Threat hunting is one of the toughest security challenges that we face today. It's the process of proactively and iteratively searching through security data to find threats that have evaded your security solutions.
You're essentially chasing down the “unknown unknowns”. No alarm has gone off. No trigger has occurred that makes it easier to hunt. It’s the stuff that is running silent and running deep. And that makes it difficult, and expensive.
A common fallacy about threat hunting is that it is the same thing as incident response. Threat hunting is “before”. Incident response is “after”. They are not the same thing. If you are threat hunting, you are proactively looking for a sign of an incursion or anomalous activity in your network as part of prevention and detection. If you find something, you need to escalate it so the appropriate IT or IT security person can take action. That action, which follows the threat hunting activity, is incident response.
But what separates the elite threat hunting teams from the rest? Here are the five habits of highly effective threat hunting teams:
1.) Don't succumb to chasing the threat of the day
Elite threat hunters don't get derailed by the latest high-profile exploit in the mainstream media. They trust their process and don't chase after every shiny object that comes their way. They stay focused on the track and run it hard. That means having a thoroughbred process with blinders on, so you don't get distracted.
2.) Work in conjunction, not in isolation
Your threat hunting team is not an island working in an ivory tower all to itself. It should be integrated with IT operations, so that what is found can be fixed and prevented from recurring; with the detection content teams that keep track of the threats currently in circulation; and with the automation teams that can turn a successful manual hunt into a repeatable, scheduled one. No man is an island. No threat hunting team is an island.
3.) Visibility is key
You can't catch what you can't see. Elite threat hunting teams are always asking, are we getting the right data from the right assets at the right time in the right manner? If you have it, then you have some ability to sift through it, to pivot from indicator to indicator, from field to field as you try to catch these elusive threats. But if you can't see it, then it's much less likely that you're ever going to be able to catch it.
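The "right data from the right assets at the right time" question can be asked mechanically. The following is an added example, not code from the original post or from any product: it compares an asset inventory (what each host should be shipping) against the collector's last-seen table and reports sources that never arrived, sources that went quiet, and hosts that report but are not in the inventory at all. The hostnames, source names and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

def utc(*args):
    """Small helper so the constructed timestamps below stay readable."""
    return datetime(*args, tzinfo=timezone.utc)

# Constructed asset inventory: which log sources each monitored host is expected to ship.
# Names are illustrative, not taken from any particular product.
EXPECTED_SOURCES = {
    "dc01":   {"windows-security", "sysmon", "dns"},
    "web01":  {"linux-auth", "nginx-access"},
    "ws-042": {"windows-security", "sysmon"},
}

# Constructed "last event received" table, as a SIEM would report it per (host, source).
LAST_SEEN = {
    ("dc01", "windows-security"):   utc(2024, 3, 4, 11, 58),
    ("dc01", "sysmon"):             utc(2024, 3, 4, 11, 59),
    # ("dc01", "dns") never arrived: the DNS log was never forwarded at all
    ("web01", "linux-auth"):        utc(2024, 3, 4, 11, 57),
    ("web01", "nginx-access"):      utc(2024, 3, 3, 2, 10),   # stopped more than a day ago
    ("ws-042", "windows-security"): utc(2024, 3, 4, 11, 55),
    ("ws-042", "sysmon"):           utc(2024, 3, 4, 11, 56),
    ("unknown-host", "sysmon"):     utc(2024, 3, 4, 11, 50),  # shipping logs but absent from inventory
}

def coverage_gaps(expected, last_seen, now, max_silence=timedelta(hours=1)):
    """Compare the inventory against what the collector actually received.

    Returns three lists:
      missing    - (host, source) pairs that have never been seen
      stale      - (host, source, silence) pairs whose last event is older than max_silence
      unexpected - (host, source) pairs reporting from hosts absent from the inventory
    """
    missing, stale, unexpected = [], [], []
    for host, sources in expected.items():
        for source in sorted(sources):
            ts = last_seen.get((host, source))
            if ts is None:
                missing.append((host, source))
            elif now - ts > max_silence:
                stale.append((host, source, now - ts))
    for host, source in last_seen:
        if host not in expected:
            unexpected.append((host, source))
    return missing, stale, unexpected

def coverage_ratio(expected, missing, stale):
    """Fraction of expected (host, source) pairs that are currently reporting."""
    total = sum(len(s) for s in expected.values())
    healthy = total - len(missing) - len(stale)
    return healthy / total if total else 0.0

if __name__ == "__main__":
    now = utc(2024, 3, 4, 12, 0)
    missing, stale, unexpected = coverage_gaps(EXPECTED_SOURCES, LAST_SEEN, now)
    print("missing:   ", missing)
    print("stale:     ", [(h, s, str(d)) for h, s, d in stale])
    print("unexpected:", unexpected)
    print("coverage:   %.0f%%" % (100 * coverage_ratio(EXPECTED_SOURCES, missing, stale)))
```

The unexpected list matters as much as the missing one: a host that is shipping logs without being in the inventory is either an inventory gap or something you did not know was on the network, and both are worth a hunter's attention.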
4.) Baselining is difficult
Maintaining an adaptive baseline is technically quite a difficult task. But if you don't know what is normal, then how are you going to catch what is out of ordinary? Networks change, data has seasonality. Do you know what's normal at this time of day, on this day of the week, in this month of the year? Elite threat hunters do.
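To make the seasonality point concrete, here is an added example (not code from the original post) of a baseline keyed by weekday and hour of day. It builds per-bucket mean and spread from constructed history, refuses to score against a bucket with too few samples, floors the standard deviation so a near-constant bucket does not turn every wobble into a hundred-sigma event, and then shows that the same count of 450 DNS queries in an hour is an anomaly at 03:00 on a Tuesday but ordinary at 14:00. The traffic profile, thresholds and dates are assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def bucket(ts):
    """Seasonal bucket: (weekday, hour), Monday = 0. Add month if your data needs it."""
    return (ts.weekday(), ts.hour)

def build_baseline(history, min_samples=3):
    """history: iterable of (timestamp, count). Returns {bucket: (mean, pstdev, n)}.

    Buckets with fewer than min_samples observations are dropped rather than trusted:
    a baseline built on one or two points is noise, not a baseline.
    """
    by_bucket = defaultdict(list)
    for ts, count in history:
        by_bucket[bucket(ts)].append(count)
    return {
        b: (statistics.mean(c), statistics.pstdev(c), len(c))
        for b, c in by_bucket.items()
        if len(c) >= min_samples
    }

def score(baseline, ts, count, threshold=3.0, floor_stdev=1.0):
    """Return (verdict, z). floor_stdev keeps a near-constant bucket from
    reporting absurd z-scores on tiny deviations."""
    b = bucket(ts)
    if b not in baseline:
        return ("no-baseline", None)
    mean, sd, _n = baseline[b]
    z = (count - mean) / max(sd, floor_stdev)
    # One-sided on purpose: this hunts spikes. A collapse to zero is a
    # visibility problem and belongs with the log-source coverage checks.
    return ("anomalous" if z > threshold else "normal", round(z, 2))

def synthetic_history(weeks=4, start=datetime(2024, 2, 5, tzinfo=timezone.utc)):
    """Constructed hourly counts of outbound DNS queries from one workstation.
    Weekday business hours run about 500/h, nights and weekends about 40/h, with a
    deterministic jitter so every bucket has non-zero spread. 2024-02-05 is a Monday."""
    history = []
    for i in range(weeks * 7 * 24):
        ts = start + timedelta(hours=i)
        base = 500 if (ts.weekday() < 5 and 8 <= ts.hour < 18) else 40
        jitter = (i * 7) % 11 - 5   # -5 .. +5
        history.append((ts, base + jitter))
    return history

def run_hunt():
    """Score one observed count against two buckets; 2024-03-05 is a Tuesday."""
    baseline = build_baseline(synthetic_history())
    tue_0300 = datetime(2024, 3, 5, 3, tzinfo=timezone.utc)
    tue_1400 = datetime(2024, 3, 5, 14, tzinfo=timezone.utc)
    thin = build_baseline(synthetic_history(weeks=2))   # 2 samples per bucket: too few
    return {
        "night": score(baseline, tue_0300, 450),   # ("anomalous", z well above 3)
        "day":   score(baseline, tue_1400, 450),   # ("normal", negative z)
        "thin":  score(thin, tue_0300, 450),       # ("no-baseline", None)
    }

if __name__ == "__main__":
    for name, verdict in run_hunt().items():
        print(name, verdict)
```

In production the history would come from the SIEM and the baseline would be rebuilt on a rolling window so it adapts as the network changes; the bucket key is the part that encodes "this time of day, on this day of the week".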
5.) Hypothesize early and often
A proactive hunter does not wait for an indicator of compromise. The people chasing down logs and lists of known-bad hashes, IP addresses and domain names are really alert responders, not threat hunters: those atomic indicators sit at the bottom of David Bianco's Pyramid of Pain, where they are cheapest for an adversary to change. An elite threat hunter hypothesizes based on intuition, their understanding of the network, and what they have seen happen elsewhere in the industry, and then runs hunts to confirm or refute those hypotheses. Logs have their place, but for an elite team they are something used during the hunt, not the trigger for it.
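The difference between matching indicators and testing a hypothesis is easiest to see side by side. The following is an added example, not code from the original post: a handful of constructed process-creation events in a Sysmon-like shape, a constructed hash feed, and two functions. The first does bottom-of-the-pyramid matching on file hashes and finds nothing, because the attacker's binary is new. The second tests the hypothesis "someone is using schtasks.exe for persistence from a document or script host, pointing the task at a user-writable path", which is a behaviour the adversary cannot cheaply change. The parent-process and path lists are assumptions chosen for the example, not a vendor's rule set.

```python
import re

# Constructed process-creation events. Paths follow Windows conventions; hashes are placeholders.
EVENTS = [
    {"id": 1, "host": "ws-042", "user": "CORP\\jdoe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /create /tn "OneDriveSync" /sc minute /mo 5 '
                '/tr "C:\\Users\\jdoe\\AppData\\Local\\Temp\\od.exe"',
     "sha256": "c0ffee01"},
    {"id": 2, "host": "dc01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /create /tn "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" '
                '/tr "C:\\Windows\\System32\\defrag.exe" /sc weekly',
     "sha256": "c0ffee02"},
    {"id": 3, "host": "web01", "user": "CORP\\admin",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /query /fo LIST",
     "sha256": "c0ffee03"},
    {"id": 4, "host": "ws-007", "user": "CORP\\jsmith",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /create /tn "VendorAgent" /sc daily '
                '/tr "C:\\Program Files\\Vendor\\agent.exe"',
     "sha256": "c0ffee04"},
]

# Constructed threat-intel feed of known-bad hashes. None match the events above,
# which is the normal situation when the tooling is new or recompiled.
IOC_HASHES = {"deadbeef01", "deadbeef02"}

# Assumed lists for the hypothesis: parents that should rarely create scheduled tasks,
# and path fragments that an ordinary user can write to.
SUSPICIOUS_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "powershell.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

def ioc_match(events, hashes):
    """Bottom of the pyramid: exact hash matching. Returns matching event ids."""
    return [e["id"] for e in events if e["sha256"] in hashes]

def task_action(cmdline):
    """Pull the /tr (task action) argument, quoted or bare, out of a schtasks command line."""
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None

def hunt_suspicious_task_creation(events):
    """Hypothesis hunt. Returns [(event id, [reasons])] for schtasks /create calls
    launched from a document or script host, or whose action lives in a user-writable path."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        if not re.search(r"(?:^|\s)/create\b", e["cmdline"], re.I):
            continue
        reasons = []
        parent = e["parent"].lower().rsplit("\\", 1)[-1]
        if parent in SUSPICIOUS_PARENTS:
            reasons.append("parent process " + parent)
        action = task_action(e["cmdline"])
        if action and any(p in action.lower() for p in USER_WRITABLE):
            reasons.append("task action in user-writable path: " + action)
        if reasons:
            hits.append((e["id"], reasons))
    return hits

if __name__ == "__main__":
    print("IOC hits:", ioc_match(EVENTS, IOC_HASHES))
    for event_id, reasons in hunt_suspicious_task_creation(EVENTS):
        print("hypothesis hit on event", event_id, "->", "; ".join(reasons))
```

Event 2 (a built-in task created by SYSTEM from svchost.exe) and event 4 (a task pointing into Program Files, created from a plain shell) are deliberately left alone so the hunt does not degenerate into "alert on every schtasks"; the hunter's job after a hit is to pivot from it, not to page on it.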
You Don’t Have to Go at it Alone
Building an effective threat hunting team is not an easy task. It requires significant investment in time, resources, and talent, as well as access to advanced security tools and technologies.
For MSPs, building a threat hunting team may not always be feasible, as they may not have the necessary resources or expertise to do so. In addition, even if an MSP can build a team, it can be challenging to keep up with the fast pace of the threat landscape.
This is where a Managed XDR solution like Netsurion can be highly beneficial. By leveraging the expertise and tools of a Managed XDR provider, MSPs can access a comprehensive, proactive, and scalable approach to threat hunting. Managed XDR providers can provide MSPs continuous threat hunting, enhanced visibility, threat intelligence, and automated threat response capabilities, freeing up their resources to focus on other aspects of their business.
Being an elite threat hunting team requires a lot of time, money, and talent. But if you follow these five habits or take on the assistance of a Managed XDR provider, you can significantly increase your chances of catching the elusive threats that are running silent and running deep.