Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Buzzword Bingo: Separating Fact from Fiction in Threat Hunting

We all know that cybersecurity is an industry that lends itself to the occasional overuse of acronyms – and sometimes even buzzwords. When it comes to threat hunting, which is one of the most potent weapons an organization has to find and eliminate breaches, it’s important to be able to separate fact from the fiction.

What are the aspect of threat hunting that are really impactful for organizations, and which are not? To get a grounded perspective, we talked with Shawn Kanady, Director of Threat Fusion & Hunt at Trustwave SpiderLabs and former Director of Digital Forensics and Incident Response.

Q:   Are there buzzwords that are creating confusion in threat hunting?

Shawn:   I think when threat hunting started, it was the buzzword. If you go back just 4 or 5 years, it was kind of the “cool” term that was getting thrown around. What’s interesting is that threat hunting, whether it had a name or not, is really as old as cybersecurity itself. It’s really one of the foundational elements of everything we do.

Right now, within threat hunting, there’s a lot of buzzy stuff. And I think there’s a lot of misconceptions, some of which are created by marketing material, others which are just propagated by all the terminology that gets thrown around.

To my mind, the terms that are frequently being used right now that seem like they might be creating confusion include some of the language around machine learning and automation. It’s not that they aren’t valid concepts – they are. But you can’t do effective threat hunting in a completely automated fashion, you need human judgement. More than that, you need the right humans. It’s critically important that you have the staff with the experience and training, especially with threat hunting, because it takes a certain mindset to do it correctly.

Q:   What are the common misconceptions about threat hunting?

Shawn:   One that I see come up a lot is that many organizations think an EDR tool will do the threat hunting for you. But that’s not true threat hunting, that’s just a tool doing what it was designed to do.

Where threat hunters come in, and specifically the way we approach it at Trustwave SpiderLabs, is that we use different telemetries across many platforms through our FUSION portal as well as leveraging EDR technology to get at the raw data. This allows us to hunt deeper and remain independent of tool biases which gives us a true advantage when it comes to identifying a threat vector or worse, compromise of the environment.

Threat hunting is not detection – it’s proactive hunting for adversaries and infiltration vectors they exploit. And it’s not response, which is another misconception I see often. Organizations that have seen some suspicious activity will sometimes think it calls for a threat hunt. That’s not really a hunt, that’s a response. Threat hunting fits in the middle, between detection and response.

Skilled threat hunters are looking for anomalous behavior that tools won’t detect. Once we find that behavior, we feed it into a detection and flip into response mode. We do also have response expertise, even though it’s not necessarily our prime directive, so to speak.

Q:   For organizations, what are some of the unexpected benefits of threat hunting?

Shawn:   At the core of it, what threat hunters really do is use intelligence to build hunting profiles. For example, if we were hunting inside a financial institution environment, we would gather up whatever information we have about those types of environments. Who’s attacking them? What are they looking for? Where have similar organizations been shown to be vulnerable? We would take that intelligence and use it to generate a custom hunt, relying on our field experience to help us find where the attackers typically are, and what tactics they tend to use.

What’s interesting, though, and that many organizations don’t expect at first, is that along the way we usually find a lot of bad behavior in that environment. We’ll find bad IT hygiene, patching gaps, strange password usages – all kinds of stuff that we might not have set out to find. So, we’re able to alert clients to infiltration vectors that they might not have even thought to look for. It’s not something that organizations typically think that threat hunting can help them with.

 


EBOOK

Once and Future Threats: What Security Testing Is and Will Be

To protect organizations from cybersecurity compromises, security testing needs to constantly evolve. This e-book defines some of the most common and lesser known security testing techniques and how they can be used to benefit your organization. It presents some of what Trustwave security experts learned about significant threats that organizations will face in the near future and discusses how best to mitigate those risks.

 

Latest Trustwave Blogs

Mining Operations: Critical Cybersecurity Threats & Trends Revealed

Cybersecurity professionals often point out that threat actors do not differentiate when choosing a victim. To an attacker, a hospital is as useful a target as a law firm or even a mining operation....

Read More

Phishing: The Grade A Threat to the Education Sector

Phishing is the most common method for an attacker to gain an initial foothold in an educational organization, according to the just released Trustwave SpiderLabs report 2024 Education Threat...

Read More

Unlocking Cyber Resilience: UK’s NCSC Drafts Code of Practice to Elevate Cybersecurity Governance in UK Businesses

In late January, the UK’s National Cyber Security Centre (NCSC) issued the draft of its Code of Practice on Cybersecurity Governance. The document's goal is to raise the profile of cyber issues with...

Read More