Threat hunting emerged as a new way to proactively identify threats in your environment. For high-performing SOCs, it’s a must-have activity that can mean the difference between a malicious hack and a normal, uneventful day. With the stakes so high, it’s time to look at what threat hunting is: its history, what it looks like today, and its future, particularly as adversaries become more advanced every day.
The ghost of threat hunting past
Just over a decade ago, security analysts shared information on malicious code among themselves only – no public announcement of a breach, and certainly no public reckoning. Instead, you would receive information about a threat from a colleague or friend, conduct an investigation to determine if the compromise occurred in your environment, and then adjust your security posture to prevent similar compromises. This system inspired a new industry paradigm for SecOps across the globe. A handful of vendors began to offer threat intelligence, and eventually, a whole slew of security providers developed threat intelligence for the industry as well as for different verticals.
Once these tools became widespread, SecOps teams needed to subscribe to threat intelligence to enrich their detection tools, a fail-safe approach to watching for future threats. But threats seldom announce themselves in real time, so you also need a robust historical log to search for past compromises as well as potential future ones. In addition, detection tools don’t catch every intruder, which created the need for a proactive way of finding the threats that break through your defenses.
Today, many organizations rely on SIEM tools for hunting. They offer a single-pane-of-glass view into security events and give you a method of broadly enriching data, a far cry from manually analyzing events.
Top 3 challenges for threat hunters
Make no mistake: threat hunting has come a long way in the last ten years. But then again, so have adversaries. These days, the specter of modern attackers keeps CISOs up at night. To get a good night’s sleep, you should have access to all data, live, and you shouldn’t have to restore backups or manually insert other data sources that weren’t being logged. You need full, complete visibility without restriction. But, there are a few barriers to entry for achieving what today’s ideal SOC looks like:
- Growth of the attack surface. Business expansion has created an almost incomprehensible number of users, applications, and endpoints that serve as attack vectors for breaches. This means that while SIEM became the norm for collecting historical security data, evidence of attackers can now be found in all available data, not just security data. SIEMs can no longer handle the volume of structured and unstructured data available to the SOC, and the landscape is changing. In other words, all data is security data.
- Live data is more necessary than ever. Without live, hot data available to search, you need to search months of data in a data lake; this process can take hours, and it requires exact search criteria and syntax that are unlikely to be right without a data scientist present at all times. This data lake approach is much too time-consuming when data breaches can take mere seconds.
- TCO was prohibitive, until now. The cost for centralized log management solutions to log all data can be astronomical based on the high levels of machine data digital businesses are generating. To keep costs in check, businesses generally keep one or two weeks of historical data in their logs, and back the rest up to tape or another backup storage type. The problem? You can’t threat hunt tape. However, security analytics tools today deliver full capabilities at a much lower cost, so you don’t have to let cost constraints compromise your security.
The future of the SOC and threat hunting
Unfettered visibility is important, yes. But you must also hone skills to combat the next phase of how our adversaries are targeting us: through artificial intelligence and machine learning. Attackers are beginning to shift tactics dynamically, on the fly; they no longer require an employee to click a phishing email to gain access to data. Next-generation attacks can execute from previews, shut off antivirus systems, escalate privileges, and even disable logs to hinder detection.
What should I do?
Continue to improve your organization’s security posture with full data visibility and robust threat hunting and intelligence. Understand that malicious adversaries are hiding in plain sight, for example inside Windows PowerShell, a tool designed for sysadmins, so threat hunting must evolve to look for tactics, techniques, and procedures (TTPs) instead of focusing purely on static indicators of compromise. But don’t leave old rules behind, either: static information such as hashes is still a relevant part of security. It’s all about developing the right mix.
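The "right mix" described above, and the earlier point that newly received intelligence has to be searched against historical logs rather than only live ones, can be shown in a small hunt. The following is an added example written for this article, not code from the author or from any vendor's product. Everything in it is constructed: the tab-separated process-creation event format, the HASH_* placeholder tokens standing in for real SHA-256 values, the hostnames and users, and the rule names. It applies two rule families to the same events: an exact-match static indicator (a hash that a peer or feed reports after the fact, so the older event must be found retrospectively) and two behavioural TTP rules for PowerShell use that a sysadmin would not normally need (an encoded command and a hidden window). The regexes approximate PowerShell's parameter-prefix matching and are an assumption, not an exhaustive grammar. Note that the legitimate backup script on fs-01 is PowerShell too and is correctly left alone; that is the "hiding in plain sight" problem the article describes.

```python
"""Added example: a small hunt that mixes static IoC matching with
behavioural (TTP) rules over process-creation events.  Every event, hash
and rule name below is constructed for illustration."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation events, tab-separated:
# timestamp, host, user, image path, file hash, command line.
# Real events would carry a SHA-256; the HASH_* tokens are placeholders.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z\thr-ws07\tjdoe\tC:\\Windows\\System32\\notepad.exe\tHASH_NOTEPAD\tnotepad.exe report.txt
2024-03-01T08:15:42Z\thr-ws07\tjdoe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tHASH_POWERSHELL\tpowershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand ZwBlAHQALQBkAGEAdABlAA==
2024-03-02T22:40:05Z\tfs-01\tsvc_backup\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tHASH_POWERSHELL\tpowershell.exe -File C:\\scripts\\nightly-backup.ps1
2024-03-03T13:07:19Z\tfin-ws02\tmsmith\tC:\\Users\\msmith\\AppData\\Local\\Temp\\update.exe\tHASH_UPDATE\tupdate.exe /quiet
"""

# Static intelligence received after the fact (constructed): a hash that only
# becomes "known bad" once a feed or a peer reports it, so the hunt must run
# over historical events, not just the live stream.
KNOWN_BAD_HASHES = {"HASH_UPDATE"}


@dataclass
class Event:
    timestamp: str
    host: str
    user: str
    image: str
    file_hash: str
    cmdline: str


@dataclass
class Finding:
    timestamp: str
    host: str
    rule: str
    detail: str


def parse_events(text: str) -> list[Event]:
    """Parse the constructed tab-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", 5)
        if len(fields) != 6:
            raise ValueError(f"malformed event line: {line!r}")
        events.append(Event(*fields))
    return events


# Behavioural (TTP-style) patterns.  PowerShell accepts unambiguous parameter
# prefixes, so the regexes cover the common short forms; they are an
# approximation (assumption), not an exhaustive grammar of the command line.
ENCODED_COMMAND = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b", re.I)


def decode_powershell(b64: str) -> Optional[str]:
    """-EncodedCommand carries base64 of a UTF-16LE string; return it, or None."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_powershell(event: Event) -> bool:
    """True for the Windows PowerShell and PowerShell 7 host binaries."""
    return event.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


def hunt(events: list[Event], ioc_hashes: set[str]) -> list[Finding]:
    """Run static IoC matching and the TTP rules over every event, live or historical."""
    findings = []
    for ev in events:
        # Static indicator: exact hash match against the intelligence set.
        if ev.file_hash in ioc_hashes:
            findings.append(Finding(ev.timestamp, ev.host, "static_ioc_hash",
                                    f"{ev.image} matches intel hash {ev.file_hash}"))
        # Behavioural rules only apply to the PowerShell host binaries.
        if not is_powershell(ev):
            continue
        m = ENCODED_COMMAND.search(ev.cmdline)
        if m:
            decoded = decode_powershell(m.group(1))
            preview = decoded if decoded is not None else "<undecodable>"
            findings.append(Finding(ev.timestamp, ev.host, "ps_encoded_command",
                                    f"user {ev.user} ran encoded command: {preview}"))
        if HIDDEN_WINDOW.search(ev.cmdline):
            findings.append(Finding(ev.timestamp, ev.host, "ps_hidden_window",
                                    f"user {ev.user} launched PowerShell with a hidden window"))
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG), KNOWN_BAD_HASHES):
        print(f"{f.timestamp} {f.host:<9} {f.rule:<19} {f.detail}")
```

Run as a script, the hunt reports three findings: two TTP hits on the hr-ws07 PowerShell event (the encoded payload decodes to the harmless "get-date", chosen so the sample is safe to run) and one static hash hit on the fin-ws02 binary two days later, which only a search over stored events can surface once the intelligence arrives. The benign notepad launch and the scheduled backup script produce nothing. In a real SOC the event source would be a SIEM or endpoint telemetry query and the rule set far larger, but the shape is the same: keep the exact-match indicators, and add behavioural rules for the tools attackers borrow from administrators.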