If you ask a security professional 'what is threat hunting?' you are guaranteed to get a wide range of answers, including:
- "Responding to AI-generated security alerts"
- "A new term for incident response"
- "Looking at the dark web to see if anyone is going to attack us"
In fact, threat hunting is none of these things - although it has been co-opted as the buzzword of choice by InfoSec marketing departments in 2018.
This begs the question - if we strip away the hype and the marketing dollars, what actually is threat hunting, who needs to do it, and how do we do it? In answering these questions below, we can also explore the skills required, along with common challenges faced in applying threat hunting to a security program.
1. What is threat hunting?
The team at hunting outfit Sqrrl define it best:
"the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions"
The assumption is that next generation tools, e.g. anti-malware, AI-led intrusion detection and the use-cases in our SIEM have all been bypassed by a capable, human attacker - a fair assessment given their nature as static or machine-driven security controls.
Given this assumption, a different approach is required to hunt down an attacker already on the network. This is where threat hunting comes in.
2. Who needs to do it?
If an organization meets any of the following criteria then it should consider adopting a hunting approach as part of its security posture:
• Holds data of significant value to a sophisticated threat actor (e.g. intellectual property or personal information)
• Has a business model that relies upon availability (e.g. oil and gas, manufacturing or logistics) which a threat actor can leverage for ransom)
• Can be leveraged for direct monetary theft (usually limited to financial services)
• Is considered either critical infrastructure or part of the fabric of society - and thus a geopolitical target
3. How to hunt
Despite security vendor claims, threat hunting is a process rather than a technology, and often takes the following sequence of events, that feedback in a loop.
Stage 1: Generate hypotheses
An example of this might be "A threat actor may be using Microsoft Office templates as a persistence mechanism on my network"
How would we come up with this as a hypothesis?
It might be the modus operandi for a spate of recent attacks in your industry, or it might be a new attack that has recently been researched and you want to check whether it has been used (or is being used) against your organization.
The most proactive threat hunting teams will be constantly researching new attack techniques and hypothesizing these in their environments to stay abreast of attack capabilities.
Stage 2: How can I check my hypothesis?
The only way to do this effectively is with data from your estate. Not with alerts that a security tool has generated, or the output from machine learning / AI tools, but with the raw data itself. Anything else is a machine-filtered view that may remove the very data we need to determine our hypothesis.
We need to determine what data we require, and from where, in order to check our hypothesis. It might be that this data is being logged already by an existing security tool, in which case you can start hunting straight away. In many cases the data will not exist, and something like an EDR tool, network capture or enhanced logging will be required depending on the hypothesis.
Stage 3: Make it repeatable
If the data collected enables us to confidently generate high fidelity alerts on our hypothesis, then this can be automated and the hunt team can move on to another hypothesis. If the confidence from the data is low, then the hunt team could work on applying additional data along with machine learning and correlation techniques to improve the confidence in automating this hunt. If the nature of the attack is such that automation is difficult to apply with confidence, then the hunt can be scheduled into the manual workflow as required.
Stage 4: Move into live response
In the event of an attack being identified, then hunt teams should be able to remotely assess attacker capability and gain visibility of actions to date and the potential targets, in order to degrade, contain, shepherd and ultimately remove an attacker. Learnings from the attack - such as additional actions taken by the attacker either side of the action hunted for, can then be hypothesized.
4. What are the skills required in a hunt team?
The best hunters are those who can hypothesize attacks with an attacker mindset. Experienced pentesters can make great hunters, asking the question 'what would I do', and 'how would I catch myself'? Pentesters understand that an automated security control represents a static target that can be worked around by an attacker, and are able to hypothesize the forms that this attack might take.
Equally, an understanding of real-world incident response is of benefit as it presents an understanding of how security controls were bypassed and what the attacker activities and behavior were in order to blend in with usual network activity. In addition, incident response skills are beneficial in effecting a live containment response once an attack has been identified.
5. Common challenges
Proving value in a traditional security reporting framework
Threat hunting is not without its challenges. SOC and MSSP reporting metrics are often based on numbers of events, and KPIs around escalation through the tiers in the SOC. Threat hunting doesn't translate well into any of these metrics, and so it can be hard for a hunt program to prove its value to the business. This is particularly true if early hunting activity does not reveal attack behavior, and so buy-in from multiple stakeholders is usually a pre-requisite to a successful hunting program.
Trying to do too much too soon
Spinning up a 24*7 hunt team is ambitious and requires a blend of attack expertise, incident response, and significant budget to arm your experts with the tooling required to collect and interrogate your estate data for any given hypothesis. Outsourcing hunting while you build your own capability is one option if your business is at risk of targeted attack today. Alternatively, starting with low-hanging fruit and slowly building a hunting approach into your business-as-usual security activities can also work well.
Threat hunting may be our greatest weapon against targeted attacks from sophisticated actors. As such, the term has been adopted by the security industry at large, with AI, threat intelligence and next-generation controls all being labelled as 'threat hunting'. The principles outlined above will enable you to ask informed questions of vendors in this space, while providing a high-level overview for those of you looking to build your own hunt teams.