There are many misconceptions about what threat hunting actually is. If we remove the hype and marketing we can then ask: what is it, who needs to do it and how can it be done? Here, we will answer these questions, and also discuss the skills a hunt team needs and the common challenges we face when implementing threat hunting in a security program.
What is threat hunting?
Threat hunting is the process of actively hunting through networks to detect and isolate advanced threats that bypass existing security solutions. It is assumed that things such as anti-malware or AI-led intrusion detection have all been bypassed by a human attacker. With this in mind, a different approach is needed to find an attacker who is already on the network. This is where threat hunting comes in.
Who must do it?
An organisation should consider a threat hunting approach if they meet any of the following criteria:
- Holds data, such as personal information, that is significantly valuable to a sophisticated threat actor.
- Has a business model that depends on availability, such as manufacturing, which can be leveraged for ransom.
- Is considered critical infrastructure, making it a geographical target.
How to hunt
Threat hunting is a process and usually follows the sequence of steps below, which feed back into each other in a loop.
The first thing you need to do is generate your hypotheses. For example, a threat actor could be using Microsoft Office templates as a persistence mechanism on the network. This could be a go-to method in recent attacks on your industry, or it could be a newly discovered technique that you want to check has not been used against your organisation. The most proactive threat hunting teams consistently research new attack approaches and turn them into hypotheses to stay aware of what is possible.
You can then use data from your estate to check your hypothesis, which must be done against the raw data you have collected. You need to determine what data is needed, and from where, to test the hypothesis. This data could already be logged by an existing security tool, meaning you can start the hunt immediately. However, in most cases the data does not yet exist: an EDR tool, network capture or enhanced logging will be required, depending on the hypothesis.
If the collected data allows you to confidently generate high fidelity alerts for your hypothesis, the hunt can be automated and the hunt team can move on to the next one. If there is low confidence in the data, the hunt team could consider adding more data sources, as well as machine learning and correlation techniques, to improve confidence enough to automate the hunt. If the nature of the attack means that automation cannot be applied with confidence, the hunt can be scheduled into the manual workflow as needed.
If an attack is identified, the hunt team should be able to remotely assess the capability of the attacker and gain visibility of their actions to date, as well as their potential targets. This is so that they can then degrade, contain and remove the attacker. Learnings from the attack then feed back into new hypotheses.
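A worked version of the loop above for the Office-template hypothesis, as an added example that is not from the original article: it runs a hunt query over constructed EDR-style file-write events and labels each hit with a confidence that decides whether the hunt can be automated or stays manual. The template folder patterns, file extensions and process names are assumptions drawn from common Office behaviour, and the confidence rules are illustrative.

```python
import re
from collections import Counter

# Hypothesis under test: a threat actor is using Office templates as a
# persistence mechanism. Office loads macro-enabled templates from a few
# well-known per-user folders at start-up (assumed paths below), so an
# unexpected write into those folders is the observable we hunt for.
TEMPLATE_DIRS = re.compile(
    r"\\Microsoft\\(Templates|Word\\STARTUP|Excel\\XLSTART)\\[^\\]+$", re.IGNORECASE
)
MACRO_TEMPLATE_EXT = (".dotm", ".xltm", ".xlam", ".potm")
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed EDR-style file-write events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "WINWORD.EXE", "path": r"C:\Users\a\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"host": "ws02", "process": "powershell.exe", "path": r"C:\Users\b\AppData\Roaming\Microsoft\Word\STARTUP\update.dotm"},
    {"host": "ws03", "process": "EXCEL.EXE", "path": r"C:\Users\c\AppData\Roaming\Microsoft\Excel\XLSTART\helpers.xlam"},
    {"host": "ws04", "process": "chrome.exe", "path": r"C:\Users\d\Downloads\report.docx"},
    {"host": "ws05", "process": "cmd.exe", "path": r"C:\Users\e\AppData\Roaming\Microsoft\Templates\letter.dotx"},
]

def classify(event):
    """Return a confidence label for one file-write event, or None when the
    event does not match the hypothesis at all."""
    path = event["path"]
    if not TEMPLATE_DIRS.search(path) or not path.lower().endswith(MACRO_TEMPLATE_EXT):
        return None
    proc = event["process"].lower()
    if proc not in OFFICE_PROCESSES:
        return "high"      # a non-Office process writing a macro template
    if path.lower().endswith("normal.dotm"):
        return "low"       # Word rewrites Normal.dotm routinely; baseline noise
    return "medium"        # an Office app saving a new start-up template

def hunt(events):
    """Run the hypothesis over a batch of events; findings are returned with
    the highest-confidence hits first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [dict(e, confidence=c) for e in events if (c := classify(e))]
    return sorted(findings, key=lambda f: order[f["confidence"]])

def confidence_counts(events):
    """Counts per label: if 'high' hits are rare and precise the query is a
    candidate for an automated alert; otherwise it stays a scheduled hunt."""
    return Counter(f["confidence"] for f in hunt(events))

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["confidence"].upper(), f["host"], f["process"], f["path"])
```

On the sample batch only the PowerShell write to the Word STARTUP folder is rated high; the routine Normal.dotm save is kept visible as low-confidence noise rather than dropped, so the hunter can judge the false-positive rate before automating.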
What skills does a hunt team need?
The best hunters can hypothesise attacks with the same mindset as an attacker. Experienced pen-testers are ideal hunters. They understand that an automated security control represents a static target that attackers can bypass, and so they can hypothesise the forms an attack will take.
An understanding of real-world incident response is beneficial as it shows an understanding of how security controls were bypassed. It also shows the activities and behaviours of the attacker that enabled them to blend in. What’s more, incident response skills are beneficial in effecting a live containment response after identifying an attack.
Threat hunting does come with obstacles. SOC and MSSP reporting metrics are often based on numbers of events, and on KPIs around escalation through the tiers in the SOC. Threat hunting does not translate well into any of these metrics. Therefore, it can be difficult for a hunting program to prove its value to the business. This is certainly the case if early hunting activity does not reveal any attack behaviour. So, buy-in from many stakeholders is often a prerequisite for a successful hunting program.
It is ambitious to spin up a 24/7 hunt team: it needs a mix of attack expertise, incident response and a large budget to provide the right tools for collecting and interrogating your estate data for any given hypothesis. You could consider outsourcing hunting while building your own capability if your business is currently at risk of targeted attack. Alternatively, you could gradually build a hunting approach into your usual business security activities.
Threat hunting may be our best weapon against targeted attacks from sophisticated actors. As a result, the term has been heavily adopted by the security industry, with AI, threat intelligence and next-generation controls all being marketed as “threat hunting”. The principles we have discussed will help you ask informed questions of vendors in this space, while offering a high-level overview if you are looking to build your own hunt team.