If you’ve been paying attention to the media for the last few months, you’ve probably noticed that cybersecurity has re-emerged as a topic of interest. What has changed, however, is that the discussion isn’t happening in technical discussion forums or industry publications. Nor is it happening in security operations centers or in CISOs’ offices. Instead, it is being carried out in the headlines and chyrons of major news outlets and publications, and in the hallowed halls of government, often in response to major ransomware attacks like Kaseya and the Colonial Pipeline Company. Increasingly, the term proactive threat hunting appears alongside this discussion. But, perhaps frustratingly, the term is often broadly used and loosely defined.
For example, the latest Executive Order on Improving Our Nation’s Cybersecurity (which we covered here) includes some variant of the term “threat hunting” throughout. However, nowhere in the document is the term defined, despite the government being instructed to perform it. That should trouble anyone who takes cybersecurity seriously. This shift towards framing proactive threat hunting as a sort of panacea for the cybersecurity community while simultaneously avoiding a concrete definition is only likely to lead to dilution of the term as product teams try to shoehorn it into their product descriptions. To try to combat this growing trend, we’ve put together a picture of what organizations need to achieve if they are to say they are conducting true proactive threat hunting.
Proactive Threat Hunting Starts with Behaviors, Not IOCs.
The most important distinction that must be made about real proactive threat hunting is that it doesn’t rely on simple indicators of compromise (IOC). True threat hunting, by its definition, looks for unknown threats, while IOCs represent indicators of previous known attacks. Instead, threat hunting looks for specific adversary behaviors in an environment to detect threats that went undetected by traditional security controls.
These behaviors could include actions an actor would take on a system, such as exploiting vulnerabilities, bypassing UAC, inhibiting system backup or recovery, modifying specific registry entries, or hundreds of other suspicious and malicious actions. If you aren’t detecting behaviors, you aren’t really threat hunting.
This isn’t to say that IOCs don’t have a place in the field of SecOps, but that place is firmly in conventional security analysis.
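The contrast above as an added example (not code from the original article): a hash IOC lookup and a set of behavior rules for inhibiting system backup or recovery, run over the same constructed process-creation events. The event layout, hostnames, hash values and rule names are assumptions made for illustration.

```python
import re

# Constructed IOC list: placeholder SHA-256 of a sample from a previously known attack.
KNOWN_BAD_HASHES = {"a" * 64}

# Behavior rules for "inhibiting system backup or recovery" (rule names are illustrative).
BEHAVIOR_RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "boot_recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

# Constructed process-creation events (host, file hash, command line); not real telemetry.
EVENTS = [
    ("ws-01", "b" * 64, "notepad.exe report.txt"),
    ("ws-02", "a" * 64, "updater.exe /silent"),          # known sample: IOC matches
    ("ws-03", "d" * 64, "vssadmin list shadows"),        # admin inventory: benign
    ("fs-01", "c" * 64, "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    ("fs-01", "e" * 64, "bcdedit /set {default} recoveryenabled No"),
    ("bk-01", "f" * 64, "wbadmin delete catalog -quiet"),
]


def ioc_hits(events):
    """Conventional analysis: flag hosts where a known-bad hash executed."""
    return [host for host, sha256, _ in events if sha256 in KNOWN_BAD_HASHES]


def behavior_hits(events):
    """Hunt query: flag (host, behavior) pairs regardless of which binary ran."""
    return [(host, name)
            for host, _, cmdline in events
            for name, rule in BEHAVIOR_RULES.items()
            if rule.search(cmdline)]


def hunt_leads(events):
    """Rank hosts by number of distinct behaviors seen, most first."""
    by_host = {}
    for host, name in behavior_hits(events):
        by_host.setdefault(host, set()).add(name)
    return sorted(((h, sorted(b)) for h, b in by_host.items()),
                  key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    print("IOC hits:     ", ioc_hits(EVENTS))
    print("Behavior hits:", hunt_leads(EVENTS))
```

The hash lookup surfaces only the host running the previously known sample, while the behavior rules surface the two hosts whose hashes appear on no list and leave the benign shadow-copy listing alone.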
Proactive Threat Hunting isn’t a Technology.
Let’s just get this out of the way.
There are a lot of technologies on the market today that claim they enable threat hunting. I’m not disagreeing with them, but I do believe that is a bit like advertising an Old Hickory bat as enabling professional baseball. It’s true, but also seems to minimize some pretty critical factors (like my inability to catch a baseball…).
The same is true of threat hunting. Technologies that enable data visualization or other helpful activities can certainly help hunters or save them time, but they cannot do the job for them. Threat hunting is an analytical process that by its nature must be conducted by skilled analysts, hunters, and hunt teams. It cannot be replaced with artificial intelligence, machine learning, and hand-waving.
Threat Hunting Platforms Are Not Required…
In the same vein as the previous criterion, organizations do not require dedicated threat hunting platforms to conduct true proactive threat hunting. That may seem a bit contradictory, but the simple reality is that some of the most effective threat hunters leverage SIEM and big data platforms with a powerful query language to conduct their hunts to detect those aforementioned behaviors. While platforms can help the overall process, they are not required to succeed.
… But Logs Absolutely Are …
Conversely, no technology or platform will enable successful threat hunting if the organization isn’t logging the right data. However, not all logging is created equal, and logging for “compliance” is often very different from logging for true proactive threat hunting.
… And so is Content!
However, logs only form one half of the proactive threat hunting equation. For logs to be beneficial for proactive threat hunting, organizations need content: the queries that run in a SIEM or data lake to detect those suspicious behaviors. This content needs to reflect the TTPs used by adversaries and offensive teams, but it must also incorporate techniques that they might (but don’t currently) use as well. Without this content, SIEMs, data lakes, and EDR/XDR/NDR tools are just another appliance taking up room in a rack.
Hunting Should be Repeatable Because It Must Be Repeated
Almost every definition of threat hunting will use the term “repeatable” somewhere in it. This is because the value of threat hunting isn’t in a single hunt. It is in the ongoing repetition of successful hunts in an environment. This point, however, is sometimes lost in the ongoing controlled chaos of a SOC in favor of detecting new and newsworthy exploits, actors, and activity. It is important to not lose sight of the fact that a hunt should be conducted on a routine basis, whether that is weekly, monthly, or quarterly.
It isn’t surprising that interest in the topic of threat hunting has come to the fore along with the more mainstream discussions around cybersecurity generally. This is especially true as significant supply chain and ransomware attacks continue to increase and impact larger swaths of government, industry, and everyday citizens. Proactive threat hunting in an environment can enable earlier and more rapid detection of threats before they reach their objective. However, it is important that the topic of threat hunting be well understood because proactive threat hunting shouldn’t just be a buzzword.