Threat Hunting: Fad or Essential Cyber Security Tactic?

Threat hunting has suddenly become a hot topic with recent articles in CSO and Dark Reading talking about it becoming a new trend, or as CSO suggests a fad. Truth is it’s a lot more than a fad - it can be your best chance of spotting and stopping a hidden attack before it causes catastrophic damage.

The history of threat hunting

Let’s take a step back and look at the basics of threat hunting for those who may be new to the concept. Dark Reading did a nice job of summing it up in an article entitled “'Threat Hunting' On The Rise”:

“Rather than simply waiting for the inevitable data breach to happen, many organizations say they have begun more actively scouting around for and chasing down bad actors and malicious activity on their networks.

Unlike the usual security approaches, threat hunting -- as some of the industry have taken to calling the trend -- combines the use of threat intelligence, analytics, and security tools with old-fashioned human smarts.”

In fact, in response to the constant stream of new breaches, many in the security industry argue organizations should operate under the assumption that their respective networks will be penetrated, if they aren’t already.

The concept of threat hunting may be new to the enterprise space, however the U.S. Department of Defense adopted this premise several years ago. In response they created hunt teams, which, at a basic level consisted of trained incident responders and analysts who proactively and iteratively search critical networks and/or historical log data for signs of a missed compromise.

While the DoD has long been reaping the rewards of threat hunting, enterprises are just starting to recognize the value. A recent SANS survey showed that 86% of organizations surveyed are interested in hunting, however more than 40% do not have a formal threat hunting program in place.

Hunting without an expert

Why such as large gap in enterprise adoption? In their respective articles, both CSO and Dark Reading suggest that threat hunting is still a very manual process and requires a great deal of expertise. While threat hunting has been marketed by some as a very intense process requiring high skill sets and detail oriented forensic analysts. This is simply due to a lack of automation and solutions tailored to the activity. An automated hunt workflow can multiply the effectiveness of an analyst by orders of magnitude, allowing a small team to cover an entire enterprise network with hundreds of thousands of nodes. Additionally, integrating existing detection and analysis technologies like threat intelligence databases and malware sandboxes will be beneficial.

Infocyte HUNT is specifically designed for this purpose. The technology was developed by former US Air Force cybersecurity officers who spent years hunting adversaries within some of the largest and most targeted defense networks in the world. This deep domain expertise was used to develop an automated process for threat hunting.

Infocyte HUNT makes it easy for a network operator or security team to hunt for threats on their own - no PhD or specialized knowledge is required. The Infocyte HUNT agentless solution scans network endpoints to detect the post-intrusion activity, active or dormant, of attackers who have successfully evaded an organization’s real-time defenses and established a beachhead within the network. Dynamic threat scoring is used to flag the severity of an identified issue so users can take immediate action when a compromise is found. It reduces the breach detection gap - the time that exists between infection and discovery - denying attackers the ability to persist, restoring trust in a network’s health.

So Fad or Essential Cyber Security Tactic?

If you still think this is a just a trend, here’s some numbers for you to consider. The SANS survey also revealed that: 

“52% who have implemented threat-hunting programs have found previously undetected threats, 74% have reduced attack surfaces, and 59% enhanced speed and accuracy of response by using threat hunting.”

With numbers like that, it’s clear that threat hunting is here to stay and should be considered an essential tool for any company serious about stepping up their security posture. To learn more about the advantages of automated threat hunting read our white paper The Breach Detection Gap and Strategies to Close It.

Kurt Mueffelmann

Kurt A. Mueffelmann is President and Chief Operating Officer (COO) of Infocyte and is responsible for defining the company's overall growth strategy.