Maybe it’s time to consider threat hunting.
It's 1 o'clock and all is well. You're back from lunch, and as the company's senior SOC threat researcher, you've just reviewed your SIEM dashboards for security alerts. Nothing out of the ordinary has caught your attention. A recent automation project has drastically cut the time it takes to do this security sweep, freeing up valuable time that would have previously been spent on manual tasks. So how do you spend this newfound time?
Maybe it’s time to consider threat hunting. Threat hunting involves going beyond what we already know or have been alerted to. Security software only alerts us to the risks and behaviors that we know are malicious. Threat hunting is about venturing into the unknown.
Threat hunting is an active security exercise, with the intent of finding and rooting out attackers that have penetrated your environment without raising the alarm. This is in contrast to traditional investigations and responses that stem from alerts that appear after potentially malicious activity has been detected.
Of course, this scenario could sound somewhat idealized. I mean, who really finds themselves with a free afternoon? There’s always something else that needs doing, right?
The reality is that, most of the time, threat hunting isn’t an activity you do on a whim. Nor is it something you do in an ongoing investigation as the next step in a procedure. Rather, it’s an activity you deliberately plan and regularly carry out to help strengthen your security posture. Essentially, it’s another tool in your security arsenal.
None of this sounds easy when your schedule is packed and your to-do list is as long as your arm. However, there are some key benefits to setting aside time on the calendar to perform threat-hunting activities.
For starters, the identification and eradication of unknown and undetected threats is always a good thing. Even when no particular threat is discovered, threat hunting exercises often identify weaknesses in your environment that you can shore up and gaps for which you can set new policies. Ultimately, regular threat hunting can significantly shrink the attack surface available to future malicious actors.
There are also substantial opportunities to build upon what’s learned during a threat hunting campaign. These exercises can identify areas where alerting for malicious behavior could be put in place, as well as where to develop automation to repeat a particular threat hunting scope. From there, you can carry out additional threat-hunting exercises, building up and extending your protections and capabilities.
The goal of this paper is to provide an overview of the threat hunting discipline. We’ll explore the ins and outs of threat hunting, highlight why it’s a worthwhile endeavor, who should be involved, what and where you should look, and when you should do it.
There are also a number of security disciplines with tasks that overlap with threat hunting. We'll compare and contrast these disciplines, showing that while threat hunting is similar to other tasks, it deserves its own place in your security arsenal.
Finally, we'll discuss how you can build out effective threat hunting campaigns within your organization. One of the toughest things to determine is where to start. To assist, we begin with the simple steps you can take to build up your threat hunting posture, strengthening your organization's security in the process.