In recent years there has been an increasing need and trend for organizations to engage in an activity known as threat hunting. One key challenge, however, is that there is some confusion about what threat hunting actually is and why it’s important.
According to the Fidelis 2018 State of Threat Detection Report, 63 percent of organizations do not currently employ threat hunting, or they do not know if they do. The Fidelis study was based on a survey of 580 security professionals from around the world.
“‘Threat hunting’ is a term that is often misused by vendors and misunderstood by organizations,” Tim Roddy, vice president of product strategy at Fidelis Cybersecurity, told eWEEK.
Threat hunting is an activity that involves humans with security and data analysis skills, trying to solve a hypothesis based on threat intelligence, suspicions based on experience, known attacks within their industry or red team indicators, according to Roddy.
“[Threat hunting] requires specific expertise along with metadata and the tools to iteratively ad-hoc query, analyze and correlate the data to test the hypothesis,” he said. “It is, as we like to say, the last line of defense because advanced threats as we know can bypass preventive solutions and they can sometimes even evade automated detection methods.”
While there might be some confusion in the industry as a whole about what threat hunting is all about, the Fidelis survey found that 88 percent of respondents view threat hunting as a necessity to help improve cyber-security.
Threat Hunting Tools
There are multiple types of tools that are often used to aid threat hunting activities. While some vendors advocate for the use of SIEM (Security Information and Event Management) logs to help threat hunters, Roddy has a different view.
“SIEMs often don’t provide the content or context to threat hunt and are not easy to query due to performance issues and slow response times,” he said. “To do threat hunting right, you need indexed metadata from both the network sessions and from endpoints that is quick to query and search in real time and retrospectively.”
Roddy added that metadata provides attributes about information and is a critical component of being able to hunt for threats. Endpoint detection and response (EDR) technology is also often considered to be a component of threat hunting, though Roddy also had a differing viewpoint. According to the study, 45 percent of respondents stated that they do not have an EDR technology in place.
“Being able to run cross-session and multifaceted analysis or machine-learning anomaly detection, for example, is imperative and not always possible with just EDR data,” he said.
There are several core elements that are necessary for effective threat detection within enterprises. Roddy said that organizations need visibility across the entire environment, including endpoints, networks, cloud and enterprise internet of things (IoT).
“That visibility needs to cover all ports and all protocols for networks, endpoint activity, lateral movement and data exfiltration covering each stage of the kill chain so that you can ultimately detect advanced threats and stop data theft from occurring,” Roddy said. “Threat hunting is the next stage after threat detection as that last line of defense, and may be done in targeted measures or continuously for more mature security operations.”
Roddy added that having both threat detection and threat hunting in place can help to improve detection, investigation and response skills as well as providing organizations with the ability to transition from a reactive to proactive posture.
“I think that as organizations continue to mature their security programs, more will include threat hunting in their plans,” Roddy said. “There are not many skilled threat hunters out there, so what we see occurring is the increased push for managed detection and response [MDR] services that include a threat hunting capability and having this service used either as a way to augment organizations that already have SOCs or to be that critical service for midsized organizations.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.