
Threat Intelligence

Anton Chuvakin

Threat Hunting Is Not for Everyone

Threat hunting is a sophisticated, advanced technique that should be reserved for specific instances and be conducted only by trained professionals.

I frequently meet cybersecurity leaders who attempt to run before they can crawl, jumping at the chance to implement new technology before mastering the basics. I've noticed this trend especially when it comes to threat hunting, as security leaders attempt to drive Ferraris before they've earned their learner's permit — or before they can even walk.

Sadly, many organizations aren't prepared to hunt, and in some cases, they don't even need to. Hunting delivers value — huge and unique value, in fact. But only under the right circumstances and for the organizations that fit the prerequisites.

Too many companies attempt threat hunting without establishing the right security foundations, which include both technology (such as well-managed network segmentation and access control) and mature security operations processes (such as incident response and log collection).

Why the urge to jump in headfirst? Threat hunting has emerged as one of the sexiest aspects of cybersecurity. In a world where severe data breaches and cyberattacks continue to plague businesses, threat hunting promises security leaders a perceived sense of control, a rare commodity, especially because there is no power in the position of the victim.

Many teams let this drive for control distract them from the more tactical, yet far more effective, steps needed to strengthen defenses. In reality, a well-executed program of security hygiene can work much better than investing in threat hunting first.

Businesses should assess their need to hunt threats in their environments, and then determine if they have the structure to support it. Most small companies, for example, have neither the need nor the capability.

Here are three factors that security leaders must consider to determine whether threat hunting is for them:

Factor 1: Technology
Enterprises must first have the security telemetry that threat hunters need to track and observe adversaries' activities. At a baseline, hunters need endpoint detection and response (EDR) data or other rich endpoint telemetry, as it's the mainstay for both beginner and advanced hunting operations. To be useful, endpoint data needs to have DNS, DHCP, and user enrichment data attached to it. Others can start with logs alone, especially rich endpoint logs, or with network traffic metadata, as some of the original hunting teams did. Data also needs to be retained for a year or so, since compromise detection windows are often measured in months.

Hunters will also need tools that can rapidly search over enriched data. A fast, interactive search over clean and structured data (something better than raw text search) can be a good starting point for an aspiring hunt team. But data is useful only if it's digestible and actionable. If you don't have a system in place to collect, store, search, and understand security telemetry, threat hunting is not for you.

Factor 2: Detection Process
Today's detection technology often uses rules- and signature-based detection to catch attempted attacks. Threat intelligence matching to logs and other telemetry is also common.

Automated detection should do the majority of the work if planned and executed well, but attackers are always evolving their techniques, rendering some campaigns undetectable by machines. That's when you send the human hunters in to fill the gaps. If attackers see your business' assets as high-value, you'll encounter attackers who use novel methods, which is why you'll want to consider threat hunting.

When that time comes, enterprises should examine the maturity of their detection capabilities first. The idea is to detect well, and then to hunt to fill in the gaps. It's a waste of time for skilled threat hunters to chase after known threats and to do so repeatedly.
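To make the two factors above concrete, here is an added example that is not from the article or its author: constructed EDR events are joined to DHCP leases (time-aware, since an IP only identifies a host inside its lease window), logon records and DNS answers, then split into events beyond the retention window, events an automated threat-intel match already covers, and the remainder that actually merits a hunter's time. All hosts, users, addresses and names are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry; none of these values come from the article.
EDR_EVENTS = [  # raw endpoint events carry an IP and a destination, but no host or user
    {"ts": "2020-01-10T08:02:11", "ip": "10.1.4.20", "proc": "powershell.exe", "dst": "203.0.113.9"},
    {"ts": "2020-01-10T08:05:40", "ip": "10.1.4.21", "proc": "outlook.exe", "dst": "198.51.100.7"},
    {"ts": "2018-11-01T09:00:00", "ip": "10.1.4.20", "proc": "certutil.exe", "dst": "203.0.113.55"},
]
DHCP_LEASES = [  # (ip, host, lease_start, lease_end): an IP only names a host inside its lease window
    ("10.1.4.20", "WS-FIN-07", "2020-01-09T18:00:00", "2020-01-11T18:00:00"),
    ("10.1.4.21", "WS-HR-02", "2020-01-10T07:30:00", "2020-01-12T07:30:00"),
]
LOGONS = {"WS-FIN-07": "j.doe", "WS-HR-02": "a.smith"}  # host -> interactively logged-on user
DNS_ANSWERS = {"203.0.113.9": "cdn-update.example", "203.0.113.55": "files.example"}  # answer IP -> name
TI_MATCH_IPS = {"203.0.113.9"}  # destinations the automated threat-intel rule already alerts on


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def enrich(event: dict) -> dict:
    """Attach DHCP host, logged-on user and DNS name to a raw EDR event (time-aware DHCP join)."""
    when = parse(event["ts"])
    host = next((h for ip, h, start, end in DHCP_LEASES
                 if ip == event["ip"] and parse(start) <= when <= parse(end)), None)
    return {**event, "host": host, "user": LOGONS.get(host), "dst_name": DNS_ANSWERS.get(event["dst"])}


def triage(events: list, now: datetime, retention_days: int = 365) -> dict:
    """Bucket enriched events: beyond retention, already caught by automated detection, or hunt-worthy."""
    out = {"outside_retention": [], "already_detected": [], "hunt_candidates": []}
    for ev in map(enrich, events):
        if parse(ev["ts"]) < now - timedelta(days=retention_days):
            out["outside_retention"].append(ev)  # months-long dwell times are why ~1 year of data is needed
        elif ev["dst"] in TI_MATCH_IPS:
            out["already_detected"].append(ev)   # known threat: the detection pipeline owns it, not hunters
        else:
            out["hunt_candidates"].append(ev)    # enriched, in-window and not covered by existing rules
    return out


if __name__ == "__main__":
    result = triage(EDR_EVENTS, now=parse("2020-01-15T00:00:00"))
    for bucket, evs in result.items():
        print(bucket, [(e["host"], e["user"], e["proc"], e["dst_name"]) for e in evs])
```

Note that the 2018 event resolves to no host at all: its IP's only lease starts in 2020, which is the kind of mis-attribution a non-time-aware DHCP join would silently get wrong.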

Factor 3: People
Threat hunters need the latest intel on advanced malware and threat actors, in addition to deep knowledge of an organization's technology. However, since many in-house security staff members are already doing the job of two people, these overextended engineers don't have time for free-form exploration and deep threat actor research.

This is why some organizations turn to third-party service providers to hunt on their behalf. While some hard-core hunting teams claim that a third party can never understand an environment well enough to hunt (a reasonable claim, to be sure), a service provider can deliver value if it has hunting expertise and a vast amount of threat data.

Balancing Risk vs. Costs
So, how do you make the decision? Security leaders must first evaluate their risk level by asking whether the business is likely to be the target of a sophisticated attack. Attacks happen for many reasons, including using one company as a way into another, larger business, but for most organizations, the typical security stack is adequate.

Olympic athletes devote their lives to training for niche sports. But just because it looks cool on TV doesn't mean anyone can jump 20 feet in the air without training. Threat hunters require Olympic-level training, yet we're seeing enterprises lacking infrastructure trying to make the leap from junior varsity to the big leagues. Threat hunting is a sophisticated, advanced technique that should be reserved for specific instances, and it should be conducted only by trained professionals. As organizations consider their 2020 security business priorities, threat hunting shouldn't always be a default line item.

If your business doesn't face targeted or high-profile threats, if you have the right security tools in place, and if you can use a third-party service for hunting, save your time and money and leave the hunting to the experts. Or don't do it at all — other security investments are more likely to deliver value in your situation.


Anton is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is the author of several books and serves on advisory boards of several security startups. Before joining Chronicle, Anton was a research vice president and Distinguished ...

User Rank: Moderator
2/2/2020 | 3:01:44 AM
Re: Agree but disagree
I get your point. It is rewarding when you hunt.