For those working in security operations, there's simultaneously great job security and a huge challenge in the fact that some of the bad actors out there are sophisticated, large-scale operations with a litany of tools at their disposal. Even with the most cutting-edge tools and skilled team members, there's an overwhelming pressure to secure and have visibility into every aspect of a network. This is especially true for organizations in sensitive industries or with mission-critical projects.
It's a given that the more at risk the enterprise is, the more sophisticated its security practices should be.
Threat Hunting Defined
For those newly acquainted with the concept, threat hunting means actively seeking out threats in your IT environment. It typically assumes that there has already been a breach, and works by forming and testing a hypothesis. While threat hunting depends on a wide range of tools, it's by nature analyst-centric.
Prevention, detection and response should still form the foundation of any organization's security operation. Threat hunting tends to be resource heavy, and should be kicked off only after these crucial pieces are in place.
As Gartner puts it in their recently released report, "For most organizations, hunting becomes the next step after they have implemented their alert triage and detection content development processes, and matured their security incident response functions, but still need to look beyond additional incremental improvements."*
In this blog, we'll share our takeaways from that report and suggest resources for further learning.
Choose Your Hunters, Choose Your Weapons
For teams that are ready to give it a try, know that threat hunting requires not only smart use of tactical tools, but keen senses and a little creative ingenuity that only a highly skilled human can provide. While you won't exactly need a once-in-a-generation chosen one, you may want to train up some of your sharpest analysts until they possess the strength and skill to stand against the forces of darkness—or track down a candidate with a unique set of skills.
Gartner recommends, "technical professionals working in security operations and monitoring should seek people with advanced incident response, security monitoring, threat intelligence, system and/or endpoint knowledge. Also, seek out analysts with creative thinking skills, since threat hunting is an analyst-centric practice."
Additionally, Gartner noted some key characteristics of threat hunting, including, "Ad hoc and creative methodology: Hunting is not about following the rules, but about a creative process and a loose methodology that are focused on outsmarting a skilled human attacker on the other side."* From our perspective, this means you're going to need creative people on your team who can come up with a few novel plans and approaches, and think a few steps ahead.
While people are central to the process, tools are needed for an effective hunt. According to Gartner, organizations have reported the following benefit from threat hunting: "The creation of new and effective detection content for tools such as SIEM, IDS/IPS, endpoint detection and response (EDR) and network detection and response (NDR)."*
Gartner names a few network detection and response (NDR) tools to help identify any anomalies and seek out unwanted lateral movement. Host forensics and threat intelligence tools also play a key role in identifying signs of malicious intent.
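To make the "form and test a hypothesis" loop and the "new detection content" benefit concrete, here is an added worked example (not code from the Gartner report or from this blog). It hunts over a handful of constructed logon events for one hypothesis about lateral movement: an account that successfully logs on over the network to many distinct hosts within a short window. The hunt flags two accounts; the analyst triages one of them (a backup service account) as benign, and that triage result is folded into the rule that would be handed to a SIEM. The users, hosts, timestamps, the 10-minute window and the four-host threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (hypothetical users and hosts), not real telemetry.
SAMPLE_EVENTS = [
    "2020-06-01T09:00:05 user=alice src=WS-101 dst=FILE-01 logon=network outcome=success",
    "2020-06-01T09:01:10 user=alice src=WS-101 dst=FILE-02 logon=network outcome=success",
    "2020-06-01T09:02:40 user=alice src=WS-101 dst=WS-102 logon=network outcome=success",
    "2020-06-01T09:03:15 user=alice src=WS-101 dst=WS-103 logon=network outcome=success",
    "2020-06-01T09:04:50 user=alice src=WS-101 dst=DC-01 logon=network outcome=failure",
    "2020-06-01T09:05:20 user=alice src=WS-101 dst=DC-01 logon=network outcome=success",
    "2020-06-01T09:00:30 user=bob src=WS-104 dst=FILE-01 logon=network outcome=success",
    "2020-06-01T09:30:00 user=bob src=WS-104 dst=FILE-01 logon=network outcome=success",
    "2020-06-01T09:31:00 user=bob src=WS-104 dst=WS-102 logon=network outcome=success",
    "2020-06-01T02:00:00 user=svc-backup src=BKP-01 dst=FILE-01 logon=network outcome=success",
    "2020-06-01T02:00:05 user=svc-backup src=BKP-01 dst=FILE-02 logon=network outcome=success",
    "2020-06-01T02:00:10 user=svc-backup src=BKP-01 dst=DC-01 logon=network outcome=success",
    "2020-06-01T02:00:15 user=svc-backup src=BKP-01 dst=WS-102 logon=network outcome=success",
    "2020-06-01T08:55:00 user=carol src=WS-105 dst=WS-105 logon=interactive outcome=success",
]


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def hunt_fanout(lines, window=timedelta(minutes=10), min_hosts=4):
    """Test the hypothesis: an account that successfully logs on over the network to
    at least `min_hosts` distinct hosts within `window` may be moving laterally.
    Returns {user: sorted hosts reached} for every account that matches."""
    by_user = defaultdict(list)
    for line in lines:
        e = parse_event(line)
        if e.get("logon") == "network" and e.get("outcome") == "success":
            by_user[e["user"]].append(e)
    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            # Distinct hosts reached inside the window that starts at this event.
            hosts = {e["dst"] for e in events[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


def build_detection(hunt_findings, triage_benign, window=timedelta(minutes=10), min_hosts=4):
    """Turn the hunt outcome into detection content: the tested threshold plus the
    accounts the analyst confirmed as benign during triage (here a backup job), so the
    rule handed to the SIEM does not keep re-alerting on known-good behaviour."""
    return {
        "name": "Network logon fan-out from one account",
        "window_minutes": int(window.total_seconds() // 60),
        "min_distinct_hosts": min_hosts,
        "exclude_users": sorted(u for u in hunt_findings if u in triage_benign),
    }


def run_detection(rule, lines):
    """Apply the codified rule to a batch of events and return the resulting alerts."""
    hits = hunt_fanout(lines, timedelta(minutes=rule["window_minutes"]), rule["min_distinct_hosts"])
    return {u: h for u, h in hits.items() if u not in rule["exclude_users"]}


if __name__ == "__main__":
    raw = hunt_fanout(SAMPLE_EVENTS)
    print("hunt findings:", raw)                            # alice and svc-backup match
    rule = build_detection(raw, triage_benign={"svc-backup"})
    print("detection content:", rule)
    print("alerts:", run_detection(rule, SAMPLE_EVENTS))   # only alice remains
```

The hunt deliberately ignores failed and interactive logons so that the hypothesis stays narrow; the single failure in alice's trail is still worth a look during triage, but it is a separate question from the fan-out pattern. The exclusion list is the part of the rule that only a hunt can produce: the threshold alone would page on the backup job every night.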
Trap Your Prey
If you're up for the challenge, you've got the right tools and some really rock-star people on your team, you may find that threat hunting is the right next step. Sure, it might be a varsity-level tactic, but if you can make the case for it, it may just reap some rewards.
To learn more about threat hunting, check out the Cybersecurity Insiders 2020 Threat Hunting Report.