Moving the Needle Forward on Threat Hunting
By Josh Campbell at Cyborg Security
If you’ve been paying attention to the cyber security media and blogosphere throughout 2020 and 2021, you’ve heard the term “threat hunting” being used a lot. You’ve probably heard the definition, and about how it helps security teams, and how if you don’t have it, you’re behind the proverbial cyber-8 ball, and how every vendor’s product will somehow mysteriously enable it. In fact, the other day I was looking at an intelligence collection vendor that claimed you could “threat hunt” using its platform. To be clear, this is a platform that scrapes OSINT from various online sources and displays it on a dashboard. That isn’t threat hunting.
Despite this, many companies have continued to misuse the term, attempt to redefine it, or worse: come up with entirely fictional “types” of threat hunting. I wanted to go over some of these to try and clear the air around what threat hunting is, and perhaps more importantly, what it isn’t.
The Definition of Threat Hunting
Before we get into the weeds on the misused or redefined types of threat hunting, it probably would help to give the quick and dirty definition of threat hunting. For our purposes, we will define threat hunting as:
“… a proactive method for detecting unknown threats in an environment by observing non-obvious behaviors and patterns that have bypassed existing security controls and processes, in an iterative and repeatable fashion.”
If you would like a deeper and more nuanced look at the types of threat detection, you can check out this article. For now, let’s look at some of the misused, redefined, or concocted types of threat hunting.
IOC “Hunting,” or Security Analysis?
This is perhaps the most common misuse of the term ‘threat hunting.’ The proponents of the term typically define it as “hunting” across an environment for a given indicator of compromise (IOC) that they have acquired. These IOCs are usually broken down into IP addresses, domains, full URLs, filenames, and hashes — admittedly there are more, but these are typically the most common. When an organization gets hold of these IOCs, it will often search through its environment to see if they have previously been observed, and depending on the reliability of the indicator, it may deploy them into one or more of its security platforms for future detection.
Now, proponents of the term will often describe IOC hunting as a less mature version of data-driven or hypothesis-based threat hunting. The problem with this concept is the data that IOC hunting relies upon, namely indicators of compromise. These are defined data points from a confirmed compromise — in other words a known threat, whereas true threat hunting is looking for unknown threats. Now, the first and probably most relevant objection some will have with this interpretation is “what about less certain IOCs such as IPs?” These less certain IOCs may belong to common hosting providers, or a domain from compromised infrastructure that an attacker used during a compromise. The IP or domain could host hundreds of legitimate sites and pages and only one malicious one, therefore it may not be malicious, and thus demands that analysts hunt for it and analyze it, right?
Well, it is a legitimate scenario, but it is anything but threat hunting. In fact, it is the epitome of traditional security analysis, and it is a reality security analysts deal with every single day. Therefore, IOC hunting really isn’t any different from regular security analysis except for what generated the alert: in the former it is generated by a human search, while in the latter it comes from a security control. Therefore, I typically refer to IOC hunting as a type of ‘threat detection,’ but not threat hunting.
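To make the distinction concrete, here is an added example (not code from Cyborg Security or from the original post) that runs both approaches over the same constructed process-creation log. `ioc_matches` is the IOC “hunt”: it can only find the event whose hash is already on a known-bad list. The two `hunt_*` functions are hypothesis-driven hunts over behavior and prevalence, and they surface an event the IOC list knows nothing about. All events, hashes and hypotheses are constructed for illustration.

```python
"""Constructed example: IOC matching (known threats) versus
hypothesis-driven hunting (unknown threats) over the same telemetry."""
from collections import defaultdict

# Constructed process-creation events; hashes are placeholders, not real IOCs.
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "process": "outlook.exe",    "sha256": "h-outlook"},
    {"host": "ws01", "parent": "outlook.exe",  "process": "winword.exe",    "sha256": "h-word"},
    {"host": "ws01", "parent": "winword.exe",  "process": "powershell.exe", "sha256": "h-ps"},
    {"host": "ws02", "parent": "explorer.exe", "process": "chrome.exe",     "sha256": "h-chrome"},
    {"host": "ws02", "parent": "services.exe", "process": "svchost.exe",    "sha256": "h-svchost"},
    {"host": "ws03", "parent": "explorer.exe", "process": "chrome.exe",     "sha256": "h-chrome"},
    {"host": "ws03", "parent": "services.exe", "process": "svchost.exe",    "sha256": "h-svchost"},
    {"host": "ws03", "parent": "explorer.exe", "process": "dropper.exe",    "sha256": "bad-hash-1"},
    {"host": "ws02", "parent": "explorer.exe", "process": "winword.exe",    "sha256": "h-word"},
    {"host": "ws03", "parent": "explorer.exe", "process": "powershell.exe", "sha256": "h-ps"},
]

# Constructed IOC feed: one hash from a previously confirmed compromise.
KNOWN_BAD_HASHES = {"bad-hash-1"}


def ioc_matches(events, bad_hashes):
    """IOC 'hunting': exact lookup of known-bad hashes. Finds only known threats."""
    return [e for e in events if e["sha256"] in bad_hashes]


# Hypothesis: office applications should not be spawning scripting hosts.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def hunt_office_spawning_scripts(events):
    """Behavioral hunt: parent/child relationship, independent of any IOC."""
    return [
        e for e in events
        if e["parent"].lower() in OFFICE_APPS and e["process"].lower() in SCRIPT_HOSTS
    ]


def hunt_rare_processes(events, max_hosts=1):
    """Prevalence hunt (stack counting): processes seen on very few hosts.
    Rarity is a lead for an analyst to triage, not a verdict."""
    hosts_by_process = defaultdict(set)
    for e in events:
        hosts_by_process[e["process"].lower()].add(e["host"])
    return sorted(p for p, hosts in hosts_by_process.items() if len(hosts) <= max_hosts)


if __name__ == "__main__":
    print("IOC matches:", [(e["host"], e["process"]) for e in ioc_matches(EVENTS, KNOWN_BAD_HASHES)])
    print("Office -> script host:", [(e["host"], e["parent"], e["process"])
                                     for e in hunt_office_spawning_scripts(EVENTS)])
    print("Rare processes:", hunt_rare_processes(EVENTS))
```

The IOC lookup returns only `dropper.exe` on ws03, because that is the one hash the feed already knew. The behavioral hunt returns the `winword.exe` → `powershell.exe` chain on ws01, which no IOC would have caught, and the prevalence hunt lists `dropper.exe` and `outlook.exe` as single-host processes, illustrating why a hunt's output is a set of leads to investigate rather than alerts. Both hunts are iterative and repeatable: once a hypothesis proves useful it can be turned into a detection, which is the hand-off from hunting back to threat detection.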
External Threat Hunting, or Reconnaissance and Vulnerability Assessment?
Another one of the more curious “redefinitions” of the term threat hunting is that of ‘external threat hunting.’ It is an interesting case because even the term itself is used for multiple practices, none of which are threat hunting.
The first use of the term I have seen relates to “hunting” the perimeter of a network using a combination of vulnerability assessment and reconnaissance tools and combining that with data from the likes of Shodan or one of its clones. The objective is to find possibly vulnerable systems, misconfigurations, or anomalies. The belief, its supporters will often say, is that it proactively allows them to find vulnerable systems, either after (or hopefully before) an attacker can make use of them. So, the focus is on the proactive nature of this “type” of threat hunting.
However, much like IOC hunting, while this is a needed process, and one that more companies should adopt, it isn’t threat hunting as it is focused on identifying vulnerabilities. Now, while it is true that during threat hunting hunters may identify vulnerabilities, misconfigurations, or anomalies, the reality is that these are by-products of hunting and not the true objective. This practice of identifying vulnerable or misconfigured systems should really fall into the realm of vulnerability assessment and penetration testing (VAPT) or similar fields. It is definitely not threat hunting.
External Threat Hunting, or Data Visualization and Enrichment?
The second use of the term ‘external threat hunting’ is perhaps even more curious. This use of the term describes the function of specific tools that connect relationships between IOCs, leaked credentials, and a hodgepodge of additional data, information, and refined intelligence, usually with a visual element to allow for easy mapping. Typically, these tools do not ingest data from an environment, but rather require a manual transfer of the data, which they then enrich and provide additional contextualization for, such as WHOIS lookups, passive DNS, or similar.
These visualization and enrichment tools are without a doubt useful. However, the function that they serve, equally without a doubt, is not threat hunting.
First, they almost universally operate exclusively on IOCs for known threats. So, for the same reason that IOC hunting is not threat hunting, neither are these tools. Additionally, these tools are most often used by cyber threat intelligence analysts during their work to establish the connective tissue between seemingly unrelated indicators or events. This is an important element of the broader practice of security operations and intelligence analysis, but it also definitely isn’t threat hunting.
One of the most important takeaways from this blog is, simply, that just because these things aren’t “threat hunting” doesn’t mean they should be trivialized. Quite the opposite: all of these are practices that every organization should have in place. However, it is equally true to assert that none of these are threat hunting. Now, you may ask why that matters.
Simply put, the cyber security industry has, in the past, had issues with language when terms that are on their way to becoming buzzwords are continuously redefined and broadened through a process that often makes them indistinguishable from any other “thing” in cyber security. This often results in a situation that can be likened to the adage “if everything is x, then nothing is,” which can be destructive for the individual term, as well as for cyber security as a whole. Instead, I want to ensure that we avoid that fate, and that at every opportunity we move the needle forward with threat hunting.