The cybersecurity threat landscape is becoming increasingly complex and crowded, and with security teams around the world largely understaffed and facing burnout, experts are looking for the most efficient way to combat cybercrime.
One approach that has gained significant momentum of late is threat hunting – the proactive searching of threat indicators within an environment to sniff out highly advanced cyber threats. In threat hunting, security analysts search their environment for known indicators of compromise (IoCs) and adversary tactics, techniques, and procedures (TTPs) – if any of these are found, there’s a good chance that an attack is underway.
While threat hunting is a key element of a robust cybersecurity strategy, many organizations rely too heavily on this approach. A narrow focus on specific IoCs and TTPs paints an incomplete picture of the threat environment and means that the attacks that don’t bear these hallmarks will get missed.
In this evolving threat landscape, enterprises can’t just rely on threat hunting to keep their environments secure – they must broaden their cybersecurity approach, assessing security environments in a more holistic way to better detect advanced and stealth attacks.
Why threat hunting has become so popular
Threat hunting has recently become a major buzzword in the security industry in large part because it connotes a cooler, more technical and more skilled approach to security. As a result, security experts are gravitating toward it for career-building opportunities and advancing their security approach.
While threat hunting might be overhyped, there are also genuine benefits to the practice (when done correctly) that help explain why enterprises are so ready to adopt it. Threat hunting helps refocus security teams on emerging threats, since existing security technologies tend to address things we already know about.
Actively looking for emerging threats can mean identifying threats that might be lurking in the environment – reducing dwell time and tackling threats before they escalate and turn into full-blown security breaches.
In addition, adopting threat hunting tactics often leads to discovering visibility gaps in your current security approach – for example, your S3 buckets might not be configured properly or perhaps some firewall rules got changed, or maybe you’re able to identify an employee or group within your organization that is violating a security policy. Uncovering these poorly managed security solutions is a useful byproduct of threat hunting.
The downfalls of threat hunting
However, many organizations rely too heavily on threat hunting as they are unable to invest in the required infrastructure, resources and expertise to continually analyze all activity for possible threats. Often, this threat hunting is provided by third-party security companies, as many enterprises either lack the skills and resources entirely or are only able dedicate their in-house teams to a few days of threat hunting a year.
With the major talent gap facing cybersecurity, most enterprises simply cannot find or afford to hire professionals with the required level of expertise. As a result, many are turning to managed services offered by security companies to help close the gap. According to Gartner, by 2024, 25% of organizations will be using MDR services, up from less than 5% today.
Threat hunting services often focus almost exclusively on threats posed by splashy, sexy attack groups – whether it is notable criminal APTs or nation state groups. A strong security program focuses on risk management, and one of the most important things security teams can do is accurately identify the risks that they are susceptible to, which for many enterprises isn’t a nation-state attack.
While threat-hunting addresses the attacks that everyone is talking about, the reality is that many enterprises should be equally – if not more cognizant – of commodity threats. While sophisticated threats exist and are important to defend against through threat hunting, the majority of threats facing enterprises are better addressed through good security hygiene.
Over-investing in threat hunting can lead to an incomplete and irregular picture of the risks enterprises face. In fact, a singular reliance on threat hunting alone means that many types of attacks will get missed if you’re not specifically looking for them.
Taking a holistic approach
By over-rotating on big name threats, security teams leave open the possibility that they are going to miss the obvious. In this threat environment, security teams can’t afford to drop the ball on the basics – a recent ESG survey of enterprise cybersecurity leaders revealed that more than three-quarters (76%) believe that threat detection and incident response is more difficult today than it was just two years ago.
To ensure a strong security posture, enterprises should take a comprehensive, multi-faceted approach that goes beyond threat hunting. As they build out a holistic approach, they should be sure to:
- Collect data on everything they can. Often when investigating a breach or incident, security teams find that they don’t have any evidence because they aren’t collecting and retaining the right data – it’s usually the exception when there’s sufficient logging for an incident. With living off the land attacks increasing (many of which fly under the radar of traditional logging), it’s ever more important that teams don’t skimp on data collection, as relying on a mixture of sources is more likely to help you detect threats early and prevent bad actors from getting in unnoticed.
- Use multiple security tools and strategies. We’ve recently seen a trend toward new technologies like AI and machine learning across security programs. It’s important to layer these tools and strategies as they each have their strengths and weaknesses. To maximize effectiveness, use a mixture of tools, methodologies and frameworks that integrate multiple attack and adversary considerations such as MITRE ATT&CK as well as simple IOCs, rule-based detection, statistical models, linguistic models, and machine learning models – and then correlate with global threat intelligence, validating and augmenting with human expertise.
- Don’t underestimate the importance of humans. The human side of the investigation is critical. There is no better computer for detecting, recognizing and responding to threats than the human mind. While automated systems have helped advance the security industry significantly, a true “eyes on glass” approach to threat detection requires years of experience and the corresponding intuition of knowing when something is amiss.