Is threat hunting a waste of time?
It can be unless you incorporate these strategies
Many organizations are adopting regular cybersecurity threat hunting exercises as part of routine SOC operations. However, odds are that your threat hunting exercises aren’t very productive. The main reasons most threat hunting exercises are ineffectual range from the complexity of the threat landscape to lack of analytical/statistical knowledge in dealing with big data applications to competing demands on the cybersecurity team’s time. And no, that latest SIEM or EDR module with AI-enabled features can’t address all the above limitations—at least not yet.
If this resonates, then consider adopting these strategies to improve both threat detection rates and the time your team spends hunting, while preserving your team’s morale.
1. Use a baseline instead of a hypothesis:
Cybersecurity professionals assume breach and form a hypothesis about it to conduct their threat hunting exercises. These hypotheses are often based on threat models like MITRE ATT&CK or threat sharing platforms like MISP. This approach is very difficult to execute and scale because of innumerable combinations and permutations given the sheer number of known attacker tactics and techniques.
A more effective practice is to use MITRE ATT&CK as a baseline to identify gaps in detection coverage of your cybersecurity tools. For example, you’ll have far more success with much less effort identifying attacks by properly configuring detection rules in your host intrusion detection system (HIDS) product instead of custom developing cyber analytics and detection rules. Better detection coverage reduces blind spots, and this will pay tremendous dividends during threat hunting exercises.
2. Use attack simulation software:
Detecting cybersecurity attacks successfully is a numbers game, so you need to rely on extensive automation. Most threat hunters focus on narrow paths of inquiry, often writing numerous search queries to no avail. Turn this approach on its head. Use automated attack simulation software to simultaneously stress test your detections and defenses at scale, which is an infinitely more efficient way to discover the “unknown-unknowns”.
There are many commercial and open source attack simulation tools that can run probabilistic attack scenarios, which makes them highly effective at mimicking real-world attacks. Results of attack simulations enable threat hunters to reduce the stack of possibilities to a more manageable number of scenarios that are then prioritized for further inquiry. This practice dramatically increases your threat hunting success ratio by reducing the denominator, the number of attack avenues you need to investigate.
3. Don’t develop cybersecurity analytics:
Instead of developing custom queries and security analytics, use commercial or community-developed cybersecurity analytics that you can rapidly integrate and consume in your detection tools such as EDR or SIEM. To save even more time and effort, favor cybersecurity analytics written in Sigma, which cybersecurity tools can consume automatically. For instance, SOC Prime offers both open source and commercial options based on Sigma that you can use to home in on what’s relevant in your environment. This practice significantly increases your threat hunting success ratio by increasing the numerator, the number of attacks you’re able to detect, while reducing time and effort.
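To make strategies 1 and 3 concrete, here is an added example (not code from the post or from any vendor) that evaluates a small subset of Sigma rule logic (field selections with the `contains` and `endswith` modifiers, and `and`/`or`/`not` conditions) over a few constructed process-creation events, and then reports which techniques in a hypothetical ATT&CK baseline no rule in the feed is tagged for. The rule, its `attack.*` tags, the event fields and the file paths are all constructed for illustration.

```python
# Added example (not from the post): subset-of-Sigma evaluator plus ATT&CK coverage check; all rules/events constructed.
def _match(value, pattern, modifier):
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()  # Sigma string matching is case-insensitive
    return p in v if modifier == "contains" else v.endswith(p) if modifier == "endswith" else v == p

def _selection(sel, event):
    # Fields in one selection map are ANDed; a list of values for a field is ORed.
    for key, pats in sel.items():
        field, _, modifier = key.partition("|")
        pats = pats if isinstance(pats, list) else [pats]
        if not any(_match(event.get(field), p, modifier) for p in pats):
            return False
    return True

def rule_matches(rule, event):
    # Handles conditions such as "sel", "sel and not filter", "a or b".
    det = rule["detection"]
    hits = {k: _selection(v, event) for k, v in det.items() if k != "condition"}
    tok = det["condition"].split()
    result, i = hits[tok[0]], 1
    while i < len(tok):
        neg = tok[i + 1] == "not"
        operand = hits[tok[i + 2 if neg else i + 1]] ^ neg
        result = (result and operand) if tok[i] == "and" else (result or operand)
        i += 3 if neg else 2
    return result

def coverage_gaps(rules, baseline):
    # Baseline ATT&CK technique tags that no rule in the feed is tagged with.
    covered = {t for r in rules for t in r.get("tags", []) if t.startswith("attack.t")}
    return sorted(t for t in baseline if t not in covered)

RULES = [{  # constructed Sigma-shaped rule: encoded PowerShell, excluding a known patch agent
    "title": "Encoded PowerShell command line",
    "tags": ["attack.execution", "attack.t1059.001"],
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-enc ", "-encodedcommand "]},
        "filter": {"ParentImage|endswith": "\\patch_agent.exe"},
        "condition": "selection and not filter"}}]
BASELINE = ["attack.t1059.001", "attack.t1053.005", "attack.t1003.001"]
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [  # constructed process-creation events (hypothetical paths)
    {"Image": PS, "CommandLine": "powershell.exe -NoP -Enc SQBFAFgA", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": PS, "CommandLine": "powershell.exe -Enc SQBFAFgA", "ParentImage": "C:\\Tools\\patch_agent.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}]
def alerts(rules=RULES, events=EVENTS):
    return [(i, r["title"]) for i, e in enumerate(events) for r in rules if rule_matches(r, e)]
```

Only the first event alerts: the second is suppressed by the rule's filter and the third never matches the selection, while the coverage check shows two baseline techniques with no rule at all, which is where detection engineering effort should go before any hunt.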
4. Use an interactive cyber investigation environment:
Even after successfully adopting the previous strategies, you may still need to create custom cyber queries and analytics that require integration with external data sources, advanced data processing, visualization, or machine learning. Most SIEM platforms provide built-in investigation tools, but you should augment them with Jupyter notebooks. This requires upfront training and time, but it’ll make your threat hunting team significantly more effective in the long term. Look for a series of blog posts in the near future on how to use Jupyter for security operations.
In closing, consider these three questions to improve threat hunting in your organization:
- Have you got a clear understanding of how to baseline and configure the detection capabilities of all your cybersecurity products?
- Are you effectively analyzing all the default security analytics available in your SIEM and/or EDR products before custom developing new ones?
- Does your team have the necessary skills and ongoing training to conduct effective threat hunting?