The term threat hunting has certainly been used as a fresh lick of paint on old school MSSPs, a new trendy phrase to boost security software sales, and a fancy new team title to rejuvenate tired SOC analysts. But, if you look past the branding and take a closer look, you'll also notice a rapidly growing community, one which holds the keys to leveling the playing field between the red team and the blue.
Interestingly, most organizations don't even know which side of the 'Threat Hunting' dichotomy their own hunt teams sit on. Does their organization have the real deal? Or have they just been sold a lemon by a vendor's marketing campaign?
Do you know which side your team sits on?
The problem is that threat hunting is still fairly nebulous, leaving it open to interpretation. The marketing campaigns out in the community have collectively built up a kind of checklist in the mind of consumers for what constitutes a hunt team - the most prominent misunderstanding being the belief that purchasing an EDR (Endpoint Detection & Response) solution is the sum total of building a hunt team.
The truth is, threat hunting has very little to do with technology at all. You need technology to make it happen, of course, but building a hunt team is about the team itself. Threat hunting is both a mindset and a methodology. It's a skill that is driven by the hunt team’s experience and a deep understanding of how an attacker operates during a targeted attack. It's a one-on-one battle between the red team and the blue, not between the red team and your EDR solution.
"THINK OF THREAT HUNTING AS A BLUE TEAM TRANSLATION OF PENETRATION TESTING."
If you buy a vulnerability scanner and run it across your estate, is that a pentest? No, because an automated solution will only get you so far. Pentesting relies on the pentester's experience and skill to go beyond what your technology is telling you. In pentesting, we use technology (such as the famous port scanner Nmap) to collect information about the estate rapidly; the security professional then applies their own knowledge to that information to dive deeper and begin to identify vulnerabilities.
The same is true for threat hunting. Your technology (which should collect data from endpoints, network traffic and logs) is a threat hunter's Nmap. It allows the hunt team to collect information rapidly to navigate the estate quickly in order to uncover signs of compromise, and then take action to contain the adversary.
In the case of endpoints, many EDR solutions have begun to morph into 'Next-Gen Anti-Virus' solutions, providing automated capabilities in order to lower the barrier to entry for threat hunting. The same is true for automated network and log based intrusion detection systems. There is no doubt that these solutions provide increased security and visibility, but it is important to be aware that if you are relying on automated solutions alone, you have built the equivalent of a 'vulnerability scanning capability' and not a 'penetration testing capability'.
At Countercept we are passionate about driving the threat hunting community as we believe it's the most promising movement on the blue team side to date. We're collaborating with people around the world on this topic, so whether you already have a capable hunt team, or you're just starting out and want some pointers, we'd love to hear from you.