The year has very nearly come and gone, and some fads that we saw throughout 2018 are going with it. Fidget spinners are collecting dust in cubicles, the mannequin challenge is something only seen in department stores, and the Nae Nae is becoming extinct on dance floors across the country.
It’s no different in the cybersecurity community; trending tools and buzzwords come and go as quickly as viral internet memes. However, one capability that it’s here to stay is threat hunting, a proactive approach to discovering and mitigating threats. The term and practice of threat hunting has actually been around for quite some time, but it is becoming more of a household concept throughout security operations centers (SOCs), governments and private sector companies around the world. This is largely due to studies around the benefits of the practice and real-world use cases that are rapidly emerging.
In the past year, we learned about the pros and cons of this approach, what it is, what it isn’t and everything in between. Let’s break down some of the lessons we learned about threat hunting in 2018.
Invest in Training and Methodology Before Technology
When a new security capability gains momentum in the industry, most companies’ first investment is in the tools to get them started. The same is true when it comes to investments in threat hunting, where an emphasis on methodology and tradecraft is paramount.
A key finding from the SANS 2018 threat hunting survey revealed that the No. 1 investment area for threat hunting is still technology, although respondents indicated that the lack of trained staff in numerous areas was an important reason why they did not perform threat hunting or why they did not perform it as effectively as they should. The tools are only as good as the trained professional. This is as true with threat hunters as it is with construction workers, and it should not be forgotten.
Training and hiring the right people is especially important since threat hunting requires individuals with a knowledge of intelligence analysis and an understanding of the technical aspects of the SOC. Currently, threat hunting falls within a skills gap, which means finding a trained threat hunter to use the tools that a company has invested in is like finding a unicorn.
Going into 2019, organizations that practice threat hunting should take a holistic look at their programs and, if it’s lacking, assess whether it’s the fancy tools or the lack of trained cyberthreat hunters that is the issue. Similarly, organizations that are new to the threat hunting game should evaluate the threat hunters they have or plan to hire before pulling the trigger on the latest tools.
Threat Hunting Is Only as Effective as Your Intelligence Framework
To launch an effective threat hunting program, you also need access to the right data. In terms of efficiency and accuracy, this should consist of internal data from the company mixed with external deep web, dark web, open source and third-party threat intelligence that provides context about threats manifesting through global cybercrime networks.
The SANS survey showed that a solid blend of internal, self-generated intelligence augmented with a combination of external data sources can reduce overall adversary dwell times across organizations’ networks. But it is more than just the access to the data itself; an organization could have access to all the data feeds in the world, but if it lacks the ability to provide context and formulate actionable hypotheses, then the data is next to useless.
In the counterterrorism community, we always said that intelligence drives operations. Yes, we needed access to the right data, but more importantly, we needed the ability to fuse all sources of data and develop actionable advice for operators. It’s the same with threat hunting: Data is key, but there needs to be a way to ingest, fuse and analyze data to formulate hypotheses about threats.
Threat Hunting Is Here to Stay in 2019
Going into 2019, the cybersecurity community will continue to learn about the world of threat hunting and how organizations can implement an effective threat hunting program. Just like the fads that will inevitably come and go in 2019, there will be new cybersecurity tools, methodologies and lessons in the new year. Due to the tangible benefits that organizations are seeing after implementing threat hunting programs, it’s apparent that the practice is not just another security fad.
As organizations train analysts on methodology before technology — and explore how to close the threat hunter skills gap, get access to the right data and generate actionable hypotheses to uncover threats — we will continue to learn how effective a threat hunting program can be when properly implemented.
Read the SANS 2018 threat hunting survey