Threat hunting: When to hunt, and who should do it

Insights from RSA on how to hunt threats in corporate infrastructure

One of the hot topics at RSA 2018 was threat hunting. Experts agree that it’s a necessary practice to counter modern APT attacks. What they do not completely agree on is what threat hunting actually is — which practices it comprises. For the discussion, they settled on the definition from the book How to Hunt for Security Threats: threat hunting is an analyst-centric process that enables organizations to uncover hidden advanced threats missed by automated preventive and detection controls.

By that definition, threat hunting must be performed by a cybersecurity expert; the process cannot be automated. However, after experts search for anomalies, their results will contribute to the improvement of automatic detection systems, which learn to detect attack scenarios that once required an expert human eye.

When to hunt

Experts say the question “are adversaries in your network?” misses the point, because they certainly are. Essentially, those experts say, you should already be hunting. Personally, I hope that’s not always true, but it doesn’t mean you shouldn’t hunt — especially if you have a huge distributed enterprise infrastructure.

However, threat hunting is an advanced security practice that requires certain resources and a certain level of maturity in your security systems. That is why, if you have to choose between organizing a threat-hunting process and deploying a mature detection and response system, you should definitely choose the latter.

Mature detection and response systems will not only let you exclude minor threats from the threat-hunting scope, but also provide much more useful information to the expert hunter.

Who should hunt

The main question here is whether a hunter should be an in-house specialist or an external expert. Each direction has its pros and cons. An internal specialist has a unique knowledge of the local network architecture and its specifics, whereas an outside cybersecurity specialist brings a vast knowledge of the threat landscape but will need some time to learn the local infrastructure. Both aspects are important. Ideally, you’ll rotate internal and external experts (that is, if it’s permitted — and if you already have an internal specialist).

Most enterprise networks resemble one another to some extent. Of course, exceptions exist, but they are quite rare. An external expert who regularly performs threat hunts for various companies will be comfortable with slight variations from company to company.

Another aspect of this issue for internal candidates is that constant threat hunting adds a lot of tedium to their days. Looking through logs to figure out where an adversarial process is hiding is a monotonous occupation that will wear down even enthusiastic IT pros. So it is wise to rotate specialists from your security operations center through the role, rather than have one full-time threat hunter.

As for personal qualities for the candidate, look for someone attentive, patient, and experienced in cyberthreats. However, intuition is no less important. It can be hard to find such a person, because intuition cannot be measured and is rarely mentioned in resumes.

For the function of an external expert, we can propose the services of our own threat-hunting specialists. They can explore your infrastructure to identify any present or historical signs of compromise, or arrange around-the-clock monitoring and continuous analysis of your cyberthreat data. To learn more about Kaspersky Threat Hunting services, visit this page.