The information security community is fundamentally no different from any other industry. Whenever a certain feature, concept, or buzzword bubbles to the top of the underlying conversational froth, entities (trying to make money) will attempt to appropriate this idea in some fashion to show that their product ‘fits’ the current zeitgeist.
So is the case with ‘threat hunting’, an operational concept mostly (if not solely) applicable to an organization’s procedures (as opposed to its technology) that fills a critical gap between known, obvious security events and the status quo. The concept of threat hunting has been around for some time, but only appears to have come into fashion in the last few years. As a result, vendors and security solution providers are attempting to hop onto the hunting ‘bandwagon’ to show that their product fits the current concept of interest.
Unfortunately, threat hunting is a process implemented within the organization, and not something that can simply be bought. Vendor solutions might facilitate hunting through visualization, presentation, or correlation, but ultimately hunting is more a frame of mind for a security team than a mere product.
There are multiple definitions in the wild, but the one that has stuck with me – and which I helped implement in DOE – relies on a fairly simple formula: develop a hypothesis, then investigate and explore available data based on the hypothesis. From the results, determine if any of the hypothesized threat activity took place, and if the ‘hunt’ proves productive or useful, search for ways to either automate or integrate into continuous monitoring moving forward.
In this fashion, hunting becomes an exercise rooted in questioning and exploration – rooted in the development of testable hypotheses – with an end goal of producing repeatable, future-oriented results (by repeating the ‘hunt’ in the future through automation). At its core, threat hunting shouldn’t be alert or anomaly ‘whack-a-mole’, but a systematic means of exploring possible threat vectors and then integrating them into alerting and monitoring when hunts have proven (conceptually) successful.
Recent vendor proclamations of automated or facilitated hunting activities not only cheapen the message of threat hunting, but actively damage network security practices by imbuing a sense of achievement when the opposite holds. By trumpeting a gelded version of threat hunting, vendors willfully and deliberately undermine the security posture of customers – an act of malfeasance and betrayal of near-fiduciary duties.
Ultimately, organizations must look to vendor solutions to facilitate hunting operations – but never to actually conduct or automate them for the organization. Hunting is a mindset established within the security organization to actively look for and root out threats – attempting to provide a technical solution to this cultural problem only dulls security operations and renders organizations less able to respond and combat threats.
When determining what technical solution best fits their needs or will move the organization forward, decision-makers should look for solutions that provide the means to facilitate and enable hunting: data correlation; playbook design and development; and the ability to record and track operational knowledge over time. In this fashion, a security solution can assist the organization’s hunting efforts, instead of making the false promise of automating such tasks with the resulting failure of poor execution.
Equally important, asset owners and operators must own up to the responsibility of inculcating a hunting mindset within their organizations, rather than expecting some third party to magically handle this situation on their behalf. A true and effective threat hunting organization begins (and in many cases ends) with its people – individuals who know how to formulate hypotheses, pursue them and evaluate data, and develop justifiable conclusions based off of evidence. All of this requires investment in people and the time they spend on their activities. Any entity seeking to do this ‘on the cheap’ or through some magical method of automation condemns themselves to being blind.
In closing: the practice of computer network security demands that practitioners actively seek out (or hunt) threats. Thinking that such practices can be abstracted away or repeatedly outsourced only results in an organization being blind and dependent upon others for visibility and response. A true threat hunting mindset requires moving beyond simple, atomic responses such as “see IOC, search for IOC” to formulating structured hypotheses such as “adversaries may pursue intrusions following these TTPs, search for artifacts of such activity and, if successful, devise means to automate searches moving forward”. External entities may help guide or push you in this direction; but if you’re relying on others to do this for you, you’ve outsourced a very fundamental aspect of internal network monitoring and hygiene.
