Threat Hunting - A Critical Component of High Performing SOCs
Whether your cybersecurity detection and response capabilities are in-house or managed through a partner, a prioritized approach to threat hunting is a key indicator of your security program’s maturity and effectiveness.
What is threat hunting? At Recon, we define it as “a concerted effort to identify attackers that bypassed our initial detection efforts.” In other words, we assume our existing detections have failed and the Bad Guy is already in the environment. This mindset motivates us to proactively and aggressively seek out the threats we may have missed.
There are many great ways to threat hunt, and our approach is one of many. We will detail exactly what threat hunting looks like for us in another post. For now, understand that we’ve formalized threat hunting as distinct 1-2 week sprints that all our analysts participate in. Each sprint starts with selecting a well-reasoned hypothesis about a threat or malicious tactic we may have missed. We then identify, collect, and analyze the evidence needed to prove or disprove that hypothesis. At the end, we handle any incidents, collect lessons learned, and incorporate new detection packages into our daily operations.
Let’s explore why a proactive approach to threat hunting is an essential element of a high performing cybersecurity team.
Demonstrate efficiency and focus
Without deliberate efforts to manage time and efficiency, a SOC can easily find itself overwhelmed. Challenges like a lack of analyst capacity, overwhelming alert volume, nagging false positives, an increased incident case load, or just a pile of distracting work can plague even the most well-seasoned SOC team.
Threat hunting takes up valuable time. You can’t get around it. As a human-driven activity, threat hunting cannot be automated or optimized away. But it’s also core to the SOC’s mission of stopping threats. It shouldn’t be optional or a “nice to have.” A SOC that isn’t threat hunting in some form has likely lost its way, distracted or overwhelmed by something that isn’t pushing them to keep pace with their adversary.
Shrink dwell time
The length of time an attacker persists within an environment before being discovered, called dwell time, is a key measurement of a SOC’s effectiveness. According to the latest M-Trends Report, median dwell time for non-ransomware incidents is about 45 days globally. About 40% of these incidents are detected after 90 days or more. Further, roughly 40% of incidents are discovered by a third party rather than someone inside the organization. As an example, the 2020 SolarWinds incident went undetected for 465 days and was only unearthed when their compromised product was found to be the root cause of a breach at FireEye.
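To make the dwell-time figures above measurable for your own SOC, the following added example (not from Recon or the M-Trends Report) computes the same three statistics from a constructed set of incident records: median dwell time for non-ransomware incidents, the share discovered after 90 days or more, and the share found by a third party. The `Incident` record and the sample dates are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Incident:
    """One closed incident; dates are the earliest confirmed attacker activity and the discovery date."""
    name: str
    first_evidence: date
    detected: date
    detected_by: str          # "internal" (the SOC found it) or "third_party"
    ransomware: bool = False  # ransomware cases are reported separately in M-Trends, so we exclude them

    @property
    def dwell_days(self) -> int:
        # Dwell time: days between first attacker activity and discovery.
        return (self.detected - self.first_evidence).days


def dwell_metrics(incidents, threshold_days: int = 90) -> dict:
    """Summarise dwell time the way the report figures quoted in the text are framed."""
    non_ransom = [i for i in incidents if not i.ransomware]
    if not non_ransom:
        raise ValueError("no non-ransomware incidents to measure")
    dwell = [i.dwell_days for i in non_ransom]
    return {
        "count": len(non_ransom),
        "median_dwell_days": median(dwell),
        # fraction detected only after `threshold_days` or more had passed
        "share_over_threshold": sum(d >= threshold_days for d in dwell) / len(dwell),
        # fraction the organisation learned about from outside
        "share_third_party": sum(i.detected_by == "third_party" for i in non_ransom) / len(non_ransom),
        "max_dwell_days": max(dwell),
    }


# Constructed sample data (hypothetical incidents, not real cases).
SAMPLE_INCIDENTS = [
    Incident("INC-001", date(2023, 1, 10), date(2023, 2, 24), "internal"),
    Incident("INC-002", date(2023, 3, 1), date(2023, 3, 8), "internal"),
    Incident("INC-003", date(2023, 2, 15), date(2023, 6, 20), "third_party"),
    Incident("INC-004", date(2023, 5, 1), date(2023, 8, 29), "third_party"),
    Incident("INC-005", date(2023, 7, 1), date(2023, 7, 3), "internal", ransomware=True),
]


if __name__ == "__main__":
    for key, value in dwell_metrics(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

Tracking these numbers per quarter gives a hunting program a concrete target: every hunt that finds an intruder before a customer or partner does pulls the third-party share and the median down.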
These numbers represent opportunity for an organization that is committed to threat hunting. It adds fuel to the assumption that a threat has slipped by undetected. The evidence is out there somewhere, it’s just a matter of finding it.
Improve daily operations
Every one of our threat hunts has two goals: 1) find the Bad Guy, and 2) improve our day-to-day detection and response capabilities. While a lot of variables go into the first goal, the second is absolutely in our control. Failure to turn our threat hunts into tangible improvements to our continuous monitoring program wastes 90% of the effort.
Throughout our hunts we are developing new detections, parsing new evidence sources, and experimenting with new techniques. We’re also learning more about our customers, their environments, and the threats they face. This work is hard and pushes us forward to new ground, our “cutting edge.” But we surrender that hard-earned ground if we don’t take steps to operationalize the results. While threat hunting is manual and cannot be automated, the resulting collection of scripts, queries, signatures, dashboards, logs, and other artifacts can and should be fed back into daily operations.
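The sprint lifecycle described earlier (hypothesis, evidence, analysis, findings) and the operationalizing step in this paragraph are shown end to end in the following added example. It is not Recon’s tooling; the log format, the `HuntSprint` structure, the hypothesis about an account used from many source addresses, and the sample log lines are all constructed for illustration. The point it demonstrates is that the analytic written during the hunt is the same function that ships in the detection package afterwards.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample evidence (hypothetical logon records, not real logs).
SAMPLE_AUTH_LOG = """\
2024-03-04T08:02:11Z host=ws-101 user=alice result=success src=10.0.5.20
2024-03-04T08:15:42Z host=ws-102 user=bob result=success src=10.0.5.21
2024-03-04T09:01:03Z host=ws-101 user=alice result=success src=10.0.5.20
2024-03-04T11:44:59Z host=srv-db1 user=svc_backup result=success src=10.0.9.8
2024-03-04T23:10:17Z host=srv-db1 user=svc_backup result=success src=10.0.7.33
2024-03-04T23:12:40Z host=srv-fs2 user=svc_backup result=success src=10.0.7.34
2024-03-04T23:15:02Z host=srv-web3 user=svc_backup result=success src=10.0.7.35
2024-03-04T23:20:55Z host=ws-102 user=bob result=failure src=10.0.5.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text: str) -> list:
    """Step 2 of the sprint: turn the raw evidence source into records we can query."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # evidence sources are messy; skip lines the parser does not understand
        records.append(m.groupdict())
    return records


def distinct_source_analytic(records: list, threshold: int = 3) -> list:
    """Step 3: the analytic that tests the hypothesis.

    Flags accounts with successful logons from `threshold` or more distinct source addresses.
    """
    sources = defaultdict(set)
    for r in records:
        if r["result"] == "success":
            sources[r["user"]].add(r["src"])
    return [
        {"user": user, "distinct_sources": sorted(srcs)}
        for user, srcs in sorted(sources.items())
        if len(srcs) >= threshold
    ]


@dataclass
class HuntSprint:
    """Step 1: a sprint is a hypothesis, the evidence needed to test it, and the analytic."""
    hypothesis: str
    evidence_source: str
    analytic: Callable
    lessons_learned: list = field(default_factory=list)


def run_sprint(sprint: HuntSprint, raw_evidence: str) -> dict:
    """Run the analytic over the collected evidence and return the findings."""
    records = parse_auth_log(raw_evidence)
    return {
        "hypothesis": sprint.hypothesis,
        "records_reviewed": len(records),
        "findings": sprint.analytic(records),
    }


def to_detection_package(sprint: HuntSprint, name: str, severity: str = "medium") -> dict:
    """Step 4: package the hunt analytic so the daily monitoring pipeline can load and run it."""
    return {
        "name": name,
        "hypothesis": sprint.hypothesis,
        "evidence_source": sprint.evidence_source,
        "severity": severity,
        "evaluate": sprint.analytic,  # the very function written during the hunt
        "lessons_learned": list(sprint.lessons_learned),
    }


SAMPLE_SPRINT = HuntSprint(
    hypothesis="A valid account is being used from more source addresses than its job requires",
    evidence_source="authentication log (constructed sample)",
    analytic=distinct_source_analytic,
    lessons_learned=["service accounts need a per-account baseline before alerting"],
)

if __name__ == "__main__":
    result = run_sprint(SAMPLE_SPRINT, SAMPLE_AUTH_LOG)
    print(result)
    package = to_detection_package(SAMPLE_SPRINT, "hunt-2024-03-distinct-sources")
    print(package["name"], package["severity"], package["lessons_learned"])
```

The `lessons_learned` list is the piece most often dropped: recording why the threshold was chosen, and what produced false positives during the hunt, is what lets the next analyst tune the packaged detection instead of rediscovering it.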
Threat hunting gets to the heart of a SOC’s purpose to find and stop threats. A mature SOC recognizes that their defenses are not perfect and threats will get through. This assumption drives the SOC to continuously improve in order to keep pace with their adversary. A SOC that isn’t focused on their threats and shrinking attackers’ dwell times has likely lost its way.