With the rise of automation and artificial intelligence in IT security, you may be wondering how much of a role real people will still play. After all, with technologies like security data analytics, machine learning, and virtual patching all tirelessly working round the clock, what else is there left to do – apart from going off to get a coffee?
However, these systems have a fundamental limitation. Although they may be lightning fast at spotting individual anomalies, they lack imagination. They cannot visualise how intruders might slip past defences and roam around inside systems undetected. Neither do they understand what may be motivating hackers and attackers, or why attack campaigns may be likely to unfold in certain ways. Granted, if something bad happens, they’ll be the first to send out alerts. But why wait till that moment? Why not find bad actors before any damage is done?
Threat hunting could be the answer. While this cybersecurity activity is the new buzzword, it depends on an IT security resource that seems almost quaint – human beings. Threat hunters are people who look for traces of attacker presence and activity before security systems generate alerts. They fill in the gaps where automated systems have failed to detect an intrusion or where they do not provide coverage. Threat hunters start with the hypothesis that undetected breaches have been made. They also assume that in the process the intruders have (unwittingly) left signs, also known as “breadcrumbs”. They then use their own logic and intuition to find and interpret those breadcrumbs, possibly using software tools to help them manage and process the data involved.
Although different threat hunters may go about their business in their own ways, the overall process looks like this:
Essentially, threat hunters move IT security and threat detection back along the timeline of the attack. It’s a “shift-left” approach, like the one used to do testing earlier in software development life cycles. By solving problems sooner, the impact of those problems is diminished.
Threat hunting value comes from uncovering intrusion or attack activity that is then difficult for attackers to modify or hide. By comparison, automated rule-based systems often focus on indicators of compromise (IOCs) that are easy to change. Examples are domain names of command and control servers, names of infected Microsoft Office files, and malware signatures. These are all items that can be changed or permuted by the attacker or by the malware itself. Threat hunters are after different game, using methods that machines would never have “thought” of. For example:
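To make the hypothesis-driven process and the brittle-versus-durable indicator distinction concrete, here is an added example (not code from the original post or from ZoneFox). It runs a small hunt over constructed process-creation events: the hypothesis is that a user opened a malicious Office document that launched a shell, and the hunt keys on the parent/child process relationship rather than on the document name or any command and control domain, which an attacker can change at will. It also stack-counts parent/child pairs across the fleet to surface rare ones for a human to review. The event field names, host names, users and file names are all assumptions invented for the example.

```python
"""Hypothesis-driven hunt over constructed process-creation events.

Hypothesis: an intruder has gained a foothold by getting a user to open a
malicious Office document that launches a shell or script interpreter.
Instead of matching file names or C2 domains (indicators the attacker can
change at will), the hunt looks at the parent/child process relationship,
which is far harder to alter without changing the technique itself.

All events below are constructed for illustration; the field names are an
assumption and are not tied to any particular product's log format.
"""
from collections import Counter
import json

# Constructed sample events (JSON lines), loosely modelled on endpoint
# process-creation telemetry. Host names, users and paths are invented.
SAMPLE_EVENTS = """\
{"host":"ws-101","user":"alice","parent":"explorer.exe","image":"winword.exe","cmdline":"winword.exe Q3-budget.docx"}
{"host":"ws-101","user":"alice","parent":"winword.exe","image":"cmd.exe","cmdline":"cmd.exe /c powershell.exe -w hidden"}
{"host":"ws-102","user":"bob","parent":"explorer.exe","image":"excel.exe","cmdline":"excel.exe sales.xlsx"}
{"host":"ws-102","user":"bob","parent":"explorer.exe","image":"chrome.exe","cmdline":"chrome.exe"}
{"host":"ws-103","user":"carol","parent":"explorer.exe","image":"outlook.exe","cmdline":"outlook.exe"}
{"host":"ws-103","user":"carol","parent":"explorer.exe","image":"chrome.exe","cmdline":"chrome.exe"}
{"host":"ws-104","user":"dave","parent":"explorer.exe","image":"winword.exe","cmdline":"winword.exe notes.docx"}
{"host":"ws-104","user":"dave","parent":"services.exe","image":"svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"host":"ws-105","user":"erin","parent":"excel.exe","image":"wscript.exe","cmdline":"wscript.exe update.vbs"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_LIKE = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def office_spawning_shell(events):
    """Behavioural check: an Office application as the parent of a shell or
    script interpreter. The document name and the command line are not part
    of the match, so renaming the lure file does not evade it."""
    return [e for e in events
            if e["parent"].lower() in OFFICE_APPS
            and e["image"].lower() in SHELL_LIKE]


def stack_parent_child(events, max_count=1):
    """Stack counting: tally parent->child pairs across the fleet and return
    the rare ones. Common pairs are presumed benign; a pair seen on only one
    host is a lead worth a human's attention, even without a known signature."""
    counts = Counter((e["parent"].lower(), e["image"].lower()) for e in events)
    return sorted(pair for pair, n in counts.items() if n <= max_count)


def hunt(text):
    """Run both checks over the raw event text and return the findings."""
    events = parse_events(text)
    return {
        "office_spawning_shell": [(e["host"], e["parent"], e["image"])
                                  for e in office_spawning_shell(events)],
        "rare_parent_child": stack_parent_child(events),
    }


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_EVENTS).items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

On the sample data the behavioural check flags the two Office-to-shell events and nothing else, whatever the document names were. The stack count returns five rare pairs, including benign ones such as services.exe launching svchost.exe, which shows why stack counting produces leads rather than verdicts: it is the hunter who interprets the breadcrumbs and decides which rare relationships are worth following up.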
Threat hunting offers organisations several advantages. Earlier breach detection and identification by threat hunters means that incident response engineers can then contain the breach sooner, minimising damage. Attackers are deterred by the increased difficulty of gaining a foothold. They also suffer the frustration of seeing their attack campaigns and kill chains dismantled before they can reach their goals. In addition, threat hunting helps an organisation to understand its own IT environment better, with possible spin-off benefits of increased efficiency and lower costs.
The 2017 “Threat Hunting Report” from Crowd Research Partners offers further statistics about the advantages. For almost 50% of respondents surveyed for the report, an investment in a threat hunting platform paid for itself within a year by helping to detect unknown, emerging, and advanced threats. On average, respondents also considered that threat hunting platforms could halve the time spent to detect a threat, as well as reducing by 42% the mean time to investigate and deal with a threat.
On the other hand, hiring threat hunters may be a challenge. Ideally, they possess advanced knowledge of threats and of an organisation’s IT environment, as well as programming abilities and creativity. This combination is in limited supply. Threat hunters may then gravitate towards larger organisations with higher IT risks and deeper pockets in sectors like finance, government, and defence. The report from Crowd Research Partners shows that about 80% of respondents said that their security operations centre did not spend enough time searching for emerging and advanced threats, possibly because of a scarcity of threat hunting resources.
Hiring threat hunters is not the only option. Enterprises can also develop their own threat hunting capabilities by building on what they already have. Depending on their needs, they can progress from a level zero at which they may have no threat hunting program, to a first level of threat hunting as and when required. The second level is the systematic use of known threat hunting procedures. The third level is the development of new threat hunting procedures. The fourth and final level is the automation of threat hunting procedures that have already been found, freeing up more time for threat hunters to invent new ones. This five-level model was defined by threat hunting expert David Bianco, who pointed out that the second level may already be sufficient for many organisations.
In general, threat hunting offers additional protection, rather than replacing existing security solutions. For instance, vulnerability testing, patching, and SIEM (security information and event management) are still crucial activities. Threat hunting complements them by helping to plug gaps and detect compromises earlier. No threat hunting initiative is guaranteed to be successful. However, the chances of it being effective are increased by making threat hunting an integral part of IT security, to continually reinforce cyber defences and accelerate breach detection and recovery.
Get our comprehensive guide on how ZoneFox slots into your ecosystem, and you can empower your security team with the tools to get threat hunting. Or chat to one of our Insider Threat experts today!