IT security teams are constantly on the lookout for the next hack or vulnerability. As attacks become more advanced and pervasive, the concept and practice of threat hunting has emerged. To hunt for security threats means to look for traces of attackers, past and present, in the IT environment.
Organisations that employ threat hunting use an analyst-centric process to uncover hidden, advanced threats missed by automated, preventative and detective controls. The practice is distinct from threat detection, which relies heavily on rules and algorithms.
If you can simply write a rule, write the rule; once the rule exists, there is nothing left to hunt for in that behaviour. While threat hunting includes the use of various tools and processes, people are at its core. These professionals, known as threat hunters, are rare and highly skilled, and the best ones combine systems, security, data analysis and creative thinking skills.
Threat hunting is suitable for well-resourced security organisations facing persistent and stealthy threats. Those who hire a threat hunter or team of hunters have typically optimised their alert triage and detection content development processes and matured their security incident response functions.
To understand what threat hunting is and how it works, familiarise yourself with the characteristics central to the practice.
Proactive
Hunting is about looking for an intruder before any alert is generated. Proactive in this context means acting before an alert fires, not before the intrusion occurs: the hunter assumes the intruder may already be inside.
Clues and hypotheses
Hunting focuses on following clues and hypotheses, not pre-cooked, conclusive alerts from tools and rule-based detections. The findings of a hunt, however, feed back into detection: a confirmed finding can later be encoded as a rule.
Analyst-centric
The practice is analyst-centric. The tools used by hunters play an auxiliary role in helping them see hidden threats.
Breach assumptions
Hunters assume that a breach has already occurred and that the attackers have left traces of it, however subtle, in your IT environment.
Interactive and iterative
Although hunting involves a process of following an initial lead or clue, there will likely be many pivots and side quests — all in pursuit of intruder evidence.
Creative methodology
Most experts agree that hunting is not about following the rules, but rather a creative process and a loose methodology focused on outsmarting a skilled human attacker.
Knowledge-reliant
Threat hunting relies on both advanced threat knowledge and deep knowledge of the organisation's IT environment. In turn, each hunt teaches the organisation more about its own environment and about the places where attackers hide.
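To make the distinction between a hunt and a rule concrete, the following is an added example (not code from the original page or from Gartner) of one hypothesis-driven hunt and the rule it produces. The events, hostnames, usernames and the one-host rarity threshold are all constructed for illustration. The hunt has no signature: it starts from the hypothesis that an intruder who gained code execution through a document will show up as a parent/child process pair that is rare across the fleet, and uses stack counting (frequency analysis against the environment's own baseline) to surface candidates. Note that the hunt returns clues that still need an analyst, while the rule written afterwards is deterministic and needs none.

```python
"""Hypothesis-driven hunt over constructed process-creation events, followed by
the detection rule that the hunt's confirmed finding becomes.

Added example for this page; the telemetry below is constructed, not captured
from any real environment."""
from collections import defaultdict

# Constructed sample telemetry: (host, user, parent_image, child_image).
EVENTS = [
    ("ws01", "alice", "explorer.exe", "outlook.exe"),
    ("ws01", "alice", "explorer.exe", "winword.exe"),
    ("ws02", "bob", "explorer.exe", "winword.exe"),
    ("ws03", "carol", "explorer.exe", "winword.exe"),
    ("ws02", "bob", "winword.exe", "splwow64.exe"),
    ("ws03", "carol", "winword.exe", "splwow64.exe"),
    ("ws01", "alice", "services.exe", "svchost.exe"),
    ("ws02", "bob", "services.exe", "svchost.exe"),
    ("ws03", "carol", "services.exe", "svchost.exe"),
    ("ws04", "dave", "services.exe", "svchost.exe"),
    # The constructed intruder trace: Word spawning a shell on a single host.
    ("ws02", "bob", "winword.exe", "powershell.exe"),
    ("ws04", "dave", "explorer.exe", "cmd.exe"),
    ("ws04", "dave", "cmd.exe", "whoami.exe"),
]


def stack_parent_child(events, max_hosts=1):
    """The hunt.  Stack counting: record the distinct hosts on which each
    parent->child pair occurs and return the pairs seen on at most `max_hosts`
    hosts.  Nothing here says what an attack looks like; the only assumption
    (the hypothesis) is that intruder activity is rare against the baseline.
    The output is a list of leads for an analyst, not alerts."""
    hosts_by_pair = defaultdict(set)
    for host, _user, parent, child in events:
        hosts_by_pair[(parent.lower(), child.lower())].add(host)
    return sorted(
        (pair, sorted(hosts))
        for pair, hosts in hosts_by_pair.items()
        if len(hosts) <= max_hosts
    )


# Constructed sets used by the rule written after the hunt.  Real rule content
# would be tuned to the organisation's own software inventory.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def rule_office_spawns_shell(event):
    """The rule.  Once the analyst has confirmed that Word launching PowerShell
    on ws02 was intruder activity, the behaviour is encoded as a deterministic
    check that runs on every new event.  From this point on nobody needs to
    hunt for this particular behaviour again; the hunt moves on."""
    _host, _user, parent, child = event
    return parent.lower() in OFFICE_APPS and child.lower() in SHELLS


def run_rule(events):
    """Apply the rule to a batch of events and return the matches (alerts)."""
    return [e for e in events if rule_office_spawns_shell(e)]


if __name__ == "__main__":
    print("Hunt leads (rare parent->child pairs, need analyst review):")
    for (parent, child), hosts in stack_parent_child(EVENTS):
        print(f"  {parent} -> {child} on {hosts}")
    print("Rule alerts (no analyst needed):")
    for event in run_rule(EVENTS):
        print(f"  {event}")
```

Running the hunt over the constructed events returns four rare pairs; three of them (Outlook on the one host that has it, a user opening a command prompt, and that prompt running whoami) are leads an analyst would weigh and most likely discard, and only the fourth is the intruder trace. The rule, by contrast, fires on exactly that one event and would also fire on an Excel-to-cmd.exe event it has never seen, which is what makes it a rule rather than a hunt.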
The following questions will help you to determine whether or not you need to hire a threat hunter or team of hunters:
- Are you targeted by stealthy advanced threats?
- Do you have a legitimate need to reduce threat response time?
- Are you worried about residual risk after security controls are deployed?
- Have you had incidents not started by an alert?
If your answers indicate that you should undertake threat hunting, also ask:
- Are you able to hire and retain top-notch security personnel?
- Have you already improved and optimised detection and response controls and processes?
- Do you have a mature security operations centre?
- Do you have enough visibility over your environment?
Organisations can get started with a consultant, a vendor or an existing employee who occasionally conducts ad-hoc hunting activities but has not yet been formally made a hunter. While outsourcing options do exist, few vendors have the required capabilities: many are managed security service providers, not managed threat hunting providers.
Key takeaways
- If you can simply write a rule, write the rule; once it exists, there is nothing left to hunt for in that behaviour.
- While threat hunting includes the use of various tools, people are at its core.
- Threat hunters have a combination of systems, security, data analysis and creative thinking skills.
- Threat hunting is suitable for organisations facing persistent and stealthy threats.
- Those who hire a threat hunter have typically matured security incident response functions.
"Threat hunters are a new breed of creative security specialists who look for trails of threat actors inside an organization," explains Anton Chuvakin at Gartner.