Threat hunting, an often misunderstood but powerful security practice, is gaining traction, as more organizations reap benefits from it and get better at it. However, there is still a lot of room for adoption to increase and for practices to improve.
Those were key findings from the SANS Institute’s 2018 threat hunting study, which experts from SANS, Qualys and other companies discussed recently in the two-part webcast “Threat Hunting Is a Process, Not a Thing.”
“Over the past two to three years, threat hunting has been moving from a ‘What is it?’ discussion into a more formal mentality of: ‘This is what it is. Am I doing it right?’,” said Rob Lee, a SANS instructor. “But we’re still in a transition.”
For starters, there’s still considerable confusion about what threat hunting is. It is common, for example, to equate it with reactive practices such as incident response. Threat hunting, however, is by definition proactive: it assumes that the organization’s preventive defenses have already been bypassed and the IT environment breached, without any alert having been triggered.
Using threat intelligence analysis and other tactics, hunters formulate and act on a hypothesis about where the intruders are likely to be lurking in silence while pursuing their nefarious goals.
SANS defines threat hunting as a focused and iterative approach to searching out, identifying and understanding adversaries who have entered the defender’s networks. Its hypothesis-driven approach, SANS says, validates data collection, detection and analysis ahead of an incident.
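To make the “hypothesis-driven” part concrete, here is an added example of a small hunt, written for this post and not taken from the webcast, SANS or Qualys. The hypothesis it tests is that an intruder who slipped past prevention leaves behind process lineages (parent process spawning child process) that appear on only one or two hosts, while legitimate activity recurs across the fleet. It also performs the data-collection check the SANS definition alludes to: before drawing conclusions, it confirms that every host expected to report telemetry actually did. The telemetry, host names and process names are all constructed for the example.

```python
"""Hypothesis-driven hunt over process-creation telemetry (added example).

Hypothesis: a (parent, child) process lineage seen on very few hosts is an
outlier worth an analyst's attention, because routine activity recurs across
the fleet. A hunt also has to validate its data before trusting it, so hosts
that sent no telemetry at all are reported as collection gaps.

All telemetry below is constructed for this example; it is not real data.
"""
from collections import defaultdict
import json

# Constructed process-creation events, one JSON record per line.
TELEMETRY = """\
{"host": "ws01", "user": "alice", "parent": "explorer.exe", "child": "outlook.exe"}
{"host": "ws01", "user": "alice", "parent": "explorer.exe", "child": "chrome.exe"}
{"host": "ws01", "user": "SYSTEM", "parent": "services.exe", "child": "svchost.exe"}
{"host": "ws02", "user": "bob", "parent": "explorer.exe", "child": "outlook.exe"}
{"host": "ws02", "user": "bob", "parent": "explorer.exe", "child": "chrome.exe"}
{"host": "ws02", "user": "SYSTEM", "parent": "services.exe", "child": "svchost.exe"}
{"host": "ws03", "user": "carol", "parent": "explorer.exe", "child": "outlook.exe"}
{"host": "ws03", "user": "carol", "parent": "explorer.exe", "child": "chrome.exe"}
{"host": "ws03", "user": "SYSTEM", "parent": "services.exe", "child": "svchost.exe"}
{"host": "ws04", "user": "dave", "parent": "explorer.exe", "child": "outlook.exe"}
{"host": "ws04", "user": "dave", "parent": "explorer.exe", "child": "pdfviewer.exe"}
{"host": "ws04", "user": "dave", "parent": "pdfviewer.exe", "child": "cmd.exe"}
{"host": "ws04", "user": "SYSTEM", "parent": "services.exe", "child": "svchost.exe"}
{"host": "ws05", "user": "erin", "parent": "explorer.exe", "child": "outlook.exe"}
{"host": "ws05", "user": "erin", "parent": "explorer.exe", "child": "pdfviewer.exe"}
{"host": "ws05", "user": "SYSTEM", "parent": "services.exe", "child": "svchost.exe"}
"""

# The hosts the asset inventory says should be reporting (constructed).
# ws06 is deliberately absent from the telemetry above.
EXPECTED_HOSTS = {"ws01", "ws02", "ws03", "ws04", "ws05", "ws06"}


def parse_events(text):
    """Parse newline-delimited JSON records into a list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def coverage_gaps(events, expected_hosts):
    """Hosts that should have reported telemetry but sent nothing.

    A hunt that skips this step can mistake a collection failure for a
    clean host, which is exactly the blind spot an intruder benefits from.
    """
    seen = {e["host"] for e in events}
    return sorted(expected_hosts - seen)


def stack_lineages(events):
    """Map each (parent, child) lineage to the set of hosts it appeared on."""
    hosts_by_lineage = defaultdict(set)
    for e in events:
        hosts_by_lineage[(e["parent"], e["child"])].add(e["host"])
    return hosts_by_lineage


def rare_lineages(events, max_hosts=1):
    """Lineages seen on at most max_hosts distinct hosts, rarest first."""
    stacked = stack_lineages(events)
    rare = [(lineage, sorted(hosts))
            for lineage, hosts in stacked.items()
            if len(hosts) <= max_hosts]
    rare.sort(key=lambda item: (len(item[1]), item[0]))
    return rare


def run_hunt(text=TELEMETRY, expected_hosts=EXPECTED_HOSTS, max_hosts=1):
    """Run the hunt and return both the findings and the collection gaps."""
    events = parse_events(text)
    return {
        "coverage_gaps": coverage_gaps(events, expected_hosts),
        "findings": rare_lineages(events, max_hosts),
    }


if __name__ == "__main__":
    result = run_hunt()
    print("Hosts with no telemetry:", result["coverage_gaps"])
    for (parent, child), hosts in result["findings"]:
        print(f"Rare lineage {parent} -> {child} on {hosts}: examine")
```

On the constructed data the hunt reports ws06 as a collection gap and surfaces the single `pdfviewer.exe -> cmd.exe` lineage on ws04 for review; raising `max_hosts` to 2 also returns the `explorer.exe -> pdfviewer.exe` lineage shared by ws04 and ws05. Neither result is a verdict; the point of the hypothesis is to give the analyst a short, ranked list to investigate rather than an alert to react to.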
Organizations can’t start engaging in threat hunting out of the blue, Lee said. Some elements must be in place, namely having:
One piece of good news from the survey is an increase in awareness from last year of the importance of proactively hunting for intruders that slip in undetected. “We’re starting to see more organizations getting the mindset that the likelihood of intruders out there compromising us is quite high and that they’re already inside our organization,” Lee said.
These stealthy intruders remain undetected for 90 to 100 days on average, so the sooner you find them, the fewer opportunities they have to do damage.
The study, which polled 600 organizations, found that 43% of respondents hunt for threats continuously, which is ideal, while 17% do it on a regular schedule, which is second best. The rest hunt only when triggered by an event or a hunch (37%), which is more reactive and thus closer to incident response, or couldn’t answer (3%).
Hunting is starting to show that organizations are using intelligence properly to identify threats instead of solely relying on traditional alerts and alarms. It’s also helping organizations find threats more effectively, and it improves security operations and incident response.
“Threat hunting has these trickle-down effects of improvements across security in your entire organization,” he said.
Among the respondents who measure the benefits obtained from threat hunting, almost 90% reported improvements in overall security. Areas that improved thanks to threat hunting included time to containment and number of breaches.
“Once you’re able to achieve even a minimum capability of threat hunting, it helps the overall security posture of your organization,” Lee said.
Qualys VP of Product Management Chris Carlson explained how Qualys can help organizations strengthen incident response by reducing their attack surface and doing proactive threat hunting.
For attack surface reduction, Qualys offers apps that help you:
To illustrate, Carlson cited an example in which he obtained a Red Hat 7.4 image from the Azure marketplace and assessed its vulnerabilities with the Qualys Cloud Agent. The agent, which organizations can deploy automatically on Windows or Linux images through its integration with Azure Security Center, found 27 active vulnerabilities.
In a real-life scenario where an organization deploys 1,000 of those images with the click of a button, “that attack surface is huge,” Carlson said.
Further threat intelligence analysis using Qualys apps revealed that 14 of the vulnerabilities have known public exploits, including a zero-day bug and one that’s being actively attacked.
“That’s a lot of wasted time for incident response if they’re trying to respond to these items when the attack surface is this wide open,” Carlson said.
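The narrowing Carlson describes, from 27 findings on one image to the 14 with public exploits and the handful that are actively attacked or unpatched, is a prioritization rule, and the following added example (written for this post, not Qualys code, and using no Qualys API) shows one way to express it. The findings, their severities and their exploit flags are constructed; the tier ordering (actively attacked, then zero-day, then public exploit, then everything else) is an assumption chosen for the example, not a rule stated in the webcast. The example also scales the per-image counts to a fleet of identical deployments, as in the 1,000-image scenario above.

```python
"""Exploit-aware prioritization of scanner findings (added example).

Given per-image vulnerability findings with threat-intelligence flags,
rank them so that incident response spends its time on the findings an
attacker can actually use, and show how the exposure multiplies when the
same image is deployed many times.

Every finding below is constructed; the tier ordering is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str                 # constructed identifier, not a real CVE
    severity: int           # 1 (low) .. 5 (urgent), as a scanner would rate it
    public_exploit: bool    # threat intel says a working exploit is public
    actively_attacked: bool # threat intel says it is being exploited in the wild
    zero_day: bool          # no vendor fix available yet


# Constructed findings for one image (a few of the "27", not all of them).
FINDINGS = [
    Finding("F-01", 3, False, False, False),
    Finding("F-02", 5, True, False, False),
    Finding("F-03", 2, False, False, False),
    Finding("F-04", 4, True, False, True),    # zero-day with a public exploit
    Finding("F-05", 4, True, True, False),    # actively attacked
    Finding("F-06", 3, True, False, False),
    Finding("F-07", 4, False, False, False),
    Finding("F-08", 4, True, False, False),
]


def priority_tier(f):
    """Lower tier number means respond sooner (assumed ordering)."""
    if f.actively_attacked:
        return 1
    if f.zero_day:
        return 2
    if f.public_exploit:
        return 3
    return 4


def prioritize(findings):
    """Order findings by tier, then by scanner severity, then by id."""
    return sorted(findings, key=lambda f: (priority_tier(f), -f.severity, f.id))


def ir_queue(findings):
    """The subset incident response should look at first: tiers 1 to 3."""
    return [f for f in prioritize(findings) if priority_tier(f) <= 3]


def fleet_exposure(findings, instances):
    """Vulnerability instances per tier when the image is deployed N times."""
    counts = {}
    for f in findings:
        tier = priority_tier(f)
        counts[tier] = counts.get(tier, 0) + instances
    return counts


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"tier {priority_tier(f)}  sev {f.severity}  {f.id}")
    print("IR queue:", [f.id for f in ir_queue(FINDINGS)])
    print("Exposure across 1000 images:", fleet_exposure(FINDINGS, 1000))
```

Run on the constructed findings, the queue puts the actively attacked finding first, the zero-day second, and drops the three findings with no exploit evidence to the bottom; across 1,000 deployments the tier-1 and tier-2 items alone represent 2,000 vulnerable instances, which is the “wide open” attack surface Carlson refers to. Patching the base image before it is cloned removes all of them at once, whereas responding per instance after deployment does not.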
Meanwhile, for proactive hunting, detection and response, Qualys offers apps for:
Qualys has a content library with over 95 indicators of activity and TTPs to detect:
Carlson said a key component in all of these scenarios is the Cloud Agent, which can collect data for multiple Qualys apps. That way, organizations can remove point-solution agents, and consolidate security and compliance functions in a single agent, reducing costs and complexity.
The Cloud Agent is lightweight, consuming negligible computing and network resources. After a comprehensive initial data collection from the asset, it gathers only changes. Broad OS support includes Windows, Linux, macOS, and “cloud native” platforms such as AWS, Azure and Google Cloud. It works on premises, in clouds and on remote endpoints.
We invite you to watch a recording of the webcast, which includes many more details about threat hunting, presentations from several other participants, and a Q&A session with the audience, and read the study.