In early August we presented a comprehensive webinar on threat hunting. In this post, we expand on that presentation to explore the use of the term “hunt,” and why threat hunting is more than just a buzzword.
The use of the term hunt has skyrocketed within the cyber security community, but we would argue that its true meaning has often been obscured by conflicting and self-serving definitions. By allowing the concept of adversary threat hunting to be relegated to a marketing buzzword, we risk missing out on an important development in network security operations and cyber security.
This discussion introduces what we suggest is a more useful and lasting definition of hunt, outlining the mindset, approaches, and technologies that support its implementation.
What Hunt Really Represents
Hunt is any concerted effort to discover the attackers inside your network that everyone else missed. This definition is not prescriptive; it does not say how hunt is accomplished. Instead, defining hunt as a concerted effort gives us the flexibility to introduce concepts such as discussing an organization’s ongoing hunt operations undertaken by their hunt team, or the effectiveness of a single hunt engagement. The most important point is assuming that other efforts have failed, allowing undiscovered attackers to undermine your cyber security.
Existing defenses, no matter how robust, will fail to prevent or detect some subset of attackers. This assumed breach mindset is the motivation behind hunting, and underpins nearly every hunt activity. It enables hunt to proactively search out and destroy threats for which existing security controls were not enough. Adopting this mindset does not mean that traditional defense methods should be ignored. Rather, improving an organization’s ability to prevent attacks is important to eliminating less sophisticated threats, and leaves hunt with only the most serious and difficult attackers.
Given the fact that determined attackers can hide on a network for days, weeks, months, or even years, the need for a focused effort to discover them is very real. Putting forth a specific endeavor to discover attackers even one day sooner gives you more control over the situation and can help minimize damage.
Taking a Threat-centric Approach
Operating under the premise that attackers are already on the network, hunters should follow a threat-centric approach to find and contain them. Cyber attackers’ methods are generally well-understood by security professionals, and have been organized in various models and frameworks. Hunting takes the attackers’ methodologies and turns the tables. Every action, skill, and capability involved in hunting follows directly from the need to discover and counter an adversary’s action, skill, or capability. Taking a threat-centric approach aligns hunting practices with the tactics and techniques of the offensive world.
For example, the MITRE ATT&CK matrix provides a useful tool for developing and assessing hunt operations and capabilities. This matrix precisely describes the “Adversarial Tactics, Techniques, and Common Knowledge” that hunt teams must know. Most importantly, this matrix focuses only on the actions that adversaries take once they are already on the victim’s network, which is the primary interest for hunters. Any investment into hunt capabilities or training should fall along this matrix.
By now it is clear that technologies that enable threat hunting must discover attackers already inside the network. In many cases, this means hunt capabilities and tools that pinpoint internal network traffic and indicators of compromise on the endpoints, but that’s not always the case. These tools should allow analysts to query data, dive deeper, and ask questions. These steps may involve the proactive use of capabilities traditionally associated with incident response. For some mature organizations, hunt technologies may be virtually indistinguishable from existing capabilities. What matters most is the manner in which those capabilities are employed.
How to Determine Internal Hunt Capabilities
Hunt exists on a spectrum; therefore, the sophistication of its capabilities varies by each individual organization. For instance, in an organization with few or no existing security operations, any proactive searches for undiscovered attackers may be considered hunting. In these cases, hunting has been accomplished using little more than Excel, PowerShell, and the Sysinternals Suite.
On the other end of the spectrum, organizations with mature security operations have more advanced data analytics and endpoint sensors to use. Regardless of the toolset, hunting should represent organizations’ most cutting-edge capabilities employed by their highest caliber people, even if it’s just PowerShell.
Hunt is Not a Silver Bullet
Hunt is not a technology or product of its own. Most products claiming the hunt label border on marketing gimmickry to imply advanced or cutting-edge. Yes, it’s true that some of these products may find previously undiscovered threats. They may even boost your hunt operations. However, true hunting requires that you assume that those systems have failed as well. Putting your trust in a silver-bullet hunt capability leads to complacency. Attackers are only getting better, and the cutting-edge defenses of today will quickly be rendered inadequate tomorrow. Assuming a breach mentality means that hunt is never accomplished and no security appliance can avoid that.
What is hunt’s most critical capability? People. Hunt is ultimately an investment in bringing in and empowering the right kind of people. Analysts. Operators. Hunters. Whatever their titles, they should be technically competent and given ample time to focus on hunting. These people do not merely monitor and check boxes for compliance. They engage, actively search for, track, and eliminate threats from the network.
Go Out and Hunt
Now that we’ve cleared up what hunt represents to your cyber security operations, how can your organization get started? Simple: make a serious commitment to finding attackers that you may have missed. Hire or build a technically competent team. Give them time, access, and the following mandate: assume an attacker is already on our network, become offended, and start doing something about it. You can start with two USB sticks and the free Sysinternals toolset.
If your team is serious, the results will begin to trickle down to your regular security operations as your hunt efforts push the boundaries of what your organization is capable of detecting and eradicating.
View our hunt webinar, “Ignorance Isn’t Bliss: Why Hunting Attackers Is Critical to Network Security.”
Andrew Cook is the incident response and hunt capability lead for Delta Risk and manages the company’s ActiveResponse services.