Top five threat hunting myths

By Rick McElroy, Head Security Strategist, Carbon Black

The cybersecurity landscape is in a constant state of change and, as many organisations have learned, it’s no longer a matter of an organisation will face a cyber attack, but when.

Attackers intentionally look normal to evade automated defences. With the rise of ransomware and fileless attacks, it's harder than ever to protect endpoints with confidence. And attacks are a huge drain on company resources

This means you’re spending almost a full year dealing with a single attack.

To prevent this, threat hunting has emerged as an essential process for organisations to pre-empt destructive attacks. This process is a proactive approach to cybersecurity that identifies gaps in defences and stops attacks before they go too deep.

The people defending an organisation should be the best chance at staying a step ahead of adversaries. While it may seem aggressive to work on the ‘assumption of breach’ — that attackers are already inside an organisation’s network and are covertly monitoring and moving throughout it — the reality is that attackers may be inside a network for days, weeks and even months on end, preparing and executing attacks, without any automated defence detecting their presence.

Threat hunting stops these attacks by seeking out covert indicators of compromise (IOCs) so attacks can be mitigated before the adversary can achieve their objectives.

The bottom line is:  The adversary is hunting for your security gaps...why aren’t you?

Myth #1 – EDR is threat hunting

Absolutely not. Endpoint detection and response (EDR) is a technology piece of the security puzzle. It automates endpoint data collection, and looks for abnormalities or malicious activity, empowering responders to react as quickly as possible.

EDR technology enables threat hunting, but the latter is fuelled by people, not automated by a platform or solution. While the data collected by an EDR solution is often indispensable to a hunter, the actual process is a continuous, proactive one in which humans search through their environment for gaps and threats.

Threat hunting is not simply installing tools and waiting for alerts, it’s humans finding evil with the help of technology and data to be able to analyse activity and artefacts. It’s not man or machine, but man and machine together that create threat hunting.

43 percent of security professionals say they have threat hunting capabilities today, which indicates that more and more organisations are beginning to realise its value (35 percent up from 2017). A security expert’s goal should be to assemble a dynamic team that advanced tools can support but never fully replace.

The hunters can use automation to help increase the effectiveness and scale of the hunt, but threat hunting is meant to go beyond what any machine can do by itself.

Myth #2  -  ‘Threat hunting is too complicated’

Not necessarily. The reality is, people have been hunting for malicious computer activity for as long as computers have existed. IT professionals troubleshoot all the time, constantly detecting and looking into odd behaviour.

For example, if CPU usage on an endpoint is noticed running at 100 percent, you’d probably want to investigate. Threat hunters are simply looking at this from a security perspective. Any who think they or their team lack the skills for this, should think again. The core skills needed to hunt effectively are baseline information security skills like operating systems and networking. 

Any given IT pro is probably already hunting, just without a formal process or technology to make it easier. The only difference between their current security and ‘threat hunting’ is putting together a program with metrics for measurable success. Those using a security platform built for threat hunting, benefit from the reduced complexity attributable to automated data collection. This minimises time-intensive incident response that forces most organisations to be reactive when an incident inevitably occurs.  

It’s also important to understand that threat hunting is something that matures over time.  No need to start out as an expert or boil the ocean to threat hunt, you just need to measure success and improve continuously.

Remember, a team has the home-field advantage against the attacker. They know you’re their environment best and are well-positioned to find gaps. Odds are that any team actively searching for these gaps will find them long before an adversary does.

Myth #3 – ‘Threat hunting isn’t worth my time’

Anyone who thinks threat hunting is just about finding malicious activity should think again.

Consider this: When you’re threat hunting, it’s entirely possible that you won’t find evil all the time. But what you will find more often than not are opportunities to improve your security program.

Through investigation, you may find you’re lacking critical data or access you would need in the event of an attack. You might also find gaps in your prevention that need fine-tuning to keep your environment in order. During the hunt, check and tweak security as needed to provide the best protection possible — before you need it. You don’t want the first time you find these gaps to be during a breach, because likely you won’t be able to close them quickly enough.

According to SANS research, organisations of all threat hunting maturity levels can experience measurable improvement in the security of their organisations through the process. 91percent of security professionals cited improvements in the speed and accuracy of response as a result of threat hunting.

These companies also saw major reductions in attack surface exposure, dwell time, time to containment and number of actual breaches. Threat hunting also cuts down the time it takes to uncover threats from months to hours, making those who do it much less likely to experience a real breach.

Read more: ​There are no hackers - there are only spies

Additionally, if an organisation’s data lives in silos, it takes effort to piece things together — resulting in a drain in productivity. This is why a solution that combines endpoint security with threat hunting is ideal. By using a single console, single platform and a single dataset, all endpoint security activities become easier. Working from a single source of truth cuts down the time and effort it takes both to hunt for threats and to remediate them.

Myth #4  -  ‘Threat hunting is too expensive’

If you do need to respond to an incident, the fact that you’ve been threat hunting — and have already collected and centralised all the endpoint activity data in your environment — will significantly reduce the time and money you spend responding and remediating.

Additionally, many compliance requirements make it necessary to prove continuous monitoring of an environment, and the fines for not doing so can be massive. A continuously monitored environment also provides a clearer picture of the tools in use, so organisations can assess costs and make more informed decisions about the technology. The truth is that the benefits of being proactive far outweigh any costs.

But what about the additional staff required to hunt?  The majority of security professionals already possess the core skills they need to hunt, and are probably already hunting. The most skilled hunters are homegrown, not hired. In fact, knowing the ins and outs of your environment delivers a huge boost over the adversary.

It can actually be less beneficial to hire someone new who isn’t familiar with your environment or corporate governance policies and expect them to be able to predict an attacker’s next move.

Myth 05  - ‘Threat hunting is jut a fad’

Not really. Hunting for threats/gaps in security technology has always been important, even if it wasn’t labelled ‘threat hunting.’ We’ve always found new ways to outsmart the adversary and keep our systems secure. Threat hunting programs  are simply a way to measure how effective you are at doing this. It’s nothing new — proactivity has always been a  strong approach.

Traditionally, it was hard to collect the right data, or use the right tools, to investigate before, during and after an attack. But now, with the development of advanced technology — like the cloud — we can. Today, threat hunting has become much easier because of the granularity of visibility that is available.

These improvements are like the invention of the light bulb, places that were hidden before become illuminated and can be quickly addressed. As threats evolve, so does the technology that combats them, and so should your security processes. The industry reflects this. In the next 24 months, 65 percent of SOCs expect increased investment in tools relating to threat hunting.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags cyber attacksCarbon Blackthreat huntingcybersecurity

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Rick McElroy

Latest Videos

More videos

Blog Posts