With many vendors offering an array of threat hunting services, security professionals may wonder if hunting can actually benefit a company or if it’s just a fad. But threat hunting isn’t based on flashy technology that will become irrelevant in a few months. It’s a return to one of the basic tenets of information security: reviewing your IT environment for signs of malicious activity and operational deficiencies. Threat hunting uses a hypothesis-driven approach and is often supported by behavioral analytics, going well beyond rule- or signature-based detection.
To help bring a little more clarity to the topic, I asked Cybereason's threat hunting team to answer a few of the most common questions that they've been asked recently.
When conducting a pen test, you’re actively trying to circumvent the organization’s defenses to learn what systems an attacker could access and see how far the adversary could advance in your environment. You’re basically trying to infiltrate your defenses from the outside.
Hunting is more of an inside-out approach. The assumption is that the bad guys are already in your environment, despite your best efforts to keep them out. Looking at what’s going on inside your environment, specifically odd behavior, will lead to discovering malicious activity.
Yes. 100%. Security teams can take the threat information gathered during a hunt, determine why they weren’t able to detect these threats and then figure out how they can detect the suspicions in future attacks. Skilled hunters realize that a big part of their job is digging up threat data that can be used to build stronger, better protection mechanisms.
Not at all. Sure, a key goal of hunting is to find existing threats in your environment. But hunts can also increase the visibility you have into your environment and identify potential security issues. For example, let’s say that a financial service company conducts a hunt and discovers that its environment is clean. However, many employees are using FTP and around 100GB of data are leaving the company each day. Further investigation shows that the FTP use is legit, but the CISO is concerned. FTP was banned to eliminate the possibility that attackers could use ftp.exe for data exfiltration. Without a hunt, the CISO would've continued to operate under a false assumption that could jeopardize the company’s security.
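The FTP scenario above is a compact illustration of the hypothesis-driven hunt the introduction describes: the hypothesis is "FTP is banned, so no host should run ftp.exe or push data to TCP/21", and the hunt tests it against telemetry rather than waiting for a signature to fire. The script below is an added example, not code from the post or from Cybereason's team. It runs over constructed process-execution and network-flow records with a hypothetical schema (the field names `day`, `host`, `user`, `image`, `dst_port`, `bytes_out` are assumptions), and the 50 GB daily threshold is an arbitrary constructed value. It also checks a detail the scenario does not spell out: a host that talks to port 21 without ever launching ftp.exe, which is the kind of behavioural mismatch a hunter would want surfaced.

```python
from collections import defaultdict

GB = 10**9

# Constructed sample telemetry (hypothetical schema, not from any real product):
# one row per process execution, one row per outbound flow.
PROCESS_EVENTS = [
    {"day": "2019-03-04", "host": "fin-ws-07", "user": "jdoe",   "image": r"C:\Windows\System32\ftp.exe"},
    {"day": "2019-03-04", "host": "fin-ws-07", "user": "jdoe",   "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"},
    {"day": "2019-03-04", "host": "fin-ws-12", "user": "asmith", "image": r"C:\Windows\System32\ftp.exe"},
    {"day": "2019-03-05", "host": "fin-ws-07", "user": "jdoe",   "image": r"C:\Windows\System32\ftp.exe"},
]
FLOW_EVENTS = [
    {"day": "2019-03-04", "host": "fin-ws-07", "dst_port": 21,  "bytes_out": 60 * GB},
    {"day": "2019-03-04", "host": "fin-ws-07", "dst_port": 443, "bytes_out": 2 * GB},
    {"day": "2019-03-04", "host": "fin-ws-12", "dst_port": 21,  "bytes_out": 45 * GB},
    {"day": "2019-03-05", "host": "fin-ws-07", "dst_port": 21,  "bytes_out": 30 * GB},
    {"day": "2019-03-05", "host": "fin-ws-20", "dst_port": 21,  "bytes_out": 1 * GB},
]


def image_name(path):
    """Basename of a Windows image path, lower-cased so comparisons are case-insensitive."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_ftp_usage(process_events, flow_events, daily_threshold_bytes=50 * GB):
    """Test the hypothesis 'nobody in the environment uses FTP'.

    Returns {day: summary}. Each summary holds the hosts that ran ftp.exe, the
    hosts that sent data to TCP/21, total bytes sent to port 21, and a list of
    finding strings. An empty findings list means the hypothesis held that day.
    Days with only benign activity still get an entry, so the clean result is
    visible rather than silent."""
    by_day = defaultdict(lambda: {"ftp_exe_hosts": set(), "port21_hosts": set(),
                                  "port21_bytes_out": 0, "findings": []})
    for ev in process_events:
        d = by_day[ev["day"]]                      # register the day even if benign
        if image_name(ev["image"]) == "ftp.exe":
            d["ftp_exe_hosts"].add(ev["host"])
    for fl in flow_events:
        d = by_day[fl["day"]]
        if fl["dst_port"] == 21:
            d["port21_hosts"].add(fl["host"])
            d["port21_bytes_out"] += fl["bytes_out"]

    for day, d in sorted(by_day.items()):
        if d["ftp_exe_hosts"]:
            d["findings"].append(
                f"ftp.exe executed on {len(d['ftp_exe_hosts'])} host(s) despite the ban")
        # Behaviour without the expected tool: port-21 traffic from a host that never
        # ran ftp.exe means another client (or a renamed binary) is in play.
        for host in sorted(d["port21_hosts"] - d["ftp_exe_hosts"]):
            d["findings"].append(
                f"{host} sent data to TCP/21 without a matching ftp.exe execution")
        if d["port21_bytes_out"] >= daily_threshold_bytes:
            d["findings"].append(
                f"{d['port21_bytes_out'] / GB:.0f} GB left via FTP "
                f"(threshold {daily_threshold_bytes / GB:.0f} GB)")
    return dict(by_day)


if __name__ == "__main__":
    for day, summary in hunt_ftp_usage(PROCESS_EVENTS, FLOW_EVENTS).items():
        status = "hypothesis violated" if summary["findings"] else "hypothesis held"
        print(f"{day}: {status}")
        for finding in summary["findings"]:
            print("  -", finding)
```

Joining the process and network views is the point of the exercise: the process log alone says "ftp.exe ran", the flow log alone says "a lot of data went to port 21", and only together do they tell the CISO both that the ban is not working and roughly how much data is involved. Whether the result is an incident or, as in the scenario, a policy gap is for the follow-up investigation to decide; the hunt's job is to turn the assumption into evidence.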
Almost...consider threat hunters as a hybrid: They’re like a white hat version of Boba Fett (a threat could be considered their bounty) and have Indy’s deep knowledge on a particular subject (that’s information security in this case).
Hunters have an amazing amount of knowledge on IT environments, malware attack vectors, and threat actors. They know what Tools, Techniques and Procedures (TTPs) to look for in an environment.
Hunters care about gathering information on the attack, like what information the attackers are after, their overall goals and what systems were infiltrated. They’re not incident responders. Remediation isn’t their job (although they can work with incident response teams). It’s not uncommon for hunters to have government backgrounds. They’ve worked for the military or a three-letter federal agency.