By Peter Cohen at Countercept
If you ask a security professional ‘what is threat hunting?’ you are guaranteed to get a wide range of answers, including:
- “Responding to AI-generated security alerts”
- “A new term for incident response”
- “Looking at the dark web to see if anyone is going to attack us”
In fact, threat hunting is none of these things – although it has been co-opted as the buzzword of choice by InfoSec marketing departments in 2018.
This begs the question – if we strip away the hype and the marketing dollars, what actually is threat hunting, who needs to do it, and how do we do it? In answering these questions below, we can also explore the skills required, along with common challenges faced in applying threat hunting to a security program.
1. What is threat hunting?
The team at hunting outfit Sqrrl define it best:
“the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions”
The assumption is that next generation tools, e.g. anti-malware, AI-led intrusion detection and the use-cases in our SIEM have all been bypassed by a capable, human attacker – a fair assessment given their nature as static or machine-driven security controls.
Given this assumption, a different approach is required to hunt down an attacker already on the network. This is where threat hunting comes in.
2. Who needs to do it?
If an organization meets any of the following criteria then it should consider adopting a hunting approach as part of its security posture:
Holds data of significant value to a sophisticated threat actor (e.g. intellectual property or personal information);
• Has a business model that relies upon availability (e.g. oil and gas, manufacturing or logistics) which a threat actor can leverage for ransom);
• Can be leveraged for direct monetary theft (usually limited to financial services);
• Is considered either critical infrastructure or part of the fabric of society – and thus a geopolitical target.
Original article posted on https://www.countercept.com