In Cyberspace, It’s Always Hunting Season
The practice of cyberthreat hunting traps elusive prey lurking inside networks.
A new paradigm afoot in cyberspace helps security analysts better manage manpower and technologies to defend networks against the quotidian volley of intrusions taxing global enterprises.
The confluence of cyber defense and offense has given rise to the practice of threat hunting: aggressively seeking adversaries rather than waiting to learn that they have breached network security perimeters. The technique has gained traction after a lackluster start short on focus and structure, says Monzy Merza, director of cyber research and chief security evangelist for Splunk.
A few years ago, Merza says, information technologists might have been working a network trouble ticket one moment only to switch to threat hunting the next, often without a clear target. “They thought hunting was cool. They wanted to do the next level thing, and it was the new sexy. The general vernacular around threat hunting used to be: ‘What are you looking for?’ ‘I’ll know it when I see it,’” he says.
But missions suffered, and organizations wasted resources. Security managers began implementing formal training programs for staff, adopting automation technologies and setting parameters to clearly define adversaries: who they might be, what they might want and what to do when discovered, Merza relates. “You don’t go hunting for a bear and prepare for it the same way that you would go hunting for a deer or a rabbit,” he says.
And so the field of threat intelligence was born. According to a recent report by cybersecurity research firm DomainTools, 42 percent of more than 550 global security professionals and information technology executives say they use some sort of threat intelligence platform. “With devious hackers leveraging various tactics and threat vectors, it’s clear there is no one-size-fits-all approach to protecting the network,” Tim Helming, director of product management at DomainTools, said in the report. “What’s interesting about our new global survey data is to see the actual connection between hunting threats and secure networks.”
Effective threat hunting should not be a shot in the dark. Knowing whether a target is a hacker working from a basement or a nation-state with access to high-level experts and sophisticated technologies matters, Merza says. It could mean the difference between hunting for an insider threat looking to exfiltrate data using a USB stick or applying analytics to scour social media platforms for threats lobbed against an organization’s top executives. “If you’re trying to track a bird, you’re not going to look for footprints necessarily on the ground,” Merza submits.
After hunting down threats, organizations with formal methodologies must take the correct steps to address adversaries, he continues. “I use the term ‘address’ and not ‘mitigate’ because [some] have allowed or enabled an adversary to persist in their environment for a significantly long period of time, even after discovering the adversary is there. The reason: They want to study the adversary,” Merza says.
In other words, keep your friends close but your enemies closer, as Chinese general and military strategist Sun Tzu advised. That has become a little easier lately because the commoditized field of threat intelligence means both the good guys and the bad guys have ready access to advanced techniques. “The machine-learning capability that is required to understand natural language processes is becoming more and more commoditized,” Merza offers. “The cost of doing analysis is being reduced, and the barrier to doing analysis is being reduced. Tooling is becoming more and more accessible, whether through cloud computing or analytics.”
These factors seal the case for adopting formal processes, he says. The most successful organizations, Merza continues, are those that start with very specific hunting hypotheses. “Those who follow this methodology,” he says, “are finding things that were otherwise unknown or are finding things that might have left gaps in the past, and now they can improve their security operations.”
Threat hunting draws on big data techniques to analyze colossal, diverse data sets and standardize the information. Machine-learning algorithms then look for specific kill-chain behaviors, or changes in user and computer behaviors that could indicate a breach. Threat hunting is a marriage between people and machines, says David Bianco, technology adviser for Sqrrl, a Cambridge, Massachusetts-based security analytics company that helps organizations target, hunt and disrupt advanced cyberthreats. “The adversaries we’re trying to detect and respond to are not static,” Bianco declares. “They change their methods. They change their techniques. They even change their goals over time—and this happens quite frequently.”
Analysts can draw on a wide variety of hunting techniques, such as alert assessments, query-based log analyses and incident investigations. Most are not terribly complicated, Bianco says, but they require a basic understanding of what they are as well as how and when to use them.
Cyber hunters orchestrate the automation tools at their disposal to carry out a mission. “A threat hunter may be looking at anywhere from a few thousand to a few million or even more pieces of information on a typical hunt,” Bianco observes. “There is just no way that they can individually scrutinize thousands, millions or tens of millions of individual data points. What you find, you can then turn around and use to improve your automated detection. To me, that is the most important role of threat hunting in the organization.”
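The preceding paragraphs describe a hunt in the abstract: start from a specific hypothesis, let automation sift the bulk of the records, and feed what the hunter confirms back into automated detection. As an added illustration (not code from the article, Splunk or Sqrrl), the Python below runs one such hypothesis over constructed logon records: "a compromised account will authenticate from a host it has never used, at an hour it has never used." It builds a per-user baseline from an earlier window, applies two techniques Bianco's description covers in spirit, frequency stacking (rarest user/host pairs first) and baseline deviation, and then turns each confirmed finding into a detection rule. All user names, host names and timestamps are invented for this example, and the rule format is a placeholder rather than any product's schema.

```python
"""Hypothesis-driven hunt over logon events (illustrative example).

Techniques shown: frequency stacking, per-user baseline comparison,
and conversion of a finding into a reusable detection rule.
Every log line below is constructed for this example.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed baseline window: timestamp, user, source host, outcome.
BASELINE_LOG = """\
2017-05-01T08:03:11 alice WS-101 success
2017-05-01T08:05:42 bob WS-102 success
2017-05-01T17:44:09 alice WS-101 success
2017-05-02T08:10:31 alice WS-101 success
2017-05-02T09:01:00 bob WS-102 success
2017-05-02T18:20:15 bob WS-102 success
2017-05-03T08:00:07 carol WS-103 success
2017-05-03T09:15:40 carol WS-103 success
2017-05-03T17:02:22 carol WS-103 success
2017-05-03T08:12:55 alice WS-101 success
"""

# Constructed hunt window: the period the hypothesis is tested against.
HUNT_LOG = """\
2017-05-10T08:04:30 alice WS-101 success
2017-05-10T08:09:12 bob WS-102 success
2017-05-10T02:17:46 alice FILESRV-01 success
2017-05-10T09:00:01 carol WS-103 success
2017-05-10T02:19:03 alice FILESRV-01 success
"""


@dataclass(frozen=True)
class Logon:
    ts: str
    user: str
    host: str
    outcome: str

    @property
    def hour(self) -> int:
        # ISO timestamp: characters 11-12 are the hour.
        return int(self.ts[11:13])


def parse(log: str) -> list[Logon]:
    """Parse whitespace-separated logon lines into Logon records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host, outcome = line.split()
        events.append(Logon(ts, user, host, outcome))
    return events


def build_baseline(events: list[Logon]):
    """Per user: the set of hosts seen and the set of logon hours seen."""
    hosts: dict[str, set[str]] = defaultdict(set)
    hours: dict[str, set[int]] = defaultdict(set)
    for e in events:
        hosts[e.user].add(e.host)
        hours[e.user].add(e.hour)
    return hosts, hours


def stack(events: list[Logon], key):
    """Frequency stacking: count each key value, rarest first.

    Rare combinations are where a hunter looks first; common ones are
    almost always legitimate activity."""
    counts = Counter(key(e) for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], str(kv[0])))


def hunt(baseline_events: list[Logon], hunt_events: list[Logon]):
    """Flag hunt-window logons that deviate from the user's baseline."""
    hosts, hours = build_baseline(baseline_events)
    findings = []
    for e in hunt_events:
        reasons = []
        if e.host not in hosts.get(e.user, set()):
            reasons.append("new_host")
        if e.hour not in hours.get(e.user, set()):
            reasons.append("unusual_hour")
        if reasons:
            findings.append((e, tuple(reasons)))
    return findings


def to_detection_rules(findings):
    """Collapse confirmed findings into unique alerting rules (placeholder schema)."""
    rules = {}
    for e, reasons in findings:
        rules.setdefault((e.user, e.host), {
            "user": e.user, "host": e.host,
            "reasons": list(reasons), "action": "alert",
        })
    return list(rules.values())


if __name__ == "__main__":
    base, window = parse(BASELINE_LOG), parse(HUNT_LOG)
    print("rarest user/host pairs:", stack(base + window, lambda e: (e.user, e.host))[:3])
    found = hunt(base, window)
    for e, why in found:
        print("finding:", e.ts, e.user, e.host, why)
    print("rules:", to_detection_rules(found))
```

The two constructed logons from `FILESRV-01` at 02:17 and 02:19 are the only records that are both a new host and an unusual hour for `alice`, and the same pair also surfaces at the top of the stacked counts; the hunt then yields a single reusable rule, which is the "turn around and use it to improve automated detection" step Bianco describes. On real data the baseline window would be far longer and a sparse baseline produces noise, so a hunter validates findings before promoting them to rules.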