Threat hunting activities can generate tremendous benefit for organizations, and not just in finding hidden active threats in the environment. When done regularly, threat hunting can feed SOC threat detection capabilities with additional detection content and improved telemetry about the tactics, techniques, and procedures (TTPs) of threat actors specifically targeting an organization’s assets.
Oftentimes this trail of threat hunting ROI can be achieved even with a small investment of time and resources in an emerging threat hunting program. Contrary to the mystique and misconceptions that have built up around threat hunting, organizations don't necessarily need a highly advanced program before they start reaping the benefits of running a hunt.
While the higher levels of maturity found in structured hunts can certainly help threat hunters find the most advanced threats more regularly, every organization can benefit from simple hunts that are within reach of a broad range of security teams. To counter these misconceptions about threat hunting and encourage more teams to dip their toes in the water, we want to bust three of the most common threat hunting myths prevalent within the security community.
Oftentimes security teams are hesitant to begin threat hunting because they don't have complete visibility into their endpoint assets. While endpoint logs can certainly be very valuable for threat hunting, they are definitely not a prerequisite for a wide range of hunts.
A very large share of attacker activity can still be detected from network logs, DNS logs, and other information collected about network activity. If an organization is taking its first steps into threat hunting, network activity can provide a treasure trove of information to start digging into.
Another common misconception is that threat hunting success depends on very complex techniques and methods. In fact, simple techniques can often detect a wide range of hidden threat behavior that completely bypasses existing security controls. There are some very common malicious techniques that a large body of attacks must complete in order to carry out their full attack chain.
By focusing on commands and methods that dig up evidence of those common techniques, simple threat hunting activity can reap a lot of beneficial results. One example is seeking out evidence of suspicious child processes spawned by Microsoft Office applications. Children such as PowerShell, cmd.exe, rundll32.exe, and many others are a great way to spot attackers targeting users with phishing.
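As an added example (not code from the original post), here is a small Python hunt for the Office child-process pattern just described, run over constructed Sysmon-style process-creation events. The parent and child process lists are assumptions that extend slightly beyond the three names in the text.

```python
from pathlib import PureWindowsPath

# Office applications whose child processes are worth hunting (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children named in the text, plus a few other script hosts (assumed extension).
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe"}


def basename(image):
    """Lower-cased file name of a Windows image path ('' if the field is missing)."""
    return PureWindowsPath(image or "").name.lower()


def is_office_spawn(event):
    """True when an Office parent launched a scripting or LOLBin child."""
    return (basename(event.get("ParentImage")) in OFFICE_PARENTS
            and basename(event.get("Image")) in SUSPICIOUS_CHILDREN)


def hunt(events):
    """Return (host, parent, child, command line) for each suspicious spawn."""
    return [(e.get("Computer", "?"), basename(e["ParentImage"]),
             basename(e["Image"]), e.get("CommandLine", ""))
            for e in events if is_office_spawn(e)]


# Constructed sample events using Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc <CONSTRUCTED>"},
    # Word launching the print-spooler helper is normal and must not be flagged.
    {"Computer": "ws01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"Computer": "ws02", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c <CONSTRUCTED>"},
    # PowerShell started from Explorer is a user action, not an Office spawn.
    {"Computer": "ws03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"Computer": "ws04", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe <CONSTRUCTED>"},
    # Event with a missing parent field is skipped rather than crashing the hunt.
    {"Computer": "ws05", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for host, parent, child, cmdline in hunt(SAMPLE_EVENTS):
        print(f"{host}: {parent} -> {child}  {cmdline}")
```

Against real telemetry, the same two functions can be pointed at a Sysmon or EDR export, and baselining known-good parent/child pairs like the splwow64.exe case keeps the result list short enough to review by hand.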
One of the big constraints on starting up a threat hunting team is that there aren't many experienced threat hunters available for hire today. But a security team can bootstrap a basic threat hunting program using its existing security analysts and a few simple tools.
These kinds of resources are great, and they can accelerate the yield of threat hunting activities, but at the base level all that an organization really needs is knowledge of what normal, benign activity looks like on its network. With that solid baseline, it's possible to start looking for anomalies and to refine threat hunting techniques along the way.
The lesson from all of these busted myths is that threat hunting is not an all-or-nothing affair. Yes, advanced threat hunting does take a higher level of sophistication and investment. But it is very worthwhile to get out there and start doing hunts in whatever way you can.
Don't stop there. Dig deeper into developing effective threat hunting in your organization by reading: Threat Content, Not Automation, Fuels Effective Threat Hunting.