Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/14/2016
06:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

'Threat Hunting' On The Rise

Rather than wait for the adversary to strike, many enterprises are going out actively looking for them

Rather than simply waiting for the inevitable data breach to happen, many organizations say they have begun more actively scouting around for and chasing down bad actors and malicious activity on their networks.

Unlike the usual security approaches, threat hunting -- as some of the industry have taken to calling the trend -- combines the use of threat intelligence, analytics, and security tools with old-fashioned human smarts.

Eighty six percent of respondents in a recent SANS Institute survey of 494 IT professionals said their organizations were engaged in such activity. About 75% said they had reduced their attack surface as a result of more aggressive threat-hunting while 59% credited the approach for enhancing incident response speed and accuracy.

All of this despite the fact that four in 10 did not have a formal threat-hunting program in place, and fewer still had any kind of repeatable process for hunting down threats.

The survey results suggest that while organizations are benefiting from a more aggressive stance, many are still trying to figure out what a formal threat-hunting program needs to look like and how to attract the skills needed to make it work.

“Threat hunting plays a critical role in early detection of an adversary, as well as faster removal and repair of vulnerabilities uncovered during the hunt,” the SANS report noted.  But the results also show that “threat hunting is still in its infancy in terms of formal processes and methods,” it said.

Ben Johnson, co-founder and chief security strategist at security vendor Carbon Black, says what separates threat hunting from the usual security practices is its emphasis on human skills.

Threat hunting, Johnson says, is about “using humans to find bad versus having an alert fire from a piece of technology.”

The concept is not new, he says. “[But it] is only now hitting the main stream because it’s a sexy buzzword and organizations are tired of the long dwell times of the bad guys.”

The emphasis is on the application of the human mind to seek out activity that hasn’t been flagged yet by various detection technologies. “It’s a more open-ended action where hunches, gut-feelings, and general security and risk-based experience drive individuals to places and activity they should analyze,” he says. 

While tools are important, threat hunting is not specific to any technology nor is it dependent on them. Rather it is about knowing when, where, and what signs to look for. “You might not know who’s going to rob a bank or when, but if you see what appears to be a getaway car sitting outside, that might tip you off to go look for a person with malicious intent inside the bank,” Johnson says.

 

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

For the most part, the industry has yet to coalesce around a clear definition for threat hunting, notes Tim Helming, director of product management at DomainTools. “But fundamentally, it's about not waiting to observe the effects of an attack.”

Instead, it’s a strategy that begins with the assumption that the organization has been breached, and working backward from there to either detect the source -- or to make sure there isn’t an attack. “If you start from that assumption, you are more likely to find the evidence you're looking for. Threat-hunting teams bring specific expertise to doing that,” he says.

Getting there fully will take some time for the many organizations that say they are engaged in threat hunting. The SANS survey showed that while organizations see the benefit in taking a more aggressive approach to finding threats on their network, few have allocated the necessary resources to make it happen. A majority of the respondents in the survey still rely heavily on known indicators of compromise and manual analysis, for instance, and did not have the level of automation needed to enable a truly robust threat-hunting capability.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
nathanwburke
50%
50%
nathanwburke,
User Rank: Author
4/15/2016 | 10:41:04 AM
Better Suited To Humans.
This is a great example of the type of initiative that skilled cybersecurity professionals could be spending their time on when resources are shifted. To your point:
The SANS survey showed that while organizations see the benefit in taking a more aggressive approach to finding threats on their network, few have allocated the necessary resources to make it happen. 

The problem is that so many cybersecurity teams are overwhelmed with responding to a massive volume of alerts and threats. But if companies were able to use machines to handle the bulk of the work that people are currently doing manually (following alerts, manually investigating machines, re-imaging, etc.), the cyber analysts could instead focus on things like proactive threat hunting.
Threat hunting, Johnson says, is about "using humans to find bad versus having an alert fire from a piece of technology."

I like that line a lot. It flips the current process. Instead of people spending their time taking direction from a system and doing the manual work, they would instead be working in parallel with detection systems and adding much more value. 
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Artist Uses Malware in Installation
Dark Reading Staff 5/17/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...