In part 1, we discussed some of the definitions of “hunting” I had encountered, but what about sources outside of my own personal experience? What does the Internet have to say about the definition of hunting? As you may have guessed, there doesn’t seem to be a concise, agreed upon definition.
For example, one article defines threat hunting as, “… the process of seeking out adversaries before they can successfully execute an attack.” That’s not the first time I’ve seen a definition focus on detecting something before it’s successful, but I’m not sure why that distinction is made. Security controls and signatures exist to defend against or alert you to activity in real time (or at least close to real-time). Just because an attacker has already compromised the organization, that means we don’t want to find them ASAP?
A different article defines a threat hunter itself as the following: “A threat hunter, also called a cybersecurity threat analyst, is a security professional or managed service provider (MSP) that proactively uses manual or machine-assisted techniques to detect security incidents that may elude the grasp of automated systems.”
Let’s look at an example to think through these. Fileless malware is difficult to detect using traditional methods but it is trivial to create such an attack, which makes it more common than you probably think. If someone identifies fileless malware attacks while manually searching through their network, it is likely (unless the attack is stopped by something in the security stack) the attack was already successful. Does that mean that you weren’t hunting? It’s certainly still important that you know that you have an infected device on your network that requires remediation. It’s also important that you see the attack whether it was successful or not so that you can tune your detection/prevention methods and respond effectively.
It Doesn’t Matter What You Call It, Just Do It
I mostly subscribe to the definition that hunting is “anything you proactively investigate that your current detection methods don’t catch.” But seriously who cares what I think. The important point here is that it doesn’t really matter what you call it. What matters is that you have capabilities for discovering and remediating risk. In short, it doesn’t matter what you’re calling it, just that you’re doing it.
It’s also important to note that hunting is, or at least should be, a continuous improvement process:
- If you discover some method that produces results, make it repeatable and add it to your normal automated detection methods.
- If you find yourself repeating the same workflow and it produces results without a lot of false positives, then automate it if possible.
For instance, during a hunt, if you find that there is SMB file access of a certain size, followed by an upload over TLS using PowerShell that ends up being exfil, then have your tools inform you every time this happens.
Of course, the feasibility or difficulty of doing something like this will depend on the tools you have at your disposal. The kind of hunting you do in your SOC will depend on many factors, including your acceptable risk and what your security stack and staff looks like. Choose whatever definition makes sense to you, as long as you’re covering your assets.
Now that we agree that it doesn’t matter how you define ‘hunting,’ but rather, that you’re doing some form of hunting to improve your security posture, let’s discuss how we can make it better and more accessible.
The challenge historically has been that signatures and other automated forms of detection traditionally have to be simplistic in order to be compatible with the detection tools being used. It also logically follows then that since traditional detection methods are more simplistic, that must mean hunting is more complex and difficult. Think about the most complex signatures you’ve seen. Are they able to ask questions like, “is there any traffic coming from a script that follows encrypted email access?” or “after a download over TLS, is that data then transferred laterally over some other protocol (like SMB)?” It is hard to imagine a detection engine capable of digesting questions like those, and its hard to provide answers if you don’t understand the question. But the questions themselves are not hard to ask in plain English, even if you are not that much of an expert.
So, we are in a situation today where hunting is a “game of skill and chance” (hence all the differing definitions that focus on complexity) since the underlying technology does not center around enabling the analyst. Thus, only the most experienced and sophisticated analysts can partake – it’s all tribal knowledge and tricks. However, I think everyone *would agree* that security teams would be best served if all analysts could hunt, regardless of skill level. And if our tools could, however, take some of that complexity away, then perhaps that would indeed be possible.
These are the things that I have the privilege to focus on here at Awake – making advanced expertise less of a barrier for truly securing your environment. This is also what I think the industry should focus on as a whole.
By Troy Kent