Three Cyber Threat Hunting Myths
In my last cyber threat hunting blog, I defined cyber threat hunting and outlined when and why you should use it. Just to reiterate, cyber threat hunting is the process of proactively and iteratively searching through your network to detect and isolate advanced threats that evade existing security solutions.
It is an analyst-centric process, where the analyst proposes a hypothesis and then iteratively proves or disproves this hypothesis using supporting tools, such as threat intelligence, logs, analytics, machine learning, etc. The analyst must often use lateral and creative thinking to discover advanced and persistent threats that have gained a foothold and remained hidden in the organization’s environment.
In this blog, I define three common myths of threat hunting. By defining what it isn’t, I hope to help solidify what threat hunting is.
Myth 1: Threat hunting is a replacement for prevention
Prevention is the moat around your castle; the deadbolt on your door. Firewalls, IPS, password policies, and access controls are what solidifies the barrier of entry and keeps most of the bad guys out. Cyber hunting is the art of finding those adversaries that still got in, despite your defenses.
Conversely, prevention is no replacement for cyber hunting either! By investing in a strong defense posture, you are reducing the number of low-impact security incidents, which can form a distraction for the analyst. This effectively frees up your analyst’s time to hunt for the most advanced and persistent adversaries that work hard on evading detection.
Threat hunting is not a replacement for robust and effective threat detection and alert response. It works alongside them, but does not replace the benefits of good prevention.
Myth 2: Hunting can be automated
Threat hunting is not a reactive activity. It is driven by the curiosity of the analyst, and the recognition that the adversary is human and therefore constantly changing the rules of the game. Although good detection and response tools can help catch an advanced adversary, it is commonly through diligent investigation, manual correlation, and discovery that the advanced threat is fully mapped out, and can ultimately be disabled.
Threat hunting is proactive, hypothesis-based investigation. The purpose of hunting is to find what slips by your preventative security systems. An analyst may use an alert or an anomaly as the starting point of the investigation or to inform a hypothesis, but should then expand the search using knowledge of the IT environment and other context to completely identify the extent of the adversary's reach into your network.
Myth 3: Threat hunting is only for elite analysts
Hunting has been called an analyst-centric process. The skills that make a good hunter typically include knowledge of data visualization, log analysis, and threat intelligence. More importantly, a hunter needs intellectual curiosity and the ability to think laterally.
While that is true, the right hunting solution can make up for some skill deficiencies and start you on the path of threat hunting. There are many different threat hunting techniques, and not all of them take years to master. Many of the same analysis techniques used for incident response, triage, and security forensics are great starting points for threat hunting. The most important skill a hunter must possess is intellectual curiosity!
SteelCentral NetProfiler Advanced Security Module is a full-fidelity network flow solution that watches for changes in behavior. These changes could be new services on a sensitive host, connections to untrusted systems, or unexpected data movement. The network fingerprinting process creates a statistical profile of network connections to identify the abnormal sessions. The hunting process is data- and time-intensive. It can be verbose. Focus is gained by filtering on key assets, unique threat identifiers, or other known aspects in the search. These types of reports are great starting points for threat hunting, and a great way to get your feet wet if you are new to the discipline. Check out 10 Security Reports InfoSec Directors Should Be Monitoring for additional reports that make great starting points for threat hunting.
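As an added illustration of the behavioral-profile idea above (this is example code written for this post, not NetProfiler's own logic), the script below builds a statistical fingerprint of a key asset's connections from constructed baseline flow records and then hunts through a day's flows for the three kinds of change mentioned: a new service on the sensitive host, a connection to an untrusted peer, and outbound data movement far outside the baseline. All addresses, ports, byte counts and the trusted-prefix list are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent_by_src). Not real data.
BASELINE = [
    ("10.0.3.10", "10.0.1.5", 443, 1500), ("10.0.3.11", "10.0.1.5", 443, 1700),
    ("10.0.1.5", "10.0.2.20", 5432, 1800), ("10.0.1.5", "10.0.2.20", 5432, 2200),
    ("10.0.1.5", "10.0.2.20", 5432, 2000), ("10.0.1.5", "10.0.2.20", 5432, 1900),
    ("10.0.1.5", "10.0.2.20", 5432, 2100),
]
TODAY = [
    ("10.0.3.10", "10.0.1.5", 443, 1600),      # normal: known service, known client
    ("10.0.3.12", "10.0.1.5", 3389, 900),      # new service exposed on the key asset
    ("10.0.1.5", "203.0.113.7", 443, 2000),    # outbound to a never-seen, untrusted peer
    ("10.0.1.5", "10.0.2.20", 5432, 900000),   # known peer, but far outside the byte baseline
    ("10.0.3.10", "10.0.4.4", 22, 50000),      # unrelated host: dropped by the key-asset filter
]
KEY_ASSETS = {"10.0.1.5"}       # constructed: the sensitive host(s) the hunt focuses on
TRUSTED_PREFIXES = ("10.0.",)   # constructed: address space treated as internal/trusted
Z_THRESHOLD = 3.0               # flag transfers more than 3 std devs above the asset's baseline

def build_profile(flows, assets):
    """Fingerprint each key asset: services it offers, peers it talks to, outbound flow sizes."""
    profile = {a: {"services": set(), "peers": set(), "out_bytes": []} for a in assets}
    for src, dst, dport, nbytes in flows:
        if dst in profile:
            profile[dst]["services"].add(dport)
        if src in profile:
            profile[src]["peers"].add(dst)
            profile[src]["out_bytes"].append(nbytes)
    return profile

def hunt(flows, profile):
    """Compare new flows against the profile; return (asset, finding, detail) leads for the analyst."""
    findings = []
    for src, dst, dport, nbytes in flows:
        if dst in profile and dport not in profile[dst]["services"]:
            findings.append((dst, "new_service", f"port {dport} from {src}"))
        if src in profile:
            p = profile[src]
            if dst not in p["peers"] and not dst.startswith(TRUSTED_PREFIXES):
                findings.append((src, "untrusted_peer", f"{dst}:{dport}"))
            if p["out_bytes"]:  # no outbound baseline means no size comparison is possible
                mu, sigma = mean(p["out_bytes"]), pstdev(p["out_bytes"])
                z = (nbytes - mu) / sigma if sigma else (float("inf") if nbytes > mu else 0.0)
                if z > Z_THRESHOLD:
                    findings.append((src, "data_movement", f"{nbytes} bytes to {dst}:{dport}, z={z:.1f}"))
    return findings

if __name__ == "__main__":
    for lead in hunt(TODAY, build_profile(BASELINE, KEY_ASSETS)):
        print(lead)
```

Each lead is a starting hypothesis to confirm or discard with other context, not a verdict; the filter on key assets is what keeps the output short enough to work through by hand.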
To learn more about how the Riverbed SteelCentral Advanced Security Module can help you secure your organization, read the rest of the blog series: