Given the dramatic increase in cyberattacks, no agency can afford to feel that its security is impenetrable. Regardless of how thorough agencies believe their defenses are, determined and well-funded hackers can penetrate their networks. Furthermore, many organizations that have already been hacked remain unaware that an intrusion has occurred. This has given rise to a new cybersecurity role -- the threat hunter.
Chief information security officers may understandably be cautious about this development. When security teams are pressed for time dealing with existing alerts, CISOs can find it tough to justify adding threat hunting teams, which could stretch resources. But threat hunting has two real, lasting advantages. First, proactive hunting can find core security issues much faster than traditional reactive methods. Second, a balance between threat hunting and incident response can reduce the overall load on security operations center analysts who must focus on fighting day-to-day fires.
What is a threat hunter?
A threat hunter is a cybersecurity threat analyst who uses proactive methods to uncover security incidents that might otherwise go undetected. Threat hunters may use automated tools, rely on manual methods or use a combination of both.
Threat hunters begin with the assumption that every system has been compromised, so they look at virtually everything in an environment to spot potential indicators. Hunters typically analyze the system to determine everything that is on it, treating it all as a threat until it can be proven otherwise. They may examine processes and tools, as well as network file sharing and commands. Many of the threats that hunters detect would be missed by normal security measures as the threats in themselves do not appear malicious; it may take an experienced hunter to notice that something is unusual or inappropriate. However, without a high level of visibility into networks, threat hunters will not be able to offer a high degree of protection.
What makes a good threat hunter?
Threat hunters enjoy the challenge of matching wits with cybercriminals. They possess creativity as well as critical-thinking skills. Hunters remain current on the latest threats or emerging trends among cybercriminals, and they may also endeavor to think like a hacker to better understand the methods that a criminal might employ to penetrate an agency's defenses. Some hunters pretend they are hackers so that they can join hacker forums and talk with true hackers, learning about their techniques and analyzing their mindsets.
Threat hunters tend to be passionate about security and highly curious. They understand how to use multiple tools and often push those tools to their limits. Hunters excel at forming hypotheses, analyzing divergent information sources and knowing which information provides the best value for their purposes. If they have prior experience in incident response or other security roles, they use that knowledge to identify the tools that will provide the best logs or other insights.
Threat hunters also have a deep understand how an agency normally operates so that they know where to look for signs of potentially malicious behavior and detect anomalies. They may employ endpoint detection tools, review system logs or network packet capture systems. They also investigate unusual activities such as a user who logs in only late at night or a user who has signed in only one time.
However, threat hunters also know that they must do more than search for anomalies. Many attackers take steps to make sure that their actions appear to be those of a normal user. Therefore, threat hunters also look at the "normal" space, even if such hunting produces a large volume of false positives. Hunters ask themselves what threat might be undetectable — and then find ways to detect it.
Which organizations should be hunting?
Any organization possessing data or a network worth protecting should be proactive about threat hunting. Although an effective incident response plan is critical, reacting to a breach is always more expensive than preventing an intrusion. Nevertheless, the results of The State of Incident Response 2017 study from Demisto showed that threat hunting is not being widely practiced. For example, only 12 percent of the respondents reported that they had already automated their threat hunting, even though 47 percent felt that automated threat hunting would be of an immediate benefit to their organizations. Furthermore, fewer than one-third of the respondents stated that they had a tool they could use for aggregating threat feeds; those that did reported that implementing the tool had been problematic, with 46 percent stating that they had spent at least 12 months attempting to implement the tool completely.
Automation allows agencies to collect a great deal of information in a short time, relying on the computer to find relevant information to present to human analysts. Automated hunting may start with agency-specific algorithms before evolving into more complex methods of detection.
Find the hunter within
Threat hunters are still a rare breed. The current shortage of qualified talent is part of the reason for their scarcity. To meet the need, many organizations are developing their own hunters by selecting creative, bright IT employees to receive additional training and to hone their hunting skills on the job. With the right combination of people and technology, any agency can embrace threat hunting -- and make their systems more secure.
This article was first published on GCN: https://gcn.com/articles/2018/01/08/threat-hunting.aspx