The term ‘threat hunting’, whilst widely used, is open to interpretation. It’s one of the most important approaches for any organisation in defending against the range of targeted attacks that are bypassing even the most advanced security tools. Yet, as with many buzzwords in the industry, some misconceptions persist around what exactly is involved and why it’s so important. Little wonder the real meaning of the term can become obscured. Here, we debunk five of the many myths surrounding threat hunting.
Myth 1: Threat hunting requires manually trawling through reams of data
Those not familiar with threat hunting might imagine that it needs to be done by an operative sitting at a monitor viewing a never-ending stream of data. In the real world however, not only is this impractical, it is also ineffective. Just one host can produce more than one million events in a single day, which would take months to analyse manually. Multiply that by the number of hosts the average organisation has and it soon becomes clear that this type of “threat hunting” is a waste of time.
Instead of trying to look at all the data produced by hosts, threat hunting should focus on finding gaps in an organisation’s detection capabilities. This information can then form the basis of use cases for detection tools that help plug those gaps that attackers exploit.
Myth 2: Threat hunting only needs to be done once
Once existing security gaps have been closed, it can be easy to assume that the job is done. Unfortunately, this is far from the case as threat actors are persistent and patient and will never stop looking for new vulnerabilities to exploit. They work around the clock to develop and put in play new techniques that can bypass the latest security solutions.
Similarly, defenders need to continually spot and mitigate the latest vulnerabilities that exist on their networks. In this way, they will prevent threat actors from taking advantage of any weaknesses.
Myth 3: Threat hunting is the latest and only solution detection and response teams need
Read and listen to some of the marketing materials out there and you could be misled into thinking that threat hunting is the ‘be all and end all’ in security solutions. They will convince you that it is the most recent development in defensive technology and, once in place, there is no need to have anything else.
Such an assertion is incorrect. For starters, threat hunting has been around for some time now helping detection and response teams keep their networks secure. That said, threat hunting solutions are always updated with new and improved capabilities to ensure they can keep pace with a rapidly changing threat landscape.
Threat hunting cannot in isolation protect an IT network. Its purpose is to support an organisation’s detection and response solutions by finding the holes they are not currently covering. Use cases are then generated that can fill these holes.
Myth 4: Managed Detection and Response can be replaced by managed threat hunting
Organisations use Managed Detection and Response (MDR) to provide the level of coverage that they are unable to achieve inhouse. Those vendors that add threat hunting into the mix often do so in name only. In other words, they say their solution is managed threat hunting, whereas it is nothing more than a conventional MDR solution.
Threat hunting needs to supplement detection and response by finding those areas it doesn’t currently cover. Only by using threat hunting in combination with MDR will organisations achieve the fully rounded defences they need.
Myth 5: AI removes the need for humans to threat hunt
While it would be nice to imagine that IT networks can be solely defended through tools powered by machine learning and AI automatically tackling the threats generated by other automated tools, this is not the case. Threat hunting cannot be done by artificial intelligence alone. While AI is good for processing large data sets, it is unable to think in a way that is creative enough to solve the issues uncovered by threat hunting solutions. Such thinking can currently only be achieved by humans.
A more standard definition
We’ve discussed what threat hunting is not, but we still need to establish a definition of what it is. Designed to find vulnerabilities in existing detection and response solutions, threat hunting provides a continuous improvement process to ensure these tools can defend against the latest threats. This is enhanced by ongoing research into the techniques of attackers. The success of threat hunting is determined by the quality of the use cases generated.
How to succeed at threat hunting
The first element needed for effective threat hunting is to think like an attacker. This offensive mindset requires being familiar with the techniques, tactics and procedures (TTPs) threat actors use to bypass security tools. Open-source frameworks such as MITRE ATT&CK can be used to build up a picture of what any attack might look like and how it would progress.
In order to understand how a threat actor thinks, analysts need the time to research the relevant TTPs, as well as the types of threat an organisation wants to detect. This allows an organisation to prioritise its threat hunting activities and better defend its corporate network. Effective threat hunters also need the tools to help them access and interpret raw data from a range of sources. Finally, getting a red team to put to the test any improvements brought about by threat hunting enables a security team to identify any gaps that still need to be filled.
Threat hunting is an overused term that has steadily become obscured as more vendors use it to try to make their product stand out from the crowd. By going back to the term’s origins, organisations can ensure that their detection and response capabilities are performing optimally.
Arran Purewal, Senior Threat Hunter, F-Secure