The Threat Hunting Conundrum: Challenges Security Teams Face
By Josh Campbell at Cyborg Security
It’s pretty undeniable that threat hunting, as a topic, has captured the imagination of cyber security (and marketing) professionals all around the globe. And why wouldn’t it?
Proactive hunting has the opportunity to help uplift and mature security operations, while causing an unbelievable amount of grief to cyber adversaries all at the same time. So it is no surprise that many organizations have set aside a plethora of resources build their hunting capability and to make sure their efforts start off on the right foot. Despite this, however, many organizations will face a number of very substantial hurdles in building a threat hunt team.
We’ve put together a list of the top 6 challenges security teams face in order to help organizations circumnavigate them early in their process!
Challenge #1: Budget Constraints of Threat Hunting
Hunting is often poorly defined and understood — particularly by senior leaders. It’s often unclear how it fits into compliance and best practice frameworks. As a result, threat hunting is often ‘last in line’ for budget, receiving only a fraction of the resources given to blue and red teams. Most of this budget is spent to maximize headcount, but most hunting teams are still extremely low on skilled FTEs.
Challenge #2: The Hunting Skills Gap
The skills gap affects all areas of cybersecurity, but few as keenly as hunting. There are few people worldwide who call themselves threat hunters, and even less with a full skillset. As a result, most teams are low in headcount and can’t run nearly as many hunts as they would like.
Challenge #3: Lack of Dedicated Resources for Threat Hunting
The SANS 2020 Threat Hunting Survey found 75% of organizations with a threat hunting capability use staff who have other roles — usually in a SOC and IR team. This is preferable to no threat hunting but makes it hard to define consistent, repeatable processes and build effective hunts.
Many SOC and IR analysts are fully capable of developing hunting skills. However, hunting is a different profession with its own certifications and qualifications. When forced to split their time between both functions, there is very little remaining for analysts to develop their skills and obtain the necessary certifications.
Worse still, most SOC and IT teams are already challenged with unmanageable workloads. When forced to split their time, the organization’s security posture is compromised, as issues will be missed.
Challenge #4: Threat Intelligence is Not Geared To Hunting
Most organizations with a hunting capability have a Cyber Threat Intelligence (CTI) team in place. However, unless the CTI team is fully mature, it won’t include personnel with the broad skill sets needed to produce behavioral and TTP-related intelligence to inform threat hunts.
For instance, a core capability needed to inform hunting is malware analysis — like reverse engineering. A full understanding of what malware does and how it works is essential to develop a hunt for the TTPs it uses. However, this is an extremely uncommon skill set that most CTI teams can’t retain.
Sandboxes are a common attempt to solve this problem, but lots of malware can evade this approach — leaving threat hunters without adequate intelligence to inform their hunts.
Challenge #5: The ‘Legitimacy Gap’
As IT environments grow more complex, so do behaviors observed in them. This causes a growing knowledge gap of what is legitimate, even among skilled threat hunters. A hunter might observe behavior that appears unusual, but due to changing architecture, it could be legitimate. This is a challenge for hunt teams, which must continually keep abreast of evolving internal conditions and behaviors.
Challenge #6: Confused Terminology
Across the industry, there’s a lack of consistency in the meaning given to ‘threat hunting.’ For clarity’s sake, here are the three activities most commonly described as threat hunting:
- IoC “hunting”
- Unstructured threat hunting
- Structured threat hunting
For more clarification on structured vs unstructured threat hunting, you can check out our blog 👉 here. There is also discussion on whether hunting originating from an IoC qualifies as hunting. It doesn’t.
By definition, hunting searches for unknown threats. Threat hunters search for previously undetected activity tied to malicious artifacts and behaviors that cannot be found by detection capabilities or alerts.
IoCs relate to known threats. If a threat is known, it falls under the parameters of detection and alerting capabilities — not hunting.
It is true that proactive hunting has become a key topic for security teams in 2021. It is also true that organizations are beginning to recognize the value that hunting can bring to them, and as a result are setting aside resources to ensure their hunting efforts are set up for success. Despite these two facts though, organizations continue to face substantial challenges. By understanding these challenges, it allows organizations to steer clear of them and make sure their threat hunters are poised for success.