical for post-breach investigations of the unknown. The alternatives to metadata are SIEM or log data often not providing the necessary content and context.

When it comes to threat hunting, you have an unknown—an alert, anomaly, some data, or hypothesis. Even with emerging technology, the deception alert requires analysis to find out how and where the attack entered, what TTPs were used, and determine what other systems were impacted. 

More Organizations Want to Hunt for Threats But How Do They Get from A to B?

Companies are advised to have mature threat detection and alert triage skills before considering threat hunting. Hypotheses for threat hunting mainly come from the expert intuition of security analysts and include past incident data, threat actor capabilities, red team and threat simulation artifacts, threat intelligence, and anomalies. For example, traffic to dynamic DNS sites indicating exfiltration or command and control, unusual child processes may indicate exploitation, known file names with uncommon paths masquerading as Windows processes, or the presence of RAR files for attack staging.

The most popular tools for threat hunting are endpoint detection and response (EDR) and network traffic analysis (NTA) with automated duties to help gain direct visibility of unknown advanced attacks. Hidden behind these tools is metadata for real-time and retrospective analysis by content and context not possible with NetFlow data, logs and events. While threat hunting is a human hypothesis-driven iterative process, automation can be applied to data collection, investigation and response. Network sensors and endpoints can automatically collect vital metadata, plus trigger automated recordings of forensic evidence. Automation can be applied to investigation steps often performed manually by security analysts. Once a threat is detected, automated response can isolate a system, terminate a process, wipe a file, or create and use restore points.

Outsourcing threat hunting is one option; however, many service vendors lack in-depth knowledge of your environment for applications, systems and networks, putting them at a disadvantage. Given preventive defenses are in order and IT staffing has limits, enterprises should consider outsourcing managed detection and response (MDR) services to augment security operations. Look to MDR providers with a rich toolset and visibility model beyond services built around Netflow data, SIEMs or just endpoints/EDR managed services, along with that Navy Seal-like team who has fought in the cyber trenches.   

With proactive threat hunting, organizations can shift from being on their heels, waiting for the inevitable and hoping to detect it before real damage is done, to being on their toes. But, with an overall cybersecurity skills shortage, don’t push your security operations center team to threat hunt while they are still battening down the hatches and ensuring basic security protocols are met. If you need to get on the hunt, and don’t have the manpower, consider an MDR service with access to the native data needed to be “on the hunt.”

Tim Roddy is the vice president of cybersecurity product strategy for Fidelis.