Before we begin though, a definition of threat hunting is in order.
Generally speaking I would define threat hunting as follows:
Threat hunting is a proactive detection activity in which an organization aims to detect active or dormant cyber security threats to its assets that have evaded existing security controls .
The basic mindset for threat hunting is to assume breach, hypothesise on the threat profiles for the organization, including their specific targets and TTPs and then seek to prove the hypothesis, incentivising improvement and growth throughout the process.
While I believe that the above definition is generally accepted, the interpretation and implementation of threat hunting is split between two main schools of thought:
Intelligence driven threat hunting
Alert driven threat hunting
My rather firm view on this is that the first type was created by security professionals and the second one was created by marketing professionals.
With alert driven threat hunting, the hunters wait for an above-the-threshold event to kick-off a hunt.
Therein lies the problem, as this type of activity lacks the key component of hunting, which is the proactive nature of the hunt. If your prey kicked you in the head and you responded, you weren’t really hunting, you were responding to an incident.
The use of the term threat hunting here is motivated mostly by a marketing positioning strategy, as you can charge more for an add-on module if it has an appealing name.
Another shortcoming of this approach is that it assumes visibility. That is, it assumes you are already collecting all the information you would require to detect your adversaries.
That reality is often very different with limited visibility, even in large, mature enterprises.
Threat actors capitalize on these blind spots, and would often use legacy systems and development servers with no security controls as pivot points..
Intelligence driven threat hunting on the other hand is indeed a proactive activity in which an organization decides to embark on a discovery journey that may be triggered by an emerging threat, an executive decision, or just plain good cyber security habits.
The intelligence aspect of it is that the hunt is driven or modelled around a specific threat or group of threats, and the intelligence that the security community has gathered around that threat.
For example, let’s say that you have heard of a chain of attacks on some of your competitors in the web hosting business. The attacker was aiming for the servers so that they could install crypto mining software, and steal your processing resources.
This could serve as trigger for a threat hunting exercise in which the threat that is modelled is the same or similar cyber crime group, targeting your own servers.
Now that we are aligned on the definition of threat hunting, let’s see what benefits are generally associated with the activity:
In the next post, we will explore the different stages of threat hunting.