The process is a difficult one, and everyone who regularly hunts for threats develops a personal approach. It shouldn’t be surprising that misconceptions have grown about how it works and what it accomplishes. Here are ten myths that get in the way of understanding threat hunting and doing it effectively.
1. “It’s basically a manual process.”
Finding threats in a network requires going through a huge amount of data. Trying to do this without powerful tools would be hopeless. Expert hunters rely on analytic tools that show changes from baseline activity and present information in an easy-to-view form. They review reports generated by SIEM software to identify issues that are suspicious but don’t rise to the level of an alert.
Intelligence-driven tools sift through threat intelligence data to find the hostile techniques and tactics that are most applicable to an organization’s situation. Banks have a different set of security priorities from hospitals, which have different priorities from retail sites, and so on. Threat hunters use this information to form hypotheses relevant to their networks and figure out what to look for when testing them.
Educated guessing is an important part of the process, but without the right tools, the guesses won’t be educated.
2. “It can be automated with artificial intelligence.”
At the other extreme, some people think that an AI system can do the work of threat hunters with equal or better results. Someday this may be true, but it hasn’t happened yet. The hardest task for AI is figuring out human psychology. Understanding the motives and plans of intruders is a key part of threat hunting, and people do it best.
Analysts can look at their network, consider its assets and public visibility, and ask, “If I wanted to break into this system, what would I be after and how would I do it?” People can do that better than software.
3. “It’s an ad hoc, seat-of-the-pants process.”
This myth is a different way of running to the opposite extreme. Threat hunting involves guesswork, but it requires structure and discipline. Analysts run their tools regularly, compare the results with previous ones, and go through lists of threat intelligence data.
There’s a definite methodology for investigating possible threats. The first step is formulating a hypothesis based on the situation. An investigation follows, looking for data that will confirm or contradict the hypothesis. If it’s confirmed, specific identification and remediation follow. If it turns out to be mistaken, a record is entered to avoid redundant investigation.
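The hypothesis-test-record loop described above, together with the “changes from baseline” view mentioned under myth 1, as an added example that is not part of the original article. The logon-event format, the user names, the hosts and the baseline window are all constructed for illustration.

```python
# Added example (not from the original article): a small hypothesis-driven
# hunt over constructed logon events. Baseline = what each user normally does;
# the hunt flags deviations and records confirmed/refuted either way.
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (ISO timestamp, user, source/target host, outcome)
EVENTS = [
    ("2024-03-01T09:05:00", "alice", "ws-alice", "success"),
    ("2024-03-02T08:58:00", "alice", "ws-alice", "success"),
    ("2024-03-03T09:12:00", "alice", "ws-alice", "success"),
    ("2024-03-01T10:20:00", "bob", "ws-bob", "success"),
    ("2024-03-02T11:01:00", "bob", "ws-bob", "success"),
    ("2024-03-03T09:40:00", "bob", "ws-bob", "success"),
    ("2024-03-08T02:14:00", "alice", "srv-files-07", "success"),  # hunt window
    ("2024-03-08T02:16:00", "alice", "srv-db-02", "success"),
    ("2024-03-08T10:05:00", "bob", "ws-bob", "success"),
]

def build_baseline(events, end):
    """Per-user hosts and hours-of-day seen in successful logons before `end`."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ts, user, host, outcome in events:
        t = datetime.fromisoformat(ts)
        if t < end and outcome == "success":
            hosts[user].add(host)
            hours[user].add(t.hour)
    return hosts, hours

def hunt(events, baseline_end_iso):
    """Hypothesis: a user authenticating to hosts absent from their baseline,
    at hours they never work, may indicate credential misuse.
    Note: a user with no baseline history is flagged on every logon, so new
    accounts need a separate check before this result is trusted."""
    end = datetime.fromisoformat(baseline_end_iso)
    hosts, hours = build_baseline(events, end)
    findings = []
    for ts, user, host, outcome in events:
        t = datetime.fromisoformat(ts)
        if t < end or outcome != "success":
            continue
        if host not in hosts[user] and t.hour not in hours[user]:
            findings.append({"user": user, "host": host, "time": ts})
    # Record the outcome either way so the same hypothesis is not re-run blindly.
    return {"hypothesis": "new-host-plus-off-hours logon",
            "status": "confirmed" if findings else "refuted",
            "findings": findings}

if __name__ == "__main__":
    print(hunt(EVENTS, "2024-03-05T00:00:00"))
```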
4. “It’s a replacement for IDS or SIEM.”
This myth is a dangerous one. The majority of attacks use known methods, and software can catch them faster and with less effort than human investigators can. Tools such as firewalls, intrusion detection systems (IDS), and SIEM (security information and event management) are a network’s primary defense.
Threat hunting is supposed to spot exploitation of the gaps in a network’s defense. Ideally, there are no gaps, and the search will come up empty. In reality, there are always weak spots, but the attacks focusing on them are few compared with the overall spectrum. They’re the most dangerous attacks, though, and analysts should be able to focus on them while the software handles the more routine ones.
5. “It’s a one-time activity.”
No one who understands cybersecurity thinks one round of threat hunting will take care of the problem for all time, but making it a regular part of the process and budget could take some pushing. A period of hunting that doesn’t turn anything up might create the impression that it’s not accomplishing anything.
Threat hunting is a long-term commitment. The people who practice it get better over time as they test hypotheses and learn where software is most likely to miss problems. Catching just one threat that would otherwise have gone undetected can save a company millions. Dry periods aren’t a reason to drop it. New threat intelligence shows up every day, and if possible, analysts should do a round of threat hunting every day.
6. “Penetration testing is better.”
Penetration testing, and more recently its improved form, the Defensible Penetration Test, is a valuable technique for discovering weaknesses in one’s own network. It has some features in common with threat hunting. It takes a theory about weaknesses and puts it to the test. People with experience in one area will have an advantage when they try to learn the other.
But it’s not an either-or choice. Penetration testing has the advantage of showing that a weakness exists and demonstrating how it can be exploited. However, it can’t tell whether actual hostile activity is taking place. Finding weaknesses before they’re exploited is best, but finding exploits in progress is urgent if they exist. Discovering and fixing weaknesses using simulated attacks means the threat hunter has less to do, but it doesn’t eliminate the need for the task. Having both provides a defense in depth.
7. “It’s basically a hacker vs. hacker game.”
Like many myths, this one has a bit of truth to it. The defender has to anticipate the attacker’s thoughts. Some threat hunters even find their way onto criminal discussion boards to discover their current schemes. But that description makes the job sound a lot more adventurous than it is.
It helps to “think like a criminal” when forming hypotheses, but the process from there is entirely different. The goal isn’t to exploit a weakness but to remove a threat. It isn’t just to find a vulnerability but to close it. It’s challenging work, but not the James Bond stuff which some imagine.
8. “It’s only about discovering active penetration.”
Discovering malware and compromised accounts is important, but it’s better to discover a penetration attempt in progress before it can do any harm. Discovering ongoing attempts and footholds that haven’t yet done damage is important, too. Many threats rely on the downloading of additional malware and lateral movement to other systems before they give their creators anything of value.
Threat hunting may turn up previously undiscovered weaknesses that haven’t been exploited yet. Whatever it finds is an opportunity to fix a problem and make the systems safer.
9. “It’s something any tech person can pick up.”
This claim isn’t entirely false. Anyone with decent IT skills can do some threat hunting and may find hostile activity that needs remediation. Doing it well, though, is a specialized skill that requires education and practice. A skilled hunter knows what to look for and is familiar with the tools.
Analytics and SIEM systems bring a huge mass of information down to a comprehensible set of data. It takes practice to get the most out of them. It takes the ability to go through threat intelligence digests and extract the information that is relevant to one’s own situation. It takes forensic skills to proceed from a general idea to the discovery of the data that will confirm or reject it.
10. “It isn’t worth the time and effort.”
It’s true that cyber threat hunting is a labor-intensive process that won’t turn up problems as regularly as automated processes do. It might seem better to put the entire cybersecurity budget into making software protection as robust as possible. This mindset doesn’t consider the fact that the most advanced and dangerous attacks are the ones that bypass existing defenses. The people who go to that much trouble are interested in a serious return on their investment.
Threat hunting may not discover as many issues as monitoring, SIEM, and IDS do. However, if those systems miss an attack vector, they’re missing something important. We can’t rely entirely on machines to keep us safe from devious penetration schemes. Human understanding has to be part of the defensive plan. This is why we include Threat Hunting in our Gold tier of SOC as a Service.