The Hurdles of Threat Hunting
By Josh Campbell at Cyborg Security
The last few years have seen a massive explosion of interest in threat hunting. Security-conscious organizations, seemingly across every industry, are setting aside resources, and actively planning on building out their hunting capabilities. However, as any seasoned infosec veteran can tell you, this building process is often fraught with challenges and struggles. I’ve compiled a list of the “Top 6” conundrums that threat hunting teams face to help organizations plan for them before they become a problem.
Challenge #1: Budget Constraints
Let’s face it, we all knew #1 was going to be budgetary constraints.
Threat hunting is often poorly defined and understood — particularly by senior leaders. It’s often unclear how it fits into compliance and best practice frameworks. As a result, threat hunting is often ‘last in line’ for budget, receiving only a fraction of the resources given to traditional blue and red teams.
The other elephant in the room is that threat hunters are a highly in-demand and scarce resource. Inevitably, they are also very expensive, so organizations can’t afford many of them, and most hunting teams remain extremely low on skilled FTEs.
Additionally, the perceived “uncertainty” around the ROI of a hunt team can also prove challenging for security organizations.
Challenge #2: The Skills Gap
The skills gap affects all areas of cybersecurity, but few as keenly as threat hunting. There are few people worldwide who call themselves threat hunters, and even fewer with a full skillset. As a result, most teams are low in headcount and can’t run nearly as many hunts as they would like.
Challenge #3: Lack of Dedicated Resources
The SANS 2020 Threat Hunting Survey found 75% of organizations with a threat hunting capability use staff who have other roles — usually in a SOC and IR team. This is preferable to no threat hunting but makes it hard to define consistent, repeatable processes and build effective hunts.
Many SOC and IR analysts are fully capable of developing threat hunting skills. However, threat hunting is a different profession often with few official certifications and vaguely defined qualifications. When forced to split their time between both functions, there is very little remaining for analysts to develop their skills and obtain the necessary experience.
Worse still, most SOC and IT teams are already challenged with unmanageable workloads. When forced to split their time, the organization’s security posture is compromised, as issues will be missed.
Challenge #4: Threat Intelligence is Not Geared to Threat Hunting
Most organizations with a threat hunting capability have a Cyber Threat Intelligence (CTI) team in place. However, unless the CTI team is fully mature, it won’t include personnel with the broad skill sets needed to produce behavioral and TTP-related intelligence to inform threat hunts.
For instance, a core capability needed to inform threat hunting is security research skills — like reverse engineering. A full understanding of what malware does and how it works is essential to develop a hunt for the TTPs it uses. However, this is an extremely uncommon skill set that most CTI teams can’t retain.
Sandboxes are a common attempt to solve this problem, but lots of malware can evade this approach — leaving threat hunters without adequate intelligence to inform their hunts.
Challenge #5: The ‘Legitimacy Gap’
As IT environments grow more complex, so do behaviors observed in them. This causes a growing knowledge gap of what is legitimate, even among skilled threat hunters. A hunter might observe behavior that appears unusual, but due to changing architecture, it could be legitimate. This is a challenge for threat hunting teams, which must continually keep abreast of evolving internal conditions and behaviors.
Challenge #6: Confused Terminology
Across the industry, there’s a lack of consistency in the meaning given to ‘threat hunting.’ For clarity’s sake, here are the three activities most commonly described as threat hunting:
- IoC “hunting”
- Unstructured threat hunting.
- Structured threat hunting.
We have already given clear definitions on what structured and unstructured hunting are — you can check them out here. What we do want, however, is to clear up a misunderstanding.
There is discussion on whether hunting originating from an IoC qualifies as threat hunting. It doesn’t.
By definition, threat hunting searches for unknown threats. Threat hunters search for previously undetected activity tied to malicious artifacts and behaviors that cannot be found by detection capabilities or alerts.
IoCs relate to known threats. If a threat is known, it falls under the parameters of protection and alerting capabilities — not threat hunting.
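As an added illustration of the distinction drawn above (this is example code, not code from the original post or from Cyborg Security), the following Python runs an IoC hash match and a behavioral hunt hypothesis over constructed process-creation events. The hypothesis (an Office application launching a command interpreter), the hash values, the hostnames and the legitimacy baseline are all assumptions made for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample process-creation events (not from the post).
EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "parent": "explorer.exe", "image": "winword.exe", "sha256": "h-good-1"},
    {"host": "ws01", "parent": "winword.exe", "image": "powershell.exe", "sha256": "h-new-1"},
    {"host": "ws02", "parent": "explorer.exe", "image": "dropper.exe", "sha256": "h-bad-1"},
    {"host": "fin01", "parent": "excel.exe", "image": "powershell.exe", "sha256": "h-good-2"},
    {"host": "ws04", "parent": "excel.exe", "image": "cmd.exe", "sha256": "h-new-2"},
]

# Known-bad indicators from an intel feed (constructed). Matching these finds a
# *known* threat: the post's argument is that this is alerting, not hunting.
IOC_HASHES: Set[str] = {"h-bad-1"}

# Structured hunt hypothesis (assumed, not from the post): an Office application
# spawning a command interpreter is a TTP worth hunting whatever the file hash.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe"}

# Legitimacy baseline the hunt team maintains (Challenge #5): the same behavior
# is approved on one host, e.g. a scheduled reporting job (constructed entry).
KNOWN_LEGIT: Set[Tuple[str, str, str]] = {("fin01", "excel.exe", "powershell.exe")}


def ioc_hits(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Detection of known threats: events whose hash is in the IoC feed."""
    return [e for e in events if e["sha256"] in IOC_HASHES]


def behavioral_hits(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Hunt for the TTP, suppressing pairs the team has verified as legitimate."""
    hits = []
    for e in events:
        if (e["host"], e["parent"], e["image"]) in KNOWN_LEGIT:
            continue
        if e["parent"] in OFFICE_APPS and e["image"] in INTERPRETERS:
            hits.append(e)
    return hits


def unknown_to_intel(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Behavioral hits with no IoC coverage: what the hunt finds and alerting cannot."""
    return [e for e in behavioral_hits(events) if e["sha256"] not in IOC_HASHES]


if __name__ == "__main__":
    print("IoC hits:", [e["host"] for e in ioc_hits(EVENTS)])
    print("Behavioral hits:", [e["host"] for e in behavioral_hits(EVENTS)])
    print("Unknown to intel:", [e["host"] for e in unknown_to_intel(EVENTS)])
```

The IoC match and the behavioral hunt surface disjoint sets of events: the feed catches the known dropper, while the hunt surfaces two interpreter launches whose hashes no feed has seen.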
Security teams everywhere certainly seem to have caught the threat hunting bug, with organizations scrambling to get a hunt capability in place. However, in the rush to hunt, many organizations also find the path fraught with stumbling blocks. But if organizations remain aware of these potential challenges, they can often avoid them altogether.
If you want to increase the speed of your hunts, and super-charge your threat hunting by as much as 5X, check out Cyborg Security’s threat hunting content platform — HUNTER. HUNTER allows security teams to deploy behavioral hunting content to detect the adversary tactics, techniques, and procedures, as well as the latest exploits and malware. Use promo code ‘CONUNDRUM’ to claim your exclusive HUNTER Community Edition account now!