A SANS Institute survey of those organizations engaged in threat hunting reported that 74% of respondents cited reduced attack surfaces and 52% found previously undetected threats in their networks.
What exactly is threat hunting, what do the experts say about its benefits, and what are some resources to help you learn more and get started?
A Definition and a Distinction
Threat hunting is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. Threat hunting is essentially looking for the unknown.
Threat detection, on the other hand, is a broader term that covers discovering and responding to threats before, during, or after an incident. Listening technologies, such as online monitoring software, are examples of threat detection software.
Threat Hunting Basics
When organizations engage in threat hunting, they are essentially crafting a hypothesis and hunting based on the hypothesis. As a first step, organizations often identify the most valuable assets and data within the network to create a prioritized defense list. This is often referred to as the ‘crown jewels analysis’. Based on this list, organizations craft a hypothesis on how an adversary might attempt to attack these assets.
Other hypothesis may be constructed based on current events or activities within the organization. If, for example, network users have recently traveled abroad and are possibly at elevated risk of being targeted by state-sponsored threat actors, a threat hunt might start by planning to look for signs of compromise on their laptops.
The threat hunt proceeds by identifying data to search – logs, alerts, system events – and devising a plan to sort through this data. This plan typically involves both human analysis and technology interventions such as analytic tools.
This last point is key and is a differentiator between threat hunting and threat detection. While much of threat detection today is automated through the use of online monitoring software, threat hunting still recognizes the unique role of humans in the overall cyber security process. Repeatable steps should be automated, but there will always be a need for analysts who have instincts and inquisitive minds. What is powerful about threat hunting is that it pits human defenders against human adversaries.
Why Threat Hunting Matters Now
Threat hunting and threat detection are critical components of a comprehensive security program. And threat hunting is growing in importance as organizations strive to combat massive breaches.
In the light of the Deloitte breach, Sam Curry, chief security officer at Cybereason, says corporations should build a hunting practice to improve their security hygiene.
“Businesses need to improve their ability to stop attackers by deploying a strategy where they can disrupt the hackers early in the process by being able to respond, preventing attackers from setting up beachheads and backdoors.”
SecureMySocial CEO Joseph Steinberg warns that IT managers face an uphill battle to keep up with cyber criminals’ advanced tactics.
“In an effort to circumvent existing security technologies,” he said, “sophisticated, hostile actors are constantly improving their approaches and techniques. As a result, while detection tools remain critically important, proactive (and perpetually iterative) hunting for cyber threats is necessary.”
FOR MORE INFORMATION:
The ThreatHunting Project
A Framework for Cyber Threat Hunting
The Who, What, Where, When, Why and How of Effective Threat Hunting
Generating Hypotheses for Successful Threat Hunting