From the Deepwatch perspective, Threat Hunting is proactively searching for threats which have bypassed existing security controls and solutions. Threat Hunters, in the simplest terms, perform the manual searching and analysis required when Threat Hunting. Threat Hunting lends a human and intelligence-driven aspect to any security program.
While there are numerous ways Threat Hunting can improve security operations, there are three important benefits worth highlighting for those considering adding Threat Hunting to their security operations or looking to justify the expansion of their existing Threat Hunting functions.
Three Ways Threat Hunting Strengthens Cybersecurity
Proactive Threat Hunting can help improve security operations in three ways:
- Supplements Preventive and Detective Controls
- Improves Threat Detection Lifecycle
- Upgrades Overall Security
Supplements Preventive and Detective Controls
As much as organizations would like to believe their existing security controls and solutions are infallible, the fact is nothing is 100% effective in detecting and blocking every single threat. The rate of growth and change in the various tactics and techniques through which malicious actors manage to infiltrate and leverage a compromised environment is faster than any automated security solution can effectively prevent.
As a part of their role at Deepwatch, Threat Hunters 1) partner with Deepwatch Threat Intelligence to keep abreast of current and emerging threats, tools, and methodologies being utilized by nefarious hackers and 2) design hypothesis-based threat hunts around this intelligence. Threat Hunting can also be applied to certain phases of the Incident Response process, such as identification to understand scope, and lessons learned from an incident can be used to design future hunts.
Deepwatch Example: A recent example to best highlight this purpose of Threat Hunting is in relation to the Log4j vulnerability. When information related to Log4j hit the Cybersecurity industry, Deepwatch Threat Hunters immediately began hunting for any evidence of this vulnerability being leveraged for malicious purposes in our customers’ environments; these hunts were then turned into detections for any further related Log4j activity.
Improves Threat Detection Lifecycle
Often, the findings of a Threat Hunt result in the creation of new detection strategies and criteria for rules and alerts. The resulting outcomes of Threat Hunts can almost always be turned into an actionable item and fed back into the security program for further improvement. In addition to automated means, findings can also be used to enrich and add additional context to existing playbooks and procedures, accelerating and streamlining manual analysis and response.
Deepwatch Example: Multiple Threat Hunts, such as beacon detection through user agent strings, beacon detection through network traffic analysis, etc., have been conducted to improve detection of beaconing activity. As some of these hunts are then turned into new alerts, false positives originating from business appropriate applications and protocols, for example, are excluded from future detections; if automated exclusion is not possible, then indicators of false positives can be added to documentation for analyzing detections.
Evaluates and Upgrades Overall Security
An unfortunately common and overlooked issue in many security programs is a “set and forget” mentality when it comes to implementing and managing security devices and settings. Threat hunting can often bring to light misconfigurations, out-of-date practices, and other overlooked mistakes within an environment. Infiltrators and attackers often look for these simple oversights as “low-hanging fruit”, a low-effort and effective way to infiltrate and/or pivot in your environment. Logging gaps and other poor security hygiene are other operational issues that are often discovered through proactive hunting.
Deepwatch Example: In the process of conducting a hypothesis-based Threat Hunt, a Deepwatch Threat Hunter discovered a customer had a default firewall rule enabled which was allowing too much traffic through with little security consideration. Upon discovery, the customer was notified and corrected the rule. Had this misconfiguration not been discovered before a breach, an attacker would have had an easy way into the customer’s environment.
Interested in learning more about Threat Hunting available with Deepwatch’s award-winning Managed Detection and Response services? Contact Us to learn more about Deepwatch MDR.
About the Author:
Linnie Meehan serves as a Threat Hunter at Deepwatch. Her nearly decade-long time in Cybersecurity includes previous roles as a Cybersecurity Analyst and Threat Analyst from mid-size domestic companies to world-wide organizations. Linnie enjoys mentoring, attending cybersecurity conferences, working on projects with her nerd friends, and participating in various online cybersecurity communities. She also reads for fun and enjoys all things horror.