How to Hunt For Security Threats

IT security teams are constantly on the lookout for the next hack or vulnerability. As attacks become more advanced and pervasive, the concept and practice of threat hunting has emerged.

To hunt for security threats means to look for traces of attackers, past and present, in the IT environment. Organizations that employ threat hunting use an analyst-centric process to uncover hidden, advanced threats missed by automated, preventative and detective controls. The practice is distinct from threat detection, which relies heavily on rules and algorithms.

“If you can simply write a rule, write a rule,” said Anton Chuvakin, vice president and distinguished analyst at Gartner, during the 2018 Gartner Security and Risk Management Summit in National Harbor, MD. “But then you don’t need to hunt.”

While threat hunting includes the use of various tools and processes, people are at the core. These rare IT security professionals are highly and uniquely skilled, are known as threat hunters, and the best ones have a combination of systems, security, data analysis and creative thinking skills.

Key characteristics of hunting

To understand what threat hunting is and how it works, familiarize yourself with the characteristics central to the practice.

• Proactive. Hunting is  about looking for an intruder before any alerts are generated. Proactive in this context refers to taking action before the intrusion alerts, not before intrusions occur.

• Clues and hypotheses. Hunting focuses on following clues and ideas, not "cooked" conclusive alerts from tools and rule-based detections. However, hunting informs outputs that can later become rules.

• Analyst-centric. The practice is analyst-centric. The tools used by hunters play an auxiliary role in helping them see hidden threats.

• Breach assumptions. Hunters assume that a breach or traces of, however subtle, have been left by the attackers in your IT environment.

• Interactive and iterative. Although hunting involves a process of following an initial lead or clue, there will likely be many pivots and "side quests"— all in pursuit of intruder evidence.

• Ad hoc and creative methodology. Most experts agree that hunting is not about following the rules, but rather a creative process and a loose methodology focused on outsmarting a skilled human attacker.

• Knowledge-reliant. Threat hunting relies on both advanced threat knowledge and deep knowledge of the organization's IT environment. Organizations then learn more about their IT environment and find the places where attackers hide.

Do you need a threat hunter?

Threat hunting is suitable for well-resourced security organizations facing persistent and stealthy threats. Those who hire a threat hunter or team of hunters have typically maximized their alert triage and detection content development processes and matured their security incident response functions.

The following questions will help you to determine whether or not you need to hire a threat hunter or team of hunters:

• Are you targeted by stealthy advanced threats?
• Do you have a legitimate need to push threat response time to before the time of the first alert?
• Are you worried about residual risk after security controls are deployed and matured?
• Had incidents not started by an alert?

If your answers indicate that you should undertake threat hunting:

• Are you able to hire and retain top-notch security personnel?
• Have you already improved and optimized detection and response controls and processes?
• Do you have a mature security operations center?
• Do you have enough visibility over your environment?

Organizations can get started with a consultant, vendor or an existing employee — someone who occasionally conducts ad-hoc hunting activities, but has not yet been formally made a hunter.

Chuvakin noted that while outsourcing options do exist, few vendors have the required capabilities. Many are managed security service providers (MSSPs), not managed threat hunting (MTH) providers.