Attack vs data: What you need to know about threat hunting
While the definition of threat hunting may be straightforward – proactively searching for threats that existing controls have not detected – the reality of implementing a threat-hunting programme is a bit more complicated, as there are different threat hunting methodologies to choose from.
In order to get the most out of a proactive approach like threat hunting, it helps to first know exactly what telemetry your IT and security stacks produce (endpoint, network, identity and application logs), how far back it is retained and whether it is searchable, so you can ensure the hunt has actionable data to work with. Once a plan is in place, you should be able to quickly identify signs of compromise across networks, systems and application environments.
A solid threat-hunting programme usually begins by generating a hypothesis for each hunt and documenting aspects like:
- Programme name;
- Programme purpose; and
- Expected analysis techniques for the hunt.
For example, if your goal is to identify anomalous user-agent strings, the documentation might state: “Looking for abnormally short or long user-agent strings or known bad strings”, together with the data source that will be queried (typically web proxy or web server logs). Writing this down forces the team to think through what it actually wants to find and how it will recognise it. The hunt itself then consists of running searches against those criteria, reporting the findings and, where something is found, handing off to incident response and remediation with the relevant stakeholders.
Management should weigh some key criteria when deciding whether a threat-hunting programme is right for them and worth the money and time. An organisation in a high-risk or heavily regulated industry is likely to be at least a semi-regular target for threat actors, and the people needed to hunt effectively (analysts who know both the environment and attacker tradecraft) are usually the largest part of the investment.
However, this doesn’t have to be a time-consuming process for the organisation itself. For example, managed detection and response (MDR) services from Rapid7 will perform wide-ranging threat hunts on behalf of an organisation, and free up internal resources by letting a trusted partner handle the resulting alerts.
Returning to the planning phase: be clear on the objective. That clarity tells the team whether a given hunt is necessary and whether it has the tooling, data and people to carry it out. From there, questions about scaling the programme follow. How frequently are hunts needed? Are there circumstances (a new public vulnerability, a breach at a peer organisation) that will require off-plan hunts? And, perhaps most important, can parts of the hunt be automated and, if not, how can that capability be acquired and implemented?
But what exactly does attack vs data hunting mean? The two labels describe where a hunt starts from, and each has its benefits. Attack-based hunting starts from what is already known about the attacker: indicators of compromise (IOCs), such as known bad IP addresses. Perhaps its biggest advantage is that it can be automated, because matching a list of indicators against logs is a lookup that a machine can repeat on a schedule.
Those indicators are “landmarks” on which to map the hunt. However, IOCs age quickly (attackers rotate infrastructure), so attack-based hunting mostly relies on data from the past month. Teams might want to perform a hunt of this nature when there has been a recent large-scale breach with global implications and published indicators.
Data-based hunting starts from the organisation’s own data rather than from a known indicator. It is a human-curated process built on filtering, sorting and visualising, and it primarily looks for historical trends and anomalies: things that are rare or unusual for this environment even if nobody has published an indicator for them. Teams will usually draw on data reaching as far back as six months.
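The following is an added example, not code from the original article or from Rapid7. It runs the user-agent hypothesis given earlier (“abnormally short or long user-agent strings or known bad strings”) over web server logs in two passes that mirror the two methodologies just described: an attack-based pass that matches a list of known-bad indicators against the recent window, and a data-based pass that builds a length baseline from a longer history and flags recent entries outside it. Every log line, user-agent string, IP address, indicator and threshold below is constructed for illustration; the indicator list and the 40-character tolerance floor are assumptions, not a real feed or a recommended value.

```python
"""Hunt for anomalous User-Agent strings in web server access logs.

Added example (not from the original article). Attack-based pass = IOC
matching over the recent hunt window. Data-based pass = robust length
baseline (median +/- k * scaled MAD) from a longer history. All data
below is constructed.
"""
import re
import statistics

# Combined Log Format (Apache/nginx default "combined").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed indicators (assumed, not a real threat feed).
BAD_UA_SUBSTRINGS = ("sqlmap", "nikto", "masscan")
BAD_IPS = {"203.0.113.50"}  # TEST-NET-3 address, constructed

# Hypothetical normal browsers used to build the constructed samples.
UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")
UA_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/17.3 Safari/605.1.15")
UA_EDGE = UA_CHROME + " Edg/122.0.0.0"
UA_IPHONE = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/17.3 Mobile/15E148 Safari/604.1")


def _line(ip, ua, ts="01/Mar/2024:10:00:01 +0200"):
    """Build one constructed access-log line in Combined Log Format."""
    return f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 1043 "-" "{ua}"'


# Constructed "six months of history": the data-based baseline.
BASELINE_LOG = (
    [_line("10.0.0.12", UA_CHROME, "15/Sep/2023:09:00:00 +0200")] * 5
    + [_line("10.0.0.13", UA_SAFARI, "15/Oct/2023:09:00:00 +0200")] * 3
    + [_line("10.0.0.14", UA_EDGE, "15/Nov/2023:09:00:00 +0200")] * 3
    + [_line("10.0.0.15", UA_IPHONE, "15/Dec/2023:09:00:00 +0200")] * 2
)

# Constructed recent window the hunt runs over.
HUNT_LOG = [
    _line("10.0.0.12", UA_CHROME),
    _line("10.0.0.13", UA_SAFARI),
    _line("10.0.0.15", UA_IPHONE),
    _line("198.51.100.7", "-"),                       # no User-Agent at all
    _line("198.51.100.8", "curl/8.4.0"),              # short, scripted client
    _line("203.0.113.50", "sqlmap/1.7.2#stable (https://sqlmap.org)"),
    _line("198.51.100.9", "Mozilla/5.0 " + "A" * 300),  # padded, oversized UA
]


def parse(lines):
    """Return (ip, ua) for each line that parses; '-' means no UA was sent."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ua = m.group("ua")
            out.append((m.group("ip"), "" if ua == "-" else ua))
    return out


def attack_based_hunt(lines):
    """IOC matching: cheap and automatable, only as good as the indicator list."""
    hits = []
    for ip, ua in parse(lines):
        reasons = []
        if ip in BAD_IPS:
            reasons.append(f"known bad ip {ip}")
        reasons += [f"known bad ua substring {s!r}"
                    for s in BAD_UA_SUBSTRINGS if s in ua.lower()]
        if reasons:
            hits.append((ip, ua, reasons))
    return hits


def length_bounds(baseline_lines, k=3.0, floor=40):
    """Median +/- k * scaled MAD of UA length; floor (assumed) stops a very
    uniform fleet from flagging every harmless variant."""
    lengths = [len(ua) for _, ua in parse(baseline_lines)]
    med = statistics.median(lengths)
    mad = statistics.median([abs(x - med) for x in lengths])
    tol = max(k * 1.4826 * mad, floor)
    return med - tol, med + tol


def data_based_hunt(lines, baseline_lines):
    """Flag recent entries whose UA length falls outside the historical envelope."""
    low, high = length_bounds(baseline_lines)
    hits = []
    for ip, ua in parse(lines):
        n = len(ua)
        if n < low:
            hits.append((ip, ua, f"short ua: {n} chars, baseline low {low:.0f}"))
        elif n > high:
            hits.append((ip, ua, f"long ua: {n} chars, baseline high {high:.0f}"))
    return hits


if __name__ == "__main__":
    for ip, ua, reasons in attack_based_hunt(HUNT_LOG):
        print("IOC ", ip, ua[:40], reasons)
    for ip, ua, reason in data_based_hunt(HUNT_LOG, BASELINE_LOG):
        print("DATA", ip, ua[:40], reason)
```

Run as written, the attack-based pass returns only the sqlmap request (bad source address plus a known tool string), while the data-based pass returns the empty user-agent, the curl client, the sqlmap string and the padded 312-character string, and leaves the three ordinary browsers alone. The curl and empty entries show what the data-based pass buys you: neither is on any indicator list, yet both are worth an analyst's look in an environment where only browsers are expected. The price is the human curation the article mentions: the baseline and the tolerance have to be tuned per environment, and a scripted client that is legitimate in yours needs an allow-list entry rather than a ticket.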
For a deeper exploration of threat hunting and how to quickly stand up a hunting programme, speak to our Rapid7 Business Unit Manager, Nicholas Applewhite (firstname.lastname@example.org), or find us on LinkedIn: cybersecuritysouthafrica