To begin, let’s clarify what threat hunting is:
Threat hunting is the human-driven, proactive and iterative search through networks, endpoints, or datasets in order to detect malicious, suspicious, or risky activities that have evaded detection by existing automated tools.
3 Myths about Threat Hunting:
1. Hunting can be fully automated
Hunting is not a reactive activity. If the main human input in a hunt is remediating the result of something that a tool automatically found, you are being reactive and not proactive. You are resolving an identified potential incident, which is a critically important practice in a SOC, but not hunting.

Hunting requires the input of a human analyst and is about proactive, hypothesis-based investigations. The purpose of hunting is specifically to find what is missed by your automated reactive alerting systems. An alert from an automated tool can certainly give you a starting point for an investigation or inform a hypothesis, but an analyst should work through an investigation to understand and expand on the context of what was found to really get the full value of hunting.
2. Hunting can only be carried out with vast quantities of data and a stack of advanced tools
Though it may seem like a new term, security analysts across a variety of sectors have been hunting for years. Basic hunting techniques can still be very useful and effective in helping you find the bad guys (e.g. you can perform basic outlier analysis, or "stack counting", in Microsoft Excel).

An analyst who wants to begin threat hunting should not hesitate to dive into some of the basic techniques with just simple data sets and tools. Take advantage of low-hanging fruit!

Of course, having purpose-built tools like a Threat Hunting Platform can help you hunt at scale and simplify the more advanced hunt procedures.
3. Hunting is only for elite analysts; only the security 1% with years of experience can do it
Threat hunters are in short supply today, which is one of the biggest constraints to starting up a team. With a few simple tools and existing security analysts, a security team can bootstrap a basic threat hunting program.
Threat hunting activities can be accelerated with the help of these types of resources, but it is still critical for organizations to know what activities appear normal and appropriate on their networks at the base level. Once you have a solid baseline, you can start searching for anomalies and refining your threat hunting techniques.