The Difference Between Watching Alerts and Threat Hunting

I recently saw a query in a chat channel on our Threat Hunter Community Discord server:

“I’m having trouble finding the difference between threat hunting and just suspicious alert investigation…”.

 

Let’s say you’re living in a country where drinking decaf coffee is illegal. Since you work for the National Caffeination Society, you need to find the perpetrators to bring them to justice. 🙂 Approach 1: monitor all calls for the word “coffee” or “decaf”. Approach 2: Go door to door and check the coffee grounds at each place.

Approach 1 sounds good because it doesn’t involve walking all over town, but it has problems. Not everyone has a phone. We don’t know if someone will mention “coffee” in a call – and if they do, they could talk about brew, mud, espresso, Kombucha, Yerba Mate, Mocha, Latte……

Approach 2 says we’re going to actively go out and look for malicious activity. If we can sort the places to investigate by likelihood of drinking decaf, we should actually find more nefarious actors than we would have by monitoring calls in approach 1.

Back to networks…

Approach 1 is looking at alerts that come in from different sources. There are some real problems with this: Are we getting alerts from all devices in our networks? Are the alerts just based on known attack signatures? Do we have a way of sorting the alerts so we investigate the likeliest alerts first? How do we clear out all the stuff that’s just noise in the logs/alerts? Did malware on the system shut down the alert tool? Even if we have those all answered, how do we know that we parse those alerts correctly?

Approach 2: Threat Hunting. We look at the conversations that happen between our internal hosts and the outside world. We sort these by likelihood that a particular conversation is a threat and start with the most likely. We include the ability to whitelist traffic so we can stop looking at legitimate traffic once whitelisted.

In short; looking at alerts/logs is hoping that something will see malicious traffic, hoping we’ll get an alert on it, and hoping someone sees it in the flood of alerts coming in. Threat Hunting is a systematic search for malicious activity, organized so we consider the most likely traffic patterns first. Monitoring alerts and logs is good for known alert patterns; Threat Hunting is designed to detect unknown traffic patterns.

I work for a company that sells Threat Hunting software, so it’s safe to say I have some bias. 🙂

Please don’t take the above to say that “Watching alerts/working with logs/working with a SIEM has no value”; we need these to be able to search for specific things like “out of disk space”, “kernel panic” and a hundred other things where you know an alert will show up and you know what you’re looking for. The challenge comes when it’s not clear you’ll get an alert on malicious activity in the first place, or don’t know what form that alert will take.