Organizations can no longer afford to be just reactive, relying solely on detection and response when it comes to cybersecurity. Threat hunting is the next step. It is a proactive approach to uncovering threats that otherwise go undetected, like multi-stage ransomware attacks and malware that lies dormant in your network until activated to exfiltrate data.
What is Threat Hunting?
Threat hunting is the human-driven process of proactively and iteratively searching through networks and endpoints to detect and isolate advanced threats that have slipped past existing security controls. Because a hunt runs on the defender's schedule rather than waiting for an alert, it can surface an intrusion before the attacker changes tooling, moves further into the environment, or completes their objective. Threat hunting is a necessary component of comprehensive, layered security.
Common Fallacies About Threat Hunting Hold Adoption Back
Recent research from the SANS Institute shows that threat hunting adoption is growing, and that it works: sixty-eight percent of organizations that measure their threat hunting reported a 25% to 75% improvement in overall security posture. However, a lack of staff and skills, along with common misconceptions about what threat hunting is, both stand in the way of broader adoption. Here are some of the fallacies our Netsurion Security Operations Center (SOC) experts have encountered “in the wild,” and what you really need to know about threat hunting.
1. Threat hunting and incident response are the same thing. Threat hunting is “before.” Incident response is “after.” They are not the same thing. When you are threat hunting, you are proactively looking for signs of an incursion or anomalous activity in your network as part of prevention and detection. If you find something, you escalate it so the appropriate IT or IT security owner can act. That action, which follows the hunt and is triggered by what it found, is incident response.
2. Compliance mandates require threat hunting. By compliance mandates, we typically mean the security requirements set out by frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). Their security requirements address two things: security hygiene, and best practices for security configuration. You can be compliant with these regulations and still be breached, because most requirements set a floor, the least common denominator of security, rather than a ceiling. None of these regulations mandates threat hunting; hunting goes above and beyond the baseline they require.
3. Threat hunters have to know what they are looking for. Not always. A threat hunt may be triggered by an alert or alarm that the hunter investigates to determine its cause, by security news coverage of an event such as Log4j, Hafnium, or SolarWinds, or by an internal observation.
These hunts are for a known/known threat: you know what it is and that it is out there, so the hunt asks whether it has touched your environment. The other kind of threat hunting looks for an unknown/unknown threat, the hardest to find. Here the hunter starts from anomalous activity in the network, such as a spike in the number of attacks on a website, a burst of scans against a firewall, or an unusual number of login failures, where “unusual” only has meaning against a baseline of what is normal for that environment. The focus is on Root Cause Analysis (RCA): working back from the anomaly to whatever produced it, whether that turns out to be an attacker or a misconfiguration.
4. Artificial intelligence and Machine Learning can take care of threat hunting. We see Machine Learning (ML) as a force multiplier for threat hunting, not a replacement for it. There are many nuances and variables that human threat hunters are far better equipped to handle. At Netsurion, we use ML for anomaly detection, and human threat hunters then pursue what it surfaces. Can we hand the job entirely to ML? Not yet. The technology today is still limited compared to the scope of the problem, though it is clearly where the field is heading.
5. If you have threat intelligence, you don’t need threat hunting. Threat intelligence and threat hunting are two different things, and you need the former to do the latter. Threat intelligence includes both internal intelligence, such as understanding your own network and the baseline for what is normal in it, and external intelligence, which you can subscribe to from any number of vendors. External intelligence consists of information about threat actor motives, targets, and attack behaviors, aggregated to provide context and insight for security professionals. If you find something unusual in your network, these feeds give you a place to check whether it is a known threat. A miss does not end the hunt; it means you may be looking at an unknown/unknown and have to root-cause it from your own data.
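As an added example (this is not code from the original post or from Netsurion's platform), the following Python script walks through the workflow described under fallacies 3 and 5: it parses constructed sshd-style auth log lines, builds a per-hour baseline of failed logins, flags hours that exceed a robust threshold, attributes the failures in those hours to source addresses, and checks each address against a constructed threat-intel list. The log lines, the IOC_FEED dictionary, the function names and the threshold parameters are all assumptions made for illustration.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed sshd-style auth log lines for illustration only (not real data).
SAMPLE_LOG = """\
Mar 10 08:03:10 web1 sshd[1001]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Mar 10 08:41:55 web1 sshd[1002]: Accepted password for alice from 198.51.100.5 port 40002 ssh2
Mar 10 09:12:30 web1 sshd[1003]: Failed password for bob from 198.51.100.9 port 40003 ssh2
Mar 10 10:07:01 web1 sshd[1004]: Accepted publickey for bob from 198.51.100.9 port 40004 ssh2
Mar 10 11:20:45 web1 sshd[1005]: Failed password for carol from 198.51.100.12 port 40005 ssh2
Mar 10 11:49:09 web1 sshd[1006]: Failed password for alice from 198.51.100.5 port 40006 ssh2
Mar 10 12:00:02 web1 sshd[1007]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 10 12:00:04 web1 sshd[1008]: Failed password for invalid user root from 203.0.113.7 port 51002 ssh2
Mar 10 12:00:06 web1 sshd[1009]: Failed password for invalid user backup from 203.0.113.7 port 51003 ssh2
Mar 10 12:00:08 web1 sshd[1010]: Failed password for alice from 203.0.113.7 port 51004 ssh2
Mar 10 12:00:10 web1 sshd[1011]: Failed password for bob from 203.0.113.7 port 51005 ssh2
Mar 10 12:00:12 web1 sshd[1012]: Failed password for carol from 203.0.113.7 port 51006 ssh2
Mar 10 12:00:14 web1 sshd[1013]: Failed password for invalid user deploy from 203.0.113.7 port 51007 ssh2
Mar 10 12:15:30 web1 sshd[1014]: Failed password for alice from 192.0.2.44 port 52001 ssh2
Mar 10 12:15:41 web1 sshd[1015]: Failed password for alice from 192.0.2.44 port 52002 ssh2
"""

# Constructed threat-intel stub (indicator -> context). A real feed would be a vendor
# subscription or an internal list; 203.0.113.0/24 is a documentation range, so this is hypothetical.
IOC_FEED = {"203.0.113.7": "constructed entry: reported SSH brute-force source"}

LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hour>\d\d):\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_auth_log(text):
    """Turn sshd auth lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["bucket"] = f"{e['mon']} {e['day']} {e['hour']}:00"  # hour bucket
            events.append(e)
    return events

def failures_per_hour(events):
    """Failed logons per hour; an hour with only successes still appears with a count of 0."""
    counts = Counter({e["bucket"]: 0 for e in events})
    for e in events:
        if e["result"] == "Failed":
            counts[e["bucket"]] += 1
    return dict(counts)

def flag_spike_hours(counts, k=3.0):
    """Flag hours above median + k*MAD. Median/MAD are used instead of mean/stdev so the
    spike being hunted does not inflate its own baseline; MAD is floored at 1 so a flat
    baseline still yields a usable threshold."""
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    threshold = med + k * max(mad, 1.0)
    return {h: c for h, c in counts.items() if c > threshold}, threshold

def hunt_sources(events, flagged_hours, min_users=5):
    """Attribute failures in flagged hours to source IPs; one source hitting many distinct
    usernames is the password-spray / brute-force pattern a hunter would pull on first."""
    per_src = defaultdict(lambda: {"failures": 0, "users": set()})
    for e in events:
        if e["result"] == "Failed" and e["bucket"] in flagged_hours:
            per_src[e["src"]]["failures"] += 1
            per_src[e["src"]]["users"].add(e["user"])
    findings = [
        {"src": src, "failures": s["failures"], "distinct_users": len(s["users"]),
         "pattern": "spray" if len(s["users"]) >= min_users else "unclassified"}
        for src, s in per_src.items()
    ]
    return sorted(findings, key=lambda f: -f["failures"])

def enrich_with_intel(findings, ioc_feed):
    """Known/known vs unknown/unknown: a feed hit ties the anomaly to known activity; a miss
    means the hunter must root-cause it from internal data rather than close the hunt."""
    for f in findings:
        f["intel"] = ioc_feed.get(f["src"], "no match: treat as unknown/unknown, do RCA")
    return findings

def run_hunt(log_text, ioc_feed=IOC_FEED):
    """Full hunt: parse -> hourly baseline -> flag spikes -> attribute -> enrich."""
    events = parse_auth_log(log_text)
    counts = failures_per_hour(events)
    flagged, threshold = flag_spike_hours(counts)
    findings = enrich_with_intel(hunt_sources(events, flagged), ioc_feed)
    return {"hourly": counts, "threshold": threshold, "flagged": flagged, "findings": findings}

if __name__ == "__main__":
    r = run_hunt(SAMPLE_LOG)
    print(f"threshold={r['threshold']:.1f} flagged={r['flagged']}")
    for f in r["findings"]:
        print(f"{f['src']}: {f['failures']} failures / {f['distinct_users']} users "
              f"[{f['pattern']}] intel: {f['intel']}")
```

On the sample data the 12:00 hour (nine failures against a baseline of zero to two) is the only hour flagged; 203.0.113.7 is attributed seven failures across seven usernames and matches the intel stub, while 192.0.2.44 is a two-failure single-user source with no feed match. The second source is the point of fallacy 5: an empty intelligence lookup does not clear it, it just means the hunter has to do the root cause analysis themselves. In practice the baseline window would be days or weeks of data rather than the few hours shown here, and the hourly bucket and the spray threshold would be tuned to the environment.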
Threat hunting, performed by an elite team of threat hunters working out of our SOC, is an integral component of Netsurion’s Managed Open XDR solution. We integrate MITRE ATT&CK® threat intelligence with our hypothesis-driven approach to proactive, continuous threat hunting. Learn more here, or watch this webinar for a demo of threat hunting using our platform.