Threat hunting is computationally expensive while threat detection can run in the background. But that’s hardly the full story.
Join us as we debate the pros and cons with:
- Lee Harris, MSSP & Cloud Pak for Security Sales Leader, EMEA, IBM
- Dr Alex Tarter, Chief Cyber Consultant & CTO, Thales
- James Todd, CTO – BT Security, BT
- Andy Grzes, CTA, Smarttech
Question 3, the question in security these days is it to move entirely to threat hunting. What do you think the ratio of threat hunting versus threat protection should be when identifying and remediating threats? Start with you James.
So I think we need to be quite clear what we mean about threat detection. And the various techniques that are available to us to detect threats. So if we talk about the value of static or transitory indicators, as we have historically have known them, I think they have continuous value in the fact that they run continuously in the background. They are relatively low cost to run. And if we look at the other side of the scale where we have threat hunting, which is arguably expensive to run in terms of skilled resource. Computationally expensive in terms of analytics that are running, and the data sets that we require to very focused threat hunting.
What we’re looking at is how we detect those sophisticated attacks. And those commodity attacks that have high impact to ourselves and our customers. And start off with the threat hunting perspective. So looking at the data sets that are available, bringing in all of the context of information that make that relevant to us and our customers. And use that high cost analytics, there’s highly skilled individuals to do that.
But in doing that we’ve established a way to detect novel attacks and emerging threats. And we use the MITRE ATT&CK framework, as previously discussed, to articulate that in a common language. In our ability to do that we can discuss the complexity. But then you quickly migrate that complexity down into something that is lower cost to run within an environment. So either an indicator, or a YARA rule, or any other detection capability to run routinely. And alert off that, and pass that into our ops teams. Either as a managed workflow, or a dedicated investigation, or on behalf of one of our customers.
So I think the balance is that, yes there is focus on threat hunting. But there is also advances in threat detection in terms of behavioural analytics. And very targeted use of machine learning in that space that allow threat detection to run continuously. But on more sophisticated threats.
And leave threat hunting to those things that are relevant to the environments and the assets that you care about. And discovering new vulnerabilities, or new weaknesses, that our adversaries are looking to compromise or use as an attack vector. And using a language like MITRE ATT&CK attack allows us to really hone down on the behaviour rather than necessarily the effect of an attack. So being more proactive than reactive.
Great, thank you. Thank you James. Over to you Andy.
I think James put it quite in a good perspective. What I noticed throughout the last years, that threat hunting is a little bit kind of an overused word in some extent. Because people always expect wonders out of it. And we go into the network, and we scan the whole network and we tell them all the problems they have. Yeah we can do that, but I don’t know if that is cost efficient.
The most important thing to me is of the relevance of the threat hunting, due to the current threat landscape. We work a lot with the local guardian here, we work with the FBI, and a lot of other organisations together. And there are, for some of our larger customers, a very good early warning system. We get on a regular basis notified, we talk to them on a regular basis, meet them on meetings. Lately, due to COVID, not that much. And COVID is another game changer for this threat hunting. Because the play field moved out of the internal network into the VPN and some of those other networks. Where we have to adapt.
And threat hunting is a level of responsibility, accountability, and adaptability too. Because whatever we see in our networks of our customers as an MSSP, no matter how big how small it is, we have to do due diligence to follow up on it. And in many cases, for us it turns out to become a threat hunting exercise already here. Because we see some small things like unknown protocols. Things like FDP access and so on. So it’s simple things. They’re very, very ordinary stuff. But how often we do those exercises come to the point that we see something.
That’s not necessarily a threat actor, but an insider threat because people are not following policy. So doing this is also threat hunting exercise to us because we are looking for the insider threat. And that’s what often people forget. They’re always talking about the APTs of the world. I know all about APTs and how you spin that right in a discussion. But let’s be honest, there are so many other things out there.
The most important thing, and I think we all agreed on this already, we got the MITRE ATT&CK framework. Which helps us to communicate out in the world and say hey, this is your problem. And I think the most important thing is really to have your ears and eyes open constantly. We have a team that does a dark web analytics on a regular basis. And based on their information, based on what I hear on my favourite blogs, on my favourite web pages, and there’s so many different sources where we get information now.
I go back to my analysts , or our analytic team, and our managers there, and tell them, hey look, this is the latest thing that I heard. Have you seen anything in the networks? And they stop. Often they come back, yeah you’re late. That’s OK. That’s why we pay them for that. But what the great stuff is out of that is, we can bypass relying on static threat intelligence. And that is a very important thing. Because frankly static threat intelligence gives us two things. An alarm fatigue, because we get too many alarms and we get too many false positives.
By being proactive in identifying certain threats beforehand, because we just have ideas and eyes open, we can’t actually remove that threat. There comes a lot of stuff in this automation or all those other things. And again, MITRE is our game changer here over the last years. Because we can identify, we can straightaway say do we have the counter measures in place for what we hunting.
And if not, do we have the tools in place to see what we are hunting for. Because that’s the most important thing. Everybody talks about threat hunting, and I’m like, yeah OK and how do you do that? How do you identify what you’re hunting for? Because this is a big player. I was like yeah, that’s great but you have no XDR and EDR. How do you expect me, as a service provider, to do that? Do you want me to look into every single machine for you and look for it?
And that is exactly the difference between the ’80s and ’90s of doing things. And working intelligently, and informed, and going about. If you asked me for ratio, I can’t give you a ratio. Because the problem is every day is different. The threat event is exchanged, I get a call from the FBI at 9:00 in the evening. Saying hey Andy, your customer xyz, we noticed this activity from China going.
That’s a moment where I was active threat hunting. That’s a moment where I say, OK guys all hands on deck. That is threat hunting to me. We are proper threat hunting. Not just a little, oh. Citrix is acting up again with a vulnerability. Yes, of course, that’s also threat hunting. But that is a different level of doing thing.
Great thank you.