Threat hunting is a relatively new focal area in information security. Learn about this component of threat detection in our Data Protection 101 series.
Definition of Threat Hunting and How it Works
Threat hunting is the process of seeking out adversaries before they can successfully execute an attack. The concept of hunting for threats is not new, but many organizations are putting an increased emphasis on programmatic threat hunting in recent times due to malicious actors’ increasing ability to evade traditional detection methods.
This approach differs from many prevention- or detection-based security methods. Threat hunting is a proactive technique that combines security tools, analytics, and threat intelligence with human analysis and instinct. The threat hunting process typically starts with a hypothesis, developed through a security alert, risk assessment, penetration test, external intelligence, or some other discovery of anomalous activity, that a threat is present in your systems. Threat hunters will explore and test these hypotheses through a variety of investigative, analytical, or offensive activities, searching for latent threats that have not yet triggered detection.
Threat Hunting vs. Threat Detection
Threat hunting is an early-stage component of threat detection that focuses on identifying threats at the earliest possible phase of an attack or compromise. Threat detection, as a broader term, refers to the full set of processes focused on discovering and identifying threats, whether before, during, or after a compromise has occurred. Threat detection tools analyze network, application, data, and user behavior for anomalous activity indicative of a threat.
The Current State of Threat Hunting: Benefits and Challenges
Some threat hunting techniques have been in practice for years, but threat hunting as a dedicated component of enterprise information security programs is still an emerging trend. As a result, threat hunting programs and maturity levels can vary greatly from business to business. The SANS Institute conducted a survey on the current state of organizational threat hunting efforts and found that the majority of respondents reported success from their threat hunting programs. 75 percent of respondents stated that they reduced their attack surface by taking on a more aggressive stance with threat hunting, and 59 percent believed that threat hunting enhanced the speed and accuracy of their company’s incident response. All in all, 52 percent reported finding previously undetected threats via threat hunting.
However, the SANS survey also found that this emerging discipline still has a long way to go in many organizations. Four out of ten of those who responded to the survey didn’t even have a formal threat hunting program in place within their organizations, and 88 percent felt that their threat hunting programs need improvements. In addition, 53 percent believed that their threat hunting process was not sufficiently hidden from their adversaries, and 56 percent reported that they’re unsatisfied with the time required to hunt for threats.
Best Practices for Threat Hunting
When creating a threat hunting program, it is important to start by developing standardized processes to guide threat hunting efforts. Security teams should outline when and how hunting takes place (whether at scheduled intervals, in response to specific triggering actions, or continuously with the help of automated tools), what techniques are to be used, and which people and tools will be responsible for performing specific threat hunting tasks. Metrics for measuring success should also be developed; SANS recommends evaluating threat hunting performance based on detected threats’ dwell time, lateral movement, and reinfection.
It’s also important to develop baselines for normal network, data, and user activity to enable easier identification of anomalies when threat hunting. The SANS Institute’s survey found that focusing on data sets such as IP addresses, DNS activity, file monitoring, user behavior and analysis, and software baseline monitoring supports successful threat hunting.
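The baseline approach described above, applied to DNS activity, as an added example that is not part of the original article: it learns each host's known domains and daily query volume from a baseline window, then flags hosts on a hunt day that query unseen domains, exceed their normal volume, or were never baselined. The log records, host names, domains and thresholds are constructed assumptions.

```python
"""Baseline-driven DNS hunt: flag hosts whose activity departs from their own baseline."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real telemetry): five baseline days, then one hunt day.
# Each record is (day, source host, queried domain).
BASELINE = [(d, "ws-01", dom) for d in range(1, 6)
            for dom in ("intranet.example.com", "mail.example.com", "updates.example.net")]
BASELINE += [(d, "ws-02", "mail.example.com") for d in range(1, 6) for _ in range(d % 2 + 2)]
HUNT_DAY = ([(6, "ws-01", "intranet.example.com"), (6, "ws-01", "Mail.Example.com.")]
            + [(6, "ws-02", f"x{i}.tunnel.example.org") for i in range(40)]
            + [(6, "ws-09", "mail.example.com")])

def norm(domain):
    """Case-fold and drop the trailing root dot so equal names compare equal."""
    return domain.lower().rstrip(".")

def build_baseline(records):
    """Return (per-host set of known domains, per-host (mean, stddev) of daily query counts)."""
    domains, daily = defaultdict(set), defaultdict(Counter)
    for day, host, domain in records:
        domains[host].add(norm(domain))
        daily[host][day] += 1
    stats = {h: (mean(c.values()), pstdev(c.values())) for h, c in daily.items()}
    return domains, stats

def hunt(records, domains, stats, z_threshold=3.0, min_sigma=1.0):
    """Compare one day's records with the baseline and return {host: findings}."""
    seen, counts = defaultdict(set), Counter()
    for _day, host, domain in records:
        seen[host].add(norm(domain))
        counts[host] += 1
    findings = {}
    for host, count in counts.items():
        if host not in stats:            # never baselined: a lead in its own right
            findings[host] = {"new_host": True}
            continue
        mu, sigma = stats[host]
        # Floor sigma so a perfectly flat baseline cannot cause division by zero.
        z = (count - mu) / max(sigma, min_sigma)
        new = sorted(seen[host] - domains[host])
        if new or z >= z_threshold:
            findings[host] = {"new_domains": new, "volume_z": round(z, 1)}
    return findings

if __name__ == "__main__":
    for host, finding in hunt(HUNT_DAY, *build_baseline(BASELINE)).items():
        print(host, finding)
```

Each flagged host is a lead for an analyst to investigate, not a verdict; the thresholds need tuning against the organization's own data.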
As threat hunting programs mature, organizations should expand current threat hunting practices and update them based on the discovery of new threats or lessons learned from previously detected threats. A February 2016 whitepaper from the SANS Institute provides a Threat Hunting Maturity Model that organizations can follow as they gain more experience in the practice and look to improve, automate, and expand their programs.
Considerations for Threat Hunting and Threat Detection
Many enterprises are still trying to find their footing when it comes to implementing and managing effective threat hunting programs. Detecting threats early and identifying areas of vulnerability are crucial for every enterprise, and proactively seeking out potential threats gives organizations the opportunity to implement preventative measures that block threats before they are realized. By following a structured, phased approach, organizations can get started hunting threats with their current resources, then implement processes for data collection, monitoring, and analysis and scale their programs with the right combination of staff and tools.