Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

09:10 AM
Anton Chuvakin
Anton Chuvakin
Connect Directly
E-Mail vvv

Threat Hunting Is Not for Everyone

Threat hunting is a sophisticated, advanced technique that should be reserved for specific instances and be conducted only by trained professionals.

I frequently meet cybersecurity leaders who attempt to run before they can crawl, jumping at the chance to implement new technology before mastering the basics. I've noticed this trend especially when it comes to threat hunting, as security leaders attempt to drive Ferraris before they've earned their learner's permit — or before they can even walk.

Sadly, many organizations aren't prepared to hunt, and in some cases, they don't even need to. Hunting delivers value — huge and unique value, in fact. But only under the right circumstances and for the organizations that fit the prerequisites.

Too many companies attempt threat hunting without establishing the right security foundations, which includes both technology (such as a well-managed network segmentation and access control) and mature security operations processes (such as incident response and log collection).

Why the urge to jump in headfirst? Threat hunting has emerged as one of the sexiest aspects of cybersecurity. In a world where severe data breaches and cyberattacks continue to plague businesses, threat hunting promises security leaders a perceived sense of control, a rare commodity especially as there's no power in the position of the victim.

Many teams let this drive for control distract them from the more tactical, yet far more effective, steps needed to strengthen defenses. In reality, a well-executed program of security hygiene can work much better than investing in threat hunting first.

Businesses should assess their need to hunt threats in their environments, and then determine if they have the structure to support it. Most small companies, for example, have neither the need nor the capability.

Here are three factors that security leaders must consider to determine whether threat hunting is for them:

Factor 1: Technology
Enterprises must first have the security telemetry that threat hunters need to track and observe adversaries' activities. At a baseline, hunters need endpoint detection and response (EDR) data or other rich endpoint telemetry, as it's the mainstay for both beginner and advanced hunting operations. To be useful, endpoint data needs to have DNS, DHCP, and user enrichment data attached to it. Others can start with only logs, especially rich endpoint logs, or from network traffic metadata, as some of the original hunting teams did. Data also needs to be saved for a year or so since compromise detection windows are often measured in months.

Hunters will also need tools that can rapidly search over enriched data. A fast, interactive search over clean and structured data (something better than raw text search) can be a good starting point for an aspiring hunt team. But data is useful only if it's digestible and actionable. If you don't have a system in place to search, store, collect, and understand security telemetry, threat hunting is not for you

Factor 2: Detection Process
Today's detection technology often uses rules- and signature-based detection to catch attempted attacks. Threat intelligence matching to logs and other telemetry is also common.

Automated detection should do the majority of the work if planned and executed well, but attackers are always evolving their techniques, rendering some campaigns undetectable by machines. That's when you send the human hunters in to fill the gaps. If attackers see your business' assets as high-value, you'll encounter attackers who use novel methods, which is why you'll want to consider threat hunting.

When that time comes, enterprises should examine the maturity of their detection capabilities first. The idea is to detect well, and then to hunt to fill in the gaps. It's a waste of time for skilled threat hunters to chase after known threats and to do so repeatedly.

Factor 3: People
Threat hunters need the latest intel on advanced malware and threat actors, in addition to deep knowledge of an organization's technology. However, since many in-house security staff members are already performing the job of two people, overindexed engineers don't have time for free-form exploration and deep threat actor research.

This is why some organizations turn to third-party service providers to hunt on their behalf. While some hard-core hunting teams claim that a third party can never understand an environment well enough to hunt (a reasonable claim, to be sure), a service provider can deliver value if it has hunting expertise and a vast amount of threat data.

Balancing Risk vs. Costs
So, how do you make the decision? Security leaders must first evaluate their risk level by asking if the business will likely be the target of a sophisticated attack. Attacks happen for many reasons, including providing access to another, larger, business, but for most organizations, the typical security stack is adequate.

Olympic athletes devote their lives to training for niche sports. But just because it looks cool on TV doesn't mean anyone can jump 20 feet in the air without training. Threat hunters require Olympic-level training, yet we're seeing enterprises lacking infrastructure trying to make the leap from junior varsity to the big leagues. Threat hunting is a sophisticated, advanced technique that should be reserved for specific instances, and it should be conducted only by trained professionals. As organizations consider their 2020 security business priorities, threat hunting shouldn't always be a default line item.

If your business doesn't face targeted or high-profile threats, if you have the right security tools in place, and if you can use a third-party service for hunting, save your time and money and leave the hunting to the experts. Or don't do it at all — other security investments are more likely to deliver value in your situation.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Top story: "The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem."

Anton is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is the author of several books and serves on advisory boards of several security startups. Before joining Chronicle, Anton was a research vice president and Distinguished ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/2/2020 | 3:01:44 AM
Re: Agree but disagree
I get your point.  It is rewarding when you hunt.

User Rank: Strategist
1/29/2020 | 10:45:40 AM
Agree but disagree
I do agree that threat hunting is not needed by everyone and the truth be told, a Threat Hunter actually finding something is slim if you have the proper security in place. The real advantage here is that it can keep skills sharp and keep people busy when things are slow. Simple IOC searching from open intel sources like Malware Traffic Analysis, Threat Connect, and Alien Vault can prove fruitful and benefit the company as a whole. Most people assume security products are always working and always catching stuff. Too often you wont know if the DNS logs are actually going to the SIEM until after you really need them. At one company, it was 6 months later. Things break, alerts break, TTPs change. There are alot of factors that are easily overlooked, but by doing Threat Hunting, you can verify things are still working. By simply saying its not needed by everyone is not wise, especially after I find value from it even though, the company doesn't seem to need it.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). A dangerous AT command was made available even though it is unused. The LG ID is LVE-SMP-200010 (June 2020).
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS software before 2020-06-01. Local users can cause a denial of service because checking of the userdata partition is mishandled. The LG ID is LVE-SMP-200014 (June 2020).
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via a custom AT command handler buffer overflow. The LG ID is LVE-SMP-200007 (June 2020).
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via an MTK AT command handler buffer overflow. The LG ID is LVE-SMP-200008 (June 2020).
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 9 and 10 (MTK chipsets). An AT command handler allows attackers to bypass intended access restrictions. The LG ID is LVE-SMP-200009 (June 2020).