Threat hunting 101: Security experts weigh merits of automating an evolving field

Dive Brief:

While threat hunting and threat detection remain fundamentally different, they are connected in their ability to thwart cyber adversaries. When an organization is threat hunting, it is effectively asking "are we compromised in a way our current detection systems are not detecting?" said Heather Adkins, director of Information Security and Privacy at Google, speaking at RSA Conference in San Francisco Tuesday
Deciding how a company hunts is still a contentious subject. Adkins sees threat hunting evolving to complete automation so research can constantly ascertain threats as opposed to manual hunting, which was proposed by Dmitri Alperovitch, co-founder and CTO of CrowdStrike, speaking on the same panel. But because threat hunting is often viewed as the last line of defense, Adkins argues that automation is needed to look for things that a human isn't going to find.
Threat hunting differences aside, security experts agree that professional threat hunters should be naturally curious and have interest in "having a hand-to-hand combat with the adversary," said Alperovitch. But retaining such talent is hard due to burn out, the emotional toll of the role and the potential of not exercising skills during less contentious times.

Dive Insight:

"Ideally, my job should not exist," said Adkins. But when cyberthreats are more present than ever with cyberattacks from nation state actors, cybersecurity professionals are in it for the long haul.

The first step in threat hunting is compiling data in a place that you can "interrogate" it, Adkins said. Then experts can go out into the data "forest" without clear direction of where the threat lies or what it looks like, but continue to explore in an effort to find the "animal you're hunting," said Alperovitch.

Threat detection is having the ability to detect and stalk where lateral movement is and deciding the best method of execution. Most of the time, a threat hunter just needs one trace of unusual activity to "unravel" an entire intrusion, according to the panel.

"A bear is a bear" no matter what "forest" or network they are intruding in, according to Alperovitch. The best leads to take while hunting for those bears include looking for reconnaissance tools, a creation of new Windows Services or an upload of new kernel drivers and an execution of processes from a USB.

Those new to threat hunting should be able to uncover intrusions within six months of initiating hunting efforts because it is almost never a question of what isn't there; instead, it's a question of why threats can't be seen.

This is because hackers tend to rely on old tricks to launch new campaigns. For example, it very common for hackers to use the same HTTPs. But within attacks, hackers typically don't use well-known tools, which then helps narrow the search in the accumulated data. This will in turn make detections have "high fidelity," said Alperovitch.

Those that threat hunt have to be able to ask the collected data set very targeted questions, and an organization cannot afford time lost between those interrogations, which is why automation is key in threat hunting. While cybersecurity will be one of the last fields to ever accomplish complete automation, "we can't audit on scale with just humans," said Adkins.