Managed Threat Hunting Fills a Critical Gap

Threat hunting is a critical discipline that more organizations are using to disrupt stealthy attacks before they become mega breaches. In many organizations, threat hunting becomes the last, best line of defense, leveraging human knowledge, experience and intuition to detect threats that carefully crafted, automated layers of defense cannot.

While threat hunting is a straightforward exercise, it can be challenging to staff properly. Effective threat hunters come with years of experience and battle scars from regular engagements with their adversaries.

However, given the skills shortage in cybersecurity, skilled hunters don’t come cheap and can be difficult to retain. Managed threat hunting services are tailor-made to fill this critical gap for organizations of all types, and they make up a small but important part of the managed security services market.

With managed threat hunting, sometimes called “managed detection and response” (MDR), you are engaging a team of expert threat hunters for a simple, but important task: to continuously sift through your enterprise security data, looking for faint signs of the most sophisticated attacks.

Is This Just Another MSSP?
Onboarding a managed security service provider (MSSP) can be a daunting project. Organizations that have experienced challenges using MSSPs for security monitoring in the past might rightfully ask, “Does managed threat hunting make sense for me?” Managed threat hunting has some key features that make it easy to deliver quick wins for organizations of all types:

  • Organizations are unique. The adversaries and their TTPs (tactics, techniques and procedures) are not. Many times, when a managed security service project fails to deliver value, it’s because of the massive complexity involved in communicating and integrating two disparate security organizations. Threat hunting is a much simpler, more constrained problem. A well-equipped threat hunter can be very effective at identifying and communicating about threats without needing a deep, encyclopedic knowledge of your enterprise or a full company org chart.
  • Skills make a difference. Security monitoring is labor intensive but remains a relatively low-skilled task. An analyst can be trained and effective within weeks, which makes it feasible for many organizations to perform this in-house. Truly effective threat hunting, on the other hand, requires deep and broad expertise. Hunters can benefit from knowledge of topics such as forensics, Windows, Linux, Mac, foreign languages, network-based intrusions, host-based intrusions, and many others. Building depth in these skills can take months or years. Managed threat hunting services deliver immediate value and instant maturity without lengthy hiring and training cycles.
  • Staff retention matters. Hiring a strong staff is only the beginning; keeping them engaged, challenged and interested in staying with your company must also be a constant focus. A quality managed threat hunting service is able to bring to bear tactics that less focused MSSPs can’t. They are able to invest in custom tooling and automation to make their rock stars as efficient as possible. In addition, they can offer the rewarding experience of direct observation and interaction with a wide range of today’s most advanced threats, creating the perfect conditions to attract and retain the most skilled hunters.

Separating the Good from the Indifferent
The world of managed security services is broad and confusing, and sometimes it’s difficult to sift through the buzzwords. The most important thing is that you have a clear understanding of what you should be looking for in a potential service provider.

The first port of call is whether a human is reviewing your data, and if so, how often. If the answer is “once,” then you are looking at a one-time investigation service, not managed threat hunting. “Weekly” or “monthly” are of little value. Your attackers don’t take the weekends off and neither should your threat hunting service. Threat hunting is a continuous, 24/7 operation.

Now that you know who or what is looking after your security, it’s time to know how they identify the leads they are looking for. Every threat hunt begins with a lead, or a hypothesis. The simplest kind of threat hunt starts with known-bad IOCs (typically IP addresses, hashes, and domains) and searches through historical data looking for matches. In this kind of hunting, the human hunter provides little added value in the process.

IOC-based hunting is easy to automate and doesn’t require a skilled analyst to drive it. Your managed threat hunting service should begin with the most current TTPs in use by today’s adversaries.
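To make the distinction concrete, here is an added example (not from the article or from any provider's tooling) that runs an IOC sweep and a TTP-driven hunt over a handful of constructed process-creation records. The host names, hashes, addresses and indicator list are made up, and the hunt hypothesis (document-reader processes launching a command interpreter) is one illustrative behaviour, not an exhaustive rule set.

```python
"""Added example, not from the article: an IOC sweep versus a TTP-based
hunt over a few constructed process-creation records."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, as an EDR or Sysmon-style sensor logs it."""
    host: str
    parent: str      # parent process image name
    image: str       # new process image name
    sha256: str      # hash of the new process image (shortened, constructed)
    remote_ip: str   # first outbound connection by the process, "" if none


# Constructed sample telemetry; hosts, hashes and addresses are made up.
EVENTS = [
    ProcessEvent("ws01", "explorer.exe", "winword.exe", "1111aaaa", ""),
    ProcessEvent("ws01", "winword.exe", "cmd.exe", "2222bbbb", ""),
    ProcessEvent("ws02", "services.exe", "svchost.exe", "3333cccc", "10.0.0.5"),
    ProcessEvent("ws03", "explorer.exe", "updater.exe", "4444dddd", "203.0.113.9"),
    ProcessEvent("ws04", "excel.exe", "powershell.exe", "5555eeee", ""),
]

# Constructed indicator list, in the shape a feed or report would supply.
IOCS = {
    "sha256": {"4444dddd"},
    "ip": {"203.0.113.9"},
}

# Hypothesis for the TTP-style hunt: document readers do not normally launch
# command interpreters, so that parent/child pairing is worth an analyst's review.
DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def ioc_sweep(events, iocs):
    """Return (event, indicator) pairs where a field equals a known-bad value.
    This is plain set membership: trivially automated, no analyst judgement."""
    hits = []
    for ev in events:
        if ev.sha256 in iocs["sha256"]:
            hits.append((ev, ev.sha256))
        if ev.remote_ip and ev.remote_ip in iocs["ip"]:
            hits.append((ev, ev.remote_ip))
    return hits


def ttp_hunt(events):
    """Return events matching the behavioural hypothesis, whatever their hash
    or destination. The results are leads for a hunter, not verdicts."""
    return [
        ev for ev in events
        if ev.parent.lower() in DOCUMENT_READERS
        and ev.image.lower() in INTERPRETERS
    ]


def summarize(events, iocs):
    """Hosts flagged by each approach, to show how little the two overlap."""
    return {
        "ioc": sorted({ev.host for ev, _ in ioc_sweep(events, iocs)}),
        "ttp": sorted({ev.host for ev in ttp_hunt(events)}),
    }


if __name__ == "__main__":
    for ev, indicator in ioc_sweep(EVENTS, IOCS):
        print(f"IOC hit on {ev.host}: {ev.image} matched {indicator}")
    for ev in ttp_hunt(EVENTS):
        print(f"Hunt lead on {ev.host}: {ev.parent} spawned {ev.image}")
    print(summarize(EVENTS, IOCS))
```

The sweep only ever finds the one host whose hash and address were already on the list, which is exactly why it needs no hunter to drive it. The hypothesis query surfaces two hosts the indicator list knows nothing about; deciding whether those leads are benign macros or something worse is the part of the job that still requires a skilled analyst.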

Alert triage is another type of service that is often confused with threat hunting, but provides a very distinct value proposition. These types of services merely provide prioritization and context around alerts from other security products. When used most effectively, threat hunting is focused on your visibility gaps. It reveals the threats you are least likely to uncover without expert help.

Consider also what happens when your service detects a stealthy, targeted threat. An alert without context and recommendations is merely more noise in your daily queue. A quality threat hunting service will not just throw alerts over your cubicle wall. Your managed threat hunting service partner should not only alert you to emerging threats quickly, but also guide your response, coaching you on context and the most effective response actions.

Finally, it’s critical to leverage the insights gained from threat hunting to better understand your own defenses, and to strengthen them. Successful threat hunts shine a bright light on gaps in your security architecture and provide valuable insights for future improvements. Too few organizations make effective use of these observations; world-class threat hunters drive continuous improvement by smartly solidifying defenses. Hunting down a threat once is a win; hunting it down a second time is a sad waste of human capital.

Done right, managed threat hunting can deliver instant maturity to your security operations center, uncover the most sophisticated threats, and do it at a low cost. 
