You know what really grinds my gears? The fact that seemingly every blog article about the benefits of threat hunting starts by telling people about some major breach, or uses some ridiculously vague statistic about how many cyber-attacks happen every second (the answer is apparently 44 or 39 depending on who you want to scare) and how if you just implement threat hunting, then all your problems will disappear. Well, I’m here to burst that bubble, and say that NO, threat hunting will not solve all your cyber security woes, nor will it cure climate change, solve world hunger, and instill peace throughout all the world. But threat hunting is a good idea, and more organizations need to start looking at it seriously. And I am going to convince you of that in just a few sentences, with no ridiculous statistics or fear mongering.
What is Threat Hunting?
Before discussing the benefits of threat hunting, it is important to understand what threat hunting is. Threat hunting is a security methodology that aims to identify threats in your environment that have managed to bypass existing security controls. Specialized analysts, referred to as threat hunters, comb through a wide array of telemetry and log data looking for the suspicious and malicious behaviors that adversaries exhibit in an environment. Threat hunting differs from traditional security analysis in that it is done in a proactive manner – meaning hunters don’t rely on a security control to generate an alert to start investigating. They work off an assumption that the adversary is already in the environment and try to either prove or falsify that hypothesis.
Threat hunting is also iterative. This means that hunters are constantly searching for these adversary behaviors. Once they finish up a hunt, they are often already planning and retooling for their next hunt.
Who Are Threat Hunters?
Threat hunting is a job that demands a lot from its practitioners in order for companies to see the benefits of threat hunting. This is because hunters have to have experience, a lot of experience. They need extensive knowledge of various operating systems, attacker methodologies, incident response best practices, an understanding of how to operationalize threat intelligence, and quite a bit more. Suffice it to say, threat hunters need a lot of varied experience, which can make them a hard breed to find. If this was a typical corporate blog, I would probably use this point to call out more vague statistics about the cyber security skills shortage. Seeing as how it isn’t, let’s keep going…
What Are the Benefits of Threat Hunting?
So, now that we are on an even footing about what threat hunting is and who threat hunters are, let’s dive into why you should care about threat hunting, what benefits it provides, and why you need to start building or maturing your threat hunting program today.
Benefits of Threat Hunting #1: You Are Probably Already Compromised
Now, let’s be clear: this isn’t meant to be fear mongering. I’m not saying that your organization has been compromised by a state actor, and all of your corporate secrets are now in the hands of some shady government. Nor am I saying that you are going to be one of the victims of one of the high-profile ransomware gangs.
What I am saying is that, from my past experience, if your organization is connected to the Internet, there is a good chance you’ve been compromised by something somewhere.
The very fact that you’ve been compromised means two things:
- That the adversary was able to bypass the security controls you have in place. This could be a simple anti-virus, or multi-million-dollar EDR and XDR tools.
- That if that adversary could get in, someone else could also.
This is where we can see one of the biggest benefits of threat hunting. Threat hunting works from the assumption that you have been compromised already. This means you are not just trusting that your security tools are working, you are verifying it as well.
Threat hunting also doesn’t waste time on indicators of compromise that are probably out of date and irrelevant. Instead, it looks for the common behaviors that adversaries or malicious programs exhibit while carrying out their objectives, which are much harder to conceal. This means that threat hunters are able to identify malicious activity much more reliably than by relying on an IP address or domain that can be easily changed.
And perhaps most importantly, by having a team hunting for these threats, your organization is also able to identify where they came from and how they got in. This means that your organization can start proactively identifying and closing gaps in your security, making sure that no other adversaries can follow their lead.
Benefits of Threat Hunting #2: Threat Hunting Improves Your SOC
A hunt doesn’t end when a hunt team uncovers a new threat that has bypassed your existing security controls. Instead, it is at this point that the hunters go to work understanding the threat. It is at this point that we see another one of the key benefits of threat hunting.
If it was an adversary your hunt team uncovered, this might mean reviewing all of their behaviors. If it is malware, it might mean understanding the full capabilities of the malware. And if it was an exploit, it will probably involve reviewing which security controls recorded the activity.
Armed with this information, the next step involves working with engineering teams to build out detection content that can be deployed in-tool, so that should that adversary, malware, or exploit be run in your environment again, your SOC team can respond immediately. This means that, as your hunters stalk their prey through your environment, you aren’t merely finding and eliminating that threat, but you are ensuring that your SOC is better able to respond to that threat in the future.
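The two points above (hunting on behavior rather than on a disposable indicator, and handing a hunt's finding to detection engineering as reusable content) are easier to see with a small worked example. The following is an added illustration, not code from the original post or from any product it mentions: the process events, the addresses and the rule object are all constructed, and the rule shape is an assumption standing in for whatever your SIEM or EDR actually consumes.

```python
"""Added example: an IOC-based hunt beside a behaviour-based hunt over
constructed process-creation telemetry, and the hunt predicate turned into
a reusable detection rule. Nothing here is real log data."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class ProcessEvent:
    host: str
    parent_image: str   # image name of the parent process
    image: str          # image name of the spawned child process
    cmdline: str
    dest_ip: str = ""   # first outbound connection made by the child, if any


# Constructed sample events. ws-02 shows the same tradecraft as ws-01, but
# the operator has moved to a different address, so the indicator no longer
# matches while the behaviour still does.
EVENTS: List[ProcessEvent] = [
    ProcessEvent("ws-01", "WINWORD.EXE", "cmd.exe",
                 "cmd.exe /c powershell -w hidden <redacted>", "203.0.113.10"),
    ProcessEvent("ws-02", "EXCEL.EXE", "powershell.exe",
                 "powershell -w hidden <redacted>", "198.51.100.7"),
    ProcessEvent("ws-03", "explorer.exe", "powershell.exe",
                 "powershell Get-ChildItem C:\\Temp", ""),
    ProcessEvent("srv-01", "services.exe", "svchost.exe",
                 "svchost.exe -k netsvcs", ""),
]

# Indicator learned during the first hunt (constructed value).
KNOWN_BAD_IPS = {"203.0.113.10"}


def ioc_hunt(events: List[ProcessEvent], bad_ips=KNOWN_BAD_IPS) -> List[str]:
    """Indicator-style hunt: hosts that talked to a known-bad address."""
    return [e.host for e in events if e.dest_ip in bad_ips]


OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def office_spawns_interpreter(e: ProcessEvent) -> bool:
    """The behaviour the hunt cares about, independent of any address."""
    return e.parent_image.upper() in OFFICE_PARENTS and e.image.lower() in INTERPRETERS


def behaviour_hunt(events: List[ProcessEvent]) -> List[str]:
    """Behaviour-style hunt: hosts where an Office app launched an interpreter."""
    return [e.host for e in events if office_spawns_interpreter(e)]


@dataclass
class DetectionRule:
    """Minimal rule object; the shape is an assumption, not a vendor format."""
    name: str
    technique: str
    predicate: Callable[[ProcessEvent], bool]

    def evaluate(self, events: List[ProcessEvent]) -> List[Dict[str, str]]:
        """Produce one alert record per matching event."""
        return [{"rule": self.name, "host": e.host,
                 "technique": self.technique, "cmdline": e.cmdline}
                for e in events if self.predicate(e)]


# Hand-off to detection engineering: the hunt's predicate becomes the rule,
# so the next occurrence raises an alert instead of needing a new hunt.
OFFICE_CHILD_RULE = DetectionRule(
    name="Office application spawned a script or command interpreter",
    technique="Spearphishing attachment (MITRE ATT&CK T1566.001)",
    predicate=office_spawns_interpreter,
)

if __name__ == "__main__":
    print("IOC hunt hit hosts:      ", ioc_hunt(EVENTS))
    print("Behaviour hunt hit hosts:", behaviour_hunt(EVENTS))
    for alert in OFFICE_CHILD_RULE.evaluate(EVENTS):
        print("ALERT", alert)
```

Run as-is, the indicator hunt returns only ws-01, the behaviour hunt returns ws-01 and ws-02, and the rule built from the hunt predicate alerts on both; ws-03, where PowerShell runs under explorer.exe, is left alone, which is the kind of baseline knowledge a hunter brings back to the SOC along with the rule.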
If your team is just starting out, or you don’t have the resources for engineering the content, you can also look at threat hunting content platforms that provide you immediate access to hunting content that you can deploy in-tool. You can grab a Community Account on our HUNTER platform completely free, here!
Benefits of Threat Hunting #3: Threat Hunters Blaze a Trail
Threat hunters, much like actual hunters, can’t do their job from the couch. Threat hunters will often find themselves in the digital wilderness of your environment, blazing a trail that few (if any) have ventured before. This is another one of the critical benefits of threat hunting because in doing their job, your threat hunters will get to know your environment – perhaps even better than those responsible for actually knowing it.
This knowledge isn’t just valuable for hunters, but for DFIR practitioners, SOC teams, and the company as a whole. Now, one of the challenges to this benefit that I continue to hear is people saying that they already have some form of inventory system, and that they already know their environment. My simple response to this has always been to review the number of incidents you’ve had in the last year. How many have involved old or out-of-date systems?
A plurality of incidents often involve an Internet-exposed system that someone neglected to patch or decommission. If the inventory system worked as well as some claim, these systems would have been discovered before a compromise (or at least protected), not during or after. Threat hunters can proactively uncover these derelict systems during the course of their activities.
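One concrete way hunters surface those derelict systems is to reconcile the inventory everyone trusts against what telemetry actually sees. The following is an added example, not code from the original post: the inventory records, the observation sources and the SLA thresholds are all constructed, and it generalizes the point above to three kinds of finding (hosts telemetry sees that inventory never recorded, inventory hosts nothing has seen in months, and Internet-exposed hosts outside their patch window).

```python
"""Added example: reconciling an asset inventory against observed telemetry
to surface unknown, stale and exposed-but-unpatched systems. All records
below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class InventoryRecord:
    hostname: str
    owner: str
    internet_exposed: bool
    last_patched: Optional[date]   # None means no patch date was ever recorded


@dataclass
class Observation:
    hostname: str
    source: str        # constructed telemetry source names: "dhcp", "edr", "fw"
    last_seen: date


INVENTORY: List[InventoryRecord] = [
    InventoryRecord("web-01", "app-team", True, date(2024, 5, 1)),
    InventoryRecord("web-legacy", "unknown", True, date(2021, 11, 3)),
    InventoryRecord("db-01", "data-team", False, date(2024, 5, 2)),
    InventoryRecord("ghost-07", "ex-contractor", False, date(2022, 1, 9)),
]

OBSERVED: List[Observation] = [
    Observation("web-01", "edr", date(2024, 5, 20)),
    Observation("web-legacy", "fw", date(2024, 5, 19)),   # still answering on the edge
    Observation("db-01", "edr", date(2024, 5, 20)),
    Observation("test-box-3", "dhcp", date(2024, 5, 18)),  # nobody registered this one
]


def reconcile(inventory: List[InventoryRecord], observed: List[Observation],
              today: date, patch_sla_days: int = 30,
              stale_days: int = 90) -> Dict[str, List[str]]:
    """Compare inventory with telemetry and return three sorted finding lists."""
    known = {r.hostname: r for r in inventory}

    # Keep the most recent sighting per host across all telemetry sources.
    latest: Dict[str, Observation] = {}
    for o in observed:
        prev = latest.get(o.hostname)
        if prev is None or o.last_seen > prev.last_seen:
            latest[o.hostname] = o

    findings: Dict[str, List[str]] = {
        "unknown_hosts": [],       # seen by telemetry, absent from inventory
        "stale_hosts": [],         # in inventory, not seen within stale_days
        "exposed_unpatched": [],   # Internet-exposed and outside the patch SLA
    }

    for hostname in sorted(latest):
        if hostname not in known:
            findings["unknown_hosts"].append(hostname)

    for r in inventory:
        sighting = latest.get(r.hostname)
        if sighting is None or (today - sighting.last_seen).days > stale_days:
            findings["stale_hosts"].append(r.hostname)
        if r.internet_exposed and (
            r.last_patched is None or (today - r.last_patched).days > patch_sla_days
        ):
            findings["exposed_unpatched"].append(r.hostname)

    return findings


if __name__ == "__main__":
    for category, hosts in reconcile(INVENTORY, OBSERVED, date(2024, 5, 21)).items():
        print(f"{category}: {hosts}")
```

With the constructed data and a reference date of 2024-05-21, test-box-3 shows up as unknown, ghost-07 as stale, and web-legacy as Internet-exposed and years past its patch window; web-01 is inside its 30-day SLA and is not flagged. Each bucket is a different follow-up: register or remove, decommission, and patch or isolate.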
We don’t need to fear monger in order to get the point across that threat hunting is invaluable for organizations. In fact, it is my opinion that that type of advertising can often be entirely counter-productive. However, this isn’t to say that threat hunting isn’t valuable for organizations. Indeed, it is very much the opposite. More organizations need to focus their efforts on threat hunting and recognize the benefits – some of which we laid out here – that threat hunting can provide for your organization.