Cyber Threat Hunting — What Is It, Really?
By Josh Campbell at Cyborg Security
Cyber threat hunting is a sub-discipline of threat detection that relies on proactive and iterative searching through data to identify otherwise undetected threats. It does this through a variety of mechanisms and methodologies, typically by looking for statistical outliers (in so-called data-driven hunting) or for suspicious and malicious behaviors (in behavioral cyber threat hunting). Organizations conduct cyber threat hunting to identify odd activity in the environment that might betray an attacker’s actions, especially once they have slipped past an organization’s defenses. After all, an adversary needs to be right just once, whereas defenders need to be right every single time.
The simple reality is that while organizations continue to invest in new technologies that can provide them increased levels of visibility internally, most of the effort (and budget) is still dedicated to the perimeter. And despite these unprecedented levels of visibility within organizations’ environments, it is still trivial for many adversaries to evade AV/EDR tools or bypass them altogether. And once an adversary can evade or bypass the internal on-host defenses, they can be harder to detect and immeasurably more difficult to stop. In fact, they can become a bit of a ghost in the machine.
This is why cyber threat hunting is absolutely vital for organizations of all sizes. With a robust cyber threat hunting program (often called a hunt team) in place, security teams are more likely to detect these apparitions before they can carry out their objectives.
The Methodologies of Successful Cyber Threat Hunting
Cyber threat hunting has largely evolved into two streams:
- Data-driven — Which typically involves using statistical models to identify commonalities in activity, and perhaps more importantly, statistical outliers. This type of threat hunting can be invaluable when a security team is just starting out, or if the hunters are operating in unfamiliar territory. The singular challenge data-driven hunting faces is that it is not trigger-based, so hunt teams can be literally hunting for a needle in a haystack of more needles.
- Hypothesis-driven — Which typically involves hunters building a semi-scientific hypothesis around new or emerging threats and their observed tactics, techniques, and procedures (TTPs). Unlike data-driven hunting, hypothesis-driven hunting is trigger-based, meaning that hunters can deploy hunting content and review the results after a specific period. This makes hypothesis-driven hunting far more efficient than data-driven hunting.
One of the more common mistakes organizations make when talking about threat hunting surrounds the use of indicators of compromise (also known as IOCs or IoCs). An IOC is typically defined as one or more data points from a compromise (e.g. IP addresses, domains, hashes, URLs, filenames, etc.) and represents a known threat. It is precisely because the IOC represents a known threat that IOCs generally do not factor into true cyber threat hunting. Instead, they more commonly fall into the older defense methodologies such as threat protection. It should also be noted that while IOCs can be useful in detecting threats, they are often out-of-date and fragile — because they are trivial for an adversary to “roll” (otherwise known as refreshing or altering).
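To make the two hunting styles and the IOC problem concrete, here is an added Python illustration (not code from the article or from Cyborg Security) run over constructed process-creation telemetry; the hostnames, image names, command lines and hash values are all constructed placeholders. The data-driven hunt stacks parent/child pairs with no notion of "bad", the hypothesis-driven hunt encodes a behavior (a TTP), and the IOC sweep shows what happens once an adversary rolls a hash.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed process-creation telemetry (not real data): hostname,
# parent image, child image, command line, and a placeholder SHA-256.
@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str
    image: str
    cmdline: str
    sha256: str

def build_events():
    """Forty workstations of routine activity plus two Office-spawned shells."""
    events = []
    for i in range(40):
        events.append(ProcEvent(f"ws{i:02}", "explorer.exe", "outlook.exe", "outlook.exe", "aa" * 32))
        events.append(ProcEvent(f"ws{i:02}", "outlook.exe", "winword.exe", "winword.exe /n", "bb" * 32))
        events.append(ProcEvent(f"ws{i:02}", "services.exe", "svchost.exe", "svchost.exe -k netsvcs", "cc" * 32))
    # Same behaviour on two hosts; the sample on ws23 was rebuilt, so its hash differs ("rolled").
    events.append(ProcEvent("ws07", "winword.exe", "powershell.exe", "powershell.exe -nop -enc SGVsbG8=", "dd" * 32))
    events.append(ProcEvent("ws23", "winword.exe", "powershell.exe", "powershell.exe -enc SGVsbG8=", "ee" * 32))
    return events

def stack_count(events, max_count=2):
    """Data-driven hunt: stack parent->child pairs and return the rare tail.
    No notion of 'bad' is encoded; the hunter reviews whatever is uncommon."""
    counts = Counter((e.parent, e.image) for e in events)
    return sorted((pair, n) for pair, n in counts.items() if n <= max_count)

def hunt_office_spawns_shell(events):
    """Hypothesis-driven hunt: 'Office apps should never spawn a script host.'
    The trigger is the behaviour (a TTP), so it survives any change of hash."""
    office = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
    shells = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
    return [e for e in events if e.parent in office and e.image in shells]

def ioc_sweep(events, known_bad_hashes):
    """IOC match: fires only on the exact hash recorded from a past compromise."""
    return [e for e in events if e.sha256 in known_bad_hashes]

if __name__ == "__main__":
    evts = build_events()
    print("rare pairs :", stack_count(evts))
    print("hypothesis :", [e.host for e in hunt_office_spawns_shell(evts)])
    # The IOC from the earlier incident (ws07's hash) misses the rolled sample on ws23.
    print("ioc sweep  :", [e.host for e in ioc_sweep(evts, {"dd" * 32})])
```

The stack count surfaces the rare pair without knowing it is malicious, the hypothesis finds both hosts, and the IOC sweep finds only the host whose hash was already known.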
The Role of Cyber Threat Hunting in a Modern SOC
One of the most common questions asked about cyber threat hunting is the role it plays in a SOC. While new and maturing hunt teams may see cyber threat hunting purely as a means of detecting previously unidentified threats, the reality is that as organizations mature, they can realize significant ROI from cyber threat hunting in a variety of ways, specifically:
- Threat Detection Content
- Blind Spot Identification
- Investigative Process Building
Threat Detection Content
The first, and most significant, way that organizations recognize ROI from cyber threat hunting is the role that threat hunters play in the generation of new threat detection content. Threat hunters are often at the front lines of threat detection. This is because, by the very nature of hunting, they are looking for threats that have bypassed existing controls. When hunters identify a previously unknown threat, or a threat that was able to bypass existing defenses, they should be developing “content” that can be deployed in SIEM, EDR, NDR, and XDR platforms, ensuring that, in the future, the threat can be more easily handled by traditional security resources.
Blind Spot Identification
As a by-product of the activity, research, and preparation for cyber threat hunting, one thing that hunters can be invaluable for is blind spot identification. This type of identification often occurs leading up to complex threat hunts, as hunters determine what data sources will support their upcoming hunts. During this process, it is not uncommon for hunters to notice that their existing logging may be incomplete or misconfigured, or that their security controls don’t have the ability to collect the required data. This information can be invaluable for security engineers and organizations that often only discover this kind of issue during a crisis.
Investigative Process Building
As with threat detection content creation, threat hunters are uniquely positioned to help SOCs mature their security investigative and incident response processes. This is because cyber threat hunters are often intimately familiar with malware and adversary TTPs, and if this knowledge can be documented and built into dedicated processes for threats, security teams will close the gap on both investigation and remediation.
Managed Cyber Threat Hunting? Or In-House?
Another very common question organizations face is whether to in-house their cyber threat hunting, or to turn to one of the many managed detection and response (MDR) or managed security service providers (MSSPs). The answer to this question is that it entirely depends on the organization.
This is because many organizations can face unique challenges when starting the process of cyber threat hunting.
The most common challenge organizations face with threat hunting is a human one. Successful cyber threat hunting requires highly specialized knowledge wrought from years of experience and (often very expensive) training. This means that there simply aren’t a lot of threat hunters to go around, and organizations may struggle to fill positions. Equally, because of the high demand and low supply, threat hunters often don’t come cheap. For both reasons, many organizations turn to MDR or MSSPs to enable proactive threat hunting and to take advantage of the extensive, cross-industry economies of scale these organizations offer.
However, just as many organizations choose to in-house their cyber threat hunting. Typically, these organizations begin by hiring a handful of resources to stand up the threat hunting capability. Initially, these resources may be double-hatted, and will often focus on data-driven hunting to start. As this team gains more exposure to the environment, and builds out their processes and procedures, they will typically move into more complex hunts.
Where to Get Started Threat Hunting?
The next question managed providers and organizations alike will typically ask when they are building out a threat hunting practice is “where do we get started?”
Threat Hunting Content Platforms
This is a common question because, for large organizations or service providers, starting this type of process can seem daunting. One of the best resources these organizations can have is a threat hunting content platform. These are affordable platforms that provide hunt teams with hundreds of pre-built, updated, validated, and documented hunts. This allows hunt teams to reduce the time they need to dedicate to pre-hunt activities such as research and documentation, saves engineering effort to test and deploy the hunts, and results in hunt teams that can get hunting faster and more reliably.
Cyber threat hunting enables organizations to more effectively protect their environment through proactive detection of undetected threats. While establishing a cyber threat hunting program can seem challenging, the reality is that it is well within the reach of most security teams.
Want access to FREE threat hunting content? Sign up for a Community account on the HUNTER threat hunting content platform!