Becoming the Hunter

Whilst a lot of security investment is focused on prevention, how do we take the fight to our opponent, the attacker? Short of hacking back, there is a lot we can do proactively that makes a big impact on security.

A man with a rifle over his shoulder in silhouette at sunrise
The threat hunter prepares for another day

In this article I will touch on some of the activities you can take to be prepared and proactive. These include:

  1. Red Teaming and Purple Teaming

  2. Customisation and contextualisation of security - threat mapping

  3. Secure application development and vulnerability management

  4. Active threat hunting

Let's expand on one of the items above, threat hunting.

What is threat hunting?

Threat hunting is a form of active defence that seeks to minimise the time an attacker can spend in your environment before being found (the dwell time). In contrast to preventative controls such as firewalls and antivirus products, which aim to block threats they already know how to recognise, threat hunting is the process of actively searching for, and detecting, threats that already exist within the network and may be evading the existing security capabilities and solutions.

Who can / should hunt?

Anyone can hunt. Whether hunting submarines, wild animals or truffles, success usually depends on a number of considerations:

  1. Knowing the terrain (i.e. the business and technology environment)

  2. Understanding the target / threat (who / what is the adversary)

  3. Looking for spoor and other signs (e.g. indicators of compromise)

  4. Knowing what to do when you find your adversary (e.g. security incident response & digital forensics)

  5. Understanding when the process is complete and the environment is rendered safe once again (who can declare network, data or system integrity restored)

The question of whether you should hunt will usually come down to the availability of appropriately skilled resources.
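To make "looking for spoor" concrete, here is an added example (not code from the original article) of a small hypothesis-driven hunt run over process-creation telemetry. The telemetry, hostnames, users, hashes and indicator list are all constructed for the example. It runs three hunts over the same events: matching known indicators of compromise (a hash list and an encoded-PowerShell command-line pattern), testing the hypothesis "an Office application should never spawn a shell or script host", and stack counting parent/child process pairs so that pairs seen on only one host surface as leads. A host that shows up in more than one hunt is the one to triage first; a single rare pair (such as the backup script below) may well be benign, which is why stack counting produces leads rather than verdicts.

```python
"""Hypothesis-driven hunt over process-creation telemetry (constructed sample)."""
import json
import re
from collections import Counter, defaultdict

# Constructed sample telemetry, NOT real data: one JSON record per line, loosely
# shaped like endpoint process-creation events. Every value is invented.
SAMPLE_LOG = r"""
{"host":"ws01","user":"alice","parent":"explorer.exe","image":"cmd.exe","cmdline":"cmd.exe /c dir","sha256":"h-cmd"}
{"host":"ws02","user":"bob","parent":"explorer.exe","image":"cmd.exe","cmdline":"cmd.exe /c ipconfig","sha256":"h-cmd"}
{"host":"ws02","user":"bob","parent":"explorer.exe","image":"outlook.exe","cmdline":"outlook.exe","sha256":"h-outlook"}
{"host":"ws03","user":"carol","parent":"explorer.exe","image":"outlook.exe","cmdline":"outlook.exe","sha256":"h-outlook"}
{"host":"ws01","user":"alice","parent":"services.exe","image":"svchost.exe","cmdline":"svchost.exe -k netsvcs","sha256":"h-svchost"}
{"host":"ws02","user":"bob","parent":"services.exe","image":"svchost.exe","cmdline":"svchost.exe -k netsvcs","sha256":"h-svchost"}
{"host":"ws03","user":"carol","parent":"services.exe","image":"svchost.exe","cmdline":"svchost.exe -k netsvcs","sha256":"h-svchost"}
{"host":"ws07","user":"dave","parent":"winword.exe","image":"powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgA","sha256":"h-ps"}
{"host":"ws07","user":"dave","parent":"powershell.exe","image":"rundll32.exe","cmdline":"rundll32.exe C:\\Users\\dave\\AppData\\Local\\Temp\\upd.dll,Start","sha256":"h-bad-1"}
{"host":"ws05","user":"erin","parent":"explorer.exe","image":"powershell.exe","cmdline":"powershell.exe -File C:\\scripts\\backup.ps1","sha256":"h-ps"}
"""

# Constructed indicators of compromise: a hash list and a command-line pattern.
IOC_HASHES = {"h-bad-1"}
# PowerShell accepts -enc / -EncodedCommand (and shorter prefixes) for a
# base64-encoded script; an encoded command launched hidden is classic spoor.
ENCODED_PS = re.compile(r"-e(?:nc(?:odedcommand)?)?\b", re.IGNORECASE)

# Hypothesis: Office applications should never spawn a shell or script host.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_iocs(events):
    """Hunt 1: match known indicators (hash list, encoded PowerShell)."""
    findings = []
    for ev in events:
        if ev["sha256"] in IOC_HASHES:
            findings.append(("ioc_hash", ev["host"], ev["image"]))
        if ENCODED_PS.search(ev["cmdline"]):
            findings.append(("encoded_powershell", ev["host"], ev["image"]))
    return findings


def hunt_office_spawn(events):
    """Hunt 2: test the hypothesis that Office never spawns a shell."""
    return [("office_spawns_shell", ev["host"], f'{ev["parent"]} -> {ev["image"]}')
            for ev in events
            if ev["parent"].lower() in OFFICE and ev["image"].lower() in SHELLS]


def hunt_rare_pairs(events, max_hosts=1):
    """Hunt 3: stack counting. Parent/child pairs seen on at most max_hosts
    hosts are leads; common pairs across the fleet are assumed normal."""
    hosts_by_pair = defaultdict(set)
    for ev in events:
        hosts_by_pair[(ev["parent"].lower(), ev["image"].lower())].add(ev["host"])
    rare = []
    for (parent, image), hosts in hosts_by_pair.items():
        if len(hosts) <= max_hosts:
            rare.extend(("rare_pair", h, f"{parent} -> {image}") for h in sorted(hosts))
    return rare


def run_hunts(text):
    """Run all hunts and roll findings up per host for triage ordering."""
    events = parse_events(text)
    findings = hunt_iocs(events) + hunt_office_spawn(events) + hunt_rare_pairs(events)
    per_host = Counter(host for _, host, _ in findings)
    return findings, per_host


if __name__ == "__main__":
    findings, per_host = run_hunts(SAMPLE_LOG)
    for host, count in per_host.most_common():
        print(f"{host}: {count} finding(s)")
        for hunt, h, detail in findings:
            if h == host:
                print(f"    [{hunt}] {detail}")
```

Run against the sample, ws07 collects five findings across all three hunts (a known-bad hash, an encoded hidden PowerShell launch, Word spawning PowerShell, and two parent/child pairs seen nowhere else), while ws05 collects a single rare pair that an analyst would quickly close as a scheduled backup. Against real telemetry the same structure holds: indicators catch what is already known, hypotheses catch what is expected to be abnormal, and stack counting surfaces what is merely unusual and needs a human decision.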

Colourful Job ad cards showing Script Writer, Pastry Chef and others
Cybersecurity recruitment may soon turn to alternative skills

What threats should be hunted?

In order to understand what threats should be hunted, threat hunters must understand the credible threats and threat actors, the critical business objectives and assets, and the existing security and other controls in place.

A man (shirtless) is attacked by a vampire
The valiant threat hunter succumbs to an advanced persistent threat

Even if the organisation is not an obvious target, it may be a critical part of a supply chain for others. So in considering threats TO the organisation, consideration should also be given to threats FROM the organisation.

It should be noted that threats can, and do, evolve. One basic malware infection can become a network compromise, a ransom attack and ultimately a data breach.

As compromises often remain undetected for many months, consideration should also be given to how frequently hunting activities are run.

How does threat hunting work?

One of my past articles outlines some of the processes involved. A high level overview of the process is below.

Threat Hunting Process Overview
Threat Hunting Process

Do I need a dedicated threat hunting capability?

The question as to whether a dedicated threat hunting capability should be in place usually comes down to capability, capacity and cost.

Aerial photo of armed soldiers preparing to deploy
The threat hunters prepare for a nation state threat actor

Maintaining the skills and tools to perform threat hunting effectively, without impacting day-to-day security operations, typically requires a large security team. With overwhelmingly strong industry competition, attracting and retaining security talent has become increasingly challenging.

Having a wide variety of options to choose from, security practitioners are being constantly tempted to take on more lucrative and sexier roles.

This represents both a risk and an opportunity. For organisations with a mature security capability, backfilling and training less experienced talent, and up-skilling key internal resources, can provide a more interesting and dynamic role for the experienced security expert.

This does, however, come at a cost, and many organisations still:

  1. do not understand (or see the immediate value) in threat hunting

  2. do not understand (or cannot adequately quantify) the risks that threat hunting helps to mitigate

  3. have other, more immediate operational security imperatives and are still operating in a reactive mode

  4. leverage external services to obtain threat hunting on a periodic basis

If you would like to discuss how we can assist you to hunt threats within your environment get in touch.

Author: Clinton Smith
