I frequently meet cybersecurity leaders who attempt to run before they can crawl, jumping at the chance to implement new technology before mastering the basics. I’ve noticed this trend especially when it comes to threat hunting, as security leaders attempt to drive Ferraris before they’ve earned their learner’s permit — or before they can even walk.
Sadly, many organizations aren’t prepared to hunt, and in some cases, they don’t even need to. Hunting delivers value — huge and unique value, in fact. But only under the right circumstances and for the organizations that fit the prerequisites.
Too many companies attempt threat hunting without establishing the right security foundations, which includes both technology (such as a well-managed network segmentation and access control) and mature security operations processes (such as incident response and log collection).
Why the urge to jump in headfirst? Threat hunting has emerged as one of the sexiest aspects of cybersecurity. In a world where severe data breaches and cyberattacks continue to plague businesses, threat hunting promises security leaders a perceived sense of control, a rare commodity especially as there’s no power in the position of the victim.
Many teams let this drive for control distract them from the more tactical, yet far more effective, steps needed to strengthen defenses. In reality, a well-executed program of security hygiene can work much better than investing in threat hunting first.
Businesses should assess their need to hunt threats in their environments, and then determine if they have the structure to support it. Most small companies, for example, have neither the need nor the capability.
Here are three factors that security leaders must consider to determine whether threat hunting is for them:
Factor 1: Technology
Enterprises must first have the security telemetry that threat hunters need to track and observe adversaries’ activities. At a baseline, hunters need endpoint detection and response (EDR) data or other rich endpoint telemetry, as it’s the mainstay for both beginner and advanced hunting operations. To be useful, endpoint data needs to have DNS, DHCP, and user enrichment data attached to it. Others can start with only logs, especially rich endpoint logs, or from network traffic metadata, as some of the original hunting teams did. Data also needs to be saved for a year or so since compromise detection windows are often measured in months.
Hunters will also need tools that can rapidly search over enriched data. A fast, interactive search over clean and structured data (something better than raw text search) can be a good starting point for an aspiring hunt team. But data is useful only if it’s digestible and actionable. If you don’t have a system in place to search, store, collect, and understand security telemetry, threat hunting is not for you
Factor 2: Detection Process
Today’s detection technology often uses rules- and signature-based detection to catch attempted attacks. Threat intelligence matching to logs and other telemetry is also common.
Automated detection should do the majority of the work if planned and executed well, but attackers are always evolving their techniques, rendering some campaigns undetectable by machines. That’s when you send the human hunters in to fill the gaps. If attackers see your business’ assets as high-value, you’ll encounter attackers who use novel methods, which is why you’ll want to consider threat hunting.
When that time comes, enterprises should examine the maturity of their detection capabilities first. The idea is to detect well, and then to hunt to fill in the gaps. It’s a waste of time for skilled threat hunters to chase after known threats and to do so repeatedly.
Factor 3: People
Threat hunters need the latest intel on advanced malware and threat actors, in addition to deep knowledge of an organization’s technology. However, since many in-house security staff members are already performing the job of two people, overindexed engineers don’t have time for free-form exploration and deep threat actor research.
This is why some organizations turn to third-party service providers to hunt on their behalf. While some hard-core hunting teams claim that a third party can never understand an environment well enough to hunt (a reasonable claim, to be sure), a service provider can deliver value if it has hunting expertise and a vast amount of threat data.
Balancing Risk vs. Costs
So, how do you make the decision? Security leaders must first evaluate their risk level by asking if the business will likely be the target of a sophisticated attack. Attacks happen for many reasons, including providing access to another, larger, business, but for most organizations, the typical security stack is adequate.
Olympic athletes devote their lives to training for niche sports. But just because it looks cool on TV doesn’t mean anyone can jump 20 feet in the air without training. Threat hunters require Olympic-level training, yet we’re seeing enterprises lacking infrastructure trying to make the leap from junior varsity to the big leagues. Threat hunting is a sophisticated, advanced technique that should be reserved for specific instances, and it should be conducted only by trained professionals. As organizations consider their 2020 security business priorities, threat hunting shouldn’t always be a default line item.
If your business doesn’t face targeted or high-profile threats, if you have the right security tools in place, and if you can use a third-party service for hunting, save your time and money and leave the hunting to the experts. Or don’t do it at all — other security investments are more likely to deliver value in your situation.
Anton is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is the author of several books and serves on advisory boards of several security startups. Before joining Chronicle, Anton was a research vice president and Distinguished … View Full Bio