As a concept, threat hunting has a somewhat glitzy name and, on the surface, may appear to be a project that an organization can pull off by simply adding a couple of automatic detection tools and then tasking a few security staffers to keep an eye on the results that pour in.
Nothing could be further from the truth. In fact, to be conducted properly, threat hunting requires an integrated team of security specialists using a platform specifically designed for threat hunting.
Gartner defines threat hunting as searching for security threats by looking for traces of attackers, past and present, in an IT environment. Organizations that employ threat hunting use an analyst-centric process to uncover hidden, advanced threats missed by automated, preventative and detective controls.
However, if an organization does not handle threat hunting correctly, the information gathered will be of little use, and the defense put in place will likely be ineffective.
Here are three common ways a threat hunting program goes off track.
As Gartner’s definition states, threat hunting is an analyst or human-driven endeavor. The concept of threat hunting is often incorrectly defined as being centered on security teams simply detecting threats using automated tools. However, a human element must be involved when creating a successful threat hunting team.
Specifically, it’s critically important that an organization have a security staff with the experience and training to conduct threat hunting properly. The task is not something that just anyone can handle. It requires a certain mindset and level of training to do so correctly.
Threat hunting is a proactive activity conducted by security teams that combines automated tools, such as Endpoint Detection and Response (EDR), with analysts using a hands-on approach to parse through the data for adversaries and infiltration vectors they can exploit. The people in the chain must actively search through the data being gathered, looking for anomalous behavior that tools alone won’t detect.
A team cannot simply start “threat hunting.” There are a number of preparatory actions a team must implement before the project commences. First, the team charged with protecting an organization must answer a list of questions that will help create a profile that will guide the defenders during their task.
A good threat hunting team will begin this process when it takes on a project to gather up information on the environments involved, discover what threat actors have been actively attacking such environments, determine what the attackers are looking to accomplish, and where similar organizations have been shown to be vulnerable.
The intelligence gathered through this process is used to generate a custom hunt for that customer, relying on field experience to help find where the attackers typically are and what tactics they tend to use.
Interested in learning what other attributes a good threat hunting program should have? Download our Proactive Threat Hunting Data Sheet below.
People are at the core of threat hunting and central to the practice. Trustwave Proactive Threat Hunting combines human-driven and automated process with supported technologies in your existing environment and our purpose-built threat hunting capabilities to help you get ahead of your adversaries.