Threat hunting is a human-led, machine-assisted initiative, where hunters look at datasets and patterns to determine whether there’s malicious activity or an active adversary in the network.
As companies try to stay ahead of the latest, ever-evolving threats, it’s a practice that has become increasingly important to help monitor and manage what’s happening on the network, detect unknown threats and respond appropriately to protect the business.
To put it simply, it’s a complicated process. There are understandably many misconceptions.
As a result, misdirection and misunderstanding are lulling people into a false sense of security and leaving businesses exposed.
Here, we’ll take a closer look at three common misconceptions about threat hunting and uncover what you really need to know to ensure a productive hunt.
Misconception #1: Threat hunting can be automated.
The idea that threat hunting can be fully automated is the most disingenuous misconception out there. While parts of the process can be automated, the reality is that the human touch is necessary for any successful threat hunt. End-to-end, from identification to response, it’s not possible to automate the entire process.
Automation plays an important role in threat hunting, from data gathering to detecting known knowns. In an automation-initiated hunt, something might get flagged as suspicious via an automated rule. But, once that happens, you need a threat hunter to look at those clues and perform a strategic analysis. A machine can raise potential flags, but can’t make an intelligent decision about whether something is malicious or benign. There are a lot of things that happen in the grey area, where it’s difficult for a trained model to make the right judgment call. Human expertise is required to decipher those grey areas.
For example, if you see PsExec running on your network, it’s not necessarily immediately clear whether it’s malicious or harmless. It’s an admin tool that’s used for legitimate purposes, but it’s also often used by malware and attackers trying to do something nefarious. How do you know whether you’ve come across a malicious or benign case? Human expertise can provide context around the intent of that command, and evaluate whether it was malicious.
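The PsExec case above, as an added example that is not part of the original post: an automated rule can match the process name, but all it can responsibly do is gather the context a hunter needs (who ran it, from which host, at what hour, under which parent process) and rank the sighting. The event schema, the admin host and account lists, and the business-hours window are assumptions; the verdict field is left empty on purpose.

```python
"""Context enrichment for PsExec sightings: added example, not code from the
post. Event fields, host/user lists and business hours are all constructed."""
from datetime import datetime

PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}

# Constructed EDR-style process events; the field names are an assumed schema.
EVENTS = [
    {"ts": "2024-03-04T09:12:00", "host": "JUMP01", "user": "CORP\\itadmin",
     "image": "psexec.exe", "parent": "cmd.exe",
     "cmdline": "psexec.exe \\\\FS02 cmd.exe"},
    {"ts": "2024-03-04T02:47:00", "host": "WS-117", "user": "CORP\\jdoe",
     "image": "PsExec.exe", "parent": "winword.exe",
     "cmdline": "PsExec.exe \\\\DC01 cmd.exe"},
    {"ts": "2024-03-04T10:01:00", "host": "WS-118", "user": "CORP\\asmith",
     "image": "chrome.exe", "parent": "explorer.exe", "cmdline": "chrome.exe"},
]

# Assumed organisational knowledge that an automated rule cannot supply on its own.
ADMIN_HOSTS = {"JUMP01"}
ADMIN_USERS = {"CORP\\itadmin"}
BUSINESS_HOURS = range(7, 19)
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}


def enrich_psexec(events):
    """Return one triage record per PsExec execution, ranked by how much of its
    context is unusual. 'verdict' stays None: the machine surfaces and orders,
    the hunter decides whether the use was legitimate."""
    records = []
    for e in events:
        if e["image"].lower() not in PSEXEC_IMAGES:
            continue
        hour = datetime.fromisoformat(e["ts"]).hour
        notes = []
        if e["host"] not in ADMIN_HOSTS:
            notes.append("launched from a host not used for administration")
        if e["user"] not in ADMIN_USERS:
            notes.append("launched by an account not in the admin group")
        if hour not in BUSINESS_HOURS:
            notes.append(f"launched outside business hours ({hour:02d}:00)")
        if e["parent"].lower() in OFFICE_APPS:
            notes.append(f"parent process is an office application ({e['parent']})")
        records.append({
            "host": e["host"], "user": e["user"], "cmdline": e["cmdline"],
            "context": notes,
            "priority": "high" if len(notes) >= 2 else "low",
            "verdict": None,   # left to the hunter on purpose
        })
    # Highest-priority records first so the hunter's time goes where context is oddest.
    return sorted(records, key=lambda r: r["priority"] != "high")


if __name__ == "__main__":
    for rec in enrich_psexec(EVENTS):
        print(rec["priority"].upper(), rec["host"], rec["user"], rec["context"])
```

The point of the block is what it does not do: nothing in it labels the JUMP01 run benign or the WS-117 run malicious. It only makes the grey area visible and puts the oddest sighting at the top of the queue.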
Misconception #2: Having endpoint detection and response (EDR) means that you’re doing threat hunting.
Threat hunting and EDR aren’t the same thing. If you’ve purchased an EDR product, you’re not necessarily doing threat hunting. EDR, at its core, is a rich dataset that can be used to investigate or query information. But, while EDR is an essential tool in a threat hunter’s arsenal, it gives you only part of the story.
There are a number of other sources of information that are extremely valuable in the hunt. Endpoint data is important, but so is network traffic. Threat hunters will look beyond EDR data at networking logs, firewalls and intrusion detection and prevention system logs to get a more complete picture of the landscape. Pulling in any third-party data, like Active Directory information, Office 365 data, or data from any other applications in use, can enrich the dataset, and a rich dataset allows you to identify more complex threats.
Misconception #3: You can add data into a SIEM and start threat hunting.
SIEMs do provide a useful service, in that they are a place where we can input a lot of information and start asking questions of that data. But one of the biggest challenges with a SIEM is that it’s difficult to keep data consistent. And, unsurprisingly, poor data quality usually means a hunt will be unproductive.
The definition of quality data may be subjective, but at its core, ensuring that data from disparate systems is normalized and that data attributes (where possible) are standardized will go a long way.
Quality data is critical for a few reasons:
- It increases the productivity of a threat hunt, making it easier for team members to query large sets of data and retrieve consistent results
- When data attributes are normalized, threat hunters can avoid joining different sets of data during a threat hunt, while allowing for richer context to identify more complex threats
- Having a good understanding of the quality of your data allows the threat hunting team to set clear objectives for the data they CAN analyze and to set expectations about what they CANNOT analyze. This allows projects to be coordinated and prioritized to increase overall quality.
If you want to find out whether a device is talking to a certain IP address, for example, you can query the network logs, endpoint logs and anything else that might have that data attribute. When the data quality is consistent, the results of that query are more trustworthy. Ensuring consistency of the data coming into your platforms is something that’s often overlooked.
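An added example, not code from the original post, of the normalization the last few paragraphs describe, covering both the multiple data sources from Misconception #2 and the "is this device talking to a certain IP address" question: three constructed log lines in a firewall, EDR and proxy format are mapped onto one shared schema, and the same question is then asked of the raw text and of the normalized records. The shared schema, the field names and the sample lines are all assumptions and do not come from any particular product.

```python
"""Normalizing multi-source logs before a hunt query: added example, not code
from the post. Schema, field names and log lines are constructed."""
import json
import re
from collections import Counter
from ipaddress import ip_address

# Constructed raw records from three sources, each with its own field names.
RAW = [
    ("firewall", "ts=2024-03-04T09:12:01 src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow"),
    ("firewall", "ts=2024-03-04T09:15:40 src=10.0.0.9 dst=198.51.100.7 dport=80 action=allow"),
    ("edr", '{"Timestamp": "2024-03-04T09:12:03", "Hostname": "WS-117", '
            '"LocalIp": "10.0.0.5", "RemoteIp": "203.0.113.10", "RemotePort": 443}'),
    ("proxy", "2024-03-04T09:13:10 client_ip=10.0.0.12 destination=203.0.113.10:443 status=200"),
]

# Per-source mapping of native field names onto one shared schema (assumed).
FIELD_MAP = {
    "firewall": {"ts": "ts", "src": "src_ip", "dst": "dst_ip", "dport": "dst_port"},
    "edr": {"Timestamp": "ts", "Hostname": "host", "LocalIp": "src_ip",
            "RemoteIp": "dst_ip", "RemotePort": "dst_port"},
    "proxy": {"ts": "ts", "client_ip": "src_ip", "dst": "dst_ip", "dport": "dst_port"},
}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_raw(source, line):
    """Turn one raw line into a dict keyed by the source's own field names."""
    if source == "edr":
        return json.loads(line)
    fields = dict(KV_RE.findall(line))
    if source == "proxy":
        fields["ts"] = line.split()[0]                 # leading bare timestamp
        host, _, port = fields.pop("destination").partition(":")
        fields["dst"], fields["dport"] = host, port    # split "ip:port"
    return fields


def normalize(source, line):
    """Rename fields to the shared schema and standardize attribute values."""
    rec = {"source": source}
    for native, value in parse_raw(source, line).items():
        shared = FIELD_MAP[source].get(native)
        if shared:
            rec[shared] = value
    if "dst_port" in rec:
        rec["dst_port"] = int(rec["dst_port"])        # same type in every source
    for key in ("src_ip", "dst_ip"):
        rec[key] = str(ip_address(rec[key]))          # canonical form, rejects garbage
    return rec


def naive_query(raw, ip):
    """Grep-style search on raw text: only the source that spells it 'dst=' answers."""
    return [src for src, line in raw if f"dst={ip}" in line]


def devices_talking_to(records, ip):
    """Same question over the normalized set: every source contributes."""
    ip = str(ip_address(ip))
    hits = [r for r in records if r["dst_ip"] == ip]
    return {
        "devices": sorted({r["src_ip"] for r in hits}),
        "per_source": dict(Counter(r["source"] for r in hits)),
    }


RECORDS = [normalize(src, line) for src, line in RAW]

if __name__ == "__main__":
    print("raw text search hit:", naive_query(RAW, "203.0.113.10"))
    print("normalized query:", devices_talking_to(RECORDS, "203.0.113.10"))
```

The raw search answers from the firewall alone; the normalized query returns the same device from the EDR record and a third device the proxy saw, which is exactly the "consistent results" the bullet list above is about. Standardizing values (ports as integers, IP addresses in canonical form) matters as much as renaming fields, because a string "443" and an integer 443 will not join cleanly either.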
In addition to the automation-initiated threat hunting discussed earlier, there are two other types of threat hunting that both require rich datasets. In a lead-driven hunt, the threat hunter knows that an actor uses a certain technique, for example, and checks to see if that information is present in the dataset. A lead-less hunt, on the other hand, starts with a threat hunter asking a question or presenting a hypothesis – perhaps, “Base64-encoded content run on an endpoint is a common tactic used to obfuscate malicious activity” – and then looking in the data for supporting information.
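The lead-less hypothesis quoted above, as an added example that is not from the original post: a hunt over constructed process command-line events finds Base64-looking tokens, decodes them (including the UTF-16LE form that PowerShell's -EncodedCommand parameter uses) and groups what it found by host for the hunter to review. The event schema and sample command lines are assumptions, and the encoded strings are harmless text built at run time.

```python
"""Lead-less hunt for Base64-encoded content in command lines: added example,
not code from the post. Event schema and command lines are constructed."""
import base64
import binascii
import re
from collections import defaultdict

# A run of at least 32 Base64 characters, optionally padded, not glued to other
# Base64-alphabet characters (so path fragments and short words do not match).
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{32,}={0,2}(?![A-Za-z0-9+/])")


def encode_b64(text, utf16=False):
    """Helper used only to build the constructed sample events."""
    raw = text.encode("utf-16-le" if utf16 else "utf-8")
    return base64.b64encode(raw).decode("ascii")


# Constructed process events; the encoded payloads are harmless strings.
EVENTS = [
    {"host": "WS-117", "user": "CORP\\jdoe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand "
                + encode_b64("Get-Date | Out-File C:\\temp\\date.txt", utf16=True)},
    {"host": "WS-118", "user": "CORP\\asmith", "image": "cmd.exe",
     "cmdline": "cmd.exe /c echo " + encode_b64("hello from the backup script")
                + " > note.txt"},
    {"host": "WS-118", "user": "CORP\\asmith", "image": "notepad.exe",
     "cmdline": "notepad.exe report.docx"},
    {"host": "SRV-02", "user": "CORP\\svc_backup", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\ops\\backup.ps1"},
]


def decode_candidate(token):
    """Strictly decode a token and render it as text, or return None.
    PowerShell's -EncodedCommand carries UTF-16LE, so ASCII text shows up with
    a NUL in every second byte; that pattern selects the UTF-16LE decoding."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le", errors="replace")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return text if text.isprintable() else None


def hunt_encoded_content(events):
    """Test the hypothesis over the dataset: every Base64-looking token becomes a
    finding under its host, decoded where possible, for the hunter to judge."""
    findings = defaultdict(list)
    for e in events:
        for match in B64_RE.finditer(e["cmdline"]):
            token = match.group(0)
            findings[e["host"]].append({
                "user": e["user"],
                "image": e["image"],
                "token_len": len(token),
                "decoded": decode_candidate(token),   # None: not readable text
            })
    return dict(findings)


if __name__ == "__main__":
    for host, items in hunt_encoded_content(EVENTS).items():
        for item in items:
            print(host, item["user"], item["image"], "->", item["decoded"])
```

The hunt only confirms that encoded content is present and shows what it decodes to; whether the scheduled-task style one-liner on WS-117 is an administrator's habit or something else is, again, the hunter's call, and one that is only possible because the command-line attribute was consistently available in the dataset.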
Good data allows threat hunters to identify complex threats quickly and more accurately. When a threat hunter knows the data they’re working with is solid, they can be more effective and more efficient.
The bottom line
The data is just the beginning of the hunt. What’s more important is how you apply that data to find the initiation point of the threat. Making the data useful and making the data work for you: this is what machines can’t automate. In fact, if it could be fully automated, MDR (managed detection and response) as a category simply wouldn’t exist.
A hypothesis about the threat, a method, good data and the critical thinking of a talented hunter are the key ingredients to successful threat hunting. When suspicious activity occurs within the grey area, threat hunters can apply strategic analysis to decipher intent, and whether or not a response is needed to protect the business.