Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

09:10 AM
Anton Chuvakin
Anton Chuvakin
Connect Directly
E-Mail vvv

Threat Hunting Is Not for Everyone

Threat hunting is a sophisticated, advanced technique that should be reserved for specific instances and be conducted only by trained professionals.

I frequently meet cybersecurity leaders who attempt to run before they can crawl, jumping at the chance to implement new technology before mastering the basics. I've noticed this trend especially when it comes to threat hunting, as security leaders attempt to drive Ferraris before they've earned their learner's permit — or before they can even walk.

Sadly, many organizations aren't prepared to hunt, and in some cases, they don't even need to. Hunting delivers value — huge and unique value, in fact. But only under the right circumstances and for the organizations that fit the prerequisites.

Too many companies attempt threat hunting without establishing the right security foundations, which includes both technology (such as a well-managed network segmentation and access control) and mature security operations processes (such as incident response and log collection).

Why the urge to jump in headfirst? Threat hunting has emerged as one of the sexiest aspects of cybersecurity. In a world where severe data breaches and cyberattacks continue to plague businesses, threat hunting promises security leaders a perceived sense of control, a rare commodity especially as there's no power in the position of the victim.

Many teams let this drive for control distract them from the more tactical, yet far more effective, steps needed to strengthen defenses. In reality, a well-executed program of security hygiene can work much better than investing in threat hunting first.

Businesses should assess their need to hunt threats in their environments, and then determine if they have the structure to support it. Most small companies, for example, have neither the need nor the capability.

Here are three factors that security leaders must consider to determine whether threat hunting is for them:

Factor 1: Technology
Enterprises must first have the security telemetry that threat hunters need to track and observe adversaries' activities. At a baseline, hunters need endpoint detection and response (EDR) data or other rich endpoint telemetry, as it's the mainstay for both beginner and advanced hunting operations. To be useful, endpoint data needs to have DNS, DHCP, and user enrichment data attached to it. Others can start with only logs, especially rich endpoint logs, or from network traffic metadata, as some of the original hunting teams did. Data also needs to be saved for a year or so since compromise detection windows are often measured in months.

Hunters will also need tools that can rapidly search over enriched data. A fast, interactive search over clean and structured data (something better than raw text search) can be a good starting point for an aspiring hunt team. But data is useful only if it's digestible and actionable. If you don't have a system in place to search, store, collect, and understand security telemetry, threat hunting is not for you

Factor 2: Detection Process
Today's detection technology often uses rules- and signature-based detection to catch attempted attacks. Threat intelligence matching to logs and other telemetry is also common.

Automated detection should do the majority of the work if planned and executed well, but attackers are always evolving their techniques, rendering some campaigns undetectable by machines. That's when you send the human hunters in to fill the gaps. If attackers see your business' assets as high-value, you'll encounter attackers who use novel methods, which is why you'll want to consider threat hunting.

When that time comes, enterprises should examine the maturity of their detection capabilities first. The idea is to detect well, and then to hunt to fill in the gaps. It's a waste of time for skilled threat hunters to chase after known threats and to do so repeatedly.

Factor 3: People
Threat hunters need the latest intel on advanced malware and threat actors, in addition to deep knowledge of an organization's technology. However, since many in-house security staff members are already performing the job of two people, overindexed engineers don't have time for free-form exploration and deep threat actor research.

This is why some organizations turn to third-party service providers to hunt on their behalf. While some hard-core hunting teams claim that a third party can never understand an environment well enough to hunt (a reasonable claim, to be sure), a service provider can deliver value if it has hunting expertise and a vast amount of threat data.

Balancing Risk vs. Costs
So, how do you make the decision? Security leaders must first evaluate their risk level by asking if the business will likely be the target of a sophisticated attack. Attacks happen for many reasons, including providing access to another, larger, business, but for most organizations, the typical security stack is adequate.

Olympic athletes devote their lives to training for niche sports. But just because it looks cool on TV doesn't mean anyone can jump 20 feet in the air without training. Threat hunters require Olympic-level training, yet we're seeing enterprises lacking infrastructure trying to make the leap from junior varsity to the big leagues. Threat hunting is a sophisticated, advanced technique that should be reserved for specific instances, and it should be conducted only by trained professionals. As organizations consider their 2020 security business priorities, threat hunting shouldn't always be a default line item.

If your business doesn't face targeted or high-profile threats, if you have the right security tools in place, and if you can use a third-party service for hunting, save your time and money and leave the hunting to the experts. Or don't do it at all — other security investments are more likely to deliver value in your situation.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Top story: "The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem."

Anton is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is the author of several books and serves on advisory boards of several security startups. Before joining Chronicle, Anton was a research vice president and Distinguished ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/2/2020 | 3:01:44 AM
Re: Agree but disagree
I get your point.  It is rewarding when you hunt.

User Rank: Strategist
1/29/2020 | 10:45:40 AM
Agree but disagree
I do agree that threat hunting is not needed by everyone and the truth be told, a Threat Hunter actually finding something is slim if you have the proper security in place. The real advantage here is that it can keep skills sharp and keep people busy when things are slow. Simple IOC searching from open intel sources like Malware Traffic Analysis, Threat Connect, and Alien Vault can prove fruitful and benefit the company as a whole. Most people assume security products are always working and always catching stuff. Too often you wont know if the DNS logs are actually going to the SIEM until after you really need them. At one company, it was 6 months later. Things break, alerts break, TTPs change. There are alot of factors that are easily overlooked, but by doing Threat Hunting, you can verify things are still working. By simply saying its not needed by everyone is not wise, especially after I find value from it even though, the company doesn't seem to need it.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-04-02
An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4.
PUBLISHED: 2020-04-02
get-git-data through 1.3.1 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data.
PUBLISHED: 2020-04-02
pomelo-monitor through 0.3.7 is vulnerable to Command Injection.It allows injection of arbitrary commands as part of 'pomelo-monitor' params.
PUBLISHED: 2020-04-02
strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. It allows execution of arbitrary command as part of the '_nginxCmd()' function.
PUBLISHED: 2020-04-02
jscover through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary command via the source argument.