Threat Hunting (or TH for short) is quickly emerging as a hot trend in cybersecurity. The onslaught of data breaches we’ve been experiencing, each bigger than the last, has proved to organizations that they should assume compromise and seek ways to reduce dwell time. Dwell time is defined as the number of days that a threat stayed latent before discovery and eradication. In 2016 it was 98 days for financial services firms and 197 days for retailers on average.
So organizations now “Hunt” for threats instead of waiting for alerts to notify them of potential breaches.
The term “threat hunting” was probably coined by security analyst Richard Bejtlich, who wrote in 2011: “To best counter targeted attacks, one must conduct counter-threat operations (CTOps). In other words, defenders must actively hunt intruders in their enterprise.” The SANS Institute defines threat hunting as follows: “Threat hunting is a focused and iterative approach to searching out, identifying and understanding adversaries that have entered the defender’s networks.”
Even the analyst firm Gartner covers this activity (although not defined as a market segment yet).
Threat Hunters and their data sources
But is Threat Hunting even a separate cybersecurity practice category, and if so, does it require specialized tools? In most organizations today, Threat Hunters (“Hunters” for short) are experienced analysts, mostly at Tier 3, who search for threats on a daily basis and are also involved in forensic investigations, reverse engineering, and incident response. More often than not these hunters conduct this activity in addition to their other roles and responsibilities, and often have to rely on existing tools and data sources. Threat hunting can be executed over a large number of information sources that already exist within the organization: logs of IT systems and security systems, data on the Internet communication between the organization and the outside world, analysis of files stored on endpoints, and analysis of user behavior patterns. Threat hunting can also draw on external threat intelligence data to enrich the information available and “incriminate” specific activities by flagging them as suspicious.
Assuming that the indicators of compromise are already present in the data the organization collects and stores, it is now up to the Hunter to make sense of this data and identify a breach.
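As an added example (not code from the original post or from any vendor named here), a minimal Python hunt over constructed proxy-log lines: it enriches log data the organization already keeps with a constructed threat-intelligence list, groups the matches per internal host, and computes the dwell time defined above. All hosts, domains, addresses and threat labels are constructed sample values.

```python
# Added example, not from the original post: a minimal hunt over constructed
# proxy-log lines.  It enriches existing log data with an external threat-intel
# list to flag suspicious connections, groups hits per internal host, and
# computes dwell time (days from first contact to discovery), as defined above.
from datetime import date

# Constructed threat-intel feed: indicator -> hypothetical threat label.
THREAT_INTEL = {
    "update-cdn.example.net": "sample-C2-family",
    "198.51.100.23": "sample-C2-infrastructure",
}

# Constructed proxy log: date, source host, destination, bytes sent.
PROXY_LOGS = """\
2016-03-02 ws-017 portal.example.com 1204
2016-03-02 ws-017 update-cdn.example.net 4096
2016-03-05 ws-042 198.51.100.23 2048
2016-04-11 ws-017 update-cdn.example.net 4096
2016-06-08 ws-017 update-cdn.example.net 4096
2016-06-09 ws-099 mail.example.com 512
"""
DISCOVERY_DATE = date(2016, 6, 9)  # the day the hunter looked (constructed)

def parse_logs(text):
    """Yield (date, host, destination, bytes) tuples from the constructed format."""
    for line in text.splitlines():
        if line.strip():
            day, host, dest, sent = line.split()
            yield date.fromisoformat(day), host, dest, int(sent)

def hunt(log_text, intel, discovery_date):
    """Return {host: {"threat", "first_seen", "hits", "dwell_days"}} for every host
    that contacted an indicator; dwell time runs from first contact to discovery."""
    findings = {}
    for day, host, dest, _ in parse_logs(log_text):
        if dest not in intel:
            continue  # benign destination, nothing to incriminate
        f = findings.setdefault(host, {"threat": intel[dest], "first_seen": day, "hits": 0})
        f["first_seen"] = min(f["first_seen"], day)
        f["hits"] += 1
    for f in findings.values():
        f["dwell_days"] = (discovery_date - f["first_seen"]).days
    return findings

if __name__ == "__main__":
    for host, f in hunt(PROXY_LOGS, THREAT_INTEL, DISCOVERY_DATE).items():
        print(f"{host}: {f['threat']} first seen {f['first_seen']}, "
              f"{f['hits']} hits, dwell {f['dwell_days']} days")
```

Against the constructed data, ws-017 shows three contacts with a known indicator and a dwell time of 99 days, in the same range as the averages quoted above; a real hunt would run the same join across far larger log volumes and richer indicator feeds.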
Threat Hunting Tools
So we finally come to the crucial aspect, the one that will determine if Threat Hunting will become a product category of its own: do Hunters really need dedicated tools to conduct their operations? According to a recent SANS Survey: “Most organizations are utilizing existing tools to understand their environment. Slightly more mature organizations are writing scripts to enhance their capabilities, and very mature organizations are utilizing third-party tools.” 87% of respondents are using existing tools (such as SIEM, IDS/IPS) to aid in finding, tracking and catching the adversary, while fewer than 50% (of respondents who actually conduct Threat Hunting) use dedicated threat-hunting tools.
Here things get really complicated, because we’re entering the marketing realm. Many vendors state that their products are TH products, but few actually offer dedicated tools (that facilitate TH and nothing else); most are subsets of other platforms or products such as network analysis tools, EDR, SIEM or NTA.
Dedicated Threat Hunting tools
Several companies, most of which are early-stage startups, have billed themselves as Threat Hunting platforms: Cyphort, E8 Security, Sqrrl, Jask, Niddel, Nuix, Infocyte. This segment of the market is so young that it’s impossible to estimate whether it will gain enough traction to establish itself as a real product category.
Network analysis as Threat Hunting tools
Since threat hunting is largely about sifting through communication data, it’s no wonder that network traffic analysis tools are offered as Threat Hunting tools. Companies with a deep understanding of network traffic behavior, packet capture and analysis capabilities, and network visibility all offer Threat Hunting as a by-product of their platform: Darktrace, Vectra, SS8, Bricata, FlowTraq.
Machine learning tools for Threat Hunting
Although not specifically labeled as a TH tool, SecBI’s ML algorithm, which analyzes network traffic from syslogs, enables expert and novice analysts alike to engage in threat hunting, since its clustering mechanism automatically detects patterns that could indicate a compromise and presents the full scope of the incident to the analyst.
Threat hunting or EDR?
Endpoint Detection and Response products overlap heavily with threat hunting tools, since they are able to detect and analyze whatever happens on the endpoint. As such, EDR companies (which are under great pressure to differentiate) now offer “Hunting Modules” to complement “regular” EDR functions: Endgame, CrowdStrike, Carbon Black, Cybereason.
Threat Hunting or SIEM Next Gen?
SIEM (or its shortcomings) is likely the reason that customers need Threat Hunting tools in the first place. As a centralized platform, the SIEM should already hold all the logs in which indicators of compromise are “hiding”. Yet regular SIEM systems are not flexible enough to conduct true hunting operations, the exceptions being Splunk (which allows analysts to build any type of complex query over any data source) and Exabeam (which recently started to offer Threat Hunting as an added capability of its SIEM automation platform).
Or as a service?
Many people argue that Threat Hunting is not about technology but about people: very skilled and very experienced people. And since these people are nowhere to be found (about a million professionals are missing worldwide), it looks like a lucrative upsell for managed services companies. Indeed, SecureWorks, Accenture, Endgame, Capgemini and others now offer Threat Hunting as a service. Since Threat Hunting requires intimate knowledge of both the organization and the perpetrators, it remains to be seen whether this offering is indeed valid.
The future: is regulation in sight?
The Israel Cyber Authority recently published the “Organizational Cybersecurity Doctrine” document, which includes recommendations for threat hunting. The section of that document dealing with proactive cybersecurity states (translated from Hebrew): “This document recommends that threat hunting be implemented by setting forth a structured, cyclic program of monitoring the organizational activity longitudinally (organization – outside world) and laterally (inside the organization), along with such other sources as external intelligence, hunting of potential threats by analyzing and correlating information, and responding to the threats, whether they were actually spotted in the context of the threat hunting activity or as a preparatory measure for blocking even before they occurred.”
It will be interesting to see whether other regulatory bodies follow suit. ENISA has addressed this in its “Actionable information for security incident response” paper but has yet to release any official document requiring proactive threat hunting.