Threat hunting is all the rage in information security, with every vendor offering some type of hunting service or product. This development makes sense: enterprises have accepted that adversaries will eventually infiltrate even the best-defended networks, and threat hunting offers a way to determine if attackers are already in a network. For security professionals, determining whether their company is under attack is becoming more difficult. Adversaries have a seemingly endless supply of attack vectors, and the attack surface is constantly growing as companies adopt BYOD, cloud services and IoT, among other technologies. By searching for attackers who are already in a company’s network, hunting lets analysts take a proactive approach to security. Instead of waiting for security tools to issue alerts, hunters pursue the enemy and try to prevent or minimize damage.
But while security professionals see the value in threat hunting, it’s an exercise that remains aspirational for most companies. According to 330 security professionals polled by Cybereason, four out of five said that threat hunting should be or will be a top security initiative. Nearly three quarters of respondents (72 percent) thought that threat hunting improves a security team’s ability to handle advanced threats. However, few security professionals actually hunt threats. When asked approximately what percentage of SOC employees were involved in threat hunting, the average response was around 14 percent. In many cases, only well-funded enterprises with large security teams can hunt on a consistent basis.
Based on Cybereason’s conversations with security professionals, here are the main reasons that prevent companies from running an effective threat hunting program. If you’re already familiar with the obstacles associated with threat hunting, skip to the final section to learn about AI Hunting and how it puts threat hunting within reach for organizations.
Security professionals who conduct hunts are typically experienced L3 analysts. They possess a broad knowledge of adversarial tools and attack methodologies and are very familiar with an organization’s network. They know how to use sets of tools to hunt, a skill they may have picked up in the military or defense agencies. Beyond these technical skills, hunters have strong investigative skills, are innately curious and know what questions will yield evidence of an attack.
People with the right background for hunting are rare finds who command high salaries that may not be in the budget of many companies. Companies that can’t find or afford hunting talent either outsource the exercise or refrain from it. Organizations that can afford hunters may have trouble retaining them. Other companies with deep wallets are likely trying to recruit them to handle their hunts or, in some instances, take a managerial role and run a SOC.
Hunting requires collecting reams of endpoint and network data and sifting through it to connect seemingly disparate events to reveal an attack campaign. But the complexity of modern IT environments, in which an organization of hundreds of users will have thousands of endpoints and servers, makes data collection and analysis a time-consuming and complex task for even the most skilled analysts.
For example, consider the hunting process for figuring out if any of an organization’s computers are connecting to malicious domains that were created using DGAs (domain generation algorithms). While a hunter could manually dig through DNS logs and build data stacks (frequency counts that surface rare or outlying values), this process is time consuming and frequently leads to errors.
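As an added illustration of the DGA hunt just described (example code, not from Cybereason or the original post), the script below parses a constructed DNS resolver log, scores each queried label for DGA-likeness and stacks the hits per source host. The log lines, host names and scoring thresholds are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not real data): timestamp, source host, query, rcode
DNS_LOG = """\
2024-01-01T10:00:01 ws-017 www.example.com NOERROR
2024-01-01T10:00:02 ws-017 mail.example.com NOERROR
2024-01-01T10:00:03 ws-042 qxzvtrkplmwg.net NXDOMAIN
2024-01-01T10:00:04 ws-042 hjdkslqpwoeir.com NXDOMAIN
2024-01-01T10:00:05 ws-042 zmxncbvalskdjfh.info NXDOMAIN
2024-01-01T10:00:06 ws-042 cdn.example.com NOERROR
2024-01-01T10:00:07 ws-042 plqwoeirutyalsk.org NXDOMAIN
2024-01-01T10:00:08 ws-099 github.com NOERROR
2024-01-01T10:00:09 ws-099 qxzvtrkplmwg.net NXDOMAIN
"""
VOWELS = set("aeiou")

def parse_dns_log(text):
    """Return (host, domain, rcode) tuples; blank or malformed lines are skipped."""
    records = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 4:
            records.append((parts[1], parts[2].lower().rstrip("."), parts[3]))
    return records

def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than dictionary words."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def looks_generated(domain):
    """Heuristic DGA test on the registered label: long, high-entropy, vowel-poor.
    Thresholds are assumptions for this example; expect some false positives."""
    label = domain.rsplit(".", 2)[-2] if "." in domain else domain
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 3.3 and vowel_ratio < 0.4

def stack_by_host(records, min_hits=3):
    """Data stack per host: distinct DGA-like domains queried and how many failed
    (NXDOMAIN is typical because most generated names are never registered).
    Returns {host: (distinct_suspicious, nxdomain_count)} for hosts over min_hits."""
    suspicious, nxdomain = defaultdict(set), Counter()
    for host, domain, rcode in records:
        if looks_generated(domain):
            suspicious[host].add(domain)
            nxdomain[host] += rcode == "NXDOMAIN"
    return {h: (len(d), nxdomain[h]) for h, d in suspicious.items() if len(d) >= min_hits}
```

A host that resolves a single random-looking name stays below the stack threshold; a burst of distinct, failing, high-entropy lookups from one machine is what warrants a closer look.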
Security professionals can’t hunt for every threat vector because there are simply too many. From using PowerShell to carry out a fileless malware attack to using DLL hijacking to replace a legitimate file with a malicious DLL file, adversaries have many techniques at their disposal. Hunts focus on answering a specific question, such as whether FTP is being used for data exfiltration. Any data that’s collected needs to help answer that query.
While this focused approach can help organizations determine if attackers used a specific vector to infiltrate their environment, it can’t help them figure out if other threat vectors were used to sneak past perimeter defenses. That requires another hunt.
Covering an attack’s many stages -- privilege escalation, lateral movement, command and control communication, data exfiltration -- also limits a hunt’s scope. Advanced attacks are designed to be persistent and leverage a variety of tools and techniques to remain undetected. Revealing all elements of an attack requires multiple, consecutive hunts, a task that is often too demanding for hunters.
The data hunters use in their analysis is aggregated from a variety of security tools, including IDS/IPS platforms, SIEMs or log management tools, firewalls and antivirus software. But these tools were developed to solve other problems, and the data they collect is usually limited to a specific security use case.
For example, log management tools and SIEMs capture log data generated by network and endpoint activities, not the underlying activity itself. Log data can be manipulated by the attacker and doesn’t provide visibility into the actual event. Hunters are best served with data that’s closest to the actual event, is captured in real time and is stored with all the information related to it, providing context.
Ultimately, hunting and the benefits it provides appeal to organizations, but the resources required to hunt on a frequent basis prevent many businesses from engaging in this exercise.
To make threat hunting more attainable for all organizations, Cybereason developed AI Hunting.
AI Hunting offers the main benefit of threat hunting - the ability to detect adversaries who are already in an enterprise’s network - but at scale. It uses artificial intelligence, machine learning and behavioral analytics to make hunting possible for all security professionals, regardless of skill level.
AI Hunting takes the skills, workflows, and decision-making capabilities of the best hunters and places them into an automated platform that analyzes data from an organization’s entire IT environment and identifies malicious activity. Applying artificial intelligence to hunting allows organizations to figure out if they’re under attack without the overhead typically associated with hunting. In addition to allowing enterprises to determine if they’re under attack, AI Hunting also offers these benefits:
AI Hunting was designed to detect cyberthreats and give security teams time to respond to an incident before damage occurs. The AI Hunting platform automatically interrogates any piece of data it captures. The platform performs 8 million queries per second. AI Hunting answers questions that even the most skilled analysts would have never thought to ask. This enables the platform to quickly find the root cause of a security incident as well as related malicious activities.
In an enterprise with thousands of employees and endpoints, the complexity of hunting increases exponentially. By using AI Hunting, an organization’s hunting program can scale as the number of users and endpoints in the company increases. AI Hunting can handle this increase since it is built to support any size of organization.
With AI Hunting, hunters spend less time writing rules and more time resolving attacks and mitigating threats. AI Hunting comes preconfigured with queries covering the complete attack life cycle and a broad variety of attack techniques and tools. AI Hunting also saves analysts time when investigating incidents by presenting them with a complete attack story.
Once AI Hunting detects malicious activity, it pulls together the full attack story and enables analysts to quickly and easily understand and respond to the threat. Analysts can see what attack vector attackers used to infiltrate a network, what machines were compromised and if the adversary moved to other machines.
AI Hunting understands what security analysts need to know about a malicious operation and automatically pulls together the full attack picture and all the attack’s related elements so analysts can quickly understand the situation and respond.
AI Hunting connects all related events to show the impact of an attack on the entire enterprise and allows remediation to take place across an entire organization, not machine by machine. Remediating a threat machine by machine raises the possibility that analysts will miss part of the campaign and fail to completely remediate an attack. Presenting a full attack story and showing how an incident impacts all endpoints allows analysts to shut down all aspects of an attack.
AI Hunting can proactively determine when malicious activity is occurring and block it without human intervention. For example, AI Hunting can determine if particular endpoint behavior indicates a ransomware attack and suspend the processes carrying out those activities.