Certain security challenges get a lot of airtime: lack of visibility, lack of qualified analysts, no one hunting the kill chain for adversaries, and detection and investigation taking too long. Threat hunting is one of the most effective ways to address the last two challenges, and recent research confirms that “…performing threat hunting…is considered critical for protecting your infrastructure.”
At Nuspire, we answer the question “What is threat hunting?” by describing it as playing offense instead of defense. Why wait for someone to tell you that you’ve been attacked or breached? Instead, be proactive: find and stop threats that are trying to get inside your company or are already inside. Being proactive can make a big difference in protecting whatever is valuable in your network.
Whether you are starting or improving a threat hunting program, the answers to the following questions should prove useful in advancing your program.
- What do you need to identify a threat? Too often we rely on technology alone. Threat hunters equipped with technology are more effective if they understand that every threat actor has intent, capability and opportunity. Intent covers the adversaries’ goals and motivations, such as financial gain, publicity or destruction. Capability is the adversaries’ ability to breach your organization successfully and achieve their goals. Attackers case their targets, so do the same by researching their tactics, techniques and procedures. Opportunity is timing – when an attacker makes a move based on favorable conditions, such as finding organizational vulnerabilities or exploiting a pandemic with phishing.
- What is the best way to staff a threat hunting program? Threat hunting is a full-time job, so a dedicated person or team is preferable to part-time resources. A threat hunter should have security experience, along with the curiosity and persistence necessary to find needles in haystacks. Bottom line: persistence.
- What do you need to start hunting? Threat hunters need data to analyze. Data can come from your own assets and from other sources such as forums, code repositories, syslogs, threat intel, original research, social media and the dark web. There are numerous public and private sources. Also think about passive and active defense. Passive defense consists of security controls that don’t require constant human interaction. Active defense involves analysts who monitor, respond to and learn from adversaries and feed that data to threat hunters.
- Where in the kill chain can you catch threats? The short answer is anywhere in the cycle. Any catch is a win. But after you catch something, what’s next? Be sure you have a clear, documented incident response plan and remediation plan that states who does what throughout all stages of incident response.
- How should you approach hunting? Start with the end in mind, meaning your incident response plan. It needs to be buttoned up before you start threat hunting, so that containment and mitigation go smoothly. Escalate threats based on the process defined in your incident response playbook. What you learn from an incident can be fed back into your threat hunting intelligence. Also supply threat hunters with other information, such as anomaly detection results, notifications from community or global threat intelligence sources, internal security reports and analysis of your crown jewels.
The threat landscape changes continually as adversaries fine-tune their intent, capability and opportunity. Businesses are operating in a new normal, in which it’s reasonable to assume that some parts of your network are already compromised. The best strategy is Zero Trust, with multiple layers customized to your company and industry requirements. Threat hunting is an essential layer. If you don’t have in-house resources to devote to it, partner with a managed security services provider (MSSP) that already has the right people, processes and technology.
Want to learn more? Watch our on-demand webinar, in which we join Steven Overko, Solution Architect at SentinelOne, to discuss how to effectively apply third-party threat intelligence to proactive threat hunting.
Source: Cisco Cybersecurity Report Series 2020, CISO Benchmark Study: Securing What’s Now and What’s Next.