“Do I need to threat hunt my network?”

I heard this question a lot. You’ve deployed one or more firewalls, intrusion detection systems, locked down your servers and desktops, deployed anti-virus and you review logs on a regular basis. So why add threat hunting to the list?

Each of the above technologies is a preventive measure against known attack patterns. For example firewall’s keep the outside world from connecting to services you do not wish to expose while intrusion detection looks for signatures of a known threat pattern. None of these technologies answer the question “Did one or more of my protective measures fail?”. While it can be argued that log review may be able to answer this question, again it typically needs to be a known vector. For example you may detect an external IP address connecting via SSH because you know what to look for. You may completely miss a buffer overflow that provides high level access to a server because you have not seen this attack pattern in the past.

Threat hunting is the active exploration of your network in order to determine if one or more of your preventive measures has failed. Imagine you have a room full of secrets. You have locks on the door, motion sensors in the hallways, infrared around the building, and a host of other technologies straight out of your favorite spy movie. While all of these measures would be designed to keep people out or detect attempted entry, threat hunting would be actually checking the room to see if a perpetrator has made it in side. So think of threat hunting as being the ultimate integrity verification. Without it you are simply hoping that your preventative measures are working as expected.

So how do you get started with a threat hunting program? We’ll jump into that in future blog entries.