There has been a lot of hype around threat hunting, and until recently it has been a program more likely found in companies that are heavily targeted or that operate in the high-tech, military, government and telecommunications industries. We are starting to see the capability slowly trickle down to small and medium enterprises (SMEs), but the resources (people and expertise) available to perform the hunts are currently limited.
In short, threat hunting is the methodology of searching for compromises and threats that have already bypassed traditional preventive security controls, no matter how thorough those precautions might be. Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools. Such threats are often classified as advanced persistent threats (APTs) because of their ability to initiate and maintain long-term operations against their targets.
Threat Hunting is not a replacement for alternative approaches like Endpoint Detection and Response (EDR) or Digital Forensics and Incident Response (DFIR).
A threat hunter is someone who searches for the traces attackers leave behind, usually before traditional security devices generate any alerts about their activity. Larger organizations employ several dedicated cyber hunters on a team; rather than waiting to respond to alerts or indicators of compromise, they actively search for threats in order to prevent or minimize the damage.
Organizations without larger budgets generally rely on their SOC analysts to do some basic form of threat hunting or incident response. For most organizations, threat hunting occurs in response to a security event that an analyst is alerted to within the environment, mostly on an ad-hoc basis.
The SANS 2017 threat hunting survey of 306 IT security professionals that are doing mainly SOC-based hunting posed the question:
"What activities would initiate an active threat hunt in your environment?" The top answers included:
- Alerts or alarms from monitoring tools (e.g. SIEM, log analysis)
- Anomalies picked up in our environment
- New vulnerabilities found in our environment
- Items or events we've read or heard about through our peer groups and the media
- Custom intelligence from third-party threat intelligence providers
How deep an organization goes into threat hunting depends on what makes the most sense for that organization. The 2017 Ponemon Institute report showed that how quickly an organization contained a data breach had a direct effect on its financial impact: the cost of a data breach was nearly $1 million lower for organizations that contained the breach in less than thirty days.
The challenge for most organizations is the investment in the security infrastructure needed to run the threat hunting tools, as well as the need for dedicated and empowered threat hunters who know what adversaries are capable of, so that they can identify them as early as possible.
For an organization to see the full value of this program, it will need to make the process achievable and repeatable so that it can be followed for future hunts.
ChannelSOC provides Security Operations Center services, which include a compromise assessment that follows the MITRE ATT&CK model to enhance visibility and proactively search through networks and datasets for threats that evade existing controls. Rather than waiting for alerts, our threat hunters proactively look for anomalies and for where you have already been compromised.