Hunter or Hunted ... Which Would You Rather Be?

While most organizations are left reeling after attacks, leading security teams are getting proactive about defense.

Can you run a 7-minute mile? Neither can I, but it's not an unreasonable goal to set.

In the same way, not every organization can launch a formal threat hunting program right now, but there are steps you can take to get faster and more proactive about identifying advanced threats.

If I want to reach my 7-minute mile goal, it would help if I started exercising daily. Similarly, many IT organizations can more quickly mature their security posture by patching holes in their defenses—disabling vulnerable protocols, such as SMBv1, for example—than by looking around for the bad guys.

With that in mind, some organizations really should begin formal threat hunting programs as soon as possible, especially larger organizations with valuable assets to protect (defense agencies, for example). Those that already have are seeing positive results. According to a survey by the SANS Institute, organizations that have implemented threat hunting initiatives have seen those efforts pay off—91 percent of respondents improved the speed and accuracy of their response due to threat hunting, while 88 percent were able to reduce dwell time (the period from initial infection to detection).

What Is Threat Hunting, and Why Is It Needed?

The recent buzz around threat hunting is a tacit admission that the security products meant to stop attacks at the perimeter are not keeping out all the threats. Yes, you need firewalls and endpoint protection, but attacks are still making it through—and likely always will. For those active threats that make it through and establish a presence inside your environment, you need to hunt them yourself.

Threat hunting emphasizes the hunter, not the tools used.

Threat hunting emphasizes the hunter—the security professional who knows the environment and its potential weaknesses in a way that no security product can. The tools matter, but they come second: they exist to make the threat hunter more efficient, letting them answer questions faster. "What suspicious behavior is going on?" "Are my network segments really segmented?" "Who is using service accounts, and what are they doing with them?"

How Does Machine Learning Fit?

Machine learning can help the threat hunter by continuously sifting through large datasets to identify suspicious patterns or outliers that deserve further investigation. But for now, the human element is still key. In fact, the combination of humans and machines has repeatedly been shown to outperform either humans or machines alone.

Garry Kasparov, the chess world champion who famously lost to IBM's Deep Blue, introduced the concept of Centaur Chess, where a human player teams with a machine to play against another human-machine team. Chess enthusiasts found that such human-machine teams consistently beat either a human or a machine playing alone. Similarly, machine learning technology can serve as a force multiplier for human analysts, enabling them to cover more ground, faster, than they could on their own.

How to Get There

You may be doing threat hunting informally today. Perhaps you have a security analyst who thinks creatively about how attackers might get in, and who manages to spend some extra time checking whether any bad guys had the same idea. Or maybe you're a security-minded sysadmin who schedules some time to review firewall logs for suspicious behavior.

Filtering on ".ru" quickly narrows DNS request transaction records down to queries for Russian (.ru) domains.

Starting with the human resources you have now, you can employ analytics platforms such as ExtraHop to make the time your threat hunters spend more productive. We recently published a white paper about how you can use the ExtraHop platform to speed up threat hunting. The paper provides three examples of how ExtraHop answers questions in just a few clicks:

  • "What files did this user access last month?"
  • "Which other clients have accessed this malware-infected URI?"
  • "Are there any clients making DNS queries to Russian FQDNs?"
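The third question above is the kind of hunt that a filter on ".ru" answers in one click in a wire-data platform, but the same check is easy to run over any DNS transaction log. The following Python is an added example written for this post, not ExtraHop's own code or the contents of its white paper. It assumes a constructed record format of one query per line, "timestamp client qname qtype" (the sample records are made up, not real traffic), and it shows why the quick substring filter is a triage shortcut rather than a precise match: a proper check compares the top-level label, after normalizing case and a trailing dot, so names like "example.run" or "mirror.ru.example.org" are not counted as Russian domains.

```python
"""Hunt DNS transaction records for queries to chosen top-level domains.

Added example for this post; not ExtraHop code. Record format is an
assumption: one line per query, "timestamp client qname qtype".
"""
from collections import defaultdict

# Constructed sample records (not real traffic). Includes two look-alikes
# that a substring filter on ".ru" matches but that are not .ru domains.
SAMPLE_RECORDS = """\
2017-06-01T10:00:01Z 10.1.4.22 www.example.com A
2017-06-01T10:00:02Z 10.1.4.22 update.mail.ru A
2017-06-01T10:00:03Z 10.1.7.9 cdn.yandex.ru A
2017-06-01T10:00:04Z 10.1.7.9 rusty.example.run A
2017-06-01T10:00:05Z 10.1.9.3 mirror.ru.example.org A
2017-06-01T10:00:06Z 10.1.4.22 Update.Mail.RU. AAAA
"""


def parse_records(text):
    """Parse the assumed 'timestamp client qname qtype' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype})
    return records


def qname_in_tld(qname, tlds):
    """True if the query name's top-level label is one of tlds.

    Normalizes case and strips a trailing dot (an FQDN may be written
    'host.ru.'), then compares only the last label, so 'rusty.example.run'
    and 'mirror.ru.example.org' are not matched.
    """
    labels = qname.rstrip(".").lower().split(".")
    wanted = {t.strip(".").lower() for t in tlds}
    return len(labels) >= 2 and labels[-1] in wanted


def hunt_by_tld(records, tlds=("ru",)):
    """Return {client: sorted unique query names} for queries to the given TLDs.

    Grouping by client answers the hunter's question directly: which hosts
    are talking to these domains, and to which names.
    """
    hits = defaultdict(set)
    for r in records:
        if qname_in_tld(r["qname"], tlds):
            hits[r["client"]].add(r["qname"].rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}


def naive_substring_hits(records, needle=".ru"):
    """The quick-filter version: a case-insensitive substring match.

    Fast for a first look, but it also returns the look-alike names.
    """
    return sorted({r["qname"] for r in records if needle in r["qname"].lower()})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("Clients querying .ru domains:", hunt_by_tld(recs))
    print("Substring filter on '.ru' returns:", naive_substring_hits(recs))
```

Two caveats a hunter should keep in mind when running this against real data. First, a TLD is a triage lens, not an indicator of compromise: plenty of legitimate services live under .ru, and Russian-registered domains also use .su and the IDN TLD .рф (xn--p1ai in the wire), so pass those to `tlds` as well if that is the question being asked. Second, once a client of interest turns up, the follow-on questions from the list above (which other clients resolved the same name, what did that user touch afterwards) are where the real hunt starts.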

Download ExtraHop's white paper, Threat Visibility for Cyber Hunters, to learn more.
