In my last cyber threat hunting blog, I defined cyber threat hunting and outlined when and why you should use it. Just to reiterate, cyber threat hunting is the process of proactively and iteratively searching through your network to detect and isolate advanced threats that evade existing security solutions.
It is an analyst-centric process, in which the analyst proposes a hypothesis and then works to prove or disprove it using supporting tools, such as threat intelligence, logs, analytics, machine learning, etc. The analyst must often use lateral and creative thinking to discover advanced and persistent threats that have gained a foothold and remained hidden in the organization’s environment.
In this blog, I define three common myths of threat hunting. By defining what it isn’t, I hope to help solidify what threat hunting is.
Prevention is the moat around your castle; the deadbolt on your door. Firewalls, IPS, password policies, and access controls are what solidify the barrier to entry and keep most of the bad guys out. Cyber hunting is the art of finding those adversaries that still got in, despite your defenses.
Conversely, cyber hunting is no replacement for prevention either! By investing in a strong defense posture, you reduce the number of low-impact security incidents, which can otherwise be a distraction for the analyst. This effectively frees up your analyst’s time to hunt for the most advanced and persistent adversaries, the ones that work hard at evading detection.
Threat hunting is not a replacement for robust and effective threat detection and alert response. It works alongside them, but does not replace the benefits of good prevention.
Threat hunting is not a reactive activity. It is driven by the curiosity of the analyst, and the recognition that the adversary is human and therefore constantly changing the rules of the game. Although good detection and response tools can help catch an advanced adversary, it is commonly through diligent investigation, manual correlation, and discovery that the advanced threat is fully mapped out, and can ultimately be disabled.
Threat hunting is a proactive, hypothesis-based investigation. The purpose of hunting is to find what slips by your preventative security systems. An analyst may use an alert or an anomaly as the starting point of the investigation or to inform a hypothesis, but should then expand the search using knowledge of the IT environment and other context to completely identify the extent of the adversary’s reach into your network.
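The expansion step described above, as an added example that is not part of the original post: start from a single alert, then iteratively pivot through constructed connection records, using environment context (here, destination prevalence across hosts) so the hunt grows only along rare destinations rather than pulling in every host that shares a common service. Host names, destinations and the prevalence threshold are all assumptions.

```python
from collections import defaultdict, deque

# Constructed sample connection records (host, destination), standing in for
# proxy or firewall logs. Not taken from the original post.
RECORDS = [
    ("ws-01", "update.vendor.example"),  # common, benign
    ("ws-02", "update.vendor.example"),
    ("ws-03", "update.vendor.example"),
    ("ws-04", "update.vendor.example"),
    ("ws-01", "cdn-metrics.example"),    # rare: the seed alert fired on this
    ("ws-03", "cdn-metrics.example"),    # a second host talking to it
    ("ws-03", "files-share.example"),    # rare: only reached from ws-03 and srv-db
    ("srv-db", "files-share.example"),
    ("ws-02", "mail.example"),           # common
    ("ws-04", "mail.example"),
    ("srv-db", "mail.example"),
]

# Context from the environment (assumed): a destination contacted by at most
# this fraction of hosts is rare enough to pivot on; common services are not.
MAX_PREVALENCE = 0.5

def prevalence(records):
    """Fraction of all hosts that contacted each destination."""
    hosts = {h for h, _ in records}
    by_dest = defaultdict(set)
    for h, d in records:
        by_dest[d].add(h)
    return {d: len(hs) / len(hosts) for d, hs in by_dest.items()}

def pivot_hunt(seed_host, seed_dest, records, max_prev=MAX_PREVALENCE):
    """Expand from one alert: each rare destination a suspect host used becomes
    a pivot, each host that used a pivot becomes suspect. Returns (hosts, dests)."""
    prev = prevalence(records)
    by_host, by_dest = defaultdict(set), defaultdict(set)
    for h, d in records:
        by_host[h].add(d)
        by_dest[d].add(h)
    suspect_hosts, pivot_dests = {seed_host}, {seed_dest}
    queue = deque([("host", seed_host), ("dest", seed_dest)])
    while queue:
        kind, value = queue.popleft()
        if kind == "dest":                       # who else talked to this pivot?
            for h in by_dest[value] - suspect_hosts:
                suspect_hosts.add(h)
                queue.append(("host", h))
        else:                                    # what else did this host reach?
            for d in by_host[value] - pivot_dests:
                if prev[d] <= max_prev:          # pivot only on rare destinations
                    pivot_dests.add(d)
                    queue.append(("dest", d))
    return suspect_hosts, pivot_dests
```

Running `pivot_hunt("ws-01", "cdn-metrics.example", RECORDS)` links ws-03 and srv-db to the seed through the two rare destinations; raising `max_prev` to 1.0 drags every host in through the shared update and mail services, which is why the context gate matters.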
Hunting has been called an analyst-centric process. The skills that make a good hunter typically include knowledge of data visualization, log analysis, and threat intelligence. More importantly, they need to have intellectual curiosity and the ability to think laterally.
While that is true, the right hunting solution can make up for some skill deficiencies and start you on the path of threat hunting. There are many different threat hunting techniques, and not all of them take years to master. Many of the same analysis techniques used for incident response, triage, and security forensics are great starting points for threat hunting. The most important skill a hunter must possess is intellectual curiosity!
Published with permission from Riverbed.