Top 3 Requirements for Threat Hunting


With the SANS Threat Hunting Summit just days away, and adversary hunting gaining visibility across the industry, hunt is one of those terms that is frequently mentioned but not well-understood. What does hunting mean? What does it take to be a hunter — defeating the most sophisticated adversaries — in a rapidly evolving threatscape?

We’ve outlined three requirements for adversary hunting below. But first, why should organizations hunt?


Why Hunt?

Today, organizations take more than 146 days to discover breaches, and the majority of those breaches are discovered not by the company itself but by external organizations. Adversaries are more sophisticated in their attacks, and the traditional security stack, dependent on short-lived indicators of compromise, is not enough to tackle these modern threats. The volume and complexity of data has also led to alert fatigue and a data deluge (including too many false positives) that overwhelms security teams with limited time and resources. To address these challenges, targeted adversary hunting enables organizations to proactively detect and stop attackers without relying on known indicators of compromise, before damage and loss of information occur.


Top 3 Threat Hunting Requirements


1. Evade the Adversary

Today’s adversaries look for known defensive tools, tampering with and disabling them to gain access to critical systems. They are able to persist and move throughout networks freely until they find what they are looking for. To defend against them, organizations similarly must create adversary blind spots and evade detection to gain full visibility of both their networks and the adversary. By replicating adversaries’ techniques, organizations gain much greater insight into adversarial tactics, informing both detection and prevention.


2. Cover all Stages of the Kill Chain

Given the sophistication of adversaries, no single detection methodology is foolproof for hunting. However, adversary hunting remains too manual, with clunky interfaces and more data than anyone could reasonably handle. Key capabilities are often distributed across multiple interfaces, preventing synchronization and data integration and leaving gaps in kill chain coverage. Given the scale of the data and the sophistication of the threats, multiple methods are required within a single interface to empower the hunt mission across all stages of the kill chain. This includes automating large-scale malware classification, as well as preventing whole classes of exploits and techniques (such as lateral movement) instead of taking a reactive whack-a-mole approach, coupled with an intuitive interface that expedites data exploration and prioritization.


3. Evict without Business Disruption

Organizations must keep operations running smoothly, and don’t have time for detection and prevention approaches that slow down, or even worse disrupt, their business operations. Simultaneously, adversary hunters must have the ability to respond and protect networks — observing, containing, or evicting an adversary from the network. A majority of security solutions today either interrupt business processes or require companies to completely shut down processes, which puts them at risk and impacts their bottom line. To ensure continuity of operations while adversary hunting, the hunt team must be able to discreetly isolate the malicious activity and surgically remove it while normal business operations continue.

These are a few essential requirements for organizations to consider when hunting in their networks. To learn more about Endgame’s hunt approach, come meet us at the SANS Threat Hunting Summit next week or see our latest point of view here.