Hunting must also extend beyond the manual effort to assist in moving security teams to a proactive defense methodology. Newly designed threat hunting platforms will also incorporate automation and a form of AI to provide ongoing detection of similar threats without user intervention, automate response actions on detection, and continuously optimize the platform to learn from previous threats.
The act of threat hunting will drastically increase the understanding of how information, technology and infrastructure are being used within the network, while propelling the security team into an adaptive defense methodology. Additional benefits of threat hunting include:
- Improved security posture by continually reducing attack surface area
- Visibility into insider and external threats
- Actioning internal knowledge to improve defenses
- Identification of security policies being evaded (GPO, etc)
- Ability to perform internal gap analysis
- Highlighting focus areas for security planning
- Quantitative data, drawn from the hunts themselves, to build a case for additional technology
Who Has the Time for Threat Hunting?
The growing volume and complexity of security incidents have made it nearly impossible for security teams to hunt for new threats – let alone investigate and remediate those already identified by existing security technology. This has created a divide amongst security teams: those fortunate enough to employ dedicated threat hunting staff, those who outsource threat hunting, and those who need to ‘find the time’ to do their own threat hunting. Well, until now that is.
To level the playing field, Secdo has created a single platform that not only enables advanced threat hunting, but also incorporates AI to automatically investigate every security alert—cutting the time required for alert triage and incident response to mere seconds. This, in turn, allows for incidents to be investigated at least 10x faster, freeing up valuable time to perform critical tasks in the security workflow, like threat hunting. Security teams with dedicated threat hunters will be unburdened by other activities, those that outsource can free budget and insource because no one knows your network better than your own team, and teams who need to ‘find the time’ will now have at least 10x more availability.
More information on how Secdo can assist in other areas of security operations can be found here.
Types of Threat Hunting
Not all threats are created equal, and therefore, not all threat hunting techniques are performed equally. The technique used depends on the purpose of the hunt and on the information available before it starts; the common types are:
Lead-based (tip-based) threat hunting
This is the most common type of threat-hunting exercise – the hunter has received a clue about a potential threat before looking for it. Whether the lead comes from threat intelligence, a newly found indicator of compromise (IOC), a tip from someone within the organization, or sheer suspicion, the complexity of tip-based threat hunting depends on the tip’s level of detail. Secdo is built on an open platform with direct integration with multiple threat intelligence providers, the ability to manually import artifacts or IOCs from different standards, and an easy-to-use search that returns results instantly.
Lead-less threat hunting
A close second in popularity, this is the approach in which the hunter uses their own or acquired knowledge of how a computer, application, user, data set or network is meant to be used, and aims to identify anomalous or abnormal use. It is typically referred to as advanced threat hunting because it is commonly left to the most experienced team members who, until the introduction of Secdo, employed techniques such as data carving and analytics to achieve results. Secdo simplifies this process by incorporating the techniques of advanced threat hunters into the system, allowing hunters of any experience level to achieve the same results without relying on scripts or other tools, or learning a new query language.
Outcome-based threat hunting
This describes the practice of looking into the attack methodology behind a quarantined alert, completed investigation or any other resolved threat to find activity that may reveal a variant of the threat, a potential new threat, or an open attack vector. The common ‘set-it-and-forget-it’ approach, which does not take the time to analyze threats that were quarantined or closed, very often leaves a risk gap that a future threat can exploit. Secdo incorporates outcome-based threat hunting directly into the workflow of security alert and incident handling to ensure that lessons learned from every investigation are constantly applied to close identified attack vectors and optimize the platform.
Compliance-based threat hunting
In order to ensure an organization is remaining compliant with internal, industry, and government policies, threat hunters may perform routine searches for activity that may put them at risk of non-compliance, such as sensitive data stored in unauthorized systems or abuse of privileges by admin users. While some systems, like Secdo, can be configured to alert security analysts of this type of activity—allowing them to further investigate the alert, much like with outcome-based threat hunting—some don’t, making compliance-based threat hunting just as important as any other type.
Automated threat hunting
Applied-learning systems, like Secdo, allow security analysts to easily configure their platform so results from their manual threat hunting activity (e.g., a rogue IP, corrupted file, malware signature, unauthorized action, bad behavior, etc.) can be automatically and continuously hunted for as activity on the enterprise is monitored and investigated. We call these behavioral indicators of compromise, or BIOCs, which not only reduce the surface area of risk but continually optimize the Secdo platform. Their time-saving benefits are the new nirvana of threat hunters.
The Importance of Visibility for Accurate Threat Hunting
Visibility plays a critical role in threat hunting. The accuracy and effectiveness of all threat hunting efforts will be directly related to the depth and breadth of visibility the hunter is given to look for threats across the enterprise.
Most professionals in the security space concur: network data doesn’t provide enough visibility into enterprise activity, making endpoint-based visibility a must for threat hunters. However, some security systems, like various SIEMs and network and endpoint-based tools, will limit access to the activity they monitor from each device, restricting threat hunting capabilities. Other analytics-based solutions don’t even collect their own data; they rely solely on information fed to them or that is freely available. These different types of solutions will maintain focus on the data for which they do provide visibility, sparing you from wasting time on seemingly irrelevant data. But it is in this very seemingly irrelevant data where security threats can easily hide. Therefore it is crucial to have visibility that is not restricted to a specific threat type, but rather incorporates data for internal, external, application, user and behavior-based threats.
Agent-based products, like most endpoint security tools, add another dimension to visibility based on where they operate. If the agent sits in user space, its visibility is limited to the applications that run on top of the operating system, keeping threat hunters from finding rogue activity that operates in kernel space. Kernel-space agents provide the threat hunter with significantly more visibility, but at the expense of endpoint performance, user experience, or productivity, so it’s important to test these solutions before implementing them.
An additional factor in agent-based products concerns how they operate. Most agents gather data at the process level, while only one (Secdo) can gather data at the thread level. Thread-level visibility is the most granular view of endpoint activity and is gaining importance due to the rise of file-less attacks and memory-only malware. It is the ability to distinguish the source of one instruction from another within the same process and automatically reveal the root cause of an attack. Visibility limited to the process level bundles all instructions within the same process together, making it impossible to determine the root cause of a file-less attack.
(You can learn more about user, kernel, and thread-level visibility here.)
Without the proper depth and breadth of visibility into activity on the enterprise, a threat hunter’s job will be severely handicapped, leaving organizations at risk. Secdo utilizes a minimal-resource agent that uniquely operates at both the user and kernel levels, recording all activity at the thread level for over 100 days, ensuring that information is available well beyond the industry-average dwell time.
Popular Misconceptions About Threat Hunting
Despite the increasing popularity of threat hunting, many organizations have not been able to put in place an effective threat-hunting practice due to a number of reasons. Some of the misconceptions that have kept security teams from engaging in threat hunting are:
Myth #1: Threat hunting is time consuming
Because it requires significantly more active interaction from already-taxed security professionals, the act of threat hunting can be seen as daunting and extremely time consuming. This is where tools like Secdo provide superior value. By automating the investigation and root cause analysis of incoming security alerts, security teams benefit both from considerable time savings and from the wealth of information automatically made available to them. Secdo also saves time by expediting alert triage, incident response, and remediation, while allowing security teams to optimize the platform by implementing learnings from previous incidents—freeing up even more time and making future threat-hunting efforts faster, more effective and easier to conduct.
Myth #2: Only seasoned experts make for good threat hunters
Sure, seasoned security experts can perform their jobs with much more acumen, but that doesn’t mean that those who are still building up their security resume will struggle with threat hunting. When the accuracy and effectiveness of your security posture relies heavily on the expertise of your security staff, your operational costs will skyrocket. But when your security tools take on the hard work and lower the learning curve of otherwise complex tasks, your investment will yield high returns—especially in an industry where securing top-notch talent can be both hard to find and cost-prohibitive. Platforms like Secdo were built from the ground up with user experience in mind. Secdo can be used by security professionals at all levels of expertise, enabling advanced threat hunting to be performed with ease and all without the need for a proprietary query language.
Myth #3: Threat hunting is limited to finding malware
While threat hunting efforts most commonly result in identifying the presence of malware in the enterprise, they are not limited to just that. Bad behaviors, such as a sequence of actions that reveal rogue user activity, stolen confidential files, and intruders lurking in unauthorized locations can also be found while hunting for threats, making the practice even more critical for security teams. Secdo focuses on monitoring and recording all activity on the endpoint so any threat can be identified, not just the ones relating to processes or external threats.
Myth #4: Hunting for Behaviors (BIOCs) or TTPs is difficult
There are two popular models by which a threat hunting practice can rate its effectiveness. The first is the Pyramid of Pain [1], which ranks the types of artifacts used in detection by how much ‘pain’ it causes the attacker to evade that detection. For example, detection based on a known bad hash is easy for an attacker to circumvent, but detection of an attack behavior (Tool, Tactic or Procedure – TTP) means an entirely new attack-delivery mechanism needs to be found. The other model is the Hunting Maturity Model [2], which rates the ability to operationalize and automate hunting: routinely collecting data to augment the SIEM is considered HMM1, and automated detection, the hardest level to achieve, is HMM4. By combining advanced BIOCs with thread-level visibility and automation, threat hunting practices using Secdo are immediately rated at the highest levels of both models and actually go beyond the definitions by incorporating AI to continually optimize and improve platform and network defenses.
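To make the Pyramid of Pain point above concrete, and to show the kind of continuous BIOC matching described under “Automated threat hunting”, here is an added Python example (not Secdo code): constructed endpoint process events are checked against atomic indicators taken from a finished hunt (a hash and an IP) and against one behavioral indicator; the second event is the same behavior with a rehashed payload and new infrastructure, so only the behavioral rule still fires. Event fields, rule names and every sample value are constructed for illustration.

```python
"""Atomic IOC vs. behavioral IOC (BIOC) matching over constructed endpoint events."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent: str    # image name of the parent process
    image: str     # image name of the child process
    sha256: str    # hash of the child image on disk
    dest_ip: str   # first outbound connection by the child, "" if none


# Atomic indicators recorded at the end of a manual hunt (constructed values).
BAD_HASHES = {"aaaa1111" * 8}
BAD_IPS = {"203.0.113.7"}          # TEST-NET-3 documentation address

# Behavioral indicator: a document handler spawning a child that talks out.
# It keys on the behavior, so it survives rehashing and infrastructure changes.
DOC_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
BIOC_NAME = "bioc:doc_app_child_with_network"


def match_atomic(ev: ProcEvent) -> list[str]:
    """Bottom of the pyramid: exact hash and IP matches."""
    hits = []
    if ev.sha256 in BAD_HASHES:
        hits.append("ioc:hash")
    if ev.dest_ip in BAD_IPS:
        hits.append("ioc:ip")
    return hits


def match_bioc(ev: ProcEvent) -> list[str]:
    """Top of the pyramid: a behavior pattern, independent of hash or IP."""
    if ev.parent.lower() in DOC_APPS and ev.dest_ip:
        return [BIOC_NAME]
    return []


def hunt(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Run every indicator over every event; the automated, continuous hunt."""
    return {ev.host: match_atomic(ev) + match_bioc(ev) for ev in events}


# Constructed sample events: original payload, rehashed variant, benign activity.
EVENTS = [
    ProcEvent("ws-01", "WINWORD.EXE", "invoice.exe", "aaaa1111" * 8, "203.0.113.7"),
    ProcEvent("ws-02", "WINWORD.EXE", "invoice2.exe", "bbbb2222" * 8, "198.51.100.9"),
    ProcEvent("ws-03", "explorer.exe", "chrome.exe", "cccc3333" * 8, "192.0.2.10"),
]

if __name__ == "__main__":
    for host, hits in hunt(EVENTS).items():
        print(host, hits or "clean")
```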
Myth #5: Vendor-based threat hunting is better than internal threat hunting
A popular trend is to purchase threat hunting services from endpoint vendors. These services aim to provide customers with some peace of mind having an experienced hunter dedicated to their network for a period of time. However, this is rarely the case. These hired hunters are looking at volumes of data often spanning multiple customers and simply charging multiple customers to automatically share lessons learned while using that information to improve their software tools. Moving to an in-house threat hunting practice that incorporates automation actually empowers your security team, increases internal knowledge, allows a uniquely customized defense and improves operational processes from alert triage to incident response, drastically increasing productivity and ROI. Secdo is one of the few threat hunting platforms that couples the benefits of an in-house threat hunting practice with ease of use to lower the skill level requirement of threat hunting and ensure that any security team can move to a proactive defense model.
Shopping for a Threat Hunting Tool? Here’s What to Look For
Threat hunting tools vary widely, but—like with most technology categories—they can be arranged in two groups:
- Tools that operate as focused, threat hunting, point solutions.
- Platforms that feature threat hunting capabilities as part of their cybersecurity workflow.
However, unlike other technology categories, threat hunting rarely makes sense as a point solution. When it is part of a streamlined platform that includes other capabilities such as prioritization of all security alerts, automated investigation, surgical response, and scalable remediation, threat hunters will not only increase the success of their hunting techniques, but also take quick action to mitigate anything they find. The key lies in ensuring that all the features and toolsets that map to the most advanced level of techniques in a threat hunting maturity model are indeed included in the platform.
The following checklist offers an overview of the key criteria that buyers need to take into consideration when evaluating the threat hunting capabilities of a platform or solution: