After my first-ever RSA Conference experience, I returned to Boston with a lot of takeaways — not to mention a week’s worth of new socks, thanks to generous vendors that had a more functional swag approach than most. I spent the majority of my time at RSAC 2019 at the Master Threat Hunting kiosk within the broader IBM Security booth, where I told anyone who wanted to listen about how we use methodologies and tools from the military and intelligence communities to fight cyberthreats in the private sector. When I wasn’t at the booth, I was scouring the show floor on a hunt of my own — a hunt for the true meaning of threat hunting.

Don’t Believe the Hype: 3 Common Misconceptions About Threat Hunting

At first glance, the results of my hunt seemed promising; I saw the term “threat hunting” plastered all over many of the vendors’ booths. Wanting to learn more, I spoke with the booth personnel about their threat hunting solutions, gathered a stack of marketing one-pagers and continued on my separate hunt for free socks and stress balls.

After digesting the information from booth staff and digging into the marketing materials from the myriad vendors, I was saddened to learn that threat hunting is becoming a full-blown buzzword.

Let’s be honest: “Threat hunting” certainly has a cool ring to it that draws people in and makes them want to learn more. However, it’s important not to lose sight of the fact that threat hunting is an actual approach to cyber investigations that has been around since long before marketers starting using it as a hook.

Below are three of the most notable misconceptions about threat hunting I witnessed as I prowled around the show floor at RSAC 2019.

1. Threat Hunting Should Be Fully Automated

In general, automation is great; I love automating parts of my life to save time and to make things easier. However, there are some things that can’t be fully automated — or shouldn’t be, at least not yet. Threat hunting is one of those things.

While automation can be used within various threat hunting tools, it is still a very manual, human-led process to proactively (and reactively) hunt for unknown threats in your network that may have avoided your rules-based detection solutions. Threat hunting methodologies were derived from the counterterrorism community and repurposed for cybersecurity. There’s a reason why we don’t fully automate counterterrorism analysis, and the same applies to cyber.

2. Threat Hunting and EDR Are One and the Same

This was the most common misconception I encountered while searching for threat hunting solutions at RSAC. It went something like this: I would go into a booth, ask to learn more about the vendor’s threat hunting solution and come to find that what’s actually being marketed is an endpoint detection and response (EDR) solution.

EDR is a crucial piece of threat hunting, but these products are not the only tools threat hunters use. If threat hunting was as easy as using an EDR solution to find threats, we would have a much higher success rate. The truth is that EDR solutions need to be coupled with other tools, such as threat intelligence, open-source intelligence (OSINT) and network data, and brought together in a common platform to visualize anomalies and trends in the data.

3. Threat Hunting Is Overly Complicated

All of the marketing and buzz around threat hunting has overcomplicated what it actually is. It’s not one tool, it’s not automated, it’s not an overly complicated process. It takes multiple tools and a ton of data, it is very much dependent on well-trained analysts that know what they’re looking for, and it is an investigative process just like counterterrorism and law enforcement investigations. Since cyber threat hunting mirrors these investigative techniques, threat hunters should look toward trusted tools from the national security and law enforcement sectors.

What Is the True Meaning of Cyber Threat Hunting?

Don’t get me wrong — I am thrilled that threat hunting is gaining steam and vendors are coming up with innovative solutions to contribute to the definition of threat hunting. As a former analyst, I define threat hunting as an in-depth, human-led, investigative process to discover threats to an organization. My definition may vary from most when it comes to how this is conducted, since most definitions emphasize that threat hunting is a totally proactive approach. While I absolutely agree with the importance of proactivity, there aren’t many organizations that can take a solely proactive approach to threat hunting due to constraints related to budget, training and time.

While not ideal, there is a way to hunt reactively, which is often more realistic for small and midsize organizations. For example, you could conduct a more in-depth cyber investigation to get the context around a cyber incident or alert. Some would argue that’s just incident response, not threat hunting — but it turns into threat hunting when an analyst takes an all-source intelligence approach to enrich their investigation with external sources, such as threat intelligence and social media, and other internal sources of data. This approach can show the who, what, where, when and how around the incident and inform leadership on how to take the best action. The context can be used to retrain the rules-based systems and build investigative baselines for future analysis.

The Definition of Threat Hunting Is Evolving

Cyber threat hunting tools come in all shapes and sizes, but the most advanced tools allow you to reactively and proactively investigate threats by bringing all your internal and external data into one platform. By fusing internal security information and event management (SIEM) data, internal records, access logs and more with external data feeds, cyber threat hunters can identify trends and anomalies in the data and turn it into actionable intelligence to address threats in the network and proactively thwart ones that haven’t hit yet.

Behind the buzz and momentum from RSAC 2019, threat hunting will continue to gain traction, more advanced solutions will be developed, and organizations will be able to hunt down threats more efficiently and effectively. I’m excited to see how the definition evolves in the near future — as long as the cyber threat hunting roots stay strong.

Read the “SANS 2018 Threat Hunting Results” report

More from Threat Hunting

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

RomCom RAT Attack Analysis: Fake It to Make It

The RomCom RAT has been making the rounds — first in Ukraine as it went after military installations, and now in certain English-speaking countries such as the United Kingdom. Initially a spear-phishing campaign, the RomCom attack has evolved to include domain and download spoofing of well-known and trusted products. In this piece, we’ll break down current RomCom realities, dive into the problems with digital doppelgangers and offer advice to help secure software downloads. RomCom Realities Despite the name, there’s no…

A Perfect Storm: 7 Reasons Global Attacks Will Soar in 2023

In 2023, the global annual cost of cyber crime is predicted to top $8 trillion, according to a recent Cybersecurity Ventures report. This seemingly enormous figure might still be a major underestimate. In 2021, U.S. financial institutions lost nearly $1.2 billion in costs due to ransomware attacks alone. That was a nearly 200% increase over the previous year. If we continue at that rate, next year could see global costs approaching $16 trillion. Why might costs be so high? Here…

Beware of What Is Lurking in the Shadows of Your IT

This post was written with contributions from Joseph Lozowski. Comprehensive incident preparedness requires building out and testing response plans that consider the possibility that threats will bypass all security protections. An example of a threat vector that can bypass security protections is “shadow IT” and it is one that organizations must prepare for. Shadow IT is the use of any hardware or software operating within an enterprise without the knowledge or permission of IT or Security. IBM Security X-Force responds…