Expectation vs Reality: Debunking 5 (More) Myths About Threat Hunting
By Josh Campbell at Cyborg Security
If you’ve been paying attention to the cyber security industry, you’ve probably noticed the term “threat hunting” or “threat hunters” coming up an awful lot. The question you should ask yourself is: “why?”
The answer, like most things in the cyber security industry, depends. Some organizations are interested in maturing their security operations. Others are looking to improve their overall threat detection strategy. Still others just think the term “sounds pretty cool.” However, regardless of the motivation, there are a lot of misconceptions surrounding threat hunting.
To enable security teams and aspiring hunters to cut through the noise, I’ve sat down with some of our threat hunters to put together a list of some of the most common misconceptions and myths folks have about threat hunting and what the reality really is.
EXPECTATION: THREAT HUNTERS SPEND MOST OF THEIR TIME THREAT HUNTING.
Reality: This one will likely surprise a lot of folks, especially because “threat hunter” is literally the job title. But the reality is that a lot of other preparatory work — I call it “pre-hunting” — goes into building a hunt plan. This can involve fun things like research, testing and exploitation, but it also encompasses the more mundane work like getting approvals, developing documentation, or convincing engineering teams that adding a new log source really is important. All this is to say that a lot of a threat hunter’s time isn’t spent threat hunting but preparing for the hunt.
But the fun doesn’t end there. Even after the hunt — I’ll call it “post-hunting” — threat hunters will likely be documenting their hunt, presenting their findings to management, and building threat detection content and playbooks for their SOC. So, while threat hunters do hunt, most of their effort is often dedicated to pre- and post-hunting activities.
EXPECTATION: THREAT HUNTERS USE IOCS TO FIND MALICIOUS ACTIVITIES.
Reality: Let’s just get this out of the way right now: threat hunting does not use IOCs (or indicators of compromise, like IPs, domains, and hashes). Instead, threat hunting looks for suspicious outliers, anomalies, and most importantly, behaviors. For example, a threat hunter doesn’t really care if the attachment you received has a hash that was previously observed on malware reporting sites and is flagged by 16/54 antivirus engines.
What they do care about, for instance, is that when you opened that same attachment, it spawned a child process “cmd.exe” which further launched PowerShell.exe, and that attempted to create a network connection. These are the behaviors that threat hunters look for to identify malicious activity.
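The behavior described above can be written as a small hunt over process and network telemetry. This is an added example, not code from the article or from Cyborg Security; the event fields, the sample events, and the list of document-handling applications are constructed assumptions.

```python
# Constructed sample telemetry (not from the article), shaped loosely like
# Sysmon process-creation (id 1) and network-connection (id 3) events.
EVENTS = [
    {"id": 1, "host": "ws01", "pid": 4100, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 1, "host": "ws01", "pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "host": "ws01", "pid": 4300, "ppid": 4200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 3, "host": "ws01", "pid": 4300, "dest": "203.0.113.10:443"},
    # An admin starts PowerShell from the desktop: same binary, different behavior.
    {"id": 1, "host": "ws02", "pid": 700, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "host": "ws02", "pid": 710, "ppid": 700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 3, "host": "ws02", "pid": 710, "dest": "198.51.100.7:443"},
    # A document spawns cmd.exe, but no PowerShell and no connection follow.
    {"id": 1, "host": "ws03", "pid": 5100, "ppid": 880, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 1, "host": "ws03", "pid": 5200, "ppid": 5100, "image": r"C:\Windows\System32\cmd.exe"},
]

# Assumption: which applications count as "the thing that opened the attachment".
DOC_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}


def exe(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_chain(events):
    """Connections made by powershell.exe <- cmd.exe <- document handler."""
    # Keyed on (host, pid); real data also needs a process GUID or a time
    # window so that PID reuse does not stitch unrelated processes together.
    procs = {(e["host"], e["pid"]): e for e in events if e["id"] == 1}
    hits = []
    for conn in (e for e in events if e["id"] == 3):
        host = conn["host"]
        ps = procs.get((host, conn["pid"]))
        cmd = procs.get((host, ps["ppid"])) if ps else None
        doc = procs.get((host, cmd["ppid"])) if cmd else None
        if not doc:
            continue  # lineage shorter than three known processes
        chain = [exe(p["image"]) for p in (doc, cmd, ps)]
        if chain[0] in DOC_HANDLERS and chain[1:] == ["cmd.exe", "powershell.exe"]:
            hits.append({"host": host, "chain": chain, "dest": conn["dest"]})
    return hits


if __name__ == "__main__":
    for hit in hunt_chain(EVENTS):
        print(hit)
```

No hash, IP, or domain is consulted: only the ws01 lineage matches, and it would still match if the attachment were a never-before-seen file.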
EXPECTATION: THREAT HUNTERS NEED DEDICATED PLATFORMS TO HUNT.
Reality: If you’ve been to a (virtual) trade show in the last 24 months, you have probably seen companies offering so-called threat hunting platforms. Seeing this, you would be forgiven for believing that you need such a platform to conduct threat hunting. The reality, however, couldn’t be further from the truth.
While hunting can be carried out using threat hunting platforms, they are not required. In fact, the most advanced form of hunting — so-called behavioral hunting — is typically carried out using traditional technologies like SIEM, EDR, and NDR tools. This isn’t to say that these “platforms” can’t be useful, especially for their visualization capabilities, but comparable visualizations can often be achieved using free tools like gnuplot.
EXPECTATION: ORGANIZATIONS NEED EDR, NDR, XDR, OR <INSERT TOOL OR CAPABILITY> TO THREAT HUNT.
Reality: Threat hunting is often described as a game of visibility. After all, you can only hunt what you can see on the endpoint and network. However, that isn’t to say that organizations need any specific technology to carry out a successful hunt. Instead, organizations need to take stock of their existing logging to see what data they can use right away and try different analysis methodologies, like frequency, volume, clustering, grouping, or stack counting. For more information on these methodologies, check out our free Threat Hunting Framework!
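As an illustration of one of these methodologies, the sketch below applies stack counting to process-creation logs an organization may already collect. It is an added example, not taken from the article or from the framework it mentions; the rows are constructed, and ranking by distinct hosts is one common way to stack, chosen here as an assumption.

```python
from collections import defaultdict


def build_sample():
    """Constructed (host, parent, child) rows standing in for existing logs."""
    rows = []
    for host in (f"ws{n:02d}" for n in range(1, 7)):
        rows += [(host, "explorer.exe", "chrome.exe")] * 3
        rows += [(host, "services.exe", "svchost.exe")] * 5
    rows += [("ws03", "explorer.exe", "powershell.exe"),
             ("ws05", "explorer.exe", "powershell.exe")]
    # Noisy on one machine only: four events, but a single host.
    rows += [("ws04", "winword.exe", "cmd.exe")] * 4
    return rows


def stack_count(rows):
    """Stack parent/child pairs, rarest first by distinct hosts, then events."""
    hosts = defaultdict(set)
    events = defaultdict(int)
    for host, parent, child in rows:
        hosts[(parent, child)].add(host)
        events[(parent, child)] += 1
    stacks = [{"pair": pair, "hosts": len(seen), "events": events[pair]}
              for pair, seen in hosts.items()]
    # Sorting on host count first keeps one chatty machine from looking
    # "common": winword -> cmd has more events than explorer -> powershell
    # but still ranks as the rarest stack.
    return sorted(stacks, key=lambda s: (s["hosts"], s["events"]))


def rare_stacks(rows, max_hosts=1):
    """The short end of the stack: pairs seen on at most max_hosts hosts."""
    return [s for s in stack_count(rows) if s["hosts"] <= max_hosts]


if __name__ == "__main__":
    for s in stack_count(build_sample()):
        print(f'{s["hosts"]:>2} hosts {s["events"]:>3} events  {s["pair"][0]} -> {s["pair"][1]}')
```

The rare end of the list is where a hunter starts reading; the common end describes what normal looks like in this environment.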
EXPECTATION: PEN TESTERS AND RED TEAMERS MAKE THE BEST THREAT HUNTERS.
Reality: A common misconception is that offensive security professionals make the best threat hunters. The logic goes that, as the ones acting like threat actors, they are uniquely qualified to understand real adversaries. The reality though is that threat hunters come from a wide variety of backgrounds, with many originating from the DFIR and security engineering space.
This is because threat hunters don’t just need to understand their adversaries, they also need to understand the environment and what it looks like, from an evidentiary perspective, when an adversary interacts with it. Having a background in security engineering, especially SIEM engineering, can also help tremendously when it comes time to build reliable hunting and detection content.
Threat hunting continues to be a topic garnering a considerable amount of attention in the industry. With all this attention, a lot of misconceptions have cropped up around the profession, especially about what threat hunters do. One great way that organizations can jump start their threat hunting capability is to leverage Cyborg Security’s threat hunting content platform, HUNTER. HUNTER provides organizations access to hundreds of pre-built threat hunting packages, saving threat hunters a lot of that pre- and post-hunt time, work, and effort, and allowing them to focus on the hunt itself. Sign up for your free Community Access HUNTER account today and see!