- Organizations are starting to implement a threat hunting strategy in order to prevent attacks before they occur.
- Threat hunting requires a proactive mindset on multiple levels.
- Effective threat hunting necessitates a combination of new technology, and human insight.
Sometimes the best defense is a good offense. In today’s security environment, the adage applies to information security and data protection as much as it does conventional warfare. As online adversaries have continued to enhance their capabilities, organizations have placed an increased importance on developing proactive cybersecurity measures alongside more traditional reactive practices. Threat hunting, the practice of preemptively identifying and neutralizing threats, is gaining popularity as a response to an increasingly hostile cyberspace.
Threat Hunting Basics
On a strategic level, threat hunting is any process designed to seek out cyber adversaries before an attack can be successfully executed. In order to be considered a threat, an adversary must have the intent, capacity, and opportunity to do harm.
Threat hunting is not a new approach, but it plays an increasingly important role in cyber defense plans due to the growing effectiveness of malicious actors. And it has evolved. Organizations are dedicating specific departments, resources, and analysts to seeking out potentially bad actors. Today’s threat hunting places a premium on the human element, giving individual threat hunting analysts the freedom to pursue “gut feelings” and “hunches.” The attacker on the other side is also human, after all, the idea being to combat them with an equally flexible and intuitive approach that only another human brain can provide.
Threat Hunting vs. Threat Detection
Most organizations already have some kind of Intrusion Detection System (IDS) in place in order to identify, quarantine and neutralize cyber threats. The problem with relying on an IDS is that it’s a reactive approach. You’re responding to, and investigating, potential threat alerts that an IDS generates in the hope hackers haven’t found ways to bypass it. Moreover, the analyst monitoring the threats has to be skilled and experienced enough to know which of the hundreds (if not thousands) of daily alerts warrants further investigation.
Threat hunting, on the other hand, places an experienced, dedicated analyst in the driver’s seat of searching the system for signs of malicious activity. Hunting picks up on things that most IDS aren’t capable of detecting, like fileless malware attacks, lateral hacking movement, and targeting commodity attacks. Hunting, as opposed to detection, also places a premium on analyzing post-infiltration threat behavior to pick up on patterns in order to prevent future threats. So, while an IDS might be able to identify a specific attack, threat hunters recognize patterns and are more effective at stopping full-fledged attack campaigns that occur over time.
How Organizations Use Threat Hunting Today
There’s no doubt that organizations are getting results from threat hunting. Threat hunting platforms have been reported to cut the amount of time it takes to discover a threat in half while accelerating investigation times by 42 percent. Organically integrating threat hunting into existing cyber security workflows in order to complement current efforts and personnel is a major challenge. Cooperative structures are often key. In team structures, for instance, threat hunters work side by side with other security and network teams. This prevents unnecessary competition and task redundancy.
Here are some of the principles that modern threat hunters are utilizing in concert with their internal cybersecurity partners:
- Cyber Kill Chain. An adaptation of the U.S. Military’s “kill chain” process, hunters use the Cyber Kill Chain in an attempt to identify the steps adversaries take to achieve their goals. Threat hunters will map out the phases of each incursion, and identify key indicators for each phase to hone in on patterns of malicious actors.
- Diamond Intrusion Analysis Model. Hunters use the Diamond Model to take information from the Cyber Kill Chain, and build out models for predicting future attacks and campaigns by specific actors. Grouping individual intrusions this way allows hunters to stop repeated threats over the long haul, rather than just one attempt at a time.
- Active Cyber Defense Cycle. Threat hunters take the data, intelligence, and analysis from the Cyber Kill Chain and Diamond model to formulate an Active Cyber Defense Cycle. The intent is to put information into the context of an active defense strategy that hunters can execute on, day in and day out. A typical defense cycle will consist of four continuous activities: threat intelligence consumption, network security monitoring, incident response, and threat/environment manipulation.
Organizations are developing baselines for normal network, data and user activity to enable easier identification of anomalies associated with potential threats. A recent SANS Institute survey found that companies are focusing on data sets such as IP addresses, DNS activity, file monitoring, user behavior and analysis, and software baseline monitoring to successfully support threat hunting.
The role of threat hunting will continue to grow and evolve, as organizations realize that a “sit and wait” approach simply won’t be enough in the future. In fact, roughly 86 percent of IT professionals say their organization is actively engaged in some form of threat hunting. The results they’ve cited include a decrease in surface area of attacks when they do occur, as well as speed and effectiveness of responses. Organizations will continue to utilize threat detection, but find ways to effectively integrate threat hunting personnel, strategies and processes into their existing cyber security infrastructure. At the end of the day, the combination of human intuition and technical expertise is what’s making threat hunters more prevalent, and increasingly indispensable.
Author: Josh Rittenberg
Josh Rittenberg is the Founder and Editor of Breach Memo. He is an attorney in New York City who first became interested in emerging threats while working as an analyst at the Center for Strategic and International Studies (CSIS) Transnational Threats Program in Washington, DC. He has been published by NPR, The American Lawyer, Corporate Counsel, and the CSIS Transnational Threats Update. The views expressed in this blog are his personally and not those of any other person, organization, or other entity.