The Low Down on Threat Hunting

Wednesday, November 14, 2018
Threat Hunting

Recently we announced our 2018 State of Threat Detection survey results  and we picked up on some interesting trends around the subject of threat hunting. But what exactly is threat hunting? Who's doing it? And how can you do it too? Find out the answers below: 

What is threat hunting?

Threat hunting is a buzzword du jour, but it’s often misused and misunderstood. While organizations are varying in their definitions of threat hunting, ultimately it is a proactive way to find advanced threats that have been designed to evade traditional preventive defenses, as well as automated detection capabilities. Consider it the last line of defense before data exfiltration occurs. From PII to intellectual property, cyber criminals want what you have and be assured, are looking for a way to get it. Threat hunting is different than monitoring, since it is carried out by a human analyst, despite relying heavily on automation and machine assistance. The analyst’s true goal is to determine an initial threat or indicator to hunt for and how that type of malicious activity will be found within the environment.

Who’s doing it?

For our recent State of Threat Detection report we interviewed over 580 security professionals from around the globe and found that 63% of all respondents said they do not threat hunt or do not know if they do. We know the adoption rate of threat hunting has been increasing in the last few years – but it’s still nowhere near where it should be. It’s also surprising that the adoption rate among very large organizations is not higher as just over half (51%) of organizations with 5000+ employees state that they threat hunt.

Why are many organizations not hunting threats?

The reasons why organizations are unable to adopt this proactive measure is unsurprising - nearly half of the professionals who participated in the study noted they didn’t have the time to threat hunt, and a third cited lack of skills as a barrier. But almost all of them - 88% - believe threat hunting is a necessity. This means that despite identifying that threat hunting is critical for a robust security posture, security operations teams are struggling underneath the weight of the resource drought – both in terms of skill and capacity. And these organizations don’t appear to see a light at the end of the tunnel as 53% of organizations said that they don't see themselves starting to hunt within the next year.

How can organizations get in the hunt?

To overcome these limitations, organizations should consider solutions and services that can elevate existing teams with the provision of the right data and automated workflows to speed up the detection and response process and facilitate threat hunting capabilities.

Tap into the resource of Managed Detection and Response Service Providers

The skills shortage is taking its toll on proactive detection, especially where threat hunting is concerned. Threat hunting requires experienced analysts who have a very specific set of skills. It’s difficult to find threat hunters, let alone afford them. Generally, having an analyst with these skills is a luxury only 3-letter agencies or the fortune 500 can afford but this doesn’t mean threat hunting isn’t achievable for everyone else. It absolutely is if you outsource detection and response to an MDR. Whether you have an existing SOC and want to augment it to facilitate threat hunting, or would prefer to outsource this function entirely, tapping into the talent of technology providers who can fine tune and use high level technology in their sleep (not literally, but they are monitoring 24 hours), is a great way to go. 

Leverage the right technology to make Threat Hunting less time intensive

Threat hunting takes time. That’s a fact. With some technology solutions running a search can take hours, if not days – and we won’t even mention the open source tech, that’s a whole other story. You can make threat hunting more viable for your team if you have solutions in place which can speed up the workflow. Here’s what to look for in a technology to assist this:

  • Context: A solution that collates related alerts that occur on the same endpoint/IP address over time and analyzes this content to provide context can make the process of developing realistic IOCs much faster.
  • Rapid search: Solutions using rich, indexable metadata provide search speeds that far outperform those that don’t - we’re talking seconds and minutes, not hours or days.
  • Metadata: If a solution breaks down sessions into metadata, you are able to ask much richer questions, and prove or disprove your hypothesis much faster.
  • Evidence: If you are unlucky enough to prove your hypothesis correct, you need to act quickly and deliberately in response. A solution that enables you to pivot immediately between network and endpoint to isolate a machine is invaluable. Not to mention – you want the evidence at your fingertips, so you can make informed decisions. Make sure your solution enables you to pull files and artifacts instantaneously.

To sum up – in order to better protect organizations from the good, the bad and the ugly, they need to be considering proactive threat detection tactics such as threat hunting. Lack of resource and skills are valid barriers, but they can also be overcome – and MDR is an excellent place to start.

Read the full State of Threat Detection report here:

https://www.fidelissecurity.com/threat-detection-report-2018

Register for the webinar here:

https://www.fidelissecurity.com/resources/webinar/state-threat-detection-2018

 

- Rae Jewell
MDR Manager