What Is Threat Hunting and Why Is It so Important? – Video Blog
Video – What Is Threat Hunting?
Hey folks, I’m Chris Brenton and today I want to give you a working definition of the term threat hunting because there seems to be a lot of confusion around what this is, how it works, what’s it have to do with threat intelligence and so on.
So number one, threat hunting is an active/proactive activity, meaning that this is something we actively do. We don’t wait until something else occurs before this kicks off. So if you think you’re doing threat hunting and your threat hunting step number one is “when an alert goes off in our SIEM, we do something else”… no, that’s not threat hunting. That’s responsive. We’re reacting to something that occurred; that’s maybe more along the lines of forensics.
So with threat hunting, we’re actually going in to see whether any of our internal systems, not just desktops, but everything, any of our internal systems, are showing signs of being compromised. We’re looking for those clear indicators that an internal system created a command and control channel with some system out on the internet. The output of a threat hunt, meaning the results of what we get, is a compromise assessment. So a successful threat hunt is one where, at the end, we can say with reasonable certainty, “All of our systems are in pristine shape,” or “All of our systems look good, but we need to do further investigation on these one or two that may be in a compromised state.”
So when you think about waiting for alerts off your SIEM, you’d never get up one morning and say, “Hey, I know my network’s safe.” We don’t do that. But with a threat hunt, we’re actively going in and looking for it. That’s what gives us that validity that our network is currently not in a compromised state. So, that’s our definition of threat hunting. Hope to see you again soon.
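One concrete hunt check that matches the definition above, as an added example rather than anything from the video or from AC-Hunter: scoring each internal-to-external connection pair by how regular its timing is, since a command and control channel often shows up as near-constant intervals. The connection records and all addresses are constructed for the example; the thresholds are assumptions an analyst would tune.

```python
"""Beacon-candidate scoring over constructed connection records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (epoch seconds, source IP, destination IP, dest port).
CONN_RECORDS = [
    # 10.0.0.5 -> 203.0.113.9 every ~60s with 1s jitter: beacon-like timing.
    *[(1_700_000_000 + 60 * i + (i % 2), "10.0.0.5", "203.0.113.9", 443)
      for i in range(20)],
    # 10.0.0.7 -> 198.51.100.20 at irregular times: looks like human browsing.
    *[(1_700_000_000 + t, "10.0.0.7", "198.51.100.20", 443)
      for t in (3, 17, 120, 125, 900, 901, 1500, 1502, 2000, 2300, 2305, 3100)],
    # 10.0.0.9 -> 203.0.113.50 only twice: too few connections to judge.
    (1_700_000_100, "10.0.0.9", "203.0.113.50", 80),
    (1_700_000_160, "10.0.0.9", "203.0.113.50", 80),
]


def score_pairs(records, min_connections=10):
    """Return {(src, dst): (count, cv)} for pairs with enough connections.

    cv is the coefficient of variation of the gaps between connections:
    0.0 means perfectly regular timing, larger values mean more jitter.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port in records:
        by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # not enough data to call the timing regular or not
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        scores[pair] = (len(times), cv)
    return scores


def beacon_candidates(records, max_cv=0.2, min_connections=10):
    """Pairs regular enough to hand to an analyst: a lead, not a verdict."""
    scored = score_pairs(records, min_connections)
    return sorted(pair for pair, (_n, cv) in scored.items() if cv <= max_cv)


if __name__ == "__main__":
    for (src, dst), (n, cv) in score_pairs(CONN_RECORDS).items():
        print(f"{src} -> {dst}: {n} connections, interval CV={cv:.3f}")
    print("beacon candidates:", beacon_candidates(CONN_RECORDS))
```

A flagged pair is where the investigation starts (what the destination is, what process opened the sockets), which is the “further investigation on these one or two” the compromise assessment calls for.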
Video – Why You Need Threat Hunting!
Hey folks, I’m Chris Brenton and in an earlier video, I talked you through a definition of threat hunting. In this video, I’d like to talk to you about why we need it. When you look at existing security tools today, they fall into one of two groups. They’re either protection based (this is how we keep the bad people out) or they’re response based (this is how we get the bad people off of our network once they’re there). What’s been missing is the tie between the two of them. How do we figure out our protections have failed and we actually need to go into response mode?
Now you may notice in the response column I have log analysis, and there’s a reason for that. The reason is we’ve been trying to use log analysis to tie those two together and it just has not been working. There are multiple studies that show that. The biggest number for me that shows this does not work is how long it takes to detect a breach when it takes place and how it gets detected. When you look at an internal system that successfully gets compromised, whether by a phishing attack or whatever the attack vector may be, multiple studies show it’s more than six months before we figure out the bad guys were on the network. Six months. That’s an eternity.
Further, multiple studies show that the way we detect the bad guys got in is through some third party, not of our own accord. Meaning logging’s just failing us. I think a great example of that is Starwood. Starwood got compromised, people were pulling credit card information out of their environment, and they went through multiple PCI attestations, I think like four. Multiple SOC 2s, I think there was an ISO 27001 in there, Hyatt bought them and did due diligence on their network. Nobody caught that they were in a compromised state, nobody caught that they were having credit card information pulled out.
Again, the processes we’re using today are just not working. This is why we need threat hunting. The Verizon 2019 breach report has a lot of really good data in this area if you need to come up with some ammo to get a decent threat hunting program going within your own environment. And one of the biggest tells for me is shown on the right hand side here. When you look at how these things are detected, an overwhelming majority of the time it’s by an external third party. Law enforcement comes to you and says, “Hey, we found your data on Pastebin,” or fraud detection gets kicked off, or something else. When you look at how often log analysis actually catches the bad guys on the inside, it’s about two and a half percent. That’s horrible. That means like one out of every 50 times we’ll actually catch something. That’s just not acceptable. So we need something better, and the better that we have today is threat hunting.
Interested in threat hunting tools? Check out AC-Hunter
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumni of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.