Threat hunting has become all the rage in the last couple of years. According to a recent poll, 79% of respondents said that threat hunting should be, or will be, their top security initiative this year.
Threat Hunting is the act of proactively searching out an adversary on your IT estate, as opposed to the traditional method of waiting for monitoring technology to trip and fire an alert which a human then responds to.
In the US Army LandCyber White Paper, hunting is defined as an "internally-focused active defensive measure that detects advanced threats within friendly networks and take appropriate response actions." [emphasis mine]
It was also mentioned in the same paper, "Counter-reconnaissance, or hunt forces, will work within Army networks to maneuver, secure, and defend key cyberspace terrain, identifying and defeating concealed cyber adversaries that have bypassed the primary avenues of approach monitored by automated systems." [emphasis mine]
In essence, this describes threat hunting as an active defensive measure that detects adversaries who have bypassed automated security systems. We can think of threat hunting, then, as people actively forming hypotheses about the TTPs threat actors are using at each stage of the kill chain, which have slipped past existing security controls, and looking for the traces they have left behind across the entire estate. In many ways, threat hunting is like proactive incident response, since it begins from the assumption that the organization is already breached. Unlike incident response, however, which is scoped to a specific incident, threat hunting has a much wider scope.
What is different about Threat Hunting?
Threat hunting is not new, but it has become popular in recent years, and the pace of innovation is growing as organizations looking for a more effective security approach start to see successes.
With Threat Hunting, you don't wait for your SIEM, IDS or any other technology to ring the alarm bell; you assume you're already compromised and go hunting for it. You come up with a 'hypothesis' and test it out on your estate. For example, I know that attackers can persist by registering a custom password filter DLL, which LSASS loads at boot and calls whenever a password is set or changed (giving the attacker both persistence and the new plaintext password). I also know that registered password filters show up in the registry, in the Lsa key's Notification Packages value, as names that point to DLLs on disk, so my hunt sprint might involve collecting that value from every workstation on the estate, stacking the results, and picking out the entries that differ from the rest for investigation.
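The password filter hunt above, written out as an added example (this is not code from the original post). It assumes the Notification Packages value has already been collected from each workstation, for instance with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"` run through your remote management or EDR tooling, and that the captured text is keyed by hostname. The host names, the rogue `lsasvc` entry and the workstation baseline of `scecli` are constructed or assumed for illustration. The stacking itself is generic: the same least-frequency approach works for any registry value or autostart location you can collect estate-wide.

```python
r"""Hunt sprint: stack the LSA 'Notification Packages' value across hosts.

Added example, not code from the original post. Assumes per-host output of
  reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"
keyed by hostname. Host names, the rogue 'lsasvc' entry and the baseline are
constructed/assumed for illustration.
"""
from collections import Counter, defaultdict

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

def _reg_output(*packages):
    """Build text in the shape 'reg query' prints; REG_MULTI_SZ entries are \\0-separated."""
    return KEY + "\n    Notification Packages    REG_MULTI_SZ    " + "\\0".join(packages) + "\n"

# Constructed snapshot of reg query output per host (not real data).
SNAPSHOT = {
    "WS001": _reg_output("scecli"),
    "WS002": _reg_output("scecli"),
    "WS003": _reg_output("scecli", "lsasvc"),   # constructed rogue filter DLL
    "WS004": _reg_output("SCECLI"),              # same DLL, different case
    "WS005": _reg_output("scecli"),
    "WS006": _reg_output("scecli", "rassfm"),    # normal on a DC, odd on a workstation
    "WS007": _reg_output("rassfm"),              # default filter removed entirely
}

# Assumption: a plain workstation ships with only scecli registered.
BASELINE = {"scecli"}

def normalise(name):
    """Case-fold and drop a trailing .dll so the same DLL stacks as one entry."""
    n = name.strip().lower()
    return n[:-4] if n.endswith(".dll") else n

def parse_reg_query(text):
    """Return the package names from captured 'reg query' output (empty if absent)."""
    for line in text.splitlines():
        if "Notification Packages" in line and "REG_MULTI_SZ" in line:
            data = line.split("REG_MULTI_SZ", 1)[1]
            return [normalise(p) for p in data.split("\\0") if p.strip()]
    return []

def stack(snapshot):
    """Count how many hosts register each package, and which hosts they are."""
    counts, hosts = Counter(), defaultdict(set)
    for host, text in snapshot.items():
        for pkg in set(parse_reg_query(text)):
            counts[pkg] += 1
            hosts[pkg].add(host)
    return counts, hosts

def hunt(snapshot, baseline=BASELINE):
    """Least-frequency analysis: unexpected packages, rarest first, plus hosts
    where a baseline package is missing (a removed default is worth a look too)."""
    counts, hosts = stack(snapshot)
    all_hosts = set(snapshot)
    rare = [
        {"package": p, "count": n, "hosts": sorted(hosts[p])}
        for p, n in sorted(counts.items(), key=lambda kv: kv[1])
        if p not in baseline
    ]
    missing = {p: sorted(all_hosts - hosts[p])
               for p in baseline if all_hosts - hosts[p]}
    return rare, missing

if __name__ == "__main__":
    rare, missing = hunt(SNAPSHOT)
    for f in rare:
        print(f"investigate {f['package']}.dll on {f['hosts']} "
              f"({f['count']} of {len(SNAPSHOT)} hosts)")
    for pkg, hs in missing.items():
        print(f"{pkg} missing on {hs}")
```

On the constructed data this surfaces `lsasvc` on a single host first, then `rassfm` on two, and separately notes that WS007 has lost `scecli`. Whether a rare entry is malicious still needs a human to pull the DLL from System32 and look at it; the stacking only tells you where to look. Once the hypothesis has proved itself, a function like `hunt()` is exactly the kind of thing you can schedule against a fresh snapshot.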
Experience shows that the creative human mind will always find a way around a static defence. Over the last few decades we've seen more and more security technologies appear: anti-virus, intrusion detection systems, and now "next gen" versions of many of them. Yet breaches continue to happen. It's not that these technologies are useless, but we cannot expect them to simply work every time. Attackers will see what they are doing and change their behaviour to get around them. Defenders need to do the same, presenting more than just a static set of defences.
And this isn't just a matter of continually improving existing defensive technologies in response to the new attacks we see. That has always been done, but it remains reactive. Threat hunting is proactive: actively seeking things out and constantly experimenting and innovating. The goal is to find attackers who have already got in, before they do any real damage, i.e. while they remain hidden from everyday observation.
Effective threat hunting is not about relying on technology to find threats for you; it's about relying on your knowledge of attack techniques to come up with accurate and creative hypotheses. The better you understand the attacker's mindset, the more creative the hypotheses you'll be able to come up with to drive your hunting sprints.
Strong threat hunting depends on the people performing it and not the technology.
Threat Hunting technology drives efficiency
Sounds like a lot of work, performing all this manual hunting without automated alerts, right? Threat Hunting doesn't mean you can't automate. Once you've come up with a hypothesis, turned it into a hunting technique and shown that it works, you can automate that hunt to run at regular intervals and improve efficiency.
So even though threat hunting is a people-centric activity, technology is still important. The more capable and flexible your technology is, the quicker and more effectively you'll be able to execute your hypotheses, and the more of them you'll be able to execute in the first place.
This can also include helping threat hunters prioritise the large amount of data they have to work with, by identifying things that are known to be suspicious to varying degrees. Many security products focus on finding known bad, and there's no reason you shouldn't do the same. But unlike purely automated technology, which only acts once the level of suspicion crosses a fixed threshold, humans can take something that is merely potentially suspicious and check whether it really is.
Really good threat hunting teams will then feed what they learn from these investigations back into the technology they use. This could mean adding capabilities, streamlining existing ones, or identifying specific malicious activities with more precision, increasing the confidence with which the technology can flag them up in future.