Threat hunting isn’t important for companies, it’s an imperative. I can say that with confidence as a practitioner who has worked in security analysis, threat intelligence, SOC management, security policy, and of course threat hunting in the government and the private sector for the past 15 years. Throughout my journey, what I found is that too many companies think that proactive security like threat hunting is something that is “nice to have” and that real proactive security is unattainable.
This reality has only been reinforced now that I am on the vendor side of things. I have the privilege of sitting in on meetings with prospective customers, and something I keep hearing echoed by SOC management and CISOs is that threat hunting isn’t something that they are concerned with. More surprisingly, I also hear a lot of pessimism around the concept of “proactive security,” with many thinking it is a pipedream instead of being in their pipeline to deliver.
I am here to tell you that not only must every industry start focusing on building, or scaling, up their proactive security, they need to start doing it yesterday. There is good news, however, and that is building it up is wholly attainable for organizations of every size, maturity, and industry.
THE REALITY OF THE “THREAT LANDSCAPE”
The “threat landscape” is a term that is often thrown around carelessly in cyber security marketing circles that refers to all existent cyber threats that could impact an organization. The simple fact for most companies, however, is that in order continue to do business in cyber space, the threat landscape isn’t just a buzzword, it is something that must be contended with, defended against, and dealt with, and the statistics bear this out: there are now more than a billion malware programs and variants known, and more than 560,000 new pieces of malware are detected every single day. The result of this rather staggering number is that data breaches set a new high last year with 1,862 identified breaches, representing a 68% increase from 2020, and surpassing the previous record set in 2017.
PROACTIVE SECURITY FLIPS THE SCRIPT ON ADVERSARIES
The objective of most corporate security programs is to mitigate the risks associated with that threat landscape — like ransomware, nation states adversaries, malware, vulnerabilities, and exploits. The troubling reality, however, is that most of these threats begin their lives as something entirely undetectable by even the most sophisticated modern-day security tools (and by extension the security programs and analysts that monitor them). This is because security tools can only detect the threats they know about. This means that all but the most disconnected of companies are immensely vulnerable when a new threat emerges. Threat hunting, however, flips the script on that paradigm and starts off with the assumption that something got through. Hunt teams, or highly specialized analysts, proactively hunt through your environment looking for telltale suspicious or malicious behaviors by users and programs that might belie a compromise. Once something is identified, they triage, investigate, and respond.
But the benefits of threat hunting don’t end there. When these hunt teams uncover a previously unknown threat, they don’t just respond to it. They also build out sophisticated content that is then deployed in existing security tools to ensure, going forward, that if that threat enters the environment again, traditional security teams will be able to react accordingly. Threat hunting doesn’t just exist to hunt for unknown threats, but they are also directly responsible for the proactive improvement of companies’ overall security posture.
To contend with the explosive growth seen in the threat landscape today, security and business leaders must seek to adopt a proactive approach to security, leveraging practices like threat hunting, to stay ahead of these emerging threats and round out their more traditional defenses.
WITH PROACTIVE SECURITY EVERYONE CAN THREAT HUNT
How do you start threat hunting? The practice of threat hunting is often seen as intimidating for organizations. That is because the perception is that threat hunting demands resources and security maturity that is unattainable for all but the largest companies. That can be true for the highly sophisticated hunt teams found in various military and intelligence agencies, but even a single well-equipped hunter can begin the practice of proactive security for a company.
And by establishing a solid foundation of proactive security, a company can easily see the same benefits of threat hunting that the much larger teams in government agencies do — with only a fraction of the resources. A word of caution, however, is that to establish this foundation, it is important to equip your security teams for success by putting visibility first.
YOU CAN ONLY HUNT WHAT YOU CAN SEE
It is critical to put visibility — at the network and endpoint levels — first to ensure success for proactive security. This is because a hunter is only as good as the data he has to hunt in.
One of the key components to this visibility is at the endpoint level. Using tools like endpoint detection and response (EDR) to record what is occurring on an endpoint, you allow a threat hunter to observe the behaviors of users and code on that system. This enables them to establish a baseline of behavior on a given host, segment, and network and also to identify deviances from that baseline. It is in these deviances that those undetectable threats tend to lie.
Another critical element for visibility is at the network level. Some may ask why network traffic from NDR-like tools is important when EDR records everything that happens on a system? The answer is that not every node on your network will have EDR installed. Things like guest networks, BYOD, IOT, ICS, and even a coffee machine can be networked, and if they reside on a network they can be attacked. Network visibility enables hunters to identify suspicious or malicious communication patterns that might escape the host-based tools like EDR. It is also worth identifying that while north-south visibility is critical, east-west visibility (including between network segments) is also highly valuable — but can be more costly due to the sheer amount of storage it can occupy.
By ensuring your security teams have a maximum of visibility across both endpoints and networks in your environment you maximize the likelihood of success for your security teams generally, but your threat hunters specifically.
PROACTIVE SECURITY IS A LONG GAME STRATEGY
While establishing a threat hunting capability — even if it is just a single hunter — is a great move towards proactive security, it is crucial to understand that threat hunting is a “long game strategy.” It may be that your hunt team discovers something on their first hunt, but like actual hunting there will be many hunts where hunters come back empty-handed. However, these instances should not be looked at as failures, instead, they should be treated as confirmation that an organization hasn’t been impacted by the sought for behaviors yet.
It is also important to realize that the value of threat hunting isn’t just in a single hunt, but iterative and repeatable hunts conducted at regular intervals. Even an unsuccessful hunt should be run continuously over the course of a year to provide regular and ongoing validation that an organization has not been impacted. This process can reassure business and security decision makers, especially during periods of heightened concern new and emerging threats start making the news cycle.
YOU DON’T HAVE TO HUNT SOLO
Proactive security, especially threat hunting, can seem unattainable, especially if you are a medium to large organization with only a small team (or even a single threat hunter). One way to scale a small team, without adding additional costly resources, it to enable them to be more efficient and focus on hunting itself and not the pre-hunt work like research, testing, and validation. This can be done by partnering with a trusted vendor to provide the hunting content that fuels the individual hunts your team carries out.
A vendor whose threat hunters are highly experienced and in tune with your organization’s hunting objectives can provide threat hunting content that is both human-built and validated. This can allow your threat hunters to execute more hunts faster, which can act as a force multiplier for your hunt team.
This is how organizations of any size and maturity can replicate the threat hunting practices of much larger teams. With the right foundation, even smaller, less mature teams can achieve the goal of proactive security.