June 07, 2018
Contributor: Jill Beadle
Organizations ready to take the next step in threat detection tools and methods should explore the emerging practice of threat hunting as a way to improve their security and monitoring operations.
IT security teams are constantly on the lookout for the next hack or vulnerability. As attacks become more advanced and pervasive, the concept and practice of threat hunting has emerged.
To hunt for security threats means to look for traces of attackers, past and present, in the IT environment. Organizations that employ threat hunting use an analyst-centric process to uncover hidden, advanced threats missed by automated, preventative and detective controls. The practice is distinct from threat detection, which relies heavily on rules and algorithms.
“If you can simply write a rule, write a rule,” said Anton Chuvakin, vice president and distinguished analyst at Gartner, during the 2018 Gartner Security and Risk Management Summit in National Harbor, MD. “But then you don’t need to hunt.”
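The distinction Chuvakin draws, shown in code. This is an added illustration, not part of the Gartner article: a detection rule that fires only on the exact pattern it encodes (an Office application launching PowerShell with an encoded command), next to a hunt that stacks parent-to-child process pairs across hosts and surfaces the rare ones as leads for an analyst to review. The process-creation records, host names, process names and command lines are all constructed for the example, and the rule and hunt functions are assumptions about how a team might write them, not any vendor's logic.

```python
"""Rule-based detection versus analyst-driven hunting over constructed
process-creation records. Illustrative example, not from the Gartner article."""

# Constructed sample events: (host, parent_process, process, command_line).
# These are made-up records for illustration, not real telemetry.
EVENTS = [
    ("ws01", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws01", "outlook.exe", "winword.exe", "winword.exe /n invoice.docx"),
    ("ws02", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws02", "outlook.exe", "winword.exe", "winword.exe /n agenda.docx"),
    ("ws03", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws03", "outlook.exe", "winword.exe", "winword.exe /n quote.docx"),
    ("ws03", "winword.exe", "powershell.exe", "powershell.exe -enc SQBFAFgA"),
    ("ws04", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws04", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("ws05", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("ws05", "explorer.exe", "svchost.exe", "svchost.exe -k update"),
    ("ws06", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("ws06", "explorer.exe", "chrome.exe", "chrome.exe"),
]

# Hypothetical allow-list of Office parents the rule cares about.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def _is_encoded_command_flag(token):
    """True for -e, -en, -enc ... -encodedcommand (PowerShell accepts any
    unambiguous prefix of a parameter name)."""
    t = token.lower()
    return len(t) >= 2 and t[0] == "-" and "encodedcommand".startswith(t[1:])


def rule_office_spawns_encoded_powershell(events):
    """Detection rule: an Office application launching PowerShell with an
    encoded command. Deterministic, cheap, and blind to anything else."""
    hits = []
    for host, parent, proc, cmd in events:
        if (parent.lower() in OFFICE_APPS
                and proc.lower() == "powershell.exe"
                and any(_is_encoded_command_flag(tok) for tok in cmd.split())):
            hits.append((host, parent, proc, cmd))
    return hits


def hunt_rare_parent_child(events, max_hosts=1):
    """Hunt by stacking: count distinct hosts per (parent, child) pair and
    return the pairs seen on at most max_hosts hosts. No prior pattern is
    assumed; the output is a list of leads, not alerts, and needs an analyst."""
    hosts_per_pair = {}
    for host, parent, proc, _ in events:
        hosts_per_pair.setdefault((parent.lower(), proc.lower()), set()).add(host)
    return sorted((pair, sorted(hosts))
                  for pair, hosts in hosts_per_pair.items()
                  if len(hosts) <= max_hosts)


def uncovered_leads(events, max_hosts=1):
    """Leads from the hunt that the existing rule does not already catch.
    Anything the rule covers should stay a rule; hunting effort goes elsewhere."""
    flagged = {(h, p.lower(), c.lower())
               for h, p, c, _ in rule_office_spawns_encoded_powershell(events)}
    return [(pair, hosts)
            for pair, hosts in hunt_rare_parent_child(events, max_hosts)
            if not all((h, pair[0], pair[1]) in flagged for h in hosts)]


if __name__ == "__main__":
    print("rule hits:", rule_office_spawns_encoded_powershell(EVENTS))
    print("hunt leads:", hunt_rare_parent_child(EVENTS))
    print("leads not covered by a rule:", uncovered_leads(EVENTS))
```

On the constructed data the rule catches only the encoded PowerShell on ws03. The hunt returns that same pair plus two others it has no signature for: explorer.exe launching svchost.exe on ws05 (worth a look) and explorer.exe launching chrome.exe on ws06 (almost certainly benign). That mix is the point: stacking produces leads, and it takes an analyst to separate the two, which is why the practice is described as people-centric rather than rule-driven.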
While threat hunting makes use of various tools and processes, people are at its core. Threat hunters are rare and highly skilled IT security professionals; the best of them combine systems, security, data analysis and creative-thinking skills.
To understand what threat hunting is and how it works, familiarize yourself with the characteristics central to the practice.
Threat hunting is suitable for well-resourced security organizations facing persistent and stealthy threats. Those who hire a threat hunter or team of hunters have typically maximized their alert triage and detection content development processes and matured their security incident response functions.
The following questions will help you to determine whether or not you need to hire a threat hunter or team of hunters:
If your answers indicate that you should undertake threat hunting, you can get started with a consultant, a vendor or an existing employee: someone who occasionally conducts ad hoc hunting activities but has not yet been formally designated a hunter.
Chuvakin noted that while outsourcing options exist, few vendors have the required capabilities: many are managed security service providers (MSSPs), not managed threat hunting (MTH) providers.
Recommended resources for Gartner clients*:
How to Hunt for Security Threats by Anton Chuvakin.
*Note that some documents may not be available to all Gartner clients.